Welcome to SecureState's Blog!


24: Reality TV?

April 9, 2009 08:27 by author Matt Franko
The following article was published in SecureState’s Winter Newsletter. With the recent story that broke regarding the international spies from Russia and China that hacked into the United States’ electrical grid (http://www.msnbc.msn.com/id/30107040/from/ET/), this story has become more relevant. It has been something that SecureState has been preaching for quite some time… CIP is not strong enough…

Fox’s TV series 24 could very well become reality TV!

The reason is not that a simple device can be used to compromise our water, energy, transportation, and so on, but that the Critical Infrastructure Protection (CIP) standard is not at the level it needs to be to protect our most critical infrastructure.

The biggest problem with the CIP standard is that it may not even be possible to be CIP compliant! The core issue with the North American Electric Reliability Corporation (NERC) CIP standard is that it does not deal with legacy systems, and NERC itself will not force vendors to upgrade their systems to become compliant.

“Until vendors are forced to upgrade their products, there is not going to be much in the way of actual security,” says Matt Davis, Principal of Audit & Compliance at SecureState. “100% of these EMS and GMS systems that CIP deals with were designed to do one thing… and that is work!”

Systems that cannot be upgraded are pushed aside and not tested, and so become exceptions to the standard. How good can a standard be if it does not test all of the systems critical to it?

During several CIP engagements, SecureState found that most of the systems in scope for CIP had never been tested to the level they needed to be, nor could they stand up to simple tests such as vulnerability scans. In fact, CIP does not even require penetration testing! That is a test required by most other standards, including PCI.

CIP Audits

All organizations connected to the nation’s energy grid are to begin reporting their compliance and activities this January, with audits beginning January 1, 2010.

The audits are to be performed by the seven regional NERC operators scattered throughout the country. This raises the question of how strictly each individual operator will audit the organizations in its region. This could cause some heat if one group realizes it got dinged on something another organization with the same system got away with. And you can bet they are going to share and compare report cards.

“You have to wonder how much these operators are going to let slide during these audits. Is the fact that there are certain systems that cannot be upgraded going to make the exception the rule? We will have to wait and see,” said Matt Davis, Partner at SecureState.

CIP Importance

The importance of the CIP standard goes far beyond that of any other security regulation currently in place. Yet CIP isn’t even as tough as PCI, for example. The net result is that there is better security in restaurants than in the grid.

“PCI, SOX, GLBA, HIPAA… they all have their place in protecting the United States,” said SecureState Senior Consultant Jason Leuenberger. “But if the power goes out… those standards become obsolete!”

And the importance stretches beyond the loss of a modern convenience, because a failure in the country’s energy grid means a weakness in the country’s security!

By Matt Franko

Dear NERC, CIP needs a protein shake...

August 28, 2008 10:19 by author Jason Leuenberger
We've been posting a lot of information about compliance regulation lately, so I'll just add another scoop to this steamy pile...

The North American Electric Reliability Corporation (NERC) is a self-regulatory (non-governmental) organization subject to oversight by the U.S. Federal Energy Regulatory Commission (FERC). As of June 18, 2007, FERC granted NERC the legal authority to enforce reliability standards with all U.S. users, owners, and operators of the bulk power system, and made compliance with those standards mandatory and enforceable.

The preceding paragraph came pretty much verbatim from the NERC website. Now that we have a little insight on NERC, let's stop FERC'in around and talk about Critical Infrastructure Protection (CIP).

CIP was designed to protect the United States' critical infrastructure and features a heavy emphasis on safeguarding critical cyber assets (CCA) that help run the systems that generate electricity and control the transmission of electricity. The CIP standard is broken down into 8 individual requirements (CIP-002 through CIP-009) for various areas of protection or security. Audits for NERC CIP begin July 1, 2009. You might recall a certain blackout of 2003 that affected a large number of northeastern states? Hmmmmmm?? This prompted the NERC CIP standard, much like Enron prompted SOX.

As assessors or auditors, our team works with many different standards and regulations, and we've done a lot of NERC CIP related work with our energy clients over the past year. We've heard multiple complaints from clients about the CIP standard being vague or hazy, and I tend to agree. The protection levels that are expected are muddy.

