Advanced Threats and Smart Grid Standards

(This article was originally published on the Findings From the Field blog.)

At the recent Smart Grid Security East conference, I had opportunity to ask two standards gurus about advanced threats and existing security standards. I asked if they felt the evidence to date of advanced threats to control systems warranted changes in security standards. The answer was a qualified "no" from both...

A Floor, not a Ceiling

Annabelle Lee, the former leader of the NISTIR 7628 effort responded in detail:

"There is no effective defense against targeted attacks. Organizations will always be susceptible to advanced, targeted attacks, especially if those attacks make use of insiders at the organization. Only pragmatic, cost effective defenses can be mandated by standards and regulations. That said, every organization should undertake their own impact and risk assessments and take appropriate measures in addition to the standards, where warranted."

The FERC representative responded by referring me to FERC order 706. The order approves the version 1 standards, addresses comments submitted by industry, and requires NERC to develop certain modifications to the standards by following their standards-definition processes. The document is some 200 pages long and makes repeated use of the phrase "at minimum," indicating clearly that FERC regards the NERC-CIP standards as minimum requirements for security. Organizations are expected to routinely exceed these minimum standards when risks or impacts warrant.

A common theme in these two responses is that existing standards should be seen as minimum requirements, or "floors," not "ceilings" on expected protections. When business risk assessments indicate, entities are expected to exceed these standards.

The Problem with Floors

The problem with this approach lies in persuading utilities to exceed published standards. Adoption of comprehensive security programs is a comparatively new practice at most utilities, and is fraught with debate as availability risks related to security breaches are compared to risks of outages due to changes introduced into control systems by security procedures. Security standards for an industry are created by experts for that industry and provide valuable guidance regarding these conflicting priorities. Utilities are justifiably reluctant to undertake their own analyses of security standards from other arenas to determine themselves which security measures do or do not make sense in their industry - this is what standards are for.

To compound the problem, the discussion in the NERC-CIP workshop made it clear that implementing more than the minimum NERC-CIP security protections had compliance risks as well. A question posed to the panel was "how would a NERC auditor react If an entity implemented policies and procedures which exceeded NERC-CIP requirements?" The discussion which followed cautioned that there could be problems if the more secure policies were mis-applied on some equipment, even if that equipment still exceeded NERC-CIP requirements. In this circumstance, NERC auditors would be required to find the entity in violation because of the deviations from the entity's own published policies. The way to avoid penalty was to document the non-compliant equipment with an exception report describing mitigations which would be acceptable per the CIP rules.

It seems that the way the minimum CIP provisions are enforced puts some entities at risk of violations if they shoot "higher" than NERC-CIP, but miss even a little. This of course misses the point - NERC should reward entities which implement better-than-required security.

Standards Can Do More

Most of us have heard the story of control system purchasers who have added all of the language of the DHS Cyber Security Procurement Language for Control Systems into their procurement documents. This, even though the document itself states it should not be interpreted as a "one size fits all" standard. The real lesson is not that people don't read these documents. The lesson is that at least some firms will use standards guidance when it exists, even if such use is not required by law or by regulation. A comprehensive list of possible security requirements is a convenient yardstick by which to measure the commitment to security of competing vendors.

So, yes, it is impossible to guarantee warding off every advanced threat, especially if that threat has planted insider agents in your organization. But security is not about guarantees, it is about reducing risk. Standards really should describe ways to significantly slow down advanced threats and significantly improve detection of these actors. The objective is to increase the probability of discovering advanced attacks in time to stop them from doing harm. On the other hand, it does not make sense to require advanced protections for every site, no matter how insignificant.

Looking Forward

I like the approach of the NISTIR in providing minimum security requirements as well as two classes of optional guidance for each requirement. Advanced guidance could and should be provided in security standards, even if that guidance is optional. For example: Host Intrusion Protection Systems appear to be more effective at securing control system assets than are traditional signature-based anti-virus systems. There is no guidance reflecting this in any of the standards discussed here.

Another example: NISTIR 7628, NERC-CIP and even the DHS procurement language all say perimeter firewalls and boundary protections should "deny by default." However, every one of them goes on to say that ports "required for operations and for monitoring" can remain open. In practice, this guidance results in many connections allowed through perimeter firewalls. Advanced guidance should indicate that air-gapped systems are more secure than firewalled systems, that perimeter equipment with a deep knowledge of allowed protocols is better than systems with no such knowledge, and that organizations should seek to minimize the number and kind of connections allowed through firewalls, even if this means incurring some inconvenience or extra costs.

Optional guidance would allow standards to address advanced threats, without making those standards unduly harsh for low-impact assets. The optional guidance will be used by some firms, and can be used to evaluate and compare different firms' commitment to security.

No comments:

Post a Comment