By Rich Heidorn Jr.
FERC on Thursday ordered NERC to lower the threshold for mandatory reporting of cyber incidents, saying that the lack of any reports in 2015 and 2016 suggests gaps in the grid’s protections (RM18-2, AD17-9).
NERC’s Critical Infrastructure Protection (CIP) reliability standard only requires reporting of incidents if they have “compromised or disrupted one or more reliability tasks” (CIP-008-5, Cyber Security – Incident Reporting and Response Planning).
“Therefore, in order for a cyber-related event to be considered reportable under the existing CIP reliability standards, it must compromise or disrupt a core activity (e.g., a reliability task) of a responsible entity that is intended to maintain bulk electric system [BES] reliability,” the commission said. “Under these definitions, unsuccessful attempts to compromise or disrupt a responsible entity’s core activities are not subject to the current reporting requirements.”
In a Notice of Proposed Rulemaking, the commission said the standard should be revised to require reporting of incidents “that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS).”
FERC cited NERC’s 2017 State of Reliability report, which noted that “while there were no reportable cybersecurity incidents during 2016 and therefore none that caused a loss of load, this does not necessarily suggest that the risk of a cybersecurity incident is low.”
The current “mandatory reporting process does not create an accurate picture of cybersecurity risk since most of the cyber threats detected by the electricity industry manifest themselves in … email, websites, smart phone applications … rather than the control system environment where impacts could cause loss of load and result in a mandatory report,” NERC said.
The organization recommended redefining reportable incidents “to be more granular and include zero-consequence incidents that might be precursors to something more serious.”
NERC noted that the 2016 annual summary of the Department of Energy’s electric disturbance reporting form OE-417 included two suspected and two actual cyberattacks. In addition, the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded in 2016 to 59 cybersecurity incidents within the energy sector, which includes the electric subsector.
“Based on this comparison, the current reporting threshold in reliability standard CIP-008-5 may not reflect the true scope and scale of cyber-related threats facing responsible entities,” FERC said.
Deadlines, Data Requirements
FERC said NERC’s revision should set a deadline for filing a report following a cyberattack attempt and specify the information required in the reports to “improve the quality of reporting and allow for ease of comparison by ensuring that each report includes specified fields of information.”
Current rules require responsible entities to provide the Electricity Information Sharing and Analysis Center (E-ISAC) with initial notification within an hour of determining a “reportable” incident, which may be made by phone call, email or web-based notice. The rules do not specify what should be included in the report, nor do they set a deadline for completing the full report.
FERC said the reporting timeline “should reflect the actual or potential threat to reliability, with more serious incidents reported in a more timely fashion.”
The commission suggested requiring information on three “attributes,” as used in DHS’ multisector reporting and summarized in its annual report: the functional impact that the incident achieved or attempted to achieve; the attack method or “vector” (such as a phishing attack for user credentials or a virus designed to exploit a known vulnerability); and the level of intrusion that was achieved or attempted.
In addition to being filed with the E-ISAC, as is now required, the incident reports also would be sent to ICS-CERT. NERC also must file an annual — and public — summary of the reports with FERC with identifying details anonymized. “We believe that the ICS-CERT annual report, which includes pie charts reflecting the energy sector’s cybersecurity incidents by level of intrusion, threat vector and functional impact, would be a reasonable model for what NERC reports to the commission,” the NOPR said.
Comments Sought
Comments on the NOPR will be due 60 days after publication in the Federal Register. The commission specifically sought comment on whether to exclude EACMS from the new standard and establish the ESP as the minimum reporting threshold instead.
NERC defines an ESP as the “logical border surrounding a network to which BES cyber systems are connected using a routable protocol.” EACMS include firewalls, authentication servers, security event monitoring systems, intrusion detection systems and alerting systems.
“Therefore, EACMS control electronic access into the ESP and play a significant role in the protection of high- and medium-impact BES cyber systems. Once an EACMS is compromised, an attacker could more easily enter the ESP and effectively control the BES cyber system or protected cyber asset,” FERC said.
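The reporting thresholds and report attributes described above can be made concrete in a small triage model. The following Python is an added example written for this page, not FERC, NERC or E-ISAC code: it records a cyber event with the three DHS attributes (functional impact, attack vector, level of intrusion), decides whether the event is reportable under the existing CIP-008-5 trigger (a reliability task compromised or disrupted) and under the NOPR's proposed trigger (a compromise or attempt against an ESP or EACMS, with a switch for the ESP-only alternative on which FERC sought comment), computes the one-hour initial-notification deadline the current rules set, and rolls reported events into an anonymized summary sliced the way the ICS-CERT annual report slices them. The asset-class names, attribute values, the keyed-hash anonymization, the assumption that the existing reliability-task trigger is retained alongside the new one, and every sample event are constructed for illustration.

```python
# Added example: reportability triage for the existing and proposed CIP-008 thresholds
# plus an anonymized annual summary. Not FERC/NERC code; names and values are assumptions.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac

# Asset classes an event can be directed at (labels are assumptions, not CIP terms of art).
ESP, EACMS, BES_CYBER_SYSTEM, CORPORATE_IT = "ESP", "EACMS", "BES_CYBER_SYSTEM", "CORPORATE_IT"
INITIAL_NOTIFICATION_WINDOW = timedelta(hours=1)  # current E-ISAC initial-notice deadline


@dataclass(frozen=True)
class CyberEvent:
    entity: str                       # responsible entity; identifying, so never published as-is
    determined_at: datetime           # when the entity determined the event was reportable
    target: str                       # one of the asset classes above
    outcome: str                      # "compromised" or "attempted"
    reliability_task_disrupted: bool  # CIP-008-5's existing trigger
    functional_impact: str            # DHS attribute 1 (achieved or attempted)
    attack_vector: str                # DHS attribute 2
    intrusion_level: str              # DHS attribute 3 (achieved or attempted)


def reportable_cip_008_5(ev: CyberEvent) -> bool:
    """Existing threshold: only incidents that compromised or disrupted a reliability task."""
    return ev.reliability_task_disrupted


def reportable_nopr(ev: CyberEvent, include_eacms: bool = True) -> bool:
    """Proposed threshold: compromise, or attempt to compromise, an ESP or EACMS.
    include_eacms=False models the ESP-only alternative FERC asked commenters about.
    Assumption: the existing reliability-task trigger is retained alongside it."""
    perimeter = {ESP, EACMS} if include_eacms else {ESP}
    attempt_or_breach = ev.target in perimeter and ev.outcome in {"compromised", "attempted"}
    return reportable_cip_008_5(ev) or attempt_or_breach


def initial_notification_deadline(ev: CyberEvent) -> datetime:
    """Initial notice to the E-ISAC is due within an hour of the reportability determination."""
    return ev.determined_at + INITIAL_NOTIFICATION_WINDOW


def anonymize_entity(name: str, key: bytes) -> str:
    """Keyed hash so the public summary can count per entity without naming it (assumed design)."""
    return hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:12]


def annual_summary(events, key: bytes, include_eacms: bool = True) -> dict:
    """Counts by the three DHS attributes, the slicing used in the ICS-CERT annual pie charts."""
    reported = [ev for ev in events if reportable_nopr(ev, include_eacms)]
    return {
        "reported": len(reported),
        "newly_reportable": sum(1 for ev in reported if not reportable_cip_008_5(ev)),
        "by_functional_impact": dict(Counter(ev.functional_impact for ev in reported)),
        "by_attack_vector": dict(Counter(ev.attack_vector for ev in reported)),
        "by_intrusion_level": dict(Counter(ev.intrusion_level for ev in reported)),
        "entities": sorted({anonymize_entity(ev.entity, key) for ev in reported}),
    }


# Constructed sample events (not real incidents or real entities).
T0 = datetime(2018, 1, 18, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # Phishing that never left the corporate side: the "email, websites" case NERC describes.
    CyberEvent("Utility A", T0, CORPORATE_IT, "attempted", False,
               "none", "phishing for credentials", "none"),
    # Failed attempt against the authentication server guarding the ESP: a zero-consequence precursor.
    CyberEvent("Utility A", T0 + timedelta(hours=2), EACMS, "attempted", False,
               "none", "phishing for credentials", "attempted perimeter access"),
    # Firewall (an EACMS) compromised, but no reliability task disrupted.
    CyberEvent("Utility B", T0 + timedelta(days=3), EACMS, "compromised", False,
               "loss of visibility", "malware exploiting known vulnerability", "business network"),
    # Malware inside the ESP that did disrupt a reliability task: reportable today as well.
    CyberEvent("Utility C", T0 + timedelta(days=40), ESP, "compromised", True,
               "loss of control", "malware exploiting known vulnerability", "control system"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.entity:10} {ev.target:13} {ev.outcome:11} current={reportable_cip_008_5(ev)!s:5} "
              f"proposed={reportable_nopr(ev)!s:5} notify_by={initial_notification_deadline(ev).isoformat()}")
    print(annual_summary(SAMPLE_EVENTS, key=b"summary-key-placeholder"))
```

Run as a script, the table shows the point FERC is making: of the four constructed events only the last is reportable today, while the proposed trigger also captures the two EACMS events, and the ESP-only alternative drops back to one. The summary never carries an entity name, only the keyed hash, so the same key must be used across a reporting year for per-entity counts to line up.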
“The EACMS … are the systems that control access to the ESP. … You could consider it being the doorway,” Kevin Ryan, an attorney in the General Counsel’s office, explained during a presentation at the commission’s open meeting Thursday. “This … limits the proposal to high- and medium-impact BES cyber systems so we can see what happens in the future. But we’re not touching on low-[impact systems] at this point.”
The commission also asked for comment on alternatives to modifying the mandatory reporting requirements, such as whether a request for data or information pursuant to Section 1600 of the NERC Rules of Procedure “would effectively address the reporting gap … and satisfy the goals of the proposed directive.”
Safety ‘Pyramid’
The NOPR was approved unanimously.
“One thing that has been observed and studied across many industries — not just electricity but in aviation, medicine and other industries — is a well-established … statistical correlation between minor issues or near misses that are far more frequent and … rare major events,” said Commissioner Cheryl LaFleur, referring to what is known as “the safety pyramid.”
“We need to learn from the things that don’t happen but that could have happened in order to prevent the big thing that you’re afraid of happening,” she continued. “I think it’s important that we identify and track attempted incursions into the grid’s cyber defenses to help us learn from them, study the trends [and] see what we might need to do to standards.”
Commissioner Richard Glick, attending his first meeting, said, “We’ve been pretty lucky in the United States so far — at least on the electric side — in not having any significant consequences from cyber efforts.
“But we’ve seen it around the world already,” he added, noting the 2015 and 2016 attacks in Ukraine and Schneider Electric’s Dec. 14 disclosure that one of its control systems — used by power plants worldwide — was the target of an attack.
Malware
The attack, believed to be the work of nation-state hackers, targeted Schneider’s Triconex industrial safety technology, which is used by nuclear generators and oil and gas plants.
Investigators said the hackers used malware to take remote control of a workstation running Triconex’s safety shutdown system, then sought to reprogram controllers used to identify safety issues. One investigator called it a “watershed” attack that will likely be repeated.
The malware, which security firm FireEye named Triton, is the third type of computer virus known to be able to disrupt industrial processes. It was preceded by Stuxnet, which the U.S. and Israel allegedly used to attack Iran’s nuclear weapons program, and CrashOverride (also known as Industroyer), believed to have been used in the December 2016 attack in Ukraine. (See Experts ID New Cyber Threat to SCADA Systems.)
In proposing tighter disclosure rules, FERC also rejected The Foundation for Resilient Societies’ January 2017 petition asking the commission to set new standards for malware detection, mitigation and reporting (AD17-9).
The commission said new standards were not necessary based on existing reliability standards and ongoing efforts.
“For example, provisions of currently effective reliability standards, including CIP-005-5 and CIP-007-6, address malware detection and mitigation. Ongoing efforts described by NERC and other commenters, such as the development of a supply chain risk management standard, should also address malware concerns,” FERC said.