May 4, 2024
Global Renewable News

US FEDERAL ENERGY REGULATORY COMMISSION
FERC, NERC Release Joint Report on SolarWinds and Related Supply Chain Compromise

July 8, 2021

Executive Summary
This white paper, prepared jointly by Federal Energy Regulatory Commission (FERC) staff and the E-ISAC, emphasizes the need for continued vigilance by the electricity industry related to supply chain compromises and incidents and recommends specific cybersecurity mitigation actions to better ensure the security of the bulk-power system (BPS). While focusing primarily on the ongoing cyber event related to the SolarWinds Orion platform and the related Microsoft 365/Azure Cloud compromise, it also addresses related compromises in products such as Pulse Connect Secure. Two additional examples of compromises, Microsoft's on-premise Exchange servers and F5's BIG-IP, are discussed to illustrate continued adversary interest in and exploitation of ubiquitous software systems.

Because of SolarWinds' wide use and the adversarial tactics used, even entities that did not install SolarWinds on their networks could still be impacted. For example, the indicators of compromise (IOCs) have been found on networks without SolarWinds. In addition, although SolarWinds may not have been used by entities, their key suppliers may use the product. Should the suppliers be compromised, the supplier in turn could compromise their customers, including those without SolarWinds. In fact, there is evidence technology firms were targeted for this reason.

On December 13, 2020, FireEye Inc., a cybersecurity solutions and forensics firm, publicly posted details about an attack on certain software developed by SolarWinds Orion. For victims, this attack is particularly damaging because in order to function SolarWinds must have broad and privileged access to the networks it manages, including both the corporate and operational networks of an entity. The breach provides the opportunity for an adversary to monitor network traffic and compromise systems, which could result in disruption of their operations.

Underscoring the severity of the event, on December 13, 2020, the U.S. Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, which required Federal agencies to take action based on the DHS assessment that a successful compromise from the SolarWinds attack would have "grave" consequences. On December 15, 2020, the White House National Security Council (NSC) established a Cyber Unified Coordination Group (UCG) composed of multiple Federal agencies to coordinate the investigation and remediation of the "significant" cyber incident. On December 17, 2020, CISA issued Alert AA20-352A, directed toward the private sector, which described the attack for industry, the affected products and the mitigation recommendations.

In response to the breach, SolarWinds issued a new version of its software that eliminated the compromised code and addressed other vulnerabilities. At a minimum, users of the compromised software were advised to update their SolarWinds software with the updated version. CISA, however, has warned that operating even the updated version of SolarWinds may carry some risk, explaining that "...it is likely that the adversary is in a strong position to identify any potential ... vulnerabilities in the SolarWinds Orion code that are unrelated to the inserted malicious code and may therefore survive its removal."1

Considering the sophistication, breadth, and persistence of the SolarWinds attack, it is recommended that electric industry stakeholders fully consider the available diagnostics and mitigation measures to effectively address the software compromise. Likewise, it is valuable for entities to consider the recommendations of both CISA Alerts. While CISA Emergency Directive 21-01 is directed to Federal agencies, private sector entities can benefit from the specific mitigation actions set forth in the document, including: disconnecting affected systems, conducting deep forensics, performing risk analyses, and consulting with CISA before reconnecting affected systems.

1 DHS CISA, https://cyber.dhs.gov/ed/21-01/

For more information

US Federal Energy Regulatory Commission
888 First St NE
Washington District of Columbia
United States 20426
www.ferc.gov