As far as standards go, CIP needs a protein shake. We're talking about a standard that's designed to protect some of the country's most critical systems. It NEEDS to be stronger.

And what's with the non-standard terms in the standard? "Cyber"? "Electronic Security Perimeter"?

Really? Who uses those?

Why don't they just throw in "microcomputer" or "World Wide Web"?

While other standards and compliance regs require penetration testing, CIP only requires vulnerability scanning. Scanning for modems is referenced quite a bit in CIP, but there's practically nothing related to wireless. Sure, there are tons of modems out there, especially in those sectors, but NERC needs to let go of 1996. Check out some of the latest breaches across the country - I can't remember the last time I read a story about a compromise being traced back to a dusty modem. (Calm down, calm down... I know it still happens, just not as frequently.) And what about the exception for nuke plants? Why can't you apply NERC CIP to nuke plants as well? Businesses have to deal with multiple compliance efforts ALL THE TIME. Why wouldn't you use CIP as a "second set of eyes" for those sites?

And one more before I move on to the positives of NERC CIP. The standard isn't even a shadow of what other regulations like PCI require. You mean to tell me that the standards for the companies that allow me to turn on my lights are less than those of the companies that want to swipe my plastic?

NEWS FLASH: If the power is off, no one cares about PCI, HIPAA, or SOX.

Why?

Because the 'puters, calculators, and credit card processors don't work so well without power.

On a positive note - NERC CIP outlines a great schedule for compliance, with different progression paths. It's very detailed and could be something that other regulations take note of. The standard also breaks down what can be used as measures to demonstrate compliance, as well as specific levels of non-compliance which act as a nice grading system.

All in all, the standard has some positives but plenty of negatives. In my opinion, it has a long way to go before I stop stocking up on candles.

Undercover at Defcon

August 18, 2008 19:32 by author Admin

After having attended yet another Defcon, I find myself a little frustrated. While I am a geek at heart, I am not a Linux chugging, code puking, trench coat wearing, hair dyeing, multi-pierced hardcore guy like many. But then again, I am not alone. Though many like to think it’s still ‘underground’, it really hasn’t been for quite a while. Security isn’t just an IT thing any more, and it’s gaining ground in the business world. Hence there are many security professionals and vendors in attendance. So this year, I specifically set out to find that business side of security. As to being undercover, no, I would not be a winner in the ‘spot the fed’ contest. I am just a security auditor who was hoping to hang out with my coworkers, learn a few things, and do a little networking.

Now I have to preface my story with some important information. Every night typically ended with the sun rising, my buzz fading, and my alarm looming just a few hours away. So perhaps I was a little tired, hung over and grumpy going into each morning – though I’m generally grumpy according to most anyway :) Still, I made my way to the conference, grabbed my new-fangled badge, and hit my first presentation. The abstract was very promising, as the presenter alluded to the fact that compliance != (does not equal) security. Certainly he had a strong starting point. But he tripped coming out of the blocks. The rest of the presentation turned into an angry IT guy condemning every standard and every certification, and pointing out how stupid and useless auditors are.

Now I’ll be the first to say there are many auditors working in areas they should not be. I think we’ve all had to deal with the Big X auditor/kid straight out of college who can’t seem to discuss anything outside the verbiage in his checklist. But it’s just as annoying to have someone unqualified lecturing about compliance. It does not make any sense to compare the strength of compliance standards based on the length of the standard. Nor should you compare an IT standard against a security standard. And you shouldn’t bring up standards when you don’t even know what the letters stand for. Again, I’ll be glad to raise my hand and tell you all the flaws with all the standards, like in my recent post on PCI. But I have at least actually had to work with those frameworks. I suppose it’s just a different view when you are subject to them.

The rest of my Defcon experience was also peppered with more compliance bigotry, even from the likes of professors. But that’s not to say there weren’t some great presentations too. One was on a new tool to find and perhaps exploit ModbusTCP devices on SCADA systems. That certainly piqued my interest with all the NERC CIP compliance work we are doing. There were a couple of different presentations that covered different problems with RFID, including devices that go beyond just cloning prox cards to also doing site code brute-force attacks on common card codes. I think the best presentation was ours – only because I got to see our head geek get pummeled with lemons for his sins against humanity. Don’t ask :) After all, what happens in Vegas...