Federal regulators have begun a push for new cybersecurity defenses to prevent sophisticated attackers from penetrating utility control rooms and other industrial control system centers by planting malware in third-party vendors’ products.
A proposed rulemaking announced Thursday by the Federal Energy Regulatory Commission would require utility industry representatives to develop a new security strategy and standard for supply chain management processes.
FERC is also seeking comment on a second proposed order to the industry’s standards group, the North American Electric Reliability Corp., which would require additional security controls to safeguard communications between grid control centers when vital control data is traveling over unprotected third-party communications channels.
Several industry officials and experts, asked to respond to FERC’s actions, said new standards on these issues would be hard to write for different reasons but were vital nonetheless.
"I’m happy to see that these initiatives are moving forward," said cyberdefense developer Billy Rios, whose "WhiteScope" listing identifies trusted vendor products for industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, both used by operators to manage the power grid. "I don’t believe we have scalable solutions in place for any of these parts of the supply chain defense."
"It’s certainly a serious issue," said Nadya Bartol, senior cybersecurity strategist at the Utilities Telecom Council, who authored a recent UTC roadmap on supply chain security. "Opinions vary about how serious it is, but it is certainly of concern throughout the industry.
"There are known cases of hackers going after ICS systems and utilities. The danger is that the malicious code gets implanted through the vendor and becomes a part of the utility system," she said in an interview (EnergyWire, June 9).
The BlackEnergy and Havex malware campaigns last year triggered alerts from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), warning that some leading vendor systems had been infected with malware modules designed to conduct secret surveillance on target ICS systems, possibly to spot weak points for a future attack (EnergyWire, April 20).
A recent Dell Inc. security report recorded a 100 percent year-over-year increase in cyberattacks directed against SCADA systems (EnergyWire, April 15).
Patrick Sweeney, executive director of Dell Security, said in an interview: "Definitely the state-sponsored hackers are very, very active. The state-sponsored actors are looking for not just the penetration, but reconnaissance of the entire environment. We’re tracking many, many SCADA signatures."
The primary challenge is that FERC does not regulate utilities’ vendors, so the reliability standard it wants would apply only to the utilities, who would then be responsible for defending against malware attempting to hitchhike in on vendor products, said Ken McIntyre, a cybersecurity executive and former Texas electricity regulator.
"How do you hold vendors accountable?" McIntyre asked. "It is hard to do," he said. It is the utility that is on the hook to show compliance. "How do you put that back out and make sure vendors are doing this?" he asked.
Rios discussed the issue in a podcast in April. "And I’m telling you right now, if anyone tells you that they solved the security supply chain problem, they’re definitely selling you snake oil," Rios said.
"We just want people to be able to verify the integrity of software that they’re right about to load onto a device or onto a system," he said. "So we call that the ‘last mile’ supply chain.
"We want people to be able to validate that the software that they’re going to put on their device came from the vendor."
The National Electrical Manufacturers Association, which represents a range of industries including medical device and electric utility suppliers, published a white paper on supply chain security last month.
Steve Griffith, industry director at NEMA and the organization’s principal liaison for cybersecurity activities, said in an interview that the document reflects manufacturers’ awareness "that the area of supply chain compromise is an issue — and here’s what we’re doing to address it."
In the white paper, NEMA recommended its members document their purchasing process and give preference to sourcing components from original manufacturers.
McIntyre recalls opening a box of grid equipment from a vendor — he won’t say who — and then discovering it was ticking with suspicious software code that had infiltrated the vendor’s product.
"It’s a real issue, and utilities need to be aware of it," said McIntyre, executive vice president of the Anfield Group.
Recognizing the difficulty, FERC’s notice last week said the vendor standard should not attempt to impose rules directly on suppliers nor attempt to rewrite existing contracts between suppliers and utilities, just future ones. The rule should set a goal and give utilities and suppliers flexibility in achieving it, FERC said. But the plan must spell out specific controls that utilities will have in place to manage what they buy, the commission added.
"It’s acknowledged that NERC and FERC don’t have authority over the vendors. Utilities have a limited ability to impose conditions on vendors," Bartol said. "It needs to be done through a productive dialogue."
"Utilities can and should put security requirements in procurements. It’s best when these are discussed and there is agreement on how you do it and monitor it." But FERC regulations should not require controls that go beyond what utilities can achieve, she said.
Protecting grid data flows
FERC’s action on data communications between utility control rooms also deals with vulnerabilities outside of utilities’ direct control — in this case, the flow of vital data on grid conditions that travels between control rooms over telecom company wires or wireless paths.
FERC, in its Order 791, adopted after the 2013 armed attack on a power substation near San Jose, Calif., told NERC to define certain communications networks serving the grid, as a foundation for further defensive rules. However, NERC said a definition wasn’t needed, since adequate protection was covered elsewhere in FERC security rules.
Not good enough, FERC replied last week, contending that more action was needed to close gaps in grid defenses arising from data flows over "non-programmable" traditional third-party telecom networks. FERC acknowledged that utilities don’t have the means to oversee these third-party links themselves, but said the risk can be addressed just the same through encryption or other means.
"It’s doable. It’s just the cost and impact" of a new rule, McIntyre said, which has to be weighed against the risk of a successful infiltration.
Kevin Perry, director of critical infrastructure protection for the Southwest Power Pool, noted communications vulnerabilities at a FERC technical conference in April 2014.
"While not necessarily easy to do it, [it] is possible to intercept and manipulate data via a man-in-the-middle attack," he said. "Data can be changed or replayed to make the operator assume incorrect operating conditions and to respond improperly.
"The ability to intercept and manipulate data has been demonstrated in a variety of classified and unclassified settings and the data can be intercepted to obtain information about current operating conditions that could be valuable in crafting and carrying out a successful attack" against the high voltage grid (EnergyWire, March 25, 2014).
"These attacks are simplified by the fact that the data is often transmitted in clear text and without end-point authentication or integrity verification, making the data manipulation easy to accomplish," he said.
Perry added that he has seen utilities choose to keep older, "non-routable" third party systems in use because these were not subject to FERC security rules. (Routable communications refer to packets of data that contain network addresses, permitting them to be forwarded from one network to another, while non-routable packets can only be sent from one device to another.)
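The weaknesses Perry describes above (cleartext data with no end-point authentication, integrity check or replay protection) can be closed at the application layer even when the telecom link itself cannot be controlled. The following is an added example, not code from the article or any utility: it wraps each control-center telemetry record with a sequence number and an HMAC tag over a shared key, so a receiver can reject records that were modified in transit, forged with the wrong key, or replayed. The key, record format and field names are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed shared key for this example only; a real deployment would
# provision a distinct key per control-center link.
SHARED_KEY = b"example-shared-key-for-demo-only"


def protect(seq, payload, key=SHARED_KEY):
    """Serialize a telemetry record with its sequence number and append an HMAC tag.

    Canonical JSON (sorted keys, no whitespace) makes the bytes that were
    authenticated reproducible on the receiving side.
    """
    body = json.dumps({"seq": seq, "data": payload},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + tag


class Receiver:
    """Verifies integrity and origin of each record and rejects replays."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, wire):
        """Return (payload, 'ok') or (None, reason) for a record off the wire."""
        body, sep, tag = wire.rpartition("|")
        if not sep:
            return None, "malformed"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison; any change to body or tag fails here,
        # as does a record produced with a different key.
        if not hmac.compare_digest(expected, tag):
            return None, "bad tag"
        msg = json.loads(body)
        # A valid but previously seen (or older) record is a replay.
        if msg["seq"] <= self.last_seq:
            return None, "replay"
        self.last_seq = msg["seq"]
        return msg["data"], "ok"


def demo():
    """Constructed run: genuine, replayed and tampered records."""
    rx = Receiver()
    genuine = protect(1, {"bus": "A", "mw": 412.5})
    tampered = genuine.replace("412.5", "0.0")  # attacker edits the measurement
    return [rx.accept(genuine)[1], rx.accept(genuine)[1], rx.accept(tampered)[1]]
```

The same sequence check also catches out-of-order delivery; a deployment that must tolerate reordering would track a window of recent sequence numbers instead of a single high-water mark.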
FERC gave industry representatives 60 days to comment following publication of the draft notice of the rulemaking in the Federal Register.