ICS cybersecurity company Dragos has warned that the recent compromise of the SolarWinds Orion platform amounts to a highly sophisticated supply chain exposure: about 18,000 organizations are reported to have been affected. Among these, it is likely that some of the nearly 2,000 power utilities regulated under the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards were impacted, if not directly then indirectly through their own supply chains.
Under the CIP-013 standard, which became mandatory and enforceable in October this year, new contracts must include provisions for vendor incident notification, vendor remote access, and additional procurement language intended to improve both security practices across vendors and collaboration during a cyber incident, Dragos said in a blog post. CIP-013 is the reliability standard on Cyber Security – Supply Chain Risk Management; it addresses the cybersecurity supply chain risks involved in the planning, acquisition and deployment phases of the system lifecycle for high and medium impact bulk electric system (BES) cyber systems.
A prudent first step in managing the “blast radius” of Sunburst is for each power utility to ask its vendors whether they use SolarWinds Orion, particularly any vendor with access to bulk electric system cyber systems (BES CS) or bulk electric system cyber system information (BES CSI), according to Dragos. For the vendors that do, the utility should coordinate a response to limit or remove that access where reliable operations would not be affected, and should voluntarily perform a threat hunt where access cannot be revoked for reliability reasons.
Regulations, standards, and frameworks have pushed a prevention-focused strategy in the industrial community, wrote Ben Miller, Dragos’ vice president of professional services and R&D, in the post. “While enterprise networks may have network visibility and logging, many ICS networks do not. In all of Dragos’ 2019 assessments, there were none that were doing centralized logging and network visibility prior to engaging with us. Once you confirm the compromised SolarWinds software is in your environment, if you do not have network visibility such as east-west traffic analysis and DNS logging in the ICS/OT networks, it will be incredibly hard to determine if you were breached post-compromise,” he added.
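The DNS visibility Miller describes only pays off if someone actually triages the logs. The following is an added example, not code from the Dragos post or from SolarWinds, of the kind of first-pass hunt an OT analyst would run once Orion is confirmed in the environment: read DNS query logs from the ICS network, compare each host's lookups against an allowlist of domains the OT network is expected to resolve, flag lookups that hit any indicator domains the analyst has loaded from a vendor advisory, and rank the Orion hosts with unexpected egress to the top of the hunt list. The log format, host addresses, domain names and the `ORION_HOSTS`, `EXPECTED_DOMAINS` and `IOC_DOMAINS` sets are all constructed for illustration; no real indicator is hard-coded.

```python
"""
Added example (not from the Dragos post): first-pass triage of OT DNS logs.

Assumed log format, one query per line (constructed for this example):
    <timestamp> <client_ip> <query_name> <rcode>
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed inventory: the hypothetical Orion poller inside the control-centre ESP.
ORION_HOSTS = {"10.10.1.20"}

# Domains an OT host is expected to resolve (constructed; a real list comes from
# the site's firewall rules and the CIP-005 ESP documentation).
EXPECTED_DOMAINS = {"ntp.corp.example", "updates.corp.example", "historian.ot.example"}

# Indicator domains from the vendor advisory are loaded here by the analyst;
# this example deliberately ships with none.
IOC_DOMAINS = set()

# Constructed sample log: one Orion host and one historian client.
SAMPLE_LOG = """\
2020-12-14T03:12:01Z 10.10.1.20 ntp.corp.example NOERROR
2020-12-14T03:12:05Z 10.10.1.20 updates.corp.example NOERROR
2020-12-14T03:14:09Z 10.10.1.20 a1b2c3d4e5.api.example-cdn.test NOERROR
2020-12-14T03:14:40Z 10.10.1.20 a1b2c3d4e5.api.example-cdn.test NOERROR
2020-12-14T03:15:02Z 10.10.2.31 historian.ot.example NOERROR
2020-12-14T03:16:22Z 10.10.2.31 ntp.corp.example NOERROR
2020-12-14T03:18:45Z 10.10.1.20 mail.corp.example NXDOMAIN
"""


@dataclass
class DnsRecord:
    ts: str
    client: str
    qname: str
    rcode: str


@dataclass
class HostFindings:
    unexpected: set = field(default_factory=set)  # lookups outside the allowlist
    ioc_hits: set = field(default_factory=set)    # lookups matching supplied indicators
    nxdomain: int = 0                             # failed lookups, a weak beaconing signal
    runs_orion: bool = False


def parse_dns_log(text):
    """Parse the assumed four-field format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append(DnsRecord(*parts))
    return records


def base_domain(qname):
    """Registrable domain approximated as the last two labels.

    Simplification for the example: production code should consult the public
    suffix list so that names under e.g. co.uk are grouped correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def triage(records, expected_domains, ioc_domains, orion_hosts):
    """Group findings per client host; allowlist and IOC matching is by base domain."""
    expected = {base_domain(d) for d in expected_domains}
    iocs = {base_domain(d) for d in ioc_domains}
    findings = defaultdict(HostFindings)
    for r in records:
        f = findings[r.client]
        f.runs_orion = r.client in orion_hosts
        bd = base_domain(r.qname)
        if bd in iocs:
            f.ioc_hits.add(r.qname)
        if bd not in expected:
            f.unexpected.add(r.qname)
        if r.rcode == "NXDOMAIN":
            f.nxdomain += 1
    return dict(findings)


def hosts_to_hunt(findings):
    """Orion hosts with any unexpected or indicator-matching egress, sorted."""
    return sorted(h for h, f in findings.items() if f.runs_orion and (f.unexpected or f.ioc_hits))


if __name__ == "__main__":
    result = triage(parse_dns_log(SAMPLE_LOG), EXPECTED_DOMAINS, IOC_DOMAINS, ORION_HOSTS)
    for host in hosts_to_hunt(result):
        f = result[host]
        print(f"{host}: unexpected={sorted(f.unexpected)} ioc={sorted(f.ioc_hits)} nxdomain={f.nxdomain}")
```

The allowlist approach matters more than the indicator list in an OT network: an ESP host should resolve a very small, stable set of names, so anything outside that set is worth a look even before the vendor publishes indicators, and the script keeps working once they are added to `IOC_DOMAINS`.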
The Hanover, Maryland-based company said there may also be power utilities that have installed SolarWinds in their high impact control centers, or even at a medium impact facility, in order to leverage the larger suite of SolarWinds NERC CIP compliance reporting. In such cases, auditors will be looking for a few potential tasks and may review artifacts based on each utility’s particular response.
Beyond CIP-013, auditors may discuss with utilities any malicious communications potentially identified under CIP-005 and the tools used to detect them (especially if SolarWinds is the only installed solution), as well as how the hotfixes and patches were installed, or other mitigation plans approved, wherever BES cyber systems running SolarWinds Orion products were identified, Dragos said.
While CIP-007 allows a 35-day window to evaluate a patch and a further 35 days to install it or mitigate, there may be additional scrutiny of how power utilities respond given the high visibility of this incident.
This brings up the last potential impact for NERC CIP utilities: incident response. Under the current CIP-008-5 requirements, an investigation of SolarWinds Orion in a NERC CIP regulated BES Cyber System could become a “Cyber Security Incident.” Unless it affected a reliability task of the BES CS, however, it would not be a “Reportable Cyber Security Incident.”
Beginning in January, though, if the same attack on SolarWinds (or another vendor) were uncovered, it could fall under the new term “attempt to compromise” in CIP-008-6, the latest version of the NERC CIP incident response requirements, which the standard leaves each entity to define for itself, Dragos said. In that case, each utility would have new reporting responsibilities to both NERC and DHS, including follow-up reports, which should be exercised and fully understood.
Earlier this month, Dragos secured US$110 million in Series C funding from investors, taking the company’s total funding to $158 million. The new investment is driven by a coalition of industrial and manufacturing companies and investors who aim to benefit from improved OT cybersecurity technology in their daily operations.