The North American Electric Reliability Corporation (NERC) reported three cyber security incidents on the North American bulk power system in a 2023 report to the Federal Energy Regulatory Commission (FERC). The incidents included ransomware, malware, and a combined physical-cyber Bulk Electric System (BES) intrusion, all involving different third parties. This article imparts lessons learned and recommended mitigations for the reported incidents.
Although the number of reported incidents is low, the actual risk of similar cyber and physical attacks remains high (see MRO’s 2024 Regional Risk Assessment). This suggests that more attention is warranted to identifying and sharing cyber activity occurring outside of the systems deemed most critical, since such activity can often provide early warning of an attack.
This article underscores the importance of a comprehensive cybersecurity strategy that considers the entire Industrial Control System (ICS) kill chain, including monitoring less protected systems for signs of malicious activity. It also encourages continued sharing of cyber incident activity to the Electricity Information Sharing and Analysis Center (E-ISAC), Cybersecurity and Infrastructure Security Agency (CISA), or through the MRO Security Advisory Council Threat Forum.
The following is a more detailed account of the three reported attacks and mitigation strategies to assist electric sector cyber, physical, and operational security personnel.
NERC’s annual summary highlights three 2023 reportable incidents per Critical Infrastructure Protection (CIP) Reliability Standard CIP-008-6:
- A ransomware event at a third party that supported an ICS secondary system (maintenance management). The event rendered that system inoperable, but the BES was unaffected.
- A malware incident that compromised Information Technology (IT) systems occurred when a contractor accessed the internet from an ICS secondary system (emissions control). The BES remained unaffected.
- A combined physical and cyber BES intrusion due to a vendor granting unauthorized access to a group of its employees. The BES remained unaffected.
It is beneficial to revisit the lessons learned from these incidents to identify and close process gaps. For incidents 1 and 2, it is a best practice to assess whether devices or personnel computers in critical roles (specifically ICS or ICS secondary systems) require internet access. Network permissions can be very granular for ICS environments where critical equipment is located, and necessary internet-based services are likely specific. From a risk management perspective, it is best to deny all outbound traffic by default—taking an approach of risk avoidance—only allowing traffic based on designed need.
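The default-deny egress posture described above can be expressed as data and checked before it reaches a firewall. The following Python is an added example written for this article, not code from MRO or NERC: it holds an allowlist of "designed need" outbound flows per asset role, evaluates a requested connection against it (anything unmatched is denied), flags allowlist entries whose destination lies outside the organization's own address space, and renders the policy as an nftables chain with `policy drop`. All addresses, roles, and purposes are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressRule:
    """One designed need for outbound traffic from an ICS asset role."""
    role: str      # asset role the flow is approved for, or "all"
    dst_net: str   # destination CIDR (constructed addresses)
    port: int
    proto: str     # "tcp" or "udp"
    purpose: str   # why the flow exists; reviewed when access is re-evaluated


# Constructed allowlist. Nothing here reaches the internet: every approved
# destination is inside the assumed internal space below.
ALLOWLIST = [
    EgressRule("historian", "10.20.0.0/24", 443, "tcp", "replicate to enterprise historian"),
    EgressRule("maintenance_mgmt", "10.20.0.50/32", 1433, "tcp", "work-order database"),
    EgressRule("all", "10.20.0.10/32", 123, "udp", "internal NTP"),
    EgressRule("all", "10.20.0.11/32", 53, "udp", "internal DNS resolver"),
]

# Assumed source subnets per role inside the ICS network (constructed).
ROLE_SOURCES = {
    "historian": "10.10.1.0/28",
    "maintenance_mgmt": "10.10.1.16/28",
    "all": "10.10.1.0/24",
}

# Assumed address plan: everything the organization owns lives in 10.0.0.0/8.
INTERNAL_SPACE = ipaddress.ip_network("10.0.0.0/8")


def evaluate_egress(role, dst_ip, port, proto, allowlist=ALLOWLIST):
    """Return (allowed, reason). Deny is the default; only an explicit rule permits."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in allowlist:
        if rule.role not in (role, "all"):
            continue
        if dst in ipaddress.ip_network(rule.dst_net) and rule.port == port and rule.proto == proto:
            return True, f"allowed: {rule.purpose}"
    return False, "denied by default: no designed need matches"


def external_destinations(allowlist=ALLOWLIST, internal=INTERNAL_SPACE):
    """Review check: rules whose destination is outside the organization's address space."""
    return [r for r in allowlist if not ipaddress.ip_network(r.dst_net).subnet_of(internal)]


def render_nftables(allowlist=ALLOWLIST, role_sources=ROLE_SOURCES):
    """Render the allowlist as an nftables forward chain with a drop policy."""
    lines = [
        "table inet ics_egress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in allowlist:
        lines.append(
            f"    ip saddr {role_sources[r.role]} ip daddr {r.dst_net} "
            f"{r.proto} dport {r.port} accept comment \"{r.purpose}\""
        )
    # Log what the default policy drops so denied outbound attempts are visible.
    lines += ['    log prefix "ics-egress-deny " drop', "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # A contractor browsing the internet from the maintenance system is denied.
    print(evaluate_egress("maintenance_mgmt", "203.0.113.10", 443, "tcp"))
    print(evaluate_egress("historian", "10.20.0.7", 443, "tcp"))
    print("external destinations:", external_destinations())
    print(render_nftables())
```

The review check is the part worth running periodically: when a vendor asks for a new outbound flow, adding it to the allowlist and seeing it appear in `external_destinations()` forces the conversation about whether that need is real before the rule is deployed.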
All three reported incidents had aspects of third-party risk, reinforcing the need for periodic personnel training and evaluation of access permissions and controls. The third-party issues stemmed from access given to contractors (supply chain) and have elements of non-malicious insider threats. There is a list of mitigating references at the end of this article that are applicable to this risk.
The unspoken lesson from NERC’s report is the perception that the number of reported incidents is low. A recent report from Apple, The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase, highlights a 20% increase in data breaches. In the report, the increases are attributed to cloud, ransomware, and supply chain. This is relevant because it shows the high level of adversary activity on systems that would not fall into the scope of NERC reportable cyber incidents. It is no surprise that the largest quantity of cyber threats originates from IT and ICS secondary systems that have externally facing attack surfaces, because threat actors compromise low-hanging fruit. Reliability Standard CIP-008-6 applies to the most critical systems (high and medium impact BES assets) and associated Electronic Access Control and Monitoring Systems (EACMS). While these systems are indeed the most impactful to the BES, by the time an incident is reportable under CIP-008 it has already occurred on a critical system. Since the goal is to mitigate risk, the industry stands a better chance of responding before threats manifest on the most critical systems by identifying and sharing cyber activity that occurs in IT or on ICS secondary systems as leading indicators. Information sharing acts as a preventative control before a threat actor can pivot to attacking power system ICS.
Leading indicators of malicious cyber activity on secondary systems provide early warning signs of a potential broader attack. Critical assets connected to the bulk power system are rarely the direct target, but once access is gained to IT systems (i.e., finance, human resources, customer interfaces, engineering systems, and other ICS secondary systems), attackers can establish persistence, a technique used to maintain access to a compromised host for an extended period. With this foothold, they can pivot or move laterally to critical systems. So, while CIP-008 protects the most critical assets, it is essential for organizations to have a comprehensive cybersecurity strategy that considers the entire ICS kill chain.
Such a strategy would include monitoring less protected systems for signs of malicious activity and sharing that information with your industry peers. Malicious activity might include Denial of Service (DoS) attacks that last more than 12 hours, malicious code, targeted and repeated scans, repeated attempts to gain unauthorized access, email or mobile messages associated with attempted or successful phishing, and ransomware.
Further underscoring the need for greater information sharing is a warning from the US government through CISA on the People’s Republic of China’s (PRC) Volt Typhoon threat actor using Living Off the Land Techniques. The notice highlights that PRC threat actors “pre-position themselves on IT networks to enable lateral movement to OT assets to disrupt functions.” It provides specific recommendations for detection and hunting that are applicable to IT systems. This illustrates that threat activity targeting critical ICS systems may often originate in less protected areas, providing an opportunity for early detection.
MRO encourages continued sharing of cyber incident activity with the E-ISAC, CISA, or during the MRO Security Advisory Council Threat Forum Threat Call, held Wednesday mornings at 0800 Central.
Mitigation References
The reported issues primarily arose from human behavior, with secondary elements of vendor risk management processes (notification, response) and technical access controls.
Physical and Cyber Access Control
- CIP-004-7, Personnel & Training
- CIP-005-7 Electronic Security Perimeters
- CIP-007-6, Physical Security of BES Cyber Systems
- CISA, Electricity Substation Physical Security – an easy-to-read infographic with helpful suggestions
Internet Access from within ICS networks
- CIP-005-7 Electronic Security Perimeters
- Technical Rationale and Justification for Reliability Standard CIP-005-7 – see section under R1.
Supply Chain
- MS-ISAC Supply Chain Cybersecurity Resources Guide
- NATF, Supply Chain Risk Management Plans
- NERC Security Guideline, Vendor Risk Management Lifecycle
Insider Threat
- The MRO Insider Threat Program Checklist and Maturity Assessment
- Carnegie Mellon Common Sense Guide to Mitigating Insider Threats, 6th Ed. – This document distills numerous interviews and many years of insider threat research into a useful resource for industry.
- Office of the Director of National Intelligence (DNI) – The National Counterintelligence and Security Center (NCSC) – Insider Threat Mitigation for U.S. Critical Infrastructure Entities. – This publication focuses on the human threats to U.S. critical infrastructure, including employees at critical infrastructure organizations who may be exploited by foreign adversaries. The publication provides guidance on how to incorporate these threat vectors into organizational risk management plans and offers best practices for critical infrastructure entities to mitigate insider threats.
- Department of Homeland Security (DHS) – Cybersecurity and Infrastructure Security Agency (CISA) – Insider Threat Mitigation Guide. – This document is an evolution in the series of resources CISA makes available on insider threats. This guide draws from the expertise of reputable experts in the field to provide comprehensive information to help federal, state, local, tribal, and territorial governments; non-governmental organizations; and the private sector establish or enhance an insider threat prevention and mitigation program.
Lee Felter, MRO Principal Security Engineer