I attended the DHS NCCIC unclassified awareness briefing on Russian activity against critical infrastructure. The briefing dealt with incidents that happened last year affecting supply chain and network issues. There was no discussion of process sensors or cascading failures. July 24, 2018, NERC issued a formal Lessons Learned report of a compromise of a utility device for seven months prior to discovery. This was not part of the DHS discussion. Consequently, July 24, 2018, I issued a blog: “Russian activity against critical infrastructure – what’s new?”
July 19, 2018, the Federal Energy Regulatory Commission (FERC) passed Order No. 848 to expand cyber security incident reporting. According to FERC, the North American Electric Corporation (NERC) needs to develop, within six-months of the effective date of this final rule, modifications to the Critical Infrastructure Protection (CIP) cyber security standards to improve mandatory reporting of cyber security incidents, including attempts that might facilitate subsequent efforts to harm reliable operation of the nation’s bulk electric system.
July 24, 2018, NERC issued a formal Lessons Learned report where an electronic access point connected to the Internet from a low-impact facility for remotely accessing a capacitor bank was compromised by unauthorized Internet users for seven months prior to discovery. Because the device was identified as an End-of-Life system, the compromised system was not maintained (patched, monitored, etc.). The initial compromise resulted from an unauthorized Internet user guessing via a “brute force” method the weak password for the administrators’ account, which permitted remote access. The compromised cyber asset was used over a seven-month period as a mail relaying (SMTP) and remote desktop (RDP) scanner. Additionally, the IP address and credentials for the cyber asset were posted on a Russian-based media site, and the cyber asset was subsequently infected with ransomware. Upon looking into the matter further, personnel discovered that the cyber asset was compromised with ransomware, so the registered entity immediately (after 7 months) powered off the cyber asset. Although the attackers likely conducted reconnaissance on the local network to identify other vulnerable devices, the primary focus of their activity appears to identify other remote systems to target for attacks.
The purpose of the Internet-connected access point was to remotely access and operate the capacitor banks to ensure the reliability of the system. The compromise was discovered after support staff could not remotely access the capacitor bank. A cyber incident with a capacitor bank was the root cause of an outage that affected portions of the lower two-thirds of Florida that led to the loss of 22 transmission lines, 4,300 MW of generation, and 3,650 MW of customer service or load. Consequently, targeting a capacitor bank is not a trivial event (I have addressed the Florida outage incident in my book – Protecting Industrial Control System from Electronic Threats).
Some of the more glaring issues with the NERC Lesson Learned report include:
- NERC refuses to identify this incident as being a “cyber attack” despite calling this a ransomware attack and stating the device was compromised.
- NERC only addresses BES assets even though the 2015 Ukrainian cyber attack was against the distribution system that could pivot into the BES system. Moreover, Low Impact BES assets don’t require an appropriate level of monitoring.
- The 2008 Florida outage started from a capacitor bank switch (considered a distribution device) and serial communications both of which are excluded from NERC CIP requirements. Yet those devices and communications affected multiple BES assets.
- The compromise was undetected for 7 months despite the utility having NERC CIP monitoring requirements.
- There is no mention of any NERC actions taken against the utility for this egregious cyber security failure. What is NERC doing to prevent these types of procedural and technical issues from recurring?
- Why are control systems connected directly to the Internet? In the May/June 2015 time frame, DHS provided explicit guidance not do that or the equipment will be hacked – and it was.
Cyber security is more than just monitoring networks. As control systems are system of systems, it is important to understand system interactions. It should be evident that Low Impact Bulk Electric System (BES) or distribution assets can affect other BES assets or cause cascading impacts. Understanding the physical systems is critical to understanding the potential physical impacts and risks.
Joe Weiss