Registered entities have until July 24 to report to NERC on the cyber assets present on their systems and the potential impact of adding security monitoring software under a data request issued by the ERO on Thursday.
NERC released the data request in accordance with an order that FERC issued in January approving the development of reliability standards requiring internal network security monitoring (INSM) to be implemented in high-impact cyber systems and medium-impact systems with external routable connectivity (ERC) at grid facilities. (See FERC Orders Internal Cyber Monitoring in Response to SolarWinds Hack.)
FERC also required the ERO to submit a report within 12 months on the feasibility of implementing INSM on systems to which its order did not apply, namely medium-impact systems without ERC and low-impact systems. NERC’s classification of high-, medium- and low-impact is based on the functions of the assets within each system, along with the risks they could pose to reliable grid operations. Utilities are responsible for classifying the systems’ impact level.
NERC’s data request affects balancing authorities, distribution providers, generator owners and operators, transmission owners and operators, and reliability coordinators. The ERO is hoping to find out from each entity:
- the number of substation and generation locations containing medium-impact cyber systems with and without ERC;
- the number of substation, generation and control center locations containing low-impact systems with and without ERC;
- the estimated percentage of network configurations for several categories of medium-impact systems without ERC, and low-impact systems with and without ERC; and
- the estimated percentage of low-impact systems that currently have network-based malicious code detection.
The ERO also asked utilities to rate a series of challenges involved in extending INSM to medium-impact cyber systems without ERC and to all low-impact cyber systems, including equipment retrofit and network redesign, compliance burdens, implementation and maintenance costs, and supply chain constraints. In addition, entities have the option of suggesting alternate approaches to mitigate the risk of operating without INSM and, for those that have already implemented INSM on their cyber systems, how they went about it.
Responses are due within 60 days from the issuance of the request.
Chinese Hackers Targeted US Infrastructure
The commission defines INSM as a set of practices or tools for gaining visibility into an entity’s own system, including anti-malware, intrusion-detection and prevention systems. It initially suggested the addition of INSM to NERC’s Critical Infrastructure Protection standards last year in response to recent cyberattacks, most prominently the SolarWinds hack of 2020 that left network management software used by thousands of public- and private-sector organizations worldwide infected with malware. (See FERC Proposes New Cybersecurity Standard.)
SolarWinds now claims the actual number of customers affected by the hack to be fewer than 100, but the prospect of malicious actors, particularly hostile nation-states, gaining that kind of access caused alarm bells to ring throughout the cybersecurity community. (The U.S. has accused Russia’s Foreign Intelligence Service of perpetrating the SolarWinds hack.) FERC, which was one of the organizations potentially affected, said last year that the attack “demonstrated how an attacker can bypass all network perimeter-based security controls traditionally used to identify the early phases of an attack.”
Those concerns have continued to grow. The day before NERC issued its data request, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), along with the National Security Agency, FBI and several of CISA’s international counterparts, published a joint cybersecurity advisory warning about Volt Typhoon, a cyber actor believed to be sponsored by China.
According to CISA, Volt Typhoon uses “legitimate network administration tools [to blend] in with normal system and network activities, avoid identification … and limit the amount of activity that is captured in common logging configurations,” an approach commonly called “living off the land.” A separate statement from Microsoft identified Volt Typhoon as having “targeted critical infrastructure organizations in Guam and elsewhere in the United States,” including the utility sector.
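The “living off the land” problem described above is exactly why the commission frames INSM as visibility into an entity’s own system rather than perimeter blocking: the tools an attacker runs are legitimate, so matching on tool names alone proves nothing. The following is an added illustration, not code from the article, NERC, CISA or Microsoft, of the kind of check an internal monitoring program can run over process-start records. It learns which account and parent process normally launches each watched administrative tool during a known-good period, then flags later executions that deviate from that baseline. The log format, hostnames, accounts, the list of watched tools and all log lines are constructed for this example.

```python
"""
Added example: baseline-versus-observed check for legitimate admin tools.
Instead of asking "is this tool malicious?" (it never is), it asks
"is this tool being run by the usual account from the usual parent?".
Everything here (record format, hosts, users, watched tools) is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Assumption: the built-in tools an organisation chooses to watch.
# Pick these from your own environment; the set below is illustrative.
WATCHED_TOOLS = {"netsh.exe", "wmic.exe", "ntdsutil.exe", "powershell.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed pipe-delimited record: host|user|parent|image|cmdline."""
    host, user, parent, image, cmdline = (f.strip() for f in line.split("|", 4))
    return ProcessEvent(host, user.lower(), parent.lower(), image.lower(), cmdline)


# (user, parent image, watched tool)
Key = Tuple[str, str, str]


def build_baseline(lines: Iterable[str]) -> Set[Key]:
    """Record every (user, parent, tool) combination seen during a known-good period."""
    baseline: Set[Key] = set()
    for line in lines:
        ev = parse_event(line)
        if ev.image in WATCHED_TOOLS:
            baseline.add((ev.user, ev.parent, ev.image))
    return baseline


def find_anomalies(lines: Iterable[str], baseline: Set[Key]) -> List[Tuple[ProcessEvent, str]]:
    """Return (event, reason) for each watched-tool execution not covered by the baseline."""
    findings: List[Tuple[ProcessEvent, str]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.image not in WATCHED_TOOLS:
            continue  # not a tool we care about
        if (ev.user, ev.parent, ev.image) in baseline:
            continue  # normal administrative use
        usual_users = {u for (u, _, tool) in baseline if tool == ev.image}
        if ev.user not in usual_users:
            reason = f"{ev.image} was never run by {ev.user} during the baseline period"
        else:
            reason = f"{ev.image} run by {ev.user} from unexpected parent {ev.parent}"
        findings.append((ev, reason))
    return findings


# Constructed known-good records: an operations admin uses netsh from a
# console, and a scheduled task runs a PowerShell backup script as SYSTEM.
BASELINE_LOG = [
    "HOST-SUB1 | CORP\\opsadmin | cmd.exe | netsh.exe | netsh interface show interface",
    "HOST-SUB1 | NT AUTHORITY\\SYSTEM | svchost.exe | powershell.exe | powershell -File C:\\maint\\backup.ps1",
    "HOST-SUB2 | CORP\\opsadmin | cmd.exe | netsh.exe | netsh advfirewall show allprofiles",
]

# Constructed records from a later period. The commands themselves are
# ordinary; what differs is who runs them and from where.
LIVE_LOG = [
    "HOST-SUB1 | CORP\\opsadmin | cmd.exe | netsh.exe | netsh interface show interface",
    "HOST-SUB1 | CORP\\svc_web | w3wp.exe | netsh.exe | netsh advfirewall show allprofiles",
    "HOST-DC1 | CORP\\opsadmin | cmd.exe | ntdsutil.exe | ntdsutil",
    "HOST-SUB2 | CORP\\opsadmin | powershell.exe | netsh.exe | netsh interface show interface",
    "HOST-SUB2 | CORP\\opsadmin | explorer.exe | notepad.exe | notepad.exe C:\\notes.txt",
]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for event, why in find_anomalies(LIVE_LOG, baseline):
        print(f"[{event.host}] {why}: {event.cmdline}")
```

Run stand-alone, the script reports three of the five live records: a web service account launching netsh from the web server worker process, an account running ntdsutil that no baseline record covers, and the admin launching netsh from an unexpected parent. The ordinary netsh use and the notepad launch are silent. The point of the design is that the decision never depends on the command line being “bad”; a real deployment would feed it the process-creation telemetry that INSM sensors collect and would build the baseline from a longer observation window than the three records used here.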
“For years, China has conducted aggressive cyber operations to steal intellectual property and sensitive data from organizations around the globe. Today’s advisory highlights China’s continued use of sophisticated means to target our nation’s critical infrastructure, and it gives network defenders important insights into how to detect and mitigate this malicious activity,” CISA Director Jen Easterly said in a press release. “We encourage all organizations to review the advisory, take action to mitigate risk and report any evidence of anomalous activity.”