By Michael Brooks
Two malware campaigns against vendors of industrial control systems have prompted the Federal Energy Regulatory Commission to propose the development of a new reliability standard.
FERC issued a notice of proposed rulemaking last week that directs the North American Electric Reliability Corp. to develop critical infrastructure protection (CIP) rules for supply chain management to respond to risks to communication networks and related Bulk Electric System (BES) assets (RM15-14).
“This new type of malware campaign is based on the injection of malware while a product or service remains in the control of the hardware or software vendor, prior to delivery to the customer,” FERC said. The supply chain rules would be part of a revised standard, CIP-006-6 (Physical Security of BES Cyber Systems).
The NOPR seeks comment on that and six other updated CIP standards.
Trojan Horse Viruses
The two malware threats that prompted FERC’s concern are Trojan horse viruses planted in industrial control systems, such as supervisory control and data acquisition (SCADA) and programmable logic controllers (PLCs). One, called Havex, was identified in June by cybersecurity firm F-Secure and was used to conduct espionage against several industrial companies in Europe.
Last fall, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a warning that a Trojan horse virus dubbed BlackEnergy had been found on Internet-connected human-machine interfaces (HMIs) from vendors including GE Cimplicity, Advantech/Broadwin WebAccess and Siemens WinCC. ICS-CERT also cited public reports of a BlackEnergy campaign against overseas targets that took advantage of vulnerabilities affecting Microsoft Windows and Windows Server 2008 and 2012.
The virus is believed to have been planted as early as 2011 but only activated recently by government-backed hackers in Russia.
Third Time
Highlighting the seriousness of FERC’s concern, Commissioner Cheryl LaFleur noted that the NOPR represented only the third time the commission has ordered NERC to initiate a standard. FERC previously ordered standards addressing geomagnetic disturbances and physical security.
“The work that NERC, the industry and the commission do on cybersecurity must obviously continually evolve to meet the changing nature of the cybersecurity threat, which we all see in the news practically daily,” LaFleur said in a statement. “Understanding the evolving threats and how best to respond to them is of critical importance.”
The NOPR only gave NERC general directions as to what the new standard should include. The commission suggested it could be based on the National Institute of Standards and Technology’s supply chain risk management controls (SP 800-161). The Department of Energy also has offered guidance on cybersecurity procurement for energy delivery systems.
“It’s too early in the process to say what a standard might say or what the terms of it might be,” FERC Chairman Norman Bay said.
The order is intended to protect against malware and other supply chain risks including counterfeits and tampering or theft of data.
The new standard would only apply to registered entities subject to NERC jurisdiction, not vendors supplying them. “At this time we aren’t seeking some sort of broader statutory authority,” Bay said.
“While the commission’s CIP standards don’t specifically cover … supply chain vendors, there is undoubtedly a gap and vulnerability there that’s been identified now for some period of time that I think all of us take very, very seriously,” Commissioner Tony Clark said. “I suppose the main idea is that we’re trying to ensure that security becomes effectively baked into the cake, as it were, from the ground up in the systems that the electric utilities use.”
The commission asked for comment on the proposed standard, including what would be “a reasonable time frame” for its completion. Comments are due in 60 days from publication of the NOPR in the Federal Register.
Transient Devices
While FERC accepted most of the CIP standards as proposed, the commission ordered NERC to provide additional justification for its rules regarding risks posed by “transient” electronic devices such as USB flash drives and laptops.
The commission said it was concerned about NERC’s decision not to include rules regarding use of transient devices on “low-impact” cyber systems, including low-impact control centers.
“Malware inserted via a USB flash drive at a single low-impact substation could propagate through a network of many substations without encountering a single security control under NERC’s proposal,” FERC said. “In addition, we note that low-impact security controls do not provide for the use of mandatory anti-malware/antivirus protections within the low-impact facilities, heightening the risk that malware or malicious code could propagate through these systems without being detected.”
Nonprogrammable Components
The commission also said it was concerned that NERC’s standards provided limited protection for nonprogrammable components of communication systems, such as cabling.
NERC has proposed physical access restrictions and encryption as protections against physical attacks on nonprogrammable equipment, session hijacking attacks within a BES control center and man-in-the-middle attacks — in which an attacker intercepts and may alter data between two parties who believe they are directly communicating with each other.
But it “does not extend protections to real-time data passing between control centers outside of a facility,” FERC said.
The commission ordered NERC to modify CIP-006-6 to require protection of all communication links and sensitive data communicated between all BES control centers.
Other Standards
The other standards tentatively approved by FERC were: CIP-003-6 (Security Management Controls); CIP-004-6 (Personnel and Training); CIP-007-6 (Systems Security Management); CIP-009-6 (Recovery Plans for BES Cyber Systems); CIP-010-2 (Configuration Change Management and Vulnerability Assessments); and CIP-011-2 (Information Protection).