Three years ago, hackers hijacked the websites of three different energy industry suppliers to sneak past oil, gas and power companies’ digital defenses.
The attackers used the websites to spread malicious software updates to sensitive electricity and manufacturing control systems in the U.S. and Europe.
Once brought to light, the "Dragonfly" group’s Trojan horse-style tactics set off changes in how the U.S. power grid’s "soft underbelly," its supply chain, is secured.
Now, a U.S. regulatory push to lock down the global market for grid equipment is on the agenda at the Federal Energy Regulatory Commission, as the Dragonfly hackers have reportedly staged a comeback (Energywire, Sept. 7).
Supply chain issues "keep me up at night," said Devon Streit, the Energy Department’s deputy assistant secretary for infrastructure security and energy restoration, at a cybersecurity event Wednesday.
She recommended utilities assume "that either you are going to be compromised, or if you really are going to be honest about this, that you already have been compromised, and take it from there."
Streit said DOE’s Advanced Manufacturing Office is working with defense officials to address potential security flaws in critical manufacturers, an effort distinct from the petition sent to FERC last week.
Streit also pointed to research and development underway at U.S. national labs. "There’s a lot of nascent work there, and a lot more to be done," she said at an event hosted by the Intelligence and National Security Alliance at the MITRE Corp.’s headquarters in Virginia.
Supply chain problems have vexed U.S. utilities for years. Energy companies have to worry not only about Trojan horses sent by the likes of Dragonfly but also more prosaic counterfeit products that can pose competitive, safety and quality assurance problems.
Reverse-engineering software or hardware components to look for potential backdoors is a painstaking, costly process out of reach for all but the biggest power utilities. Grid operators can request certain cyber protections in contract language with their suppliers, but experts say there’s little appetite to go further than that.
"I wish I could offer you a simple solution or a box to check for you to secure your software supply chain," said Tonya Ugoretz, director of the cyberthreat intelligence integration center at the Office of the Director of National Intelligence, during another cybersecurity event Wednesday at the U.S. Chamber of Commerce.
Supply chain security "is an area where U.S. businesses are essential; here, private industry is truly the first line of defense for us all," she said.
A ‘tight spot’
The proposed supply chain security standards that arrived at FERC last week were crafted by the North American Electric Reliability Corp., the nonprofit U.S. grid overseer.
Last year, FERC ordered NERC to review the issue and draft a new set of "critical infrastructure protection" rules, citing the Dragonfly threat, variously known as "Havex" and "Energetic Bear" (Energywire, July 22, 2016).
Under federal law, FERC and NERC set and enforce binding security standards on the bulk power grid. FERC directs NERC to draft rules, then gets the final say on whether to adopt NERC’s proposals, throw them out or call for changes.
From the outset, the government’s focus on supply chain defenses drew skepticism from some industry observers, who wondered how regulators could crack down on global equipment and software suppliers that don’t fall under federal jurisdiction.
"This regulation is basically impacting one industry through another one," said Patrick Miller, managing partner at Archer Energy Solutions and a former control system security auditor.
In other words, utilities would act as a "proxy" regulator for FERC, Miller explained, by getting their suppliers to improve the security of products that end up in the U.S. power grid.
"That puts utilities in a tight spot and makes the vendors and the utilities act in strange ways," said Miller, who noted that he would have preferred a more "surgical" approach for the standards.
The draft rules would make utilities develop supply chain risk management plans, accounting for vendors’ policies for disclosing cyber vulnerabilities and identifying any remote access to installed equipment, among other precautions.
Another part of the regulations would require utilities to have at least one way to shut off vendor access to systems that could affect electric reliability. That way, the thinking goes, hackers who break into a supplier couldn’t count on getting a remote pathway to the grid. (Control system providers often request access to installed equipment for troubleshooting or maintenance.)
In a nod to the Dragonfly threat, NERC’s petition would also make utilities double-check the integrity of software updates and "patches" applied to major parts of the electric system.
Miller said that even if FERC agrees to adopt the rules as written, enforcing them could prove tricky. "The auditors will be challenged to actually call a ball or a strike because the language of the standard is so flexible," he said.
NERC has acknowledged many of the challenges with the rule, noting that supply chain management "is a complex global issue."
The standards "cannot directly impose obligations on suppliers, vendors, or other entities that provide products or services" to big power utilities, NERC said. "NERC Reliability Standards should not be expected to mitigate all risks inherent to the global supply chain."
Melissa Crawford, global consultant for industrial cybersecurity for Siemens Plant Security Services, said the automation giant has developed varying "protection levels" for its products based in part on supply chain checks. Such rankings, she explained, can help organizations determine which products are the best fit for highly regulated or sensitive environments. She also said that Siemens maintains only one-way access to deployed products — that is, the vendor can typically monitor data coming in from installed devices but not send back commands that could pose a cybersecurity risk.
"Supply chain security is such a large topic — you have to think about what level of security you’re trying to achieve, and what kind of attackers you’re trying to prevent," she said. "It comes back down to money: Do you want to have your own team that has the skills and knowledge in the products that you’re using and will be testing them themselves? [Or] is that something you want the vendor to be accountable for?"
Crawford, who is based at Siemens’ headquarters in Munich, often works with chemical and manufacturing customers who have facilities in multiple countries, with varying regulations, cultures and security challenges. She pointed out that Siemens has its own cybersecurity emergency response team to home in on potential vulnerabilities in products or third-party components.
"There have already been known instances of attackers mimicking firmware updates from the supplier. … I can understand why NERC wants to address that," she said, though she added it could still be a "challenge" to regulate. "When a regulator gets involved, it might force you to pay more attention."