At the Texas Reliability Entity’s CIP Workshop on Thursday, participants from across the ERO Enterprise shared the challenges they’ve encountered with keeping their physical and electronic systems secure in the face of a rapidly growing threat landscape.
The day’s presentations focused on the requirements of NERC’s Critical Infrastructure Protection (CIP) standards, but presenters emphasized that safety depends on more than cleaving to the letter of the regulations.
“Something we all need to remember is that compliance doesn’t equal security, but compliance plus security helps mitigate those threats, those vulnerabilities, those risks that are out there,” Kenath Carver, Texas RE’s manager of CIP compliance monitoring, said in the day’s first panel on supply chain risk management.
Software Supply Chain Hacks to Continue
Many panelists touched on the compromise of the SolarWinds Orion network management platform that was discovered last year. More than 18,000 public- and private-sector organizations, including the Department of Energy and FERC, are known to have been impacted by the breach, which security officials have attributed to Russian hackers. Joseph McClelland, director of FERC’s Office of Energy Infrastructure Security, said earlier this year that large-scale replacement of affected systems “may be the only option” for some users. (See SolarWinds Recovery May Require Extreme Actions.)
Software supply chain vulnerabilities don’t only manifest through business management technology: Collaboration software like Slack and Microsoft Teams is another potential avenue for hackers to gain entry to corporate networks, particularly given the rise in working from home because of the COVID-19 pandemic. Even for a platform that has not been compromised, the surge in users gives hackers myriad new vectors to gain entry.
“In the world that we live in right now, which is way more remote than ever before, these technologies are becoming more and more sophisticated, and are also being developed in a more and more rapid fashion,” Brian Allen, a senior cybersecurity specialist at Georgia System Operations, told the first panel. “So you want to ensure that you fully understand the capabilities of these technologies and not simply go based off what you can see, but what could also be done behind the scenes.”
Bill Peterson, manager of training and outreach at SERC Reliability, acknowledged that web conferencing platforms have been a boon for remote workers but advised organizations to limit their impact on vital systems as much as possible. This means restricting interactivity so that users can view others’ systems but not change them, and even thinking proactively about how much vital information is visible to other users. After all, he said, if one coworker could take a screenshot of another’s screen, potentially any hacker who is surreptitiously watching their interaction could do the same.
Analog Communications Also Vulnerable
Participants also reminded listeners that communication does not always mean digital interaction. In a panel focused on CIP-012-1 (Communications between control centers), NERC Senior CIP Assurance Adviser Jeremy Withers observed that old-fashioned phone calls between different entities or even within one entity’s business domain are vulnerable to interception too. Even voice communications within control centers can’t always be considered secure.
“Think about some scenarios where control centers are located in buildings that they don’t necessarily own … and they have other occupants. There may be some high-traffic areas in those buildings near the control centers,” Withers said. “And the entities may want to do … a walk close to the perimeters, to make sure that all communications aren’t heard outside of [them]. If they do find issues, maybe look at [mitigations] such as white noise machines … or other soundproof technologies.”
Jess Syring, CIP compliance monitoring manager for the Midwest Reliability Organization, added that entities should not expect to be able to use a one-size-fits-all playbook to satisfy CIP auditors.
“Some examples of the questions that we’re going to ask are: What part of the transmission between the applicable control centers is the encryption applied to? What is the demarcation point where the encryption is controlled? What is the method and level of encryption — is it an outdated encryption standard?” Syring said. “All of these are questions that I would say [are] going to be the first line to start additional conversations … to ensuring that there [are] appropriate protections around those communications.”
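The three audit questions Syring lists (where on the path encryption is applied, where the demarcation point is, and whether the method is outdated) can be turned into a repeatable self-check. The following is an added example written for this article, not code from Texas RE, MRO or NERC, and not a CIP-012-1 compliance tool: it models a hypothetical path between two control centers as a list of hops, each with its configured protocol, cipher string and the device that controls the encryption, and reports cleartext hops, hops with no recorded demarcation device, and deprecated protocols or algorithms. The deprecation lists (SSLv3 per RFC 7568, TLS 1.0/1.1 per RFC 8996, RC4 per RFC 7465, 3DES after SWEET32, and the rest) are illustrative; an entity’s own encryption policy is the authority. The sample path, device names and cipher strings are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Illustrative deprecation lists (assumption for this example; align with your own policy).
OUTDATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "IKEv1"}
OUTDATED_ALGORITHMS = {"RC4", "DES", "3DES", "MD5", "NULL", "EXPORT", "ANON"}


@dataclass
class Segment:
    """One hop on the hypothetical path between two control centers."""
    name: str
    protocol: Optional[str] = None     # None means the data crosses this hop in cleartext
    cipher: Optional[str] = None       # cipher suite / transform set as configured
    demarcation: Optional[str] = None  # device where this hop's encryption is controlled


def cipher_tokens(cipher: str) -> List[str]:
    """Split a cipher string such as TLS_RSA_WITH_3DES_EDE_CBC_SHA or AES-256-GCM into tokens."""
    return [t.upper() for t in re.split(r"[-_/ ]+", cipher) if t]


def assess_link(segments: List[Segment]) -> Dict[str, List[str]]:
    """Answer the three audit questions for every hop and collect findings by category."""
    findings: Dict[str, List[str]] = {
        "unencrypted": [],               # which part of the transmission has no encryption
        "undocumented_demarcation": [],  # where the encryption is controlled is not recorded
        "outdated": [],                  # method or level of encryption is deprecated
    }
    for seg in segments:
        if seg.protocol is None:
            findings["unencrypted"].append(f"{seg.name}: data crosses this hop in cleartext")
            continue
        if seg.demarcation is None:
            findings["undocumented_demarcation"].append(
                f"{seg.name}: no device recorded as controlling the encryption")
        if seg.protocol in OUTDATED_PROTOCOLS:
            findings["outdated"].append(f"{seg.name}: protocol {seg.protocol} is deprecated")
        # Any deprecated algorithm appearing anywhere in the cipher string counts.
        weak = sorted(set(cipher_tokens(seg.cipher or "")) & OUTDATED_ALGORITHMS)
        for alg in weak:
            findings["outdated"].append(f"{seg.name}: cipher {seg.cipher} uses {alg}")
    return findings


def is_acceptable(findings: Dict[str, List[str]]) -> bool:
    """True only when every hop is encrypted, documented and uses current methods."""
    return not any(findings.values())


# Constructed sample path: encryption is applied only router-to-router across the WAN,
# the last hop uses a deprecated TLS version and cipher, and its demarcation is undocumented.
SAMPLE_PATH = [
    Segment("CC-A ICCP server -> CC-A WAN router"),
    Segment("CC-A WAN router -> CC-B WAN router", "IKEv2", "AES-256-GCM", "CC-A WAN router"),
    Segment("CC-B WAN router -> CC-B ICCP server", "TLSv1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
]

if __name__ == "__main__":
    result = assess_link(SAMPLE_PATH)
    for category, items in result.items():
        for item in items:
            print(f"[{category}] {item}")
    print("acceptable:", is_acceptable(result))
```

Running it on the sample path lists the cleartext hop inside Control Center A, the missing demarcation record on the last hop, and two outdated-method findings (TLSv1.0 and 3DES), which is exactly the material an auditor would use as the starting point for the follow-up conversation Syring describes.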