The North American Electric Reliability Corporation (NERC) serves more than 300 million people in North America as the electric reliability organization under the Federal Energy Regulatory Commission (FERC). In 2013, the FERC approved changes and additions to Critical Infrastructure Protection (CIP) Reliability Standards, also known as CIP v5, which are a set of requirements for securing the assets responsible for operating the bulk power system.
CIP is just one of 14 mandatory NERC standards that are subject to enforcement in the U.S. However, it gets a good deal of attention because this regulation is centered on the physical security and cybersecurity of assets deemed to be critical to the electricity infrastructure. Within CIP, there are eleven reliability standards currently subject to enforcement under CIP v5, but there are plans to introduce more in the future.
Obtaining compliance under CIP is more about policy and procedure than technology. The firms that help the responsible entities achieve CIP compliance aren't widely known to the public. Because cybersecurity requirements for the energy sector are so new, there isn't a lot of competition.
Most of the consultancies in this space have rarely strayed outside of critical infrastructure. They're specialized, and have a lot of institutional knowledge and previous experience with these types of systems. Some well-known commercial vendors are working in the space too, but most only sell products that address certain needs under CIP.
After talking with several experts and those familiar with CIP, as well as reading all of the NERC documentation, one thing became clear: CIP isn't about technical controls. If technical controls are considered, such as an IP camera or a firewall, the effectiveness of said control doesn't really come up.
CIP works on severity ratings when it comes to scope: high, medium, and low. Like any other regulatory matter, scope is what ultimately determines a pass or fail with CIP.
As expected, entities that need to comply with CIP will do all they can to lower the overall scope, which makes earning compliance easier. One expert, commenting on background, said he's seen examples where an asset owner wouldn't implement network security monitoring, because doing so would increase their regulatory footprint.
Another example: An electric provider addressing the severity ratings for their facility counted its buildings as separate assets. Overall, the facility was generating more than 3,000 MW, which would designate them as high impact. Because the company had two buildings, with turbines generating +/- 1500 MW each, it was able to lower its scope to medium impact. It didn't matter that both buildings were on the same property, nor did it matter that both were controlled from the same control room.
This shouldn't come as a surprise. Lowering scope to achieve compliance is commonplace. Yet, when things are moved out of scope, there is a risk of increasing one or more attacks. By sticking to CIP, however, does the juggling of scope hurt the overall goal of security? Not really.
"The security programs [at installations required to comply with CIP], work because of the layered security controls. It is a defense-in-depth mentality, and because the attack surfaces – while significant – are so few and so specialized, and so well-obfuscated, these security programs work," said Phil Grimes, senior security consultant with RedLegg Security Services.
Grimes spent years helping entities operating critical infrastructure organizations better understand their security posture and in some cases helped determine CIP compliance. "CIP does work. That's why we haven't seen a major breach in the U.S. or Canada. We've seen this kind of thing happen in other places, but because of these protections, it's proven to work. But it's not the end all, be all."
So, after an entity achieves CIP compliance, where do the weak points still exist? CSO Online asked Grimes to share some war stories, which we've outlined by section below. However, there is an interesting crossover, as many of the problems Grimes outlined can also apply to organizations outside of the energy sector.
CIP-004-6 (personnel and training)
Awareness programs. Every company has them for the most part, and some are more effective than others. However, when it comes to CIP, the focus is more on the existence of a policy that outlines quarterly awareness training that discusses cybersecurity practices. Such training could include physical security practices as well. However, what these programs actually consist of is left to the facility itself to determine.
This section also includes identity confirmation for personnel, a process for checking and evaluating criminal history, and personnel risk assessments. There is also a requirement for audit records addressing identity and access management (IAM) and electronic access.
The IAM-related records have to be assessed once every 15 months, and show that user accounts, account groups, roles and privileges are correct and updated. This is where most facilities get into trouble, because the documentation often isn't updated, or accounts for those who left the company are not deactivated within an acceptable amount of time.
However, while awareness training and access monitoring are important to CIP, the people are almost always placed out of scope when a consultant arrives to conduct testing. "Every time a consultant comes in to perform an assessment, the people are out of scope. Attacking this surface is out of scope in almost every engagement, because [the organization] knows they're going to lose. They know that this part of the program is weak, and they refuse to implement something stronger; because it means that we have to invest in our people, and they don't want to do it. It's not a blinking box that we can configure and leave it be," Grimes said.
CIP-005-5 (electronic security perimeter)
The electronic security perimeter (ESP) is the control systems, server room, telecom room and so on. The critical cyber-assets will fall under this section of CIP. For the most part, entities covered by CIP will spend a good deal of time and energy constructing a hard exterior (the ESP), but assets contained within – the guts – are soft. "We're talking fairytale darkness here, all of the stuff you see on television when the power grid goes down, that's going to happen when the ESP is successfully breached," Grimes said.
