May 17, 2012

Skilled Social Engineers Threaten Your Proprietary Data

James Holler, Founder, Abidance Consulting

I have used social engineering (SE) to gain physical access to several large facilities and then to get key passwords and login information from people. I have posed as technicians and other officials in order to gain the proprietary information I wanted. Luckily, I’m a good guy who did this at the request of clients to test their own defenses.

Unfortunately, there are a lot of bad guys out there who do this, too.

The bag of tricks that Social Engineers use allows them to lie, cheat and steal their way past your organization’s security controls. The ultimate goal, in most instances, is theft, fraud and/or espionage.

Your best line of defense: Training your people.

Fraud incidents are on the rise and many of these crimes result from social engineers pulling off their costly deceptions in person, via the telephone and through popular social networking sites.

Despite all the media hype about hackers and viruses, the greatest threats to an organization’s information security are actually the employees of the company. They’re the ones who too often, too easily, fall victim to Social Engineering ploys and open the doors wide to anyone who appears to be and act “normal”.

Bank robbers case the joint. So do Social Engineers.

When an intruder targets an organization for attack, be it for theft, fraud, economic espionage, or any other reason, the first step is reconnaissance. They need to know their target. The easiest way to conduct this task is by gaining information from those that know the company best. Their information gathering can range from simple phone calls to dumpster diving.

Being cognizant of these types of attacks, educating your employees about the methodologies of the attacks, and having a plan in place to mitigate them are essential to blocking these manipulations. Regular testing to ensure the effectiveness of your training initiatives is a must. Your training must allow your staff to understand social engineering methodologies, why it is the most effective tool in attacking a company and why so many people fall victim. Your staff also needs to learn how effective corporate communication and incident response planning can prevent attacks from occurring in the first place.

Once you discover the best ways to test the effectiveness of your awareness efforts, you will then be able to learn what to do after the attack has occurred. Can you put the genie back in the bottle? Yes, if you know where the genie is likely to go next. Remember, everyone is susceptible to this kind of theft. The key is to know how to spot it so you can stop it.

James Holler is founder of Abidance Consulting.


NERC Compliance Managed Services Worth a Close Look

James Holler, Founder, Abidance Consulting

There is a new concept emerging within the NERC Compliance arena called NERC Compliance Managed Services. The managed services concept is nothing new to the business community, but it has not yet taken hold in the NERC arena. One of the main reasons is that there are only one or two companies that competently perform this service.

If you do decide to pursue a managed service provider, keep in mind that there are five things the provider you choose must adhere to.

Customer Service: Your managed service provider must commit to giving you better customer service than the next guy. Everyone provides customer service. Make sure your managed service provider’s customer service is exceptional. Your managed service provider must let you know that they are truly committed to doing whatever it takes to make your NERC compliance program successful. Be sure that your managed service provider treats customer service not as an afterthought, but as a part of their business strategy.

Understand Your Business Culture: Your managed service provider must get to know your way of doing business so that they can deliver you services in a manner that best meets your needs. A good managed service provider doesn’t deliver cookie cutter services. The managed service provider must know how to tailor and execute their services in a way that is compatible with your unique way of doing business.

By having a laser focus on your needs, the managed service provider can offer higher premium services that add the most value to your business.

Education: A good managed service provider will educate your staff on everything NERC related…not just one or two particular areas. Your managed service provider must show value every step of the way. Your managed service provider is providing a value-added service and they should be able to give you an ROI that will show you why they are the best choice for your business. If the managed service provider can’t show you the metrics, they don’t deserve your business.

Ongoing Communication: In order to retain your business over time, your managed service provider needs to maintain constant communications with you and your staff. Whether it’s phone calls, social media, or on-site visits, your managed service provider needs to build a rapport with you and your staff so that you will eventually see your managed service provider as a trusted business advisor rather than just a vendor.

Commitment: Commitment from your managed service provider is the key to growing your trust and adding value to your business. If developed properly, a managed service provider relationship is a sophisticated business model that needs to be given adequate dedication and resources from both sides.

Bottom-line: Make the investment in the right managed service provider, staff and the right technology in order to deliver the best value to your business. Don’t do it halfway; you will only end up with a poorly constructed NERC compliance program…and possibly some heavy monetary fines.

James Holler is founder of Abidance Consulting.


It’s Time To Check Your CIP-009 Mandated Business Continuity Plan

James Holler, Founder, Abidance Consulting

It’s probably time to revisit your Business Continuity Plan(s) required under CIP-009.

Why? Because you’ve got less than a week until most facilities deemed to be Critical Assets have to be auditably compliant with the NERC CIP rules.

Around the country, natural disasters and man-made incidents and attacks have directly disrupted business operations across the power and utility industries. Having a definitive plan and response technique is essential to remain viable, especially in today’s rough economic climate.

Good continuity planning is vital to any critical industry. However, a rise in service interruptions due to natural disasters and other activities has underscored the need for business continuity plan development and maintenance. Even if you have completed your planning, you may want to revisit your plan one last time before you self-certify your compliance. One major area not being addressed in most Business Continuity Plans is the set of topics that were of no significant concern until very recently, such as terrorist activities, Aurora events and surviving a pandemic flu.

We’ve talked with several regional auditors recently, and they suggest that the regions are looking for registered entities to directly address these areas in the Business Continuity Plans. Several registered entities have recently suffered monetary fines for failure to include these areas in their plans.

Our discussions with the regional auditors also suggest that roughly 70% of the Business Continuity Plans that were reviewed were not deemed adequate. Unfortunately, this suggests that registered entities are not carefully planning their strategies or they do not have a firm grasp of what is required for a comprehensive plan. Either way, the regional auditors are not going to be so forgiving next year as registered entities begin to certify that they are compliant.

As you wrap up 2010 and prepare for the new regulatory world in 2011, it’s time to review your plan again or have a specialist in this area review it and make the necessary modifications so that you are truly auditably compliant.

James Holler is founder of Abidance Consulting.


NERC Compliance Could be Tougher in 2011

James Holler, Founder, Abidance Consulting

As one year winds down, let’s peer ahead to see what compliance “surprises” could come from our friends at NERC in 2011 and beyond.

We all know there are no guarantees that there won’t be any “surprises” next year or beyond. What we, as an industry, do know is that there is going to be a new version of the CIP requirements that will cause most, if not all, registered entities to become a low, medium or high impact critical asset. This change will require registered entities to prepare new policies and procedures as well as implement a series of fail-safes to protect the facility from a physical and/or logical intrusion.

Beyond the revised CIP requirements on tap, there is no telling what the compliance future holds in store for us. This past year there have been multiple NERC Alerts issued that would have affected a majority of the registered entities to some extent.

Then there was AURORA, a big NERC Alert that did affect the current status of many registered entities. As you may know, this alert was issued in October and gave registered entities only a few weeks to respond to NERC.

Next year may bring a similar number of Alerts, and there is no way to determine what may or may not affect you until the Alerts or directives are issued either by your region, NERC or even FERC. One way to stave off any unforeseen expenses, including some of the ones registered entities incurred this year, is to outsource all of your NERC compliance efforts for a fixed fee via a Master Services Agreement (MSA) to either an internal corporate division or to a competent consulting firm. In either case, whoever you outsource your compliance efforts to must be fully adept at both CIP and Reliability Standards. This outsourcing could, in effect, negate any unforeseen expenses for consulting and other initiatives since all NERC Alerts, etc. would be covered.

In addition to helping you prepare for and handle a prospective audit, your consultants should also be responsible for keeping you compliant at all times, filing the appropriate self certifications, self reports, updating all policies and procedures to reflect any changes that may occur and also to address all NERC Alerts and new requirements that affect you.

James Holler is founder of Abidance Consulting.


Beware the NERC CIP Consultant Spreading Rumors

James Holler, Founder, Abidance Consulting

I’ve noticed a new and troubling trend recently: There are a few consultants and firms using scare tactics to frighten potential clients into becoming paying customers. Many of these consultants use misinformation and half-truths to spread their fear mongering on social network sites such as LinkedIn. Unless FERC, NERC or one or more of the eight Regional Entities has been directly quoted with the source named, or if you cannot otherwise confirm a consultant’s comments or statements, it is recommended that you contact these organizations for confirmation.

A good example of this is that there is a consulting firm spreading wild rumors and accusations around that there is going to be a CIP version 5, with a set of rules that is radically different from what is in place now. Well, having spoken to Commissioner Spitzer’s office at FERC, I can say there are no immediate plans for a version 5 of the CIP requirements. Version 4 has not even been approved by FERC; therefore, FERC can’t even contemplate when or even if there will be a version 5 of the CIP requirements.

The Standards and Development Team that works with NERC to create the various CIP rules and changes is made up of industry experts – some more knowledgeable than others – who draft the modifications or new requirements. These are then put out for vote by the industry. If they are approved, then the CIP requirements are presented to FERC for their approval. More times than not, FERC will refer the presented rules back to NERC for modification or make requests for clarity and guidance. The Standards and Development Team is not the de facto word on the CIP requirements; FERC is.

To sum up, don’t believe everything you read or hear. I do recommend that you get independent verification from FERC, NERC or your Regional Entity. If the consultant is using scare tactics to get you to sign a contract, they are only interested in making a quick dollar and do not have your best interests in mind. There are literally hundreds of people on the Standards and Development Team, so if someone touts that they are on the team, that’s nice…so are many others and they aren’t going around using scare tactics to get you to sign on the dotted line. My best advice is to do your due diligence before you jump simply because someone told you the sky is falling.

James Holler is founder of Abidance Consulting.


Are The NERC Requirements Strong Enough To Protect The Power Grid?

James Holler, Founder, Abidance Consulting

The NERC requirements might help the people at NERC and the regions get a better night’s sleep, but a sound action plan, including situational awareness, is the only true way to get there — and ensure greater cybersecurity for all.

With so much at stake, NERC is faced with the daunting challenge of locking down the nation’s cyber infrastructure as it pertains to the power grid. NERC has forced registered entities to establish programs for securing their Critical Assets and Critical Cyber Assets that include dedicated management, oversight, accountability of corporate officers, processes for securing IT systems, and mechanisms for measuring progress.

Of course, just meeting NERC requirements doesn’t mean a registered entity is secure. NERC should recognize its shortcomings and pass a measure that will, among other things, strengthen the role of an industry recognized leader like the National Institute of Standards and Technology in shaping cybersecurity requirements.

So, why is cybersecurity such a challenge? That’s a loaded question because today’s information infrastructure is a quandary. Some of the issues are:

Advanced Persistent Threat

Cyber criminals have become more sophisticated, outpacing defensive measures. Hackers constantly exploit weaknesses in popular products and create new techniques using viruses, rogue antivirus software, keystroke loggers, botnets, and other tools, for immediate targets or time-triggered actions.

New Dynamics

Registered entities have completely changed the way they communicate, interact and accomplish their missions. They’re sharing information in new, amazing and sometimes scary ways—from portals (regional scale for the most part) to social networking websites like LinkedIn. They’re even bringing trusted third parties into the fold. And their flexible IT model is establishing technology options that could present more risks, such as mobility and cloud computing.

Shared Risk

All of this is extending NERC’s reach into the critical infrastructure. Yet, 95% of that infrastructure is in the hands of the private sector. Risk to that infrastructure, information assets and private data is rampant with potentially deep and catastrophic consequences. The fact is, registered entities are giving more and more access to data and applications, a concept that runs counter to most security thinking. Traditional network security that relies on reactive measures simply isn’t enough.

Pay Closer Attention To Applications

Whether off-the-shelf or home-grown, most applications are not engineered with security in mind, so you need to ensure trusted development processes to maintain their integrity. Today, that means adhering to the requirements set forth in the NERC standards. Trusted delivery is also critical — especially with innovations like cloud computing. Protecting the perimeter around applications is not a sufficient defense and you must extend security to the application layer. In every case, you need to be able to measure an application’s ability to process and handle sensitive information throughout its deployment lifecycle.

James Holler is founder of Abidance Consulting.


NERC Requires Aurora Compliance by All Registered Entities

James Holler, Founder, Abidance Consulting

If you run SCADA/EMS data exchange networks and are located 1 substation away from a generation plant then the Aurora vulnerability should be on your mind considering the latest NERC Alert. The CIP Standards will not help you out of this vulnerability; neither will “normal” protection schemes. Idaho National Laboratory (INL) blew past those in seconds with time to spare, just like a well trained adversary will (see video below). Since that time, there are many small and midsized entities that are vulnerable as vectors to allow an adversary the ability to reproduce this catastrophic physical failure on a grand scale.

The vulnerability in a nutshell is that by physical or cyber means an adversary gains access to the breakers up to three substations out from a generator and ‘bangs’ it out of phase. By how much out of phase is still something of a mystery to many who are not protection systems engineers or generator folks. Suffice it to say that they are very aware of the worst case scenario of phase alignment problems. Aurora creates this in a split second. One second your generator is humming happily and the next it has broken couplings and a mangled shaft. It leaves you scratching your head and putting out fires.

There is hope and now a reason to get this problem fixed. The first step in doing this is to create an inventory; the second is getting your best protection people, cyber folks and substation folks together to see what ingress points you have to your substations. Next is cutting off the “pipe”. If you are running modem access to your RTUs you need to stop it. This is not good business practice unless you have encryption and password protection. Also of note are the engineering access points. If you have the access points set up on a VPN, you might have allowed split tunneling, which is not a good idea. Last but not least, entities need to start talking amongst themselves.

If you are a registered entity then you should be talking to whoever owns the next substation out from your onsite substation to see what they are doing to protect your assets. This affects most registered entities to some extent.
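The mitigation steps above (inventory, find the ingress points, cut off unprotected modem access to RTUs, check engineering VPNs for split tunneling, talk to the neighboring substation owners) can be turned into a repeatable audit. The script below is an added example, not code from the original post or from Abidance Consulting; the inventory format, field names, the three-substation scope and the sample sites are constructed assumptions.

```python
"""Audit a substation remote-access inventory against the Aurora mitigation
steps: flag dial-up modem access to RTUs that lacks encryption and password
protection, flag engineering VPN profiles that allow split tunneling, and list
the neighboring substation owners to coordinate with. Inventory fields and
sample sites are constructed for this example."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class AccessPoint:
    substation: str            # constructed site label
    owner: str                 # organization that owns the substation
    device: str                # e.g. "RTU-1" or "ENG-GW" (engineering gateway)
    kind: str                  # "modem", "vpn" or "lan"
    hops_from_generator: int   # substations between this site and the generator
    encrypted: bool = False
    authenticated: bool = False
    split_tunnel: bool = False


# Scope assumption: the post says the breakers of concern sit up to three
# substations out from a generator.
AURORA_MAX_HOPS = 3

# Constructed sample inventory (not real sites, owners or devices).
SAMPLE_INVENTORY: List[AccessPoint] = [
    AccessPoint("SUB-A", "OurUtility", "RTU-1", "modem", 1),
    AccessPoint("SUB-A", "OurUtility", "RTU-2", "modem", 1, encrypted=True, authenticated=True),
    AccessPoint("SUB-B", "OurUtility", "ENG-GW", "vpn", 2, encrypted=True, authenticated=True, split_tunnel=True),
    AccessPoint("SUB-C", "NeighborCoop", "RTU-1", "modem", 3, authenticated=True),
    AccessPoint("SUB-D", "FarAwayCo", "ENG-GW", "vpn", 5, encrypted=True, authenticated=True, split_tunnel=True),
    AccessPoint("SUB-E", "OurUtility", "RTU-1", "lan", 1, encrypted=True, authenticated=True),
]


def in_aurora_scope(ap: AccessPoint) -> bool:
    """True when the site is close enough to a generator to matter for Aurora."""
    return ap.hops_from_generator <= AURORA_MAX_HOPS


def check_access_point(ap: AccessPoint) -> List[str]:
    """Return the reasons this ingress point fails the mitigation steps."""
    reasons = []
    # Modem access to an RTU is acceptable only with both encryption and a password.
    if ap.kind == "modem" and not (ap.encrypted and ap.authenticated):
        reasons.append("modem access without both encryption and password protection")
    # A split-tunneled engineering VPN is called out as a bad idea in the post.
    if ap.kind == "vpn" and ap.split_tunnel:
        reasons.append("engineering VPN profile allows split tunneling")
    return reasons


def audit(inventory: List[AccessPoint]) -> List[Tuple[str, str, str, str]]:
    """(substation, device, priority, reason) for every failing ingress point.
    Priority is 'high' inside Aurora scope and 'normal' beyond it."""
    findings = []
    for ap in inventory:
        priority = "high" if in_aurora_scope(ap) else "normal"
        for reason in check_access_point(ap):
            findings.append((ap.substation, ap.device, priority, reason))
    return findings


def neighbors_to_contact(inventory: List[AccessPoint], own_org: str) -> List[str]:
    """Owners of in-scope substations that are not ours: the parties the post
    says a registered entity should be talking to."""
    return sorted({ap.owner for ap in inventory
                   if in_aurora_scope(ap) and ap.owner != own_org})


if __name__ == "__main__":
    for sub, dev, prio, why in audit(SAMPLE_INVENTORY):
        print(f"[{prio}] {sub}/{dev}: {why}")
    print("coordinate with:", ", ".join(neighbors_to_contact(SAMPLE_INVENTORY, "OurUtility")))
```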

In order to comply with the NERC requirement you will have to create a mitigation plan and continue reporting to NERC every 6 months until you have mitigated this issue.

A complimentary Webinar “NERC AURORA Compliance: Are you Ready?” will take place on November 11, 2010. You can register here.


NERC Adds Heavier Fines, CIP Violations to Latest Enforcement Actions

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

NERC is mad as hell, and they’re not going to take it anymore.

Okay, maybe that’s stretching it a bit, but take a look at their latest batch of tougher enforcement actions that hit some regulated entities with some heavy penalties.

Former cyber security specialist in FERC’s Office of Electric Reliability Randal Blanchette believes the upswing can be partially attributed to the simple fact that more and more entities are being audited for CIP-002 through CIP-009 generally. “There are also more complexities [for companies to comply with] as newer revisions come out,” he adds. We’ve talked to Randal before about confusing NERC regulations.

But Abidance Consulting’s James Holler says NERC is “flexing its muscle a bit.” They’ve been “nice” to regulated entities up until now, “but now they are saying it’s over.”

He noted a lot of six figure fines among this recent slew of penalties. “Those who didn’t take NERC seriously better start doing so now.” NERC observers tell us that in the past, few NERC citations carried a price tag for regulated entities. “We gave you a break and you took advantage of it,” is Holler’s view of NERC’s new attitude. “Some of you were slow to get your compliance programs in order and NERC wants to show they mean business now.”


How to Interpret a NERC Requirement

James Holler, Founder, Abidance Consulting

As many of you know, neither FERC, NERC nor your Regional Entity (FRCC, MRO, NPCC, RFC, SERC, SPP, TRE, WECC) has been willing to give any kind of interpretation for many of the NERC requirements. For example, if you want to know what the definition of annual is, neither NERC nor any of the regional entities will give you a “hard answer”.

With that said, here is a piece of information you may want to hold onto. If a requirement has not been officially interpreted in writing by the regional entity or NERC or by a FERC Order, Ruling or case decision, then the registered entity can choose its own interpretation as it applies to best business and utility practices for their environment. This interpretation should stand up in court and it is, for lack of a better phrase, FERC’s Achilles Heel. The registered entity’s interpretation must be in writing and widely disseminated throughout the organization if the registered entity expects their interpretation to hold up.

Here is an example of an interpretation – feel free to use the one we are providing – that you could use for CIP-008, R1.1:

Procedures to characterize and classify events as reportable Cyber Security Incidents

The response plan must allow for characterizing a reportable Cyber Security Incident by determining whether the incident was malicious, whether equipment or property was stolen and/or destroyed, the length of the incident (if cyber, how long the attack went on), and whether you are able to recover from the incident and, if so, how long recovery will take.

The response plan must allow for you to classify the reportable Cyber Security Incident by determining whether the incident was a recurring incident, a one-time event or a peripherally related attack, etc. Was the incident detrimental to operations or not? Was the incident preventable?

As a registered entity, please be reminded that you need to use common business sense and good utility practice when creating/presenting your interpretation(s). Do not interpret a requirement as being something that it clearly is not. In other words, don’t interpret sabotage in CIP-001 as being only an event that is caused by a terrorist. A perfectly acceptable method is to look up the definition of sabotage in the dictionary and use that definition as a guide or starting point.

The information given in this document was garnered through conversations and Q&A sessions with various members of FERC, NERC and several regional entities.

James Holler is founder of Abidance Consulting.


NERC/FERC Compliance Standards Too Vague, Former Official Says

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

Confused by FERC’s sometimes vague compliance requirements? You’re not alone – FERC might be, too.

That’s the startling revelation we got recently from a man who ought to know: Randal Blanchette left the agency in September to join Abidance Consulting. At FERC, Randal was a cyber security specialist in the Office of Electric Reliability. He’s done audits on utilities large and small, and he’s seen it all.

“I was there at the creation” of the CIP 002-009 Standards, Randal adds. He’s uniquely positioned to help companies navigate these regulations, he argues, because he’s the only one involved at this level who has since left FERC. “Not to toot my own horn, but I understand what is happening and no one who has left FERC was in the position I was in,” Randal says.

So far, FERC’s efforts to provide more specific standards and requirements have been hamstrung by internal disagreements and an overarching desire to develop standards that “are defensible in court,” the former FERC official says. That makes some sense, since a standard that won’t hold up in court loses a lot of regulatory teeth, Randal agrees, but that focus has sometimes made it difficult for FERC to offer much in the way of specifics. And it’s left a lot of regulated entities scratching their heads.

“The creation of the CIP 002-009 Standards by NERC with approval from FERC [presented industry with] many challenges of interpretive guidance as can be expected from an imperfect set of documents that catered to the lowest common denominator while simultaneously skimping on clarity for the entity players to understand,” Abidance Consulting’s James Holler has written on this blog.

“Many of the regulated entities I audited or came in contact with didn’t understand the ramifications of non-compliance” with the regulations, Randal says. Worse still, many thought they were in compliance when they actually weren’t. “Many don’t have a good sense of what’s expected of them and how to comply.”

While regulated entities should get some sympathy for having to grapple with sometimes vague regulations, they still have to find ways to comply, Randal notes.

Making matters more complicated, Randal adds, is that there is a lot of “misinformation” out there in cyberland about what constitutes compliance proven reporting procedures. Chatter and informal “advice” on the Internet is only adding to the compliance ambiguity faced by many regulated entities.

But there is some relatively good news, Randal says. The new CIP 010 and 011 standards are “more specific and helpful, but we’re still not there yet.”

Progress not perfection, as they say.
