A Primer on the SolarWinds Hack

Recent Cybersecurity Attacks and the Bulk Electric System

The threats to cyber assets that support the operation and security of the Bulk Electric System (BES) are becoming increasingly advanced. Over the past decade, the world has witnessed a rise in innovative and unconventional campaigns, including the development of Stuxnet, the 2013 Yahoo hack, the 2017 Equifax hack, and the 2020 SolarWinds hack.

One thing they all seem to have in common is that they employ a myriad of techniques, old and new, to achieve their objectives. The companies operating the BES remain susceptible, even though mandatory Critical Infrastructure Protection (CIP) Standards are enforced by the North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC). To complement such regulations, new measures must be developed and implemented alongside existing ones to combat these dynamic threats.

Advanced Cybersecurity Events and the Bulk Electric System

In 2010, the world took notice of a very advanced cyberattack that caused great damage to the Natanz nuclear site in Iran. At that time, the worm that caused such devastating damage was a new kind of threat, advanced and sophisticated. It made the world realize that these cyber threats had moved from the machinations of deep web occupants to tangible, real-world applications. The worm, later dubbed Stuxnet, held another surprise: it contained a bug of its own and did not distinguish between the systems at Natanz and those on the open, indexed internet. This allowed savvy cybersecurity investigators to get a good look at the inner workings of code that was developed to manipulate Supervisory Control and Data Acquisition (SCADA) systems. The joint US-Israeli operation known as Olympic Games has been unofficially credited with creating and deploying Stuxnet, though no one has ever accepted credit.

Over the next ten years, many hacks would gain publicity due to the high volume of victims and the high-profile entities that were targeted. Most of these attacks yielded personal information, presumably to be used for financial gain. Victims included institutions such as Yahoo, Equifax, Zynga, the IRS, Microsoft, and NASA. Late 2020 brought a new, far-reaching attack involving the relatively obscure software company SolarWinds. This particular attack has some potentially devastating ramifications for the US intelligence community, the Department of Defense, the Department of Energy, and a plethora of Fortune 500 companies, as government entities and private industry alike widely used the SolarWinds Orion software platform.

Believed to be carried out by foreign state-sponsored actors, the SolarWinds hack compromised sensitive systems on an unprecedented scale, with the full extent of the breach yet to be publicly acknowledged. An attack of this magnitude has been feared for quite some time. In May 2020, the Trump Administration issued Executive Order 13920, aimed at addressing the security of the BES, and NERC enacted the CIP-013-1 Reliability Standard, which dealt with supply chain vulnerabilities.

Coincidentally, the malicious code in SolarWinds' software appears to have been injected into the supply chain during patch/update development.

Like Stuxnet, which targeted SCADA systems, the SolarWinds attack is being described as a new kind of attack, leaving untold devastation in its wake. Since the US Department of Energy has confirmed that the SolarWinds attack compromised its systems, the entities responsible for the operation and planning of the BES are now in a position to investigate the extent of condition of the hack and begin damage control. Since this attack was not aimed at obtaining personal information for financial gain, we must focus on the sophistication of the hack, the targeted entities (and the reasons behind their selection), and the potential consequences that may follow. After the damage assessment, an after-action effort should be made to shore up any vulnerabilities or identified exposure.

Identifying Risk and Extent of Condition

Because the SolarWinds hack used such sophisticated methods, the task of assessing your organization's risk may seem overwhelming. The first and most obvious action is to determine whether your systems use FireEye or SolarWinds software. This particular attack is believed to have temporarily replaced legitimate files with malicious ones: it first delivered a light payload to keep suspicion low and then replaced the malicious file with the original one. The deployed payload is thought to be a modified penetration testing platform widely used in the cybersecurity industry. One way to gain insight into whether your systems were impacted is to employ measures that detect the activity indicating this file replacement and re-replacement. For the BES, the extent of potential damage from the hack depends on the intent of the perpetrators and how much information was compromised. At this point, the breadth and scope of the hack are unknown. In the intelligence community, this would lead to the assumption that all sensitive information has been compromised, meaning that immediate measures must be taken to ensure the worst-case scenario cannot materialize.
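As an added illustration (not code from the original article or from any vendor), the Python below shows why a single point-in-time integrity check misses the swap-and-restore pattern described above, while a comparison across a history of snapshots catches it. File paths, contents and snapshot labels are constructed for the example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: hypothetical paths and contents, not real artifacts.
# Each snapshot is (label, {path: file_bytes}) as a file-integrity agent might capture it.
GOOD_LIB = b"legitimate library build 1.0"
SWAPPED_LIB = b"altered library contents"
SNAPSHOTS: List[Tuple[str, Dict[str, bytes]]] = [
    ("t0", {"app/lib.dll": GOOD_LIB, "app/config.xml": b"<cfg/>"}),
    ("t1", {"app/lib.dll": SWAPPED_LIB, "app/config.xml": b"<cfg/>"}),  # file swapped
    ("t2", {"app/lib.dll": SWAPPED_LIB, "app/config.xml": b"<cfg/>"}),
    ("t3", {"app/lib.dll": GOOD_LIB, "app/config.xml": b"<cfg/>"}),     # original restored
]

def baseline_hashes(snapshot: Dict[str, bytes]) -> Dict[str, str]:
    """Known-good hash per path, taken from a trusted snapshot."""
    return {path: sha256(content) for path, content in snapshot.items()}

def point_in_time_check(baseline: Dict[str, str], snapshot: Dict[str, bytes]) -> List[str]:
    """Paths whose current hash differs from baseline. Blind once the swap is undone."""
    return sorted(p for p, c in snapshot.items() if baseline.get(p) != sha256(c))

def find_transient_replacements(
    baseline: Dict[str, str], snapshots: List[Tuple[str, Dict[str, bytes]]]
) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """Paths that left the baseline hash and later returned to it.

    Returns {path: [(label_first_deviated, label_restored), ...]}; a deviation still
    open at the last snapshot is reported with None as its end.
    """
    intervals: Dict[str, List[Tuple[str, Optional[str]]]] = {}
    open_since: Dict[str, str] = {}
    for label, snap in snapshots:
        for path, content in snap.items():
            matches = baseline.get(path) == sha256(content)
            if not matches and path not in open_since:
                open_since[path] = label
            elif matches and path in open_since:
                intervals.setdefault(path, []).append((open_since.pop(path), label))
    for path, start in open_since.items():
        intervals.setdefault(path, []).append((start, None))
    return intervals

if __name__ == "__main__":
    base = baseline_hashes(SNAPSHOTS[0][1])
    print("latest snapshot vs baseline:", point_in_time_check(base, SNAPSHOTS[-1][1]))
    print("swap-and-restore intervals:", find_transient_replacements(base, SNAPSHOTS))
```

The final snapshot looks clean to the point-in-time check, but the history-aware function reports that app/lib.dll deviated at t1 and was restored at t3.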

Action and After-Action

With the level of sophistication and consensus that the attackers were foreign state-sponsored actors, it is safe to assume that the expected outcome does not involve financial gain. If disruption of the critical infrastructure and ensuing chaos is the goal, attacking the BES would be a logical step in achieving that goal. As this is the worst-case scenario, measures to isolate BES facilities from such outcomes must be explored, including evaluating relaying operating systems, SCADA, EMS, and other critical systems. Contingencies should be developed to ensure the operability of the BES if the compromised software could potentially impact a BES facility’s system. As more is learned about the extent of this particular hack, BES entities will be better able to assess the lasting damage to existing systems and work to safeguard their systems from similar future attacks.

It is becoming increasingly difficult to detect these attacks as hackers have become more sophisticated in their methods and have learned from the defensive measures used against them.

In response to the SolarWinds attack, the US Cybersecurity and Infrastructure Security Agency (CISA) published Emergency Directive 21-03 (12/13/2020), which contains actions required for government agencies. It is recommended that private entities also adhere to these requirements by maintaining a vigilant posture, fostering industry collaboration, and increasing training on cyber-attack sources and methods.

It is important to remember that those of us on defense have to get it right every time, while the attackers only have to get it right once. 

Need Help with NERC CIP Compliance?

To evaluate your organization’s compliance with NERC CIP standards, Certrec offers a free NERC CIP Health Check. We also provide comprehensive gap analyses to help you identify and resolve compliance gaps. To learn more about our CIP services, contact us at NERCExperts@certrec.com or call 817-738-7661. 


NERC Primers

A Primer on NERC 693

NERC 693 – a summary

How did NERC’s 693 reliability standards come about?

On March 16, 2007, the Federal Energy Regulatory Commission outlined Mandatory Reliability Standards for the Bulk-Power System, 18 CFR Part 40 (Docket No. RM06-16-000; Order No. 693). A summary is below; the full document can be accessed on the FERC website.

On June 18, 2007, compliance with NERC Reliability Standards became a legal requirement for Bulk-Power System owners, operators and users.

The North American Electric Reliability Corporation (NERC) 693 reliability standards define the reliability requirements for planning and operating the North American bulk power system. NERC 693 standards govern all stages of the energy process, from generation to transmission to distribution.

AGENCY: Federal Energy Regulatory Commission, DOE. ACTION: Final Rule. SUMMARY: Pursuant to section 215 of the Federal Power Act (FPA), the Commission approves 83 of 107 proposed Reliability Standards, six of the eight proposed regional differences, and the Glossary of Terms Used in Reliability Standards developed by the North American Electric Reliability Corporation (NERC), which the Commission has certified as the Electric Reliability Organization (ERO) responsible for developing and enforcing mandatory Reliability Standards. Those Reliability Standards meet the requirements of section 215 of the FPA and Part 39 of the Commission’s regulations. However, although we believe it is in the public interest to make these Reliability Standards mandatory and enforceable, we also find that much work remains to be done. Specifically, we believe that many of these Reliability Standards require significant improvement to address, among other things, the recommendations of the Blackout Report. Therefore, pursuant to section 215(d)(5), we require the ERO to submit significant improvements to 56 of the 83 Reliability Standards that are being approved as mandatory and enforceable. The remaining 24 Reliability Standards will remain pending at the Commission until further information is provided.

What is NERC?

The North American Electric Reliability Corporation is a nonprofit corporation based in Atlanta, Georgia, formed on March 28, 2006, as the successor to the North American Electric Reliability Council.

What is FERC’s role?

The Federal Energy Regulatory Commission is a federal agency that regulates the interstate transmission of electricity, natural gas and oil.

What is the difference between NERC and FERC?

According to NERC, NERC is the Electric Reliability Organization (ERO) for North America, subject to oversight by the Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. NERC’s jurisdiction includes users, owners, and operators of the bulk power system, which serves nearly 400 million people.

What do small entities have to do to comply with NERC and FERC?

The Small Entity Compliance Guide Mandatory Reliability Standards (Order No. 693) published by FERC sets out the impact on all small entities:

A small entity is required to comply with Commission-approved mandatory Reliability Standards if it is registered by a Regional Entity as a user, owner, or operator of the Bulk Power System. A Regional Entity is an entity which has entered into an agreement, approved by the Commission, with the ERO by which the ERO delegates its authority to propose and enforce Reliability Standards. Order No. 693 stated that the 83 Commission-approved Reliability Standards will apply to organizations that are registered by the ERO.

Generally, the Regional Entity will register entities who use, own or operate the electrical generation resources, transmission lines, interconnections with neighboring systems, and associated equipment generally operated at voltages of 100 kV or higher.

Further, the ERO has established criteria for registering users, owners and operators of the Bulk-Power System that must comply with Reliability Standards, and the Commission approved these criteria in Order No. 693. Generally, NERC will register those distribution providers or Load-Serving Entities that have a peak load of 25 MW or greater and are directly connected to the bulk electric system or are designated as a responsible entity as part of a required underfrequency load shedding program or a required undervoltage load shedding program. For generators, the ERO plans to register individual units of 20 MVA or greater that are directly connected to the bulk electric system, generating plants with an aggregate rating of 75 MVA or greater, any blackstart unit material to a restoration plan, or any generator "regardless of size, that is material to the reliability of the Bulk-Power System." More details are available at the NERC website: https://www.nerc.com
