News
Utilities: Energy & Power, Water, Waste
Vendors
Vulnerabilities

Dragos warns that power utilities may be affected by SolarWinds breach

December 24, 2020
power utilities

ICS cybersecurity company Dragos revealed that the recent compromise of the SolarWinds Orion platform could have led to a highly sophisticated supply chain exposure as about 18,000 organizations were affected. Out of these, it is likely that some of the nearly 2,000 North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) regulated power utilities may have been impacted—if not directly, then indirectly through their supply chain.

Under CIP-013 standard, which became mandatory and enforceable in October this year, any new contracts required provisions for vendor incident notifications, remote access, and additional procurement language to improve both security practices across vendors, as well as improved collaboration during a cyber incident, Dragos said in a blog post. The CIP-013 is a reliability standard on Cyber Security –Supply Chain Risk Management that addresses relevant cybersecurity supply chain risks involved in the planning, acquisition and deployment phases of the system lifecycle for high and medium impact bulk electric system (BES) cyber systems.

A prudent first step in managing the “blast radius” of Sunburst would involve each of the power utilities asking their vendors if they utilize SolarWinds Orion, especially if the vendor has access to bulk electric system cyber systems (BES CS) or bulk electric system cyber system information (BES CSI), according to Dragos. For the vendors that do, each utility should coordinate a response to limit or remove access, where reliable operations would not be impacted, and voluntarily perform a threat hunt where access cannot be revoked for reliability reasons.

Regulations, standards, and frameworks have pushed a prevention-focused strategy in the industrial community, wrote Ben Miller, Dragos’ vice president of professional services and R&D in the post. “While Enterprise networks may have network visibility and logging, many ICS networks do not. In all of Dragos’ 2019 assessments, there were none that were doing centralized logging and network visibility prior to engaging with us. Once you confirm the compromised SolarWinds software is in your environment, if you do not have network visibility such as east-west traffic analysis and DNS logging in the ICS/OT networks, it will be incredibly hard to determine if you were breached post-compromise,” he added.

The Hanover, Maryland-based company said that there may also be power utilities that have installed SolarWinds in their high impact control centers, or maybe even a medium impact facility, where they can leverage the larger suite of SolarWinds NERC CIP compliance reporting. In such instances, auditors will be looking for a few potential tasks and may review artifacts based on each utility’s unique response.

Beyond CIP-013, auditors may have a discussion with utilities regarding malicious communications potentially identified in CIP-005 and the tools used (especially if SolarWinds is the only installed solution), as well as how the hotfixes and patches were installed (or other mitigation plans approved) where BES cyber systems using SolarWinds Orion products were identified, Dragos said.

While CIP-007 allows 35-day windows for both evaluating the patch and mitigating/installing the patch, there may be additional scrutiny in how power utilities respond due to the high visibility of this incident.

This brings up the last potential impact for NERC CIP utilities: incident response. Under the current CIP-008-5 requirements, a potential investigation for SolarWinds Orion in a NERC CIP regulated BES Cyber System could become a “Cyber Security Incident.” That said, unless it impacted the Reliability Task of the BES CS, it would not be a “Reportable Cyber Security Incident.”

Though, beginning January, if the same attack on SolarWinds (or another vendor) were uncovered, this could potentially impact the new undefined term “attempt to compromise” in CIP-008-6, featuring the latest version of NERC CIP incident response requirements, Dragos said. In which case, each utility would have new reporting responsibilities to both NERC and DHS, including follow-up reports, that should be exercised and fully understood.

Earlier this month, Dragos secured US$110 million in Series C funding from investors to take the company’s total funding to $158 million. The new investment is driven by a coalition of industrial and manufacturing companies, and investors, who aim to reap the benefits of improved operational OT cybersecurity technology in their daily operations.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
Waterfall’s WF-600 unidirectional security gateway brings 'unbreachable protection' to OT/ICS networks
Waterfall, 2TS enter into cybersecurity alliance for African market