You would think that the ESP would be the ultimate hard point, but it isn't in most cases. physical access controls (PACs) are not covered under the ESP section. For example, video cameras are a weak point, as they're not considered when it comes to the ESP.
A lot of facilities have high-tech cameras in place, but they're not keeping these systems in a maintained environment. Instead, they're often using default credentials and are regularly left in a state that mirrors what one would expect form a test environment, not production.
"By trivializing the severity of the importance of an asset, and not including it in the ESP or not properly protecting in the ESP – these can then be used for further attacks," Grimes adds. As such, attackers can use these ancillary systems to leverage further attacks that can result in a physical breach of the ESP.
"Why we haven't seen that, frankly, I'm amazed. Because, the state of some of the facilities I've walked into, if somebody really wanted to get in there, they probably already have and just haven't caused any damage," he says, comparing the situation to Swiss cheese.
Compounding the issue with ESP security are the technical feasibility exceptions (TFEs). These systems are outdated, or in severe need of a patch, or are easily knocked offline. In many cases, there is no known vulnerability in these systems, Grimes said, but the critical nature of the operation makes any potential disruption a risk the business is unwilling to accept.
While these systems are exempt from scope, Grimes added, they are often significantly out of date (e.g., Windows 2003, Windows XP), poorly defended, or poorly maintained. Nevertheless, the organization will accept that risk, the potential damage notwithstanding.
CIP-006-6 (physical security)
This is where physical access to systems comes into play, and for the most part focuses on policies supporting a specific physical security plan.
PAC systems are covered here, as well as human security, fences, seismic monitoring, video monitoring and locks. Yet, the documented existence of these controls is all a facility needs to ensure CIP compliance. The technical aspect of these systems is secondary, assuming it becomes a consideration at all (it rarely does). "I've had one instance where I found a video monitoring system exposed to the internet with default credentials on a high-level BES (bulk electric system) cyber asset," Grimes explained.
In the grand scheme of things, even with this finding, the facility wasn't out of compliance. Because it isn't required to keep the video system protected. It's just a video system, how does default credentials and public exposure matter in terms of shutting down power generation capabilities?
"How it matters is, I changed the password on that thing. I totally took control of their cameras, moved them, and was able to circumvent the physical parameter. I knew where their guards were, where the patrol was happening. So, we were able to actually gain physical access to the generation station and stand inside their sacred ESP, all because we were able to take control of their cameras and see what they were doing and prevent them from seeing what we were doing," Grimes said.
"The response became so slow, they didn't have a response. They didn't even know about it until we made them aware. We were already in, we had already breached the ESP and say 'Hi, we're here. The call is coming from inside the house,' and they didn't even know it had happened yet."
Now, in this example, the ESP breach wasn't a result of the controls, or lack thereof, around the camera system. The cameras were, in general terms, the big assist. It was a successful physical attack that got Grimes and his team into the ESP, but because the cameras were so exposed, that physical attack became so much easier.
Another issue with the physical security of a given facility relates to age. Many of the existing facilities in North America are rather old, and in some cases, they're not properly, or regularly, or appropriately maintained.
In one example, Grimes told a story where he simply shimmied through an opening between the fence and gate of a high-impact facility without setting off any alarms. The gate and fence had been in a state of disrepair for years, and that didn't have any impact on the company's compliance.
The shocking aspect of the story though, is realized only if you know Grimes personally. He is 6 feet, 5 inches tall (~200 cm), and weighs 270 lbs. He is built like a linebacker. Yet he was able to simply slip past the gate and access the ESP.
CIP-008-5 (incident reporting and response planning)
Incident response planning and reporting plans need to include the process needed to "identify, classify, and respond to Cyber Security Incidents" and "provide guidance or thresholds for determining" what incidents are reportable to the ES-ISAC.
"Yeah sure, [the organizations] have a documented response plan, but they've never used it, they've never tested it. They don't know that it works. They basically just modified the CIP requirements and say 'yeah, this is our program, our program is exactly what you say we have to have'," Grimes said.
The big problem comes from the resources and people who are supposed to be working the program in the event of an incident. “With physical incident response/disaster recovery, these people have emergency roles which they assume in the event of a storm, or a major component failure, or a squirrel. But when it comes to the digital incident response/disaster recovery plan these people, who are supposed to be working the program in the event of an incident, often don't know their roles," Grimes adds.
It's not all bad, but more can be done
As mentioned earlier, despite the problems he outlined, CIP overall works, and the facilities that are bound by it are better because of it. However, the lesson is that compliance isn't security, and in some cases, it isn't even a good baseline. Developing an honest threat model, and understanding the real risks the organization faces will go a long way toward a solid security baseline than any compliance measure.