Earlier this month, the Federal Energy Regulatory Commission (FERC) published a joint report entitled “Cyber Planning Response and Recovery Study” (CYPRES) in partnership with the North American Electric Reliability Corporation (NERC) and eight of its Regional Entities (REs) in order to review the methods for responding to a cybersecurity event. The report is heavily focused on incident response and recovery (IRR) plans that describe how an electric utility should use its own plan to respond to a cyber-incident to ensure the reliability of its Bulk Electric Systems (BESes). I found some of the key takeaways rather interesting, and I will summarize them below. You can find the report in its entirety here.
Where NIST SP 800-61 Fits In
While it is likely that most organizations leverage CIP-008-5: “Incident Reporting and Response Planning” to form their IRR plan, the joint team quickly observed that the entities followed the framework described in the National Institute of Standards and Technology (NIST) Special Publication 800-61 Revision 2. On that basis, the joint team observed that plans that “contain well-defined personnel roles, promote accountability and empower personnel to take action without unnecessary delays” and that “leverage technology and automated tools while also recognizing the importance of human performance” are the most effective. Time and time again, we find the human element to be equally if not more important than the technology tools in place.
With regard to containment and eradication, I found this observation particularly interesting: “IRR plans should consider the possibility that a containment strategy may trigger predefined destructive actions by the malware.”
Arguably, this may be one of the most difficult scenarios to plan for. Malware behavior and analysis are not a novel subject. Even so, planning how an asset owner might need to alter their mitigation approach so as not to trigger the next stage of a payload is likely uncharted territory for most, if not all, incident response and recovery plans.
The Need for Continuous Evidence Collection
I was also pleased to see the inclusion of the following clause: “Evidence collection and continued analysis are important to determine whether an event is an indicator of a larger compromise.” It’s not just because I work at Tripwire!
Continuous evidence collection is not only useful for keeping auditors at bay, and not only for those looking to meet the CIP-008-5 three-year retention requirement. Absent comprehensive information, it may take significant effort, and especially time, for Digital Forensics and Incident Response (DFIR) teams to complete their investigation. Things like logs (Tripwire Log Center), open ports, installed software, configured users and group membership (Tripwire State Analyzer App), changes detected by File Integrity Monitoring (FIM) and Security Configuration Monitoring (SCM) (Tripwire Enterprise), vulnerabilities (Tripwire IP360) and network communication changes all play a significant role in “replaying” the history of an incident.
Safeguarding Industrial Environments
Diving a bit deeper, the section on Detection and Analysis contained some valuable insights. Being quite familiar with typical utility network architectures, the joint team keenly observed that the OT network typically resides within the entity’s corporate network—a secure enclave, if you will. Therefore, a port scan against an OT network typically indicates that the adversary may have already breached the IT/business network and therefore “may have penetrated multiple trust-zones before reaching the OT network or related critical assets.”
While this report is focused on the IRR, the team also recommends the use of tools to detect both known and unknown threats to the system, as well as network communication baselining to detect changes in traffic patterns. I find this to be a great use case for a dedicated tool deployed within the OT environment, separate from whatever is used for IDS/IPS on the edge of the IT network.
Tripwire Industrial Visibility, which can perform this very kind of continuous threat monitoring, is ideally suited for this. As the report already established, network baselining is not sufficient alone; baselining of the systems at a deeper level in order to adequately perform proper configuration management is crucial.
Additionally, the report brought to light that “automated security tools are used for documentation requirements that would be difficult to perform manually,” which is of course a strong suit of the Tripwire NERC Solution Suite.
Don’t Forget Baselining!
Ultimately, the joint team concluded with a key take-away: “Baselining is an effective resource utilization tool that allows personnel to detect deviations from normal operations.”
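As an added illustration of the network communication baselining the report recommends (this is example code written for this post, not code from the report, from FERC/NERC or from any Tripwire product), the following Python learns a baseline of observed communication tuples from constructed flow records, flags flows that deviate from it, and surfaces a source whose novel flows touch many ports on OT hosts, which is the scan pattern discussed in the Detection and Analysis section. All addresses, ports, the OT subnet and the threshold are made-up assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, proto). 10.20.0.0/16 plays
# the corporate IT network and 10.30.0.0/16 the OT enclave; all values are made up.
OT_NET = ipaddress.ip_network("10.30.0.0/16")

BASELINE_FLOWS = [  # learning period: normal HMI/PLC/master traffic
    ("10.20.1.15", "10.30.5.10", 502, "tcp"),    # HMI polling a PLC (Modbus/TCP)
    ("10.20.1.15", "10.30.5.11", 502, "tcp"),
    ("10.30.5.10", "10.30.5.50", 20000, "tcp"),  # PLC reporting to a DNP3 master
    ("10.20.1.15", "10.30.5.10", 502, "tcp"),    # repeat of a known flow
]

NEW_FLOWS = [  # monitoring period
    ("10.20.1.15", "10.30.5.10", 502, "tcp"),    # known, normal
    ("10.20.7.42", "10.30.5.10", 22, "tcp"),     # unseen IT host touching many OT ports
    ("10.20.7.42", "10.30.5.10", 23, "tcp"),
    ("10.20.7.42", "10.30.5.10", 80, "tcp"),
    ("10.20.7.42", "10.30.5.10", 443, "tcp"),
    ("10.20.7.42", "10.30.5.10", 502, "tcp"),
    ("10.20.7.42", "10.30.5.11", 44818, "tcp"),
]


def build_baseline(flows):
    """Set of (src, dst, port, proto) tuples seen during the learning period."""
    return set(flows)


def find_deviations(baseline, flows):
    """Flows absent from the baseline, in first-seen order, without duplicates."""
    seen, out = set(), []
    for flow in flows:
        if flow not in baseline and flow not in seen:
            seen.add(flow)
            out.append(flow)
    return out


def scan_suspects(deviations, min_ports=5):
    """Sources whose novel flows reach >= min_ports distinct ports on OT hosts.
    A source inside IT doing this has, per the report, already crossed the
    IT/OT trust boundary, so it deserves an incident-response look."""
    ports_by_src = defaultdict(set)
    for src, dst, port, _proto in deviations:
        if ipaddress.ip_address(dst) in OT_NET:
            ports_by_src[src].add(port)
    return {s: sorted(p) for s, p in ports_by_src.items() if len(p) >= min_ports}
```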
While the CYPRES report is a lengthy 30-page document, it is an easy and quick read. I highly recommend you take a look!