Sony, NERC & Cyber Vulnerability

To the chagrin of just about everyone, Sony capitulated to the hackers’ demands and threats – sending absolutely the wrong message. What was Sony thinking? From a long-term view and a national perspective, the action they took was in error. If you give in to the demands of terrorists, they will be emboldened to attack again. Further, there is a ripple effect – other threat actors around the world are watching and are inspired by the success of the tactic. The North Korean cyber warriors of Bureau 121, the regime’s crack information warfare unit, are surely celebrating their huge victory.

For the U.S., what North Korea wrought should be considered a canary in the coal mine – a warning of what may come.

Bringing down an entertainment industry giant such as Sony Corporation is one thing. It meant embarrassment and red faces all around, not to mention the compromise of some very popular intellectual property. However, this attack could serve as a rehearsal for something much more serious and devastating to the U.S. What if the next attack were on the U.S. electrical grid?

The U.S. electrical grid, otherwise known as the Bulk Electric System (BES), is acutely vulnerable to a cyber attack because of poorly secured pathways into the information networks that support transmission and sub-transmission systems, distribution systems, customer loading, industrial control systems, and many more critical elements. The reason these information systems are vulnerable is the migration of computerized control systems from the mainframe-based, largely proprietary systems used decades ago to distributed systems and open, routable network protocols such as TCP/IP. This technical migration, coupled with industry trends to downsize, avoid redundancy to save money and cut costs, and implement digital remote automated systems, is heightening the vulnerability of our electrical grid. It does not help that savvy threat actors can build target profiles of nodes within the grid because of open access to transmission system information.

To their credit, the North American Reliability Corporation’s (NERC) initiative to roll out more robust Critical Infrastructure Protection (CIP) standards for the U.S. electrical grid, known as NERC CIP Version 5, could not come a moment too soon. The Version 5 Standard, which becomes effective 1 April 2016, significantly increases the number of facilities that must develop and implement security programs to maintain compliance. A large number of the facilities that fall under the new standards have not been required to comply with previous NERC CIP standards.

A key difference in NERC CIP Version 5 is the concept behind the development of the standards. NERC is actively shifting the focus of audit and enforcement away from strict measurement against specific requirements [i.e., security-through-compliance] and towards a qualitative assessment of internal security controls. This shift reinforces the need for utilities to transition to holistic security programs and away from traditional compliance checklists.

For example, NERC CIP Guidance for Physical Security [006-5] states, “The entire content of CIP-006-5 is intended to constitute a physical security program. This represents a change from previous versions since there was no specific requirement to have a physical security program in previous versions of the standards, only requirements for physical security plans.” The Federal Energy Regulatory Commission (FERC) supports NERC’s move away from a “zero tolerance” approach to compliance. The move in this direction encourages the development of strong internal controls by responsible entities, i.e. developing a risk framework and environment that encourages business processes to ensure compliance with NERC standards.[1]

Also, NERC CIP Version 5 includes 12 requirements for new cyber security controls, covered in the following broad areas:

  • Electronic Security Perimeters
  • Systems Security Management
  • Incident Reporting and Response Planning
  • Recovery Plans for BES cyber systems

There is an old saying that there is “many a slip between the cup and the lip.” NERC CIP’s good intentions are liable to run into old ways of doing business – specifically when it comes to “getting compliant” for the auditors. All too often, compliance preparation is geared towards doing the minimum possible to meet the letter of the law and nothing more – checked boxes, tape around the server suite, and so on.

This time around, utility professionals who adopt this philosophy could be in for a rude awakening when it comes time for audit. Security plans designed around “duty of care” may have been sufficient in the more innocent era of the 1990s. However, when these old regimes are lined up against the auditors’ expectations of a fully developed, defense-in-depth security program, they will likely fall short. Further, assigning various elements of NERC CIP compliance preparation in-house to different departments risks a stove-piped compliance preparation effort that is bound to leave gaps. In the intervening time between the development of earlier NERC security standards and today, for example, physical security technology has evolved to the point that these systems converge and overlap significantly with information systems and networks. Treating physical security and cyber security as two separate entities misses the point and can leave a gaping vulnerability in compliance.

Ultimately, trying to get compliant on the cheap, without significant internal resource focus or outside consulting help, is a really bad idea and does not serve the best interests of your corporation, its shareholders, or management. The wiser course is to leverage outside resources with expertise in both the requirements of NERC CIP and the development of strong, comprehensive cyber and physical security programs. NERC is looking for good compliance through good security, not the other way around. The investment is worth it.

In the meantime, given the recent successful cyber attack on Sony, perhaps NERC CIP should consider accelerating the implementation of its new suite of cyber security standards, lest we all be left in the dark.

[1] “Are you ready for NERC CIP Version 5?”, Baker Tilly, 9 June 2014.