
Executive Order: White House takes on Utility Hackers…

May 11, 2020

PART 1 of Enemy Perspectives in OT.

"Knock Knock"
Power Plant: "Who's there?"
"It’s me, Huawei"
Power Plant: "Huawei who?"

Background: The concern about foreign hardware and software being installed inside our national grid is nothing new. These components have historically come from everywhere, with varying degrees of scrutiny. Pressure on CapEx and OpEx spending has led multiple sourcing teams to procure through cost-competitive but ethically challenged vendors.

Before the opinion is analyzed, one must understand what The North American Electric Reliability Corporation (NERC) is about to do. NERC CIP (Critical Infrastructure Protection) regulates everything cyber for utilities. Chapter 013 of NERC-CIP covers "Supply Chain Risk Management." It's not yet enforceable, but it will require six cyber features vendors must comply with. Specifically:

[Image: WhiteHouse Utility Hacker 1]

This is all pretty basic stuff and was designed to move the needle but not burden the vendors or utilities. The White House is coming over the top and functionally adding a seventh feature: blacklisted firms.

Politics aside, this issue has been wrestled with behind the scenes of FERC and not necessarily thrust into the spotlight until now. The CIP standards have teeth and are driving rapid maturity within the sector. Utilities are far more mature than the rest of the infrastructure industries. This executive order feels different; this is much more public, political, and targeted. It might lack the teeth of NERC, but that doesn't mean it doesn't bite. Only time will tell how it's received on the national and domestic stage.

What is left unclear:

  • Definition of "foreign adversary" – Sure, we know this is targeting China. But what about Latin American firms, or Southeast Asian manufacturers?
  • Sec 2ii – A joint agency will develop ways to identify, isolate, monitor, and replace affected suppliers. One can assume each and every utility is going to have to be more nimble than previously required, specifically around IT hygiene inside of Operational Technology (OT).

It sounds like this is going to publicly target a "blacklist" and make funds available for replacement with less risky vendors.

What is clear:

There will be a rush of managers, directors, and CISOs getting questions on "do we own ABC or XYZ?" This same line of questioning is what panicked this group in 2017 when the Schneider Triconex vulnerability was released. In my experience, asset discovery is the number one use case for all of OT. Many have moved on a solution, but most have not. This leaves many of our Critical Infrastructure Teams combing through old POs or delivery slips for real-time knowledge of their operating environment.

It's also clear that NERC and the White House will spend considerable time ironing out the details. In the meantime, here are three pragmatic improvements any firm needing to improve production floor security can take:

  1. Find the assets:

    There are many solutions on the market that break down OT network traffic to determine the make/model of IT and OT gear. More importantly, they connect CVEs, detail patching history, and discover configuration errors. These discovery tools will be the enablement arm of this order. Most utilities don't have this functionality today. Most rely on physical records and tribal knowledge.

  2. Test the Assets:

    Once identified, some critical components cannot be removed or are so widely deployed that replacement is too costly. Also, NERC-CIP does not require third-party verification. A malicious actor, skilled in documentation and process, would not be deterred. If a product does have questionable origins, reverse engineering is the only way to determine how to properly mitigate potential vulnerabilities – either accidental or purposeful.
    Of note, Russia requires a cryptography compliance verification before US software can be sold within the country.

  3. Secure the assets:

    The threat to the supply chain ranges from the largest generators to the smallest switches. At some point, there will be a weak point. Overlaying this network with the ability to detect and respond to anomalous behavior is critical. Three examples of real (and undetected) behavior found in the wild:

    1. An isolated VLAN reaching out for a patch from an unverified source. It had never been patched before.
    2. TBs of data being uploaded to the cloud from a jump box that normally downloads 5MB a year.
    3. Malware calling home…every 90 seconds…for three years.

All of those behaviors have been routinely examined and monitored on the IT networks (with various degrees of success) for years. The OT world has gotten a pass for much too long. No matter the threat source, a firm has to be ready to see things that are abnormal operations of IT equipment, especially when it’s connected to critical infrastructure.
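As an added illustration (not code from the original post), here is a small Python pass over constructed flow records that flags the three behaviors listed above: an isolated VLAN talking to a host outside its allowlist, a jump box whose egress dwarfs its yearly baseline, and a fixed-interval beacon. The host names, allowlist and baselines are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows (not from the original post):
# (epoch seconds, source host, destination host, bytes sent outbound)
FLOWS = [
    (0, "plc-vlan40", "historian-01", 4_096),              # approved peer of the isolated VLAN
    (60, "plc-vlan40", "fw-download.example", 1_500_000),  # patch pulled from a host not on the allowlist
    (120, "jumpbox-01", "bucket.cloud.example", 2_000_000_000_000),  # ~2 TB pushed out by the jump box
] + [(90 * i, "hmi-07", "203.0.113.9", 512) for i in range(8)]  # check-in every 90 s (8 events)

# Assumed site policy: hosts on the isolated VLAN and the peers they may talk to.
ISOLATED_HOSTS = {"plc-vlan40"}
ALLOWED_PEERS = {"plc-vlan40": {"historian-01"}}
# Assumed yearly egress baseline per host, in bytes (the jump box "downloads 5 MB a year").
EGRESS_BASELINE = {"jumpbox-01": 5_000_000, "hmi-07": 50_000_000, "plc-vlan40": 1_000_000}


def unapproved_egress(flows, isolated=ISOLATED_HOSTS, allowed=ALLOWED_PEERS):
    """(src, dst) pairs where an isolated host reached a destination outside its allowlist."""
    return sorted({(src, dst) for _, src, dst, _ in flows
                   if src in isolated and dst not in allowed.get(src, set())})


def volume_spike(flows, baseline=EGRESS_BASELINE, factor=100):
    """Hosts whose outbound bytes exceed `factor` times their yearly baseline."""
    total = defaultdict(int)
    for _, src, _, nbytes in flows:
        total[src] += nbytes
    return sorted((src, b) for src, b in total.items()
                  if src in baseline and b > factor * baseline[src])


def beacons(flows, min_events=6, max_jitter_s=2.0):
    """(src, dst, period) triples that connect at a near-constant interval: the
    signature of a scheduled call-home rather than operator-driven traffic."""
    seen = defaultdict(list)
    for ts, src, dst, _ in flows:
        seen[(src, dst)].append(ts)
    found = []
    for (src, dst), stamps in seen.items():
        if len(stamps) < max(min_events, 2):  # need at least one gap to measure
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) <= max_jitter_s:
            found.append((src, dst, mean(gaps)))
    return found
```

The allowlist check needs no baseline at all, which is why it is the cheapest win once asset discovery has told you which hosts belong on the isolated segment.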

The above three steps will enable speed of identification, allow protection features, and reduce time to detection, regardless of political pressure.

[Image: White House Utility Hackers 2]

Conclusion: The sentence above is a “Respond and Recover” away from a NIST Full House. The White House is inadvertently signaling that the foundations of IT are not being implemented in OT. Things like NIST are a far-off dream here and are only complicated further by Trump and NERC one-upping each other. Managing an OT security program capable of meeting C-Suite budgets and White House expectations is difficult. There is help. Building strategic and pragmatic programs in OT is a reality. Call it Plan, Build, Run or People, Process, and Technology – having expert guidance can keep a CISO sane.


By: Sean Tufts

Practice Director, Product Security - ICS & IOT
