According to multiple media reports, the malware associated with Grizzly Steppe was discovered on a Burlington Electric laptop that was “not connected to the organization’s grid systems.” These reports were based on the DHS/FBI Joint Analysis Report (JAR) from Dec 29, 2016. Grizzly Steppe is the call sign given by the US Government to the wide variety of malicious cyber activity conducted by the Russian civilian and military intelligence services (RIS). It does not refer to one specific attack vector or malware family. However, the malware found on the Burlington Electric laptop appears to have been installed via a spear phishing attack in which fraudulent emails were sent to specific Burlington Electric personnel. The legitimate-looking emails requested sensitive information such as usernames and passwords.
This attack comes almost a year to the day after 2015’s successful cyber attack on the Ukrainian power grid. That concentrated attack on the Ukrainian distribution network resulted in significant outages to their system. It is believed that the RIS was responsible for that attack.
The Federal Government associates the Grizzly Steppe spear phishing activity with the same attack vector that interfered with the 2016 Presidential election and compromised the email accounts of several DNC members.
So what does this mean from a NERC CIP perspective? The only requirements that relate in some way to a spear phishing attack are CIP-004-5 R1 and R2, which require quarterly security awareness training (R1) and a cyber security training program (R2) that, at best, requires personnel to know how to identify a potential Cyber Security Incident. Neither specifically addresses spear phishing. CIP-007-5 R3 requires methods to be deployed to detect, deter, prevent, and mitigate malicious code. The other important thing to remember is that these CIP-004-5 and CIP-007-5 requirements apply only to High and Medium impact BES Cyber Systems. As we saw last year, NERC CIP does not address the type of attack that occurred in Ukraine, because here in the States Distribution Entities are not currently in scope as Medium or High impact under the NERC CIP framework. Additionally, in the case of Burlington Electric, the malware-infected laptop did not appear to be part of any identified operational network or in-scope BES Cyber System. Therefore, it was not required to have the protections under CIP-007-5 R3. This means that if you are relying on NERC CIP as your security posture, both the 2015 and the 2016 cyber attacks may have gone undetected.
Page 9 of the above-linked JAR does provide mitigation strategies for spear phishing attacks, but for those of you still believing that NERC CIP compliance will make you secure, this incident continues to disprove that assumption.
Regardless of any NERC CIP regulatory applicability, or the lack thereof, all utilities and Industrial Control System end users need to be looking at proven security guidelines such as NIST 800-82 “Guide to Industrial Control Systems Security” and the SANS Top 20 Critical Controls for Effective Cyber Defense to implement a security program focused on recovery, operational efficiency, and overall risk mitigation.