With the recent attack against software developed by SolarWind which affected both public and private organizations, the public has become more acutely aware of the impending threat of the usage of either products or services from organizations that are part of any supply chain management.

The supply chain risk

To understand the impact a supply chain attack may have, it is useful to focus on how the SolarWinds hack developed and its impact.

Malicious actors got inside the development operations of SolarWinds and managed to insert malware inside a software update that was distributed by the company in March. Once installed, the malware “phoned home” to a command-and-control network run by the hacking group, which enabled them to enter the network and take further action. Since the patch originated and was digitally signed by SolarWinds, most user companies were not aware that the version of their software was compromised.

Until recently, it was known that the attack had affected a handful of US federal and government agencies and organizations, and technology or security firms. However, a recent report from Kaspersky’s ICS CERT unit noted that “about 18,000 users may have installed backdoored versions of SolarWinds.” What is particularly interesting is that among those 18,000 victims, there were “nearly 2,000 domains impacted by Sunburst and estimated that roughly 32% of them were associated with industrial organizations.”

A majority of them are organizations in the manufacturing sector, followed by utilities, construction, transportation and logistics, oil and gas, mining, and energy. The SolarWinds software is highly integrated into many systems around the globe in different industries, therefore, it shouldn’t come as a surprise if we experience second-stage activity in any of these organizations.

How NERC manages supply chain risks

The digital transformation of the industrial sector, including the energy and power industry, has brought many benefits, but it has also created a never seen before expanded threat landscape. Interdependence and interconnectivity are holes in the security, safety, and reliability posture of the electric grid, threatening to wreak havoc if their vulnerabilities are exploited.

We could rephrase this as “The North American Electric Reliability Corporation (NERC), in response to FERC Order 829 which recognizes the impact of supply chain risks to the organizations, developed Critical Infrastructure Protection (CIP) standard 13-1. The standard includes cybersecurity requirements and their related security controls for supply chain risk management of BES Cyber Systems for electric power and utility companies.”The new standard was approved by the Federal Energy Regulatory Commission (FERC) on October 18, 2018, and it has been enforced on October 1, 2020.

The standard applies to assets that are rated as high- and medium-impact Bulk Electric System Cyber Systems (BCS). It requires registered entities to develop documented plans to identify and assess vendor risks associated with their sold and installed products including software and the vendor’s own supply chain. In addition to having an overarching plan, the requirements also explicitly cover six key required process areas.

The five covered areas are:

  • Vendor security incident notification and coordinated response
  • Vendor personnel off-boarding notification
  • Receiving disclosures by vendors of known vulnerabilities
  • Verification of vendor software integrity and authenticity
  • Coordination of vendor remote access.

As NERC does not have regulatory jurisdiction over the vendors, they are regulating the vendors by proxy. The Registered Entity has to include the vendor risks associated with the processes noted above in their compliance risk management.

In addition to CIP 013-1, NERC has enhanced several other existing CIP standards to include supply risk management.

  • CIP-005 requires the identification of active vendor remote access sessions and the establishment of methods to disable active vendor remote access sessions.
  • CIP-010 requires an entity to verify the origin of its software and the integrity of the software it has obtained from its source. The intent is to make it increasingly difficult for attackers to take advantage of vendor patches and software distribution practices to introduce compromises into a system.

Lessons learned

Supply chain risks are a business risk. Therefore, the management of these risks should include various teams within an organization and would require coordination and alignment with common objectives and goals. As an off-shoot of that exercise, the organization would require an evaluation of their standards, processes, and procedures from not only an operational standpoint, but, also from a technical one.

Although the CIP 013-1 standard applies to high- and medium-impact BCS, it is advised that electric grid entities extend its applicability to low-impact BES Cyber Systems as well. As the SolarWinds hack proved, adversaries need to put their feet on one component, and they can take it from there to expand their operations to a multitude of organizations. With the electric grid being increasingly interdependent, it is prudent to safeguard any pathways that may act as backdoors to conquering our castle.

How ITEGRITI can help

As this standard is fairly new, organizations need to consider the risks associated with non or partial compliance of the standard.  They may want to consider the services of organizations, such as ITEGRITI that are well-versed in the interpretation and implementation of NERC CIP regulations.

ITEGRITI helps protect some of the nation’s most critical infrastructure, serving clients in energy, healthcare, transportation, education, retail and financial sectors.  We develop and implement programs that mitigate cyber and compliance risk, supported by internal controls to measure, monitor, and report ongoing program effectiveness. Our programs help companies avoid hacks and minimize business impact during a cybersecurity event.