The Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) on July 31 published a joint white paper to help the electric utilities identify specific vendors of components on their networks so that they can take any necessary action to mitigate potential risks to the bulk power system (BPS).
The purpose of the white paper is to provide example approaches on assessing infrastructure and the deployment of specific foreign adversary components that could be used to impact the BPS. While there are several noninvasive methods highlighted in the document, industry may have other methods to identify foreign vendor equipment or components, FERC and NERC noted.
“In addition, industry should consider developing and implementing a process to not only initially identify vendor suppliers, but also to implement an overarching process that could be periodically re-performed and assessed against previous results.”
The white paper notes that in 2012, the House Permanent Select Committee on Intelligence released a bipartisan report assessing the security threat posed by Chinese telecommunication companies. This report recommended against the use of Huawei or ZTE equipment by U.S. government agencies and federal contractors and encouraged the private sector to exclude such equipment as well.
Due to the pervasiveness of these manufacturers throughout the marketplace, the electric sector may unknowingly be using devices from foreign adversaries that could negatively impact the BPS, FERC and NERC said.
To facilitate the identification of these devices, this report details possible techniques that noninvasively identify one component, the network interface controller (NIC), which generally takes the form of an integrated circuit chip integrated into a motherboard or upon a host bus adapter card.
According to the white paper, research has demonstrated numerous avenues to compromise systems using NICs as a method for undetected access for an attacker. “While the techniques described in this report will aid in identifying the NIC vendor, please note that the presence of foreign vendor equipment does not necessarily indicate malicious activity,” FERC and NERC said.
The report identifies the noninvasive techniques that security professionals may employ to identify a vendor of a NIC. “This approach selects the NIC as a well-known and often-targeted component and contemplates methods for easy identification of devices often not readily labeled by suspect vendors or that may integrate suspect vendor components.”
The techniques described in the report are not the only methods of detection nor do they encompass the only concerns industry should have about malicious activity and attacks, the white paper said.
FERC and NERC said that before implementing any approach detailed in the white paper, “caution dictates complete testing in a non-production network to minimize or eliminate operational impacts. If a vendor of concern is identified, it does not confirm there is malicious activity in the network. Actions should be taken to determine if the device or component exhibits malicious activity.”
The white paper is available here.