Lack of clarity hampers new regulation’s ability to stop SolarWinds-type attack on power grid

One of the most pernicious aspects of the far-reaching and potentially devastating SolarWinds supply chain hack is that it evaded detection for at least ten months by hiding inside seemingly normal software operations. The compromise of SolarWinds’ Orion product enabled Russian actors to embed surveillance malware in widely used network management software. The so-called SUNBURST malware was pushed deep into public and private networks under the invisibility cloak of ordinary activity, causing no harm or disruption as it silently operated.

The SolarWinds hack is widely regarded as a turbo-charged nation-state espionage campaign. Most experts, however, won’t rule out the possibility that the Russian intelligence team behind the breach was also paving the way for attacks that could damage operations. One of the biggest concerns about the hack’s impact is how it affected the nation’s power grid.

New regulations aimed at spotting attempted compromises of the power grid that cause no damage, as was the case with SolarWinds, went into effect on January 1, 2021. It’s not at all clear that the new requirements will help the energy industry spot these kinds of attacks.

Power companies likely compromised by SolarWinds

Early reports indicate that more than a dozen unnamed critical infrastructure companies in the electric, oil and manufacturing industries ran the tainted software, along with three critical infrastructure OEM (original equipment manufacturer) suppliers. Some of the infections spread beyond ordinary IT infrastructure into the affected companies’ operational technology or industrial control components. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert last month saying infrastructure entities were “compromised” by the SolarWinds hack.

New NERC cybersecurity standard expands report requirements

New requirements from the North American Electric Reliability Corporation (NERC) are embodied in the NERC CIP-008-6 standard. (CIP stands for critical infrastructure protection.) The CIP-008-6 standard follows another relatively new set of cybersecurity requirements, CIP-007-6.

Consistent with an order by the Federal Energy Regulatory Commission (FERC), the new standard requires relevant bulk power entities to report not only actual compromises of bulk electric systems but also, for the first time, “attempts to compromise” those systems. All cybersecurity incidents, whether actual compromises or attempts to compromise, have to be reported to the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), now part of the National Cybersecurity and Communications Integration Center (NCCIC), as well as to the Electricity Information Sharing and Analysis Center (E-ISAC).

Copyright © 2021 IDG Communications, Inc.