
A Collective Effort to Share Malicious Cyber Activity Benefits All

The North American Electric Reliability Corporation (NERC) reported three cyber security incidents on the North American bulk power system in a 2023 report to the Federal Energy Regulatory Commission (FERC). The incidents included ransomware, malware, and a combined physical-cyber Bulk Electric System (BES) intrusion, all involving different third parties. This article imparts lessons learned and recommended mitigations for the reported incidents.

It is important to note that although the number of reported incidents is low, the actual risk of similar cyber and physical attacks remains high (see MRO’s 2024 Regional Risk Assessment). This suggests that more attention to identifying and sharing cyber activity occurring outside of the systems deemed most critical is warranted, because that activity can often provide early warning of an attack.

This article underscores the importance of a comprehensive cybersecurity strategy that considers the entire Industrial Control System (ICS) kill chain, including monitoring less protected systems for signs of malicious activity. It also encourages continued sharing of cyber incident activity to the Electricity Information Sharing and Analysis Center (E-ISAC), Cybersecurity and Infrastructure Security Agency (CISA), or through the MRO Security Advisory Council Threat Forum.

The following is a more detailed account of the three reported attacks and mitigation strategies to assist electric sector cyber, physical, and operational security personnel.

NERC’s annual summary highlights three 2023 reportable incidents per Critical Infrastructure Protection (CIP) Reliability Standard CIP-008-6:
  1. A ransomware event at a third party that supported an ICS secondary system (a maintenance management system). The ransomware rendered that system inoperable, but the BES was unaffected.
  2. A malware incident that compromised Information Technology (IT) systems occurred when a contractor accessed the internet from an ICS secondary system (emissions control). The BES remained unaffected.
  3. A combined physical and cyber BES intrusion due to a vendor granting unauthorized access to a group of its employees. The BES remained unaffected.

It is beneficial to revisit the lessons learned from these incidents to identify and close process gaps. For incidents 1 and 2, it is a best practice to assess whether devices or personnel computers in critical roles (specifically ICS or ICS secondary systems) require internet access at all. Firewall policy for ICS environments can be very granular, because the internet-based services that equipment in those environments legitimately needs are few and specific. From a risk management perspective, it is best to deny all outbound traffic by default (an approach of risk avoidance) and to allow traffic only where a documented design need exists.
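As an added illustration of the deny-by-default egress posture described above (example code written for this editing pass, not from the original article or from MRO), the following Python script audits a sample of outbound flow records from an ICS secondary-system enclave against an explicit allow-list, then renders that allow-list as an nftables forward chain with a drop policy. The flow-record format, the addresses, the three allow rules and the table name are all assumptions made up for the example. The practical value is the audit step: run it over real flow logs before enforcing the drop policy, so the denied list shows both what would break and what should never have been leaving the enclave.

```python
import ipaddress
from collections import Counter

# Constructed outbound flow records from an ICS secondary-system enclave
# firewall. The format "<src_ip> <dst_ip> <proto> <dst_port>" and every
# address below are assumptions for this example, not real telemetry.
SAMPLE_FLOWS = """\
10.20.5.11 10.20.1.5 udp 123
10.20.5.11 10.20.1.20 tcp 443
10.20.5.12 203.0.113.40 tcp 443
10.20.5.12 198.51.100.7 tcp 80
10.20.5.13 10.20.1.5 udp 123
10.20.5.13 192.0.2.66 tcp 8443
10.20.5.11 203.0.113.40 tcp 443
"""

# Explicit egress allow-list (hypothetical entries): internal NTP, the
# enterprise web proxy, and one vendor support host reachable from one
# maintenance workstation only. Anything not listed here is denied.
ALLOW_RULES = [
    # (source network, destination network, protocol, destination port, reason)
    ("10.20.5.0/24", "10.20.1.5/32", "udp", 123, "internal NTP"),
    ("10.20.5.0/24", "10.20.1.20/32", "tcp", 443, "enterprise web proxy"),
    ("10.20.5.12/32", "203.0.113.40/32", "tcp", 443, "vendor support portal"),
]


def parse_flow(line):
    """Turn one flow record into (src, dst, proto, port)."""
    src, dst, proto, port = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(port)


def matching_rule(src, dst, proto, port):
    """Return the reason of the first allow rule covering the flow, else None."""
    for src_net, dst_net, rule_proto, rule_port, reason in ALLOW_RULES:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and proto == rule_proto and port == rule_port):
            return reason
    return None


def audit_egress(flow_text):
    """Classify observed flows under the default-deny policy.

    Returns (allowed, denied). Each allowed entry is (flow, reason); each
    denied entry is a flow with no matching rule, i.e. traffic that either
    needs a justified rule before the drop policy is enforced or should
    never have been leaving the enclave in the first place.
    """
    allowed, denied = [], []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = matching_rule(*flow)
        if reason:
            allowed.append((flow, reason))
        else:
            denied.append(flow)
    return allowed, denied


def denied_by_source(denied):
    """Count denied flows per source host to show which hosts still reach out."""
    return Counter(str(flow[0]) for flow in denied)


def render_nftables(table="ics_egress"):
    """Render the allow-list as an nftables forward chain with policy drop."""
    lines = [
        f"table inet {table} {{",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src_net, dst_net, proto, port, reason in ALLOW_RULES:
        lines.append(f"    ip saddr {src_net} ip daddr {dst_net} "
                     f"{proto} dport {port} accept  # {reason}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    allowed, denied = audit_egress(SAMPLE_FLOWS)
    for flow, reason in allowed:
        print("ALLOW", *flow, "->", reason)
    for flow in denied:
        print("DENY ", *flow)
    print("denied flows per source:", dict(denied_by_source(denied)))
    print(render_nftables())
```

In the sample, the last record (10.20.5.11 to the vendor portal) is denied even though the destination is on the allow-list, because the rule is scoped to the single maintenance workstation; that is the granularity the paragraph above refers to. The rendered ruleset is printed for review, not applied; loading it on a production firewall should go through the organization's change process.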

All three reported incidents had aspects of third-party risk, reinforcing the need for periodic personnel training and evaluation of access permissions and controls. The third-party issues stemmed from access given to contractors (supply chain) and have elements of non-malicious insider threats. There is a list of mitigating references at the end of this article that are applicable to this risk.

The unspoken lesson of NERC’s report is that the low number of reported incidents should not be mistaken for a low level of adversary activity. A recent report published by Apple, The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase, highlights a 20% increase in data breaches and attributes the increase to cloud, ransomware, and supply chain compromises. This is relevant because it shows the high level of adversary activity against systems that do not fall within the scope of NERC reportable cyber incidents. It is no surprise that the largest quantity of cyber threats originates in IT and ICS secondary systems with externally facing attack surfaces, because threat actors compromise the low-hanging fruit first. Reliability Standard CIP-008-6 applies to the most critical systems (high and medium impact BES Cyber Systems) and their associated Electronic Access Control or Monitoring Systems (EACMS). While these systems are indeed the most impactful to the BES, by the time an incident is reportable under CIP-008 the threat has already reached the most critical systems. Since the goal is to mitigate risk, the industry stands a better chance of responding before threats manifest on those systems by identifying and sharing cyber activity that occurs in IT and ICS secondary systems as leading indicators. Information sharing acts as a preventive control before a threat actor can pivot to attacking power system ICS.

Leading indicators of malicious cyber activity on secondary systems provide early warning of a potentially broader attack. Critical assets connected to the bulk power system are rarely the initial target; once access is gained to IT systems (e.g., finance, human resources, customer interfaces, engineering systems, and other ICS secondary systems), attackers can establish persistence, a technique used to maintain access to a compromised host for an extended period, and from that foothold pivot or move laterally to critical systems. So, while CIP-008 protects the most critical assets, it is essential for organizations to have a comprehensive cybersecurity strategy that considers the entire ICS kill chain.

Such a strategy would include monitoring less protected systems for signs of malicious activity and sharing that information with industry peers. Malicious activity might include Denial of Service (DoS) attacks lasting more than 12 hours, malicious code, targeted and repeated scans, repeated attempts to gain unauthorized access, email or mobile messages associated with attempted or successful phishing, and ransomware.
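To make the indicator list above concrete, here is an added example (written for this editing pass, not code from the original article or from MRO) that runs four of those indicators over a handful of constructed log lines: targeted scans (many distinct ports from one source), repeated scans (the same source returning on another day), repeated unauthorized access attempts (a burst of failed logons, with a flag when a success from the same source follows), and a DoS sustained beyond the 12-hour mark the article cites. The log format, the IP addresses, the account names, and the scan and logon thresholds are assumptions for the example; only the 12-hour DoS duration comes from the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Assumed line format:
#   <ISO-8601 UTC timestamp> <source IP> <event> <detail>
# SCAN: detail is the destination port; AUTH_FAIL/AUTH_OK: detail is the
# account; DOS: detail is the flooded target, one record per monitoring poll.
SAMPLE_LOG = """\
2024-03-04T01:00:05Z 198.51.100.9 SCAN 22
2024-03-04T01:00:06Z 198.51.100.9 SCAN 443
2024-03-04T01:00:06Z 198.51.100.9 SCAN 502
2024-03-04T01:00:07Z 198.51.100.9 SCAN 20000
2024-03-04T01:00:08Z 198.51.100.9 SCAN 44818
2024-03-04T02:10:00Z 203.0.113.77 AUTH_FAIL vendor-svc
2024-03-04T02:10:09Z 203.0.113.77 AUTH_FAIL vendor-svc
2024-03-04T02:10:20Z 203.0.113.77 AUTH_FAIL vendor-svc
2024-03-04T02:10:31Z 203.0.113.77 AUTH_FAIL admin
2024-03-04T02:10:44Z 203.0.113.77 AUTH_FAIL admin
2024-03-04T02:12:00Z 203.0.113.77 AUTH_OK vendor-svc
2024-03-04T03:00:00Z 192.0.2.50 AUTH_FAIL jdoe
2024-03-04T06:00:00Z 198.51.100.200 DOS customer-portal
2024-03-04T12:00:00Z 198.51.100.200 DOS customer-portal
2024-03-04T19:30:00Z 198.51.100.200 DOS customer-portal
2024-03-05T01:05:00Z 198.51.100.9 SCAN 502
2024-03-05T01:05:01Z 198.51.100.9 SCAN 20000
"""

# Thresholds are illustrative choices for this example, except the 12-hour
# DoS duration, which is the figure named in the article.
WINDOW = timedelta(minutes=10)
SCAN_PORTS_THRESHOLD = 5                 # distinct ports probed by one source
AUTH_FAIL_THRESHOLD = 5                  # failed logons from one source per WINDOW
DOS_MIN_DURATION = timedelta(hours=12)


def parse(log_text):
    """Parse log lines into (timestamp, source, event, detail) tuples, time-ordered."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, event, detail = line.split(maxsplit=3)
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, event, detail))
    return sorted(records)


def within_window(times, threshold, window):
    """True if at least `threshold` timestamps fall inside some sliding `window`."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect(records):
    """Apply the four indicator rules and return a list of alert dicts."""
    scans = defaultdict(list)      # src -> [(ts, port)]
    failures = defaultdict(list)   # src -> [ts]
    successes = defaultdict(list)  # src -> [ts]
    dos = defaultdict(list)        # target -> [ts]
    for ts, src, event, detail in records:
        if event == "SCAN":
            scans[src].append((ts, detail))
        elif event == "AUTH_FAIL":
            failures[src].append(ts)
        elif event == "AUTH_OK":
            successes[src].append(ts)
        elif event == "DOS":
            dos[detail].append(ts)

    alerts = []
    for src, hits in scans.items():
        ports = {port for _, port in hits}
        days = {ts.date() for ts, _ in hits}
        if len(ports) >= SCAN_PORTS_THRESHOLD:
            alerts.append({"type": "targeted_scan", "subject": src, "ports": len(ports)})
        if len(days) >= 2:   # the same source coming back is the "repeat" indicator
            alerts.append({"type": "repeat_scan", "subject": src, "days": len(days)})
    for src, times in failures.items():
        if within_window(times, AUTH_FAIL_THRESHOLD, WINDOW):
            # A success from the same source after the burst means the
            # attempts may have worked and should be triaged first.
            later_ok = any(ok > max(times) for ok in successes[src])
            alerts.append({"type": "repeated_auth_failures", "subject": src,
                           "attempts": len(times), "followed_by_success": later_ok})
    for target, times in dos.items():
        duration = max(times) - min(times)
        if duration >= DOS_MIN_DURATION:
            alerts.append({"type": "sustained_dos", "subject": target,
                           "hours": duration.total_seconds() / 3600})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The ports in the scan sample (502, 20000, 44818) are Modbus, DNP3 and EtherNet/IP, which is why a scan touching them from an external address is worth sharing even when nothing was compromised: it is exactly the kind of leading indicator the article asks operators to report.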

Further underscoring the need for greater information sharing is a warning from the US government, through CISA, about the People’s Republic of China (PRC) Volt Typhoon threat actor’s use of living off the land (LOTL) techniques. The notice highlights that PRC threat actors “pre-position themselves on IT networks to enable lateral movement to OT assets to disrupt functions.” It provides specific recommendations for detection and hunting that are applicable to IT systems. This illustrates that threat activity targeting critical ICS systems often originates in less protected areas, which provides an opportunity for early detection.
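Because LOTL activity uses built-in administrative tools rather than malware, hunting for it on IT systems comes down to matching command lines against the techniques the advisories describe and then separating routine administrative use from anomalies. The following added example (written for this editing pass, not from the original article, from MRO, or from CISA) shows that pattern over a few constructed process-creation events shaped like Windows Security event 4688 or Sysmon event 1 fields. The three command-line patterns (netsh portproxy forwarding, ntdsutil export of the directory database, wmic reconnaissance) are tools CISA’s Volt Typhoon advisories call out, but the regular expressions, the baseline, the host and account names and the events are all my own assumptions for the example, not the advisories’ full detection guidance.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry). Field names are
# modelled loosely on Windows 4688 / Sysmon event 1; hosts and accounts are made up.
SAMPLE_EVENTS = [
    {"host": "IT-JUMP01", "user": "CORP\\svc-netops", "parent": "powershell.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 "
                "listenaddress=0.0.0.0 connectport=443 connectaddress=10.50.1.20"},
    {"host": "IT-FILE02", "user": "CORP\\contractor7", "parent": "cmd.exe",
     "cmdline": 'cmd.exe /C "netsh interface portproxy add v4tov4 listenport=9999 '
                'listenaddress=0.0.0.0 connectport=8443 connectaddress=198.51.100.12"'},
    {"host": "DC01", "user": "CORP\\contractor7", "parent": "cmd.exe",
     "cmdline": 'ntdsutil "ac i ntds" ifm "create full C:\\Windows\\Temp\\pro" q q'},
    {"host": "ENG-WS14", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "cmdline": "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"},
    {"host": "ENG-WS14", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]

# Command-line patterns for three LOTL techniques. The regexes are illustrative
# choices for this example and are deliberately loose; tune them to your telemetry.
PATTERNS = [
    ("portproxy_forwarding", re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I)),
    ("ntds_dump", re.compile(r"ntdsutil.*\bifm\b", re.I)),
    ("wmic_recon", re.compile(r"\bwmic\b.*(logicaldisk|process|service|useraccount)", re.I)),
]

# Hypothetical baseline of (host, account, technique) combinations known to be
# routine administration. Matches in the baseline are kept at low priority
# rather than discarded, because an attacker may reuse exactly those accounts.
BASELINE = {("IT-JUMP01", "CORP\\svc-netops", "portproxy_forwarding")}


def hunt(events):
    """Return one hit per (event, technique) match, prioritised against the baseline."""
    hits = []
    for ev in events:
        for name, pattern in PATTERNS:
            if pattern.search(ev["cmdline"]):
                known = (ev["host"], ev["user"], name) in BASELINE
                hits.append({"technique": name, "host": ev["host"], "user": ev["user"],
                             "priority": "low" if known else "high",
                             "cmdline": ev["cmdline"]})
    return hits


def rank_actors(hits):
    """Accounts ordered by how many distinct high-priority techniques they triggered.

    One account touching several LOTL techniques across hosts (here, forwarding
    on a file server plus a directory dump on a domain controller) is a stronger
    lead than any single match.
    """
    techniques = defaultdict(set)
    for h in hits:
        if h["priority"] == "high":
            techniques[h["user"]].add(h["technique"])
    return sorted(((user, len(t)) for user, t in techniques.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for h in found:
        print(h["priority"].upper(), h["technique"], h["host"], h["user"])
    print("accounts to triage first:", rank_actors(found))
```

Note that the baselined match on the jump host is still reported. A baseline built from a period that already included attacker activity would hide it, so baselines should be reviewed, not trusted blindly, and the low-priority hits belong in the same weekly sharing the article recommends.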

MRO encourages continued sharing of cyber incident activity with the E-ISAC, with CISA, or on the MRO Security Advisory Council Threat Forum’s Threat Call, held Wednesday mornings at 0800 Central (sign-up here).

Mitigation References

The reported issues primarily arose from human behavior, with secondary elements of vendor risk management process (notification, response), and technical access controls.

Physical and Cyber Access Control

Internet Access from within ICS networks

Supply Chain

Insider Threat

Lee Felter, MRO Principal Security Engineer