The North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC) published on Tuesday a joint white paper focusing on the need for continued vigilance around supply chain compromises and incidents affecting the North American electricity industry. The agencies highlighted the lessons learned from recent supply chain compromises and recommended a series of specific cybersecurity mitigation actions to better ensure the security of the bulk power system (BPS).
The white paper, titled ‘SolarWinds and Related Supply Chain Compromise,’ by FERC executives and NERC’s E-ISAC unit, primarily focuses on the significant and ongoing cyber events related to supply chain compromises such as the SolarWinds Orion platform, Microsoft 365/Azure Cloud compromises, and vulnerabilities in products such as Pulse Connect Secure, email-based attacks by Nobelium, Microsoft’s on-premises Exchange servers, and F5’s BIG-IP devices.
The agencies advised organizations to revalidate implementation of the least-privilege principle for host and network permissions, specifically surrounding local administrative privilege, service accounts, and delegation under Active Directory. Electric companies must also consider a systemic risk-based approach for protecting the most critical assets, and implement the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and baseline critical access and administrative privileges.
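One way to act on the revalidation and baselining advice above is to snapshot who holds privileged access (protected AD groups, accounts trusted for unconstrained delegation, service accounts that sit in admin groups, and local Administrators) and diff later snapshots against that baseline. The following PowerShell script is an added example written for this page, not code from the white paper or from NERC, FERC or CISA. It assumes the RSAT ActiveDirectory module, PowerShell 7 (for `ConvertFrom-Json -AsHashtable`), read access to the domain, and a baseline path of `C:\SecBaseline\privileged-access.json`, which is a hypothetical location.

```powershell
# Added example (not from the NERC/FERC white paper): capture a baseline of
# privileged access and report drift against it on later runs.
# Assumes the RSAT ActiveDirectory module and rights to read AD and local groups.
# $BaselinePath is an assumed location.

Import-Module ActiveDirectory

$BaselinePath     = 'C:\SecBaseline\privileged-access.json'   # assumed location
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-PrivilegedAccessSnapshot {
    $snapshot = [ordered]@{}

    # 1. Members of the most sensitive AD groups (recursive, so nested groups count).
    foreach ($g in $PrivilegedGroups) {
        $snapshot["group:$g"] = @(Get-ADGroupMember -Identity $g -Recursive |
            Select-Object -ExpandProperty SamAccountName | Sort-Object)
    }

    # 2. Principals trusted for unconstrained delegation: a compromise of any of them
    #    exposes the credentials of every user that authenticates to it.
    $snapshot['unconstrainedDelegation'] = @(
        @(Get-ADComputer -Filter 'TrustedForDelegation -eq $true' | Select-Object -ExpandProperty Name) +
        @(Get-ADUser     -Filter 'TrustedForDelegation -eq $true' | Select-Object -ExpandProperty SamAccountName)
    ) | Sort-Object

    # 3. Service accounts (user objects carrying an SPN) that are also in Domain/Enterprise Admins;
    #    these are the classic least-privilege violations the white paper asks to revalidate.
    $snapshot['privilegedServiceAccounts'] = @(
        Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties MemberOf |
        Where-Object { $_.MemberOf -match 'CN=(Domain|Enterprise) Admins' } |
        Select-Object -ExpandProperty SamAccountName | Sort-Object)

    # 4. Local Administrators on the host this runs on (wrap in Invoke-Command for a fleet).
    $snapshot["localAdmins:$env:COMPUTERNAME"] = @(Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name | Sort-Object)

    return $snapshot
}

function Compare-PrivilegedAccess {
    param(
        [System.Collections.IDictionary]$Baseline,
        [System.Collections.IDictionary]$Current
    )
    # Emit one row per principal that appeared in, or disappeared from, any scope.
    foreach ($key in $Current.Keys) {
        $before  = @($Baseline[$key]); $after = @($Current[$key])
        $added   = $after  | Where-Object { $_ -notin $before }
        $removed = $before | Where-Object { $_ -notin $after }
        foreach ($a in $added)   { [pscustomobject]@{ Scope = $key; Change = 'ADDED';   Principal = $a } }
        foreach ($r in $removed) { [pscustomobject]@{ Scope = $key; Change = 'REMOVED'; Principal = $r } }
    }
}

$current = Get-PrivilegedAccessSnapshot
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json -AsHashtable
    $drift = Compare-PrivilegedAccess -Baseline $baseline -Current $current
    if ($drift) { $drift | Format-Table -AutoSize } else { 'No privileged-access drift since baseline.' }
} else {
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $current | ConvertTo-Json -Depth 4 | Set-Content $BaselinePath
    "Baseline written to $BaselinePath"
}
```

The first run writes the baseline; every later run prints only what changed, which is the list a reviewer has to justify or revert. Drift rows of kind `ADDED` in the `group:` or `unconstrainedDelegation` scopes are the ones worth an immediate ticket, since they widen the blast radius of exactly the credential-theft paths the white paper is concerned with.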
The companies must also consider participating in the Cyber Mutual Assistance Program with peer utilities to ensure a collective response during a cyber event, in addition to exercising cyber and physical security response plans with third-party vendors, partners, and the government. They must also review and update cyber plans as necessary to include lessons learned from these supply chain attacks, consider conducting security assessments or penetration tests to validate their security baseline, and increase the timeliness of voluntary reporting to the E-ISAC and the Cybersecurity and Infrastructure Security Agency (CISA) as well as mandatory CIP-008-6 reports.
As investigations into the SolarWinds and other supply chain compromises continue, the electricity industry must review new information as it becomes available and take appropriate actions to assure the reliability and security of the BPS, until such time as CISA directs affected federal entities to rebuild the Windows operating system and reinstall the SolarWinds software package, the agencies said.
Organizations must also identify and remove all threat actor-controlled accounts and identified persistence mechanisms. Electric industry stakeholders should report to CISA and the E-ISAC any evidence of computer system compromise resulting from the SolarWinds attack, whether through direct purchase and deployment of the affected software or through indirect compromise via a third-party vendor or supplier.
After all threat actor-controlled accounts and identified persistence mechanisms have been removed, electricity industry stakeholders must treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed. They should work toward rebuilding hosts monitored by the SolarWinds Orion monitoring software from trusted sources and reset all credentials used by or stored in SolarWinds software.
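The two steps just described, identifying accounts that need review for attacker control and then resetting the credentials the monitoring platform used, can be scripted so that they are repeatable and leave an audit trail. The PowerShell below is an added example written for this page, not code from the white paper, CISA, or SolarWinds. It assumes the RSAT ActiveDirectory module and account-management rights in the domain; the exposure window (`$IncidentStart`) and the service account names (`svc-orion-poll`, `svc-orion-db`) are hypothetical and must be replaced with the values from the organization's own investigation.

```powershell
# Added example (not from the white paper or CISA): post-eradication account review and
# credential rotation for accounts used by a monitoring platform.
# Assumes the RSAT ActiveDirectory module; $IncidentStart and the account names are hypothetical.

Import-Module ActiveDirectory

$IncidentStart             = (Get-Date).AddDays(-120)             # assumed start of exposure window
$MonitoringServiceAccounts = @('svc-orion-poll', 'svc-orion-db')  # hypothetical names

# Step 1: list accounts created, or whose password was set, inside the exposure window,
# plus every account with adminCount=1 (current or past membership in a protected group).
# Output is a review list for an analyst, not an automatic verdict.
function Get-AccountsForReview {
    param([datetime]$Since = $IncidentStart)
    Get-ADUser -Filter * -Properties whenCreated, pwdLastSet, adminCount, Enabled, LastLogonDate |
        ForEach-Object {
            $pwdSet = [datetime]::FromFileTime($_.pwdLastSet)   # 0 maps to 1601, i.e. never set
            if ($_.whenCreated -ge $Since -or $pwdSet -ge $Since -or $_.adminCount -eq 1) {
                [pscustomobject]@{
                    Account    = $_.SamAccountName
                    Created    = $_.whenCreated
                    PwdLastSet = $pwdSet
                    AdminCount = $_.adminCount
                    Enabled    = $_.Enabled
                    LastLogon  = $_.LastLogonDate
                }
            }
        }
}

# Step 2: disable (do not delete) accounts an analyst has confirmed as attacker-controlled,
# so the object, its SID and its audit trail survive for forensics.
function Disable-ConfirmedAccount {
    param([string[]]$Account, [string]$TicketId)
    foreach ($a in $Account) {
        Disable-ADAccount -Identity $a
        Set-ADUser -Identity $a -Description "Disabled during IR $TicketId on $(Get-Date -Format s)"
    }
}

# Step 3: rotate the passwords of the service accounts the monitoring software used.
# The new secret is returned as a PSCredential for the caller to place in the vault and the
# rebuilt service configuration; it is never written to the console or a log.
function Reset-ServiceAccountCredential {
    param([string[]]$Account = $MonitoringServiceAccounts)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    foreach ($a in $Account) {
        $bytes = [byte[]]::new(32)
        $rng.GetBytes($bytes)
        $secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity $a -Reset -NewPassword $secure
        [pscredential]::new($a, $secure)
    }
}

# Typical flow: export the review list, act on the analyst's decisions, then rotate.
Get-AccountsForReview | Export-Csv -NoTypeInformation -Path '.\accounts-for-review.csv'
# Disable-ConfirmedAccount -Account @('example-rogue-account') -TicketId 'IR-0000'   # hypothetical values
# $newCreds = Reset-ServiceAccountCredential
```

Rotation is done after the rogue accounts are disabled and before the rebuilt hosts are put back on the network, so that a credential captured from the old Orion installation is useless against the new one. Resetting the password twice in quick succession is unnecessary for ordinary service accounts, but keep in mind that any cached or replicated copy of the old secret elsewhere in the environment is still a finding for the review in step 1.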
CISA also developed and publicly released a new tool intended to detect post-compromise threat activity: the CISA Hunt and Incident Response Program (CHIRP) IOC Detection Tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with the Orion products, threat activity in Microsoft cloud environments (Azure and Office 365), and threat activity associated with on-premises enterprise environments.
The E-ISAC is working closely with its members, FERC, and other partners in the Canadian and U.S. governments to produce timely, actionable, and useful defense information for all segments of the electric industry.
In the coming months, the E-ISAC anticipates supplementing its current information sharing with new capabilities, enhanced cross-border sharing, and collaboration with the U.S. Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response (CESER). Likewise, FERC staff stands ready to assist in the dissemination of actionable information that supports the electric industry in proactively responding to cyber-attacks and other cyber vulnerabilities.
Supply chain attacks are not common and the SolarWinds supply-chain attack is “one of the most potentially damaging attacks we’ve seen in recent memory,” Jake Williams wrote in a blog post for the SANS Institute.
“Supply chain compromise will continue. They are extremely difficult to protect against, highlighting the need for security to be considered as part of the vendor selection process,” Williams added. “Supply chain compromises do extend SaaS applications. Understand that your SaaS vendor does not have any magic process that makes it easier for them to detect these issues. They are every bit as vulnerable to software supply chain attacks.”
There have been intermittent cyberattacks on electric companies. About 25,000 members in southeastern Alabama were affected after Wiregrass Electric Cooperative was hit by a ransomware attack that temporarily prevented customers from accessing their account information, but an executive said Tuesday that systems were beginning to be brought back online.
The rural Alabama electric cooperative said no data was compromised in the attack, but member account information and payment systems were taken offline for maintenance. It added that it did not pay a ransom.
Earlier this year, Recorded Future detailed a campaign conducted by a China-linked threat activity group, RedEcho, targeting the Indian power sector. The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis. Data sources include the Recorded Future Platform, SecurityTrails, Spur, Farsight, and common open-source tools and techniques.
Following the SolarWinds supply chain compromise, a group of US senators introduced in May bipartisan legislation that would boost electric grid security by incentivizing electric utilities to invest in cybersecurity. The Senate bill also establishes a Department of Energy (DOE) grant and technical assistance program for the deployment of advanced cybersecurity technology for utilities that are not regulated by FERC.
The U.S. administration announced in April a 100-day plan that will modernize critical electric infrastructure using cybersecurity defenses with aggressive milestones, and assist owners and operators to deliver better detection, mitigation, and forensic capabilities. The plan will help meet cybersecurity threats faced by the nation’s electric system, apart from seeking feedback from stakeholders on protecting the critical electric infrastructure.