Executive Order: White House takes on Utility Hackers…

Executive Order: White House takes on Utility Hackers…

PART 1 of Enemy Perspectives in OT.

"Knock Knock"

Power Plant: "Who's there?"

"It’s me, Huawei"

Power Plant: "Huawei who?"


Background: The concern of foreign hardware and software being installed inside our national grid is nothing new. These components have historically come from everywhere with various degrees of scrutiny. Pressure on CapX and OpX spending has led to multiple sourcing teams procuring through cost-competitive but ethically challenged vendors.


Before the opinion is analyzed, one must understand what The North American Electric Reliability Corporation (NERC) is about to do. NERC CIP (Critical Infrastructure Protection) regulates everything cyber for utilities. Chapter 013 of NERC-CIP covers "Supply Chain Risk Management." It's not yet enforceable, but it will require six cyber features vendors must comply with. Specifically:


White House Utility Hacker 1


This is all pretty basic stuff and was designed to move the needle but not burden the vendors or utilities. The White House is coming over the top and functionally adding a seventh feature: blacklisted firms.


Politics aside, this issue has been wrestled with behind the scenes of FERC and not necessarily thrust into the spotlight until now. The CIP standards have teeth and are driving rapid maturity within the sector. Utilities are far more mature than the rest of the infrastructure industries. This executive order feels different; this is much more public, political, and targeted. It might lack the teeth of NERC, but that doesn't mean it doesn't bite. Only time will tell how it's received on the national and domestic stage.


What is left unclear:


  • Definition of "foreign adversary" – Sure, we know this is targeting China. But what about Latin American firms, or Southeast Asian manufacturers?
  • Sec 2ii – A joint agency will develop ways to identify, isolate, monitor, and replace affected suppliers. One can assume each and every utility is going to have to be more nimble then previously required, specifically, around IT hygiene inside of Operational Technology (OT).


It sounds like this is going to publicly target a "blacklist" and make funds available for replacement with less risky vendors.


What is clear:


There will be a rush of managers, directors, and CISOs getting questions on "do we own ABC or XYZ?" This same line of questioning is what panicked this group in 2017 when the Schneider Triconex vulnerability was released. In my experience, asset discovery is the number one use case for all of OT. Many have moved on a solution, but most have not. This leaves many of our Critical Infrastructure Teams combing through old POs or delivery slips for real-time knowledge of their operating environment.


It's also clear that NERC and the White House will spend considerable time ironing out the details. In the meantime, here are three pragmatic improvements any firm needing to improve production floor security can take:


  1. Find the assets:

    There are many solutions on the market that break down OT network traffic to determine the make/model of IT and OT gear. More importantly, they connect CVEs, detail patching history, and discover configuration errors. These discovery tools will be the enablement arm of this order. Most utilities don't have this functionality today. Most rely on physical records and tribal knowledge.

  2. Test the Assets:

    Once identified, some critical components cannot be removed or are so widely deployed that replacement is too costly. Also, NERC-CIP does not require third-party verification. A malicious actor, skilled in documentation and process, would not be deterred. If a product does have questionable origins, reverse engineering is the only way to determine how to properly mitigate potential vulnerabilities – either accidental or purposeful.

    Of note, Russia requires a cryptography compliance verification before US software can be sold within the country.

  3. Secure the assets:

    The threat to the supply chain ranges from the largest generators to the smallest switches. At some point, there will be a weak point. Overlaying this network with the ability to detect and respond to anomalies' behavior is critical. Three examples of real (and undetected) behavior found in the wild:

    1. An isolated VLAN reaching out for a patch from an unverified source. It had never been patched before.
    2. TBs of data being uploaded to the cloud from a jump box that normally downloads 5MB a year.
    3. Malware calling home…every 90 seconds…for three years.


All of those behaviors have been routinely examined and monitored on the IT networks (with various degrees of success) for years. The OT world has gotten a pass for much too long. No matter the threat source, a firm has to be ready to see things that are abnormal operations of IT equipment, especially when it’s connected to critical infrastructure.


The above three steps will enable speed of identification, allow protection features, and reduce time to detection…. regardless of political pressure.



White House Utility Hackers 2


Conclusion: The sentence above is a “Respond and Recover” away from a NIST Full House. The White House is inadvertently signaling that the foundations of IT are not being implemented in OT. Things like NIST are a far-off dream here and are only complicated further by Trump and NERC one-upping each other. Managing an OT security program capable of meeting C-Suite budgets and White House expectations is difficult. There is help. Building strategic and pragmatic programs in OT is a reality. Call it Plan, Build, Run or People, Process, and Technology – having expert guidance can keep a CISO sane.

Sean Tufts
Practice Director, Product Security - ICS & IoT | Optiv
Sean Tufts is the Practice Director for the OT/IoT business at Optiv. He's a former NFL Linebacker turned Critical Infrastructure security leader. Post NFL, he worked for utility operators and O&G hardware suppliers. Prior to his current leadership position at Optiv, Sean was on the Digital transformation team for General Electric focusing on security services for the O&G market. In 2012 he was honored by Forbes as a "30 Under 30" recipient. Sean has a bachelor’s degree and MBA from the University of Colorado, Boulder.