Let’s Get it Right, Folks

I always look forward to EnergySec’s Weekly Update newsletter. I have almost never failed to find a few very interesting nuggets in it that I hadn’t seen anywhere else. So I wasn’t particularly surprised to find something I hadn’t seen anywhere in a recent newsletter: a link to a press release from a group called the Foundation for Resilient Societies (which I had never heard of). This press release, which quotes Joe Weiss, a well-known consultant in the area of control systems security (and who I wrote about previously in this post), uses the recent Ukrainian cyber attack to point to the fact that the CIP standards specifically don’t apply to “communications networks” between Electronic Security Perimeters[i].

The second paragraph of the press release states the problem: “Ten years after Congress passed a law with the intent of protecting the U.S. electric grid from cyberattack, electric utilities increasingly rely on the public internet for critical communications, including those between grid control rooms and transformer substations. As a result, foreign governments have been able to implant malware into the U.S. electric grid. Worse yet, no current or proposed federal regulation requires encryption or other cyber-protection of grid communications with substations.”

There are three main assertions in this paragraph. They form the basis for the entire press release.

1. Electric utilities use the public internet for communications between “control rooms[ii]” and substations.
2. Because of this, “foreign governments have been able to implant malware” into the grid. Note this seems to say explicitly that the “OT” networks of electric utilities have been compromised. The press release implies that the Black Energy malware that is suspected of being involved in the Ukraine attack is at least one of the types of malware referred to. So Black Energy is most likely infecting the US grid!
3. If the NERC CIP standards or other regulations required encryption of “grid communications with substations,” these dangers might be mitigated. But they don’t require it.

The words “As a result” in the paragraph quoted above imply there is a causal relationship between items 1 and 2. That is, because electric utilities are using the public internet for substation communications, malware has made its way into the US grid. On the face of it, this wouldn’t be surprising, since almost any unencrypted traffic traversing the public internet will most likely quickly become infested with all sorts of malware.

There is one main problem with the first assertion: It’s completely false. I know of no electric utility that uses the public internet to communicate with its substations, encrypted or otherwise. The communications channel is always private (whether carrier-owned or utility-owned), often serial or Frame Relay. Where does this assertion come from? Were it true, it would be quite scary. But it isn’t.

And where does the second assertion come from – that malware has infected the grid as a result of attacks on substation communications? I have never heard of any successful cyber attack on substation communications. Given this fact, it is very hard to understand how 2 could be true. But if it nevertheless is true, where is the evidence?

The third assertion is true: NERC CIP specifically excludes communications between ESPs from being in scope. However, FERC, in their recent Order 822, ordered NERC to develop a new standard or requirements protecting communications between control centers. In the same Order (paragraph 57) FERC stated that they did not currently see the need to include communications with substations in these new requirements.

The press release seems to be advocating that FERC order that communications between control centers and substations be encrypted. While there would be a lot of problems with doing this[iii], this isn’t to say that it would never be a good idea to encrypt substation communications. But the threat requiring this step needs to be identified. Simply waving our arms and making assertions without any evidence for them doesn’t help.[iv]

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.

---

[i] This exemption is stated in Section 4.2.3.2 in each of the CIP v5 and v6 standards.

[ii] NERC calls these “Control Centers”, not control rooms.

[iii] One concern is that serial communications probably can’t be encrypted in any useful way; they probably still constitute the majority of substation communications, and that majority would undoubtedly grow if encryption were required for substation communications. This is because utilities would remove routable communications and go back to serial. The other concern is latency, since many operations at substations need to be executed at sub second speeds, and encryption will often impose an unacceptable time lag.

[iv] There is one way in which the Ukrainian incident points to a deficiency in cyber regulations in North America: It is apparent that the substations attacked were Distribution ones, not Transmission. This means NERC CIP would never have applied to them in the first place. As I pointed out in this post, I believe that ultimately there will need to be cyber regulations that apply to the entire grid, not just Transmission. As I also pointed out, doing this will pose a very difficult political problem.