cyber security response

Staff of the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) have outlined in a report best practices for responding to and recovering from cyber security incidents such as the ransomware attack that temporarily shut down a natural gas pipeline earlier this year.

The joint staffs identified common elements in the Incident Response and Recovery (IRR) plans of electric utilities.

Effective IRR procedures define personnel roles clearly, promote accountability and empower personnel to act without unnecessary delay, the agencies said in the report published on Monday. Successful plans also use supporting technology and automated tools while recognizing the importance of human performance.

Proven IRRs require well-trained personnel who continually update their skills and incorporate lessons learned from past incidents or exercises, according to the regulators. Effective IRRs also baseline normal operations so that personnel can detect significant deviations from them, and they use flowcharts or decision trees to determine quickly when the utility has reached a predefined risk threshold and a suspicious set of circumstances qualifies as an event.
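The two ideas in that paragraph, a baseline that makes deviations measurable and a predefined decision tree that turns observations into an "event" verdict, are small enough to show in code. The following is an added illustration, not code from the FERC/NERC report or from any utility: the hourly connection counts, the weights and the thresholds are all constructed for the example, and a real plan would derive them from the site's own telemetry and risk tolerance.

```python
"""Baseline-and-threshold triage (added illustration, not from the FERC/NERC report).

Part 1: build a baseline of "normal" hourly outbound connection counts for a host
        and flag observations that deviate significantly from it.
Part 2: a predefined decision tree that combines the flagged deviation with a few
        other observations into a verdict: "normal", "monitor" or "event".
Every host, count, weight and threshold here is constructed for the example.
"""
from statistics import mean, pstdev

# Constructed telemetry: hourly outbound connection counts for a hypothetical
# historian host. The first list is the training window, the second is new data.
BASELINE_WINDOW = [12, 14, 11, 13, 15, 12, 14, 13, 12, 16, 11, 13,
                   14, 12, 13, 15, 12, 14, 13, 12, 15, 13, 12, 14]
OBSERVED = [13, 12, 14, 88, 13, 12, 95, 12]


def build_baseline(samples, min_stddev=1.0):
    """Mean and standard deviation of the training window.

    min_stddev keeps a very flat baseline from turning every small wobble
    into an alert, a common source of false positives on quiet OT hosts.
    """
    mu = mean(samples)
    sigma = max(pstdev(samples), min_stddev)
    return mu, sigma


def deviations(observed, baseline, z_threshold=4.0):
    """Return (index, value, z) for each sample at or beyond z_threshold sigmas."""
    mu, sigma = baseline
    flagged = []
    for i, value in enumerate(observed):
        z = (value - mu) / sigma
        if abs(z) >= z_threshold:
            flagged.append((i, value, round(z, 2)))
    return flagged


# Predefined scoring for the decision tree (constructed weights, not the report's).
WEIGHTS = {
    "baseline_deviation": 3,     # significant departure from the host's baseline
    "unknown_external_peer": 3,  # connection to an address not on the site allow list
    "auth_failures": 2,          # burst of failed logons on the same host
    "after_hours": 1,            # activity outside the site's staffed window
}
EVENT_THRESHOLD = 5    # at or above: declare an event and activate the IRR plan
MONITOR_THRESHOLD = 3  # at or above: heightened monitoring, assign an analyst


def triage(observations):
    """Walk the predefined decision tree.

    Any reported impact on the OT process is an event regardless of score;
    otherwise the weighted observations are summed and compared to the thresholds.
    """
    if observations.get("ot_process_impact"):
        return "event", "process impact reported: activate IRR plan immediately"
    score = sum(w for key, w in WEIGHTS.items() if observations.get(key))
    if score >= EVENT_THRESHOLD:
        return "event", f"risk score {score} >= {EVENT_THRESHOLD}: activate IRR plan"
    if score >= MONITOR_THRESHOLD:
        return "monitor", f"risk score {score}: assign analyst, re-evaluate within the hour"
    return "normal", f"risk score {score}: log and continue baseline collection"


def run_example():
    """Baseline the training window, flag the observed spikes, then triage them."""
    baseline = build_baseline(BASELINE_WINDOW)
    flagged = deviations(OBSERVED, baseline)
    observations = {
        "baseline_deviation": bool(flagged),
        "unknown_external_peer": True,   # constructed: peer not on the site allow list
        "auth_failures": False,
        "after_hours": True,
    }
    verdict, reason = triage(observations)
    return flagged, verdict, reason


if __name__ == "__main__":
    flagged, verdict, reason = run_example()
    for index, value, z in flagged:
        print(f"hour {index}: {value} connections, z = {z}")
    print(verdict, "-", reason)
```

The explicit thresholds are the point: the person on shift does not have to judge whether 88 connections is "a lot", because the plan already fixed the deviation threshold and the score at which an event is declared, which is what lets staff act without waiting for a committee.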

The agencies found that under a sound IRR plan, a utility severs all external connections when the plan is activated, and weighs the possibility that a containment action may itself trigger destructive behavior pre-programmed into the malware. Utilities should also collect evidence and continue analysis to determine whether an event indicates a larger compromise. The agencies also found effective an IRR that considers the resource implications of a response of indeterminate length and implements lessons learned from previous incidents and exercises.

The joint staffs of FERC and NERC, together with the NERC regional entities, developed the report after interviewing subject matter experts from eight electric utilities of varying size and function. The report includes the joint staffs' observations on the utilities' defensive capabilities and on the effectiveness of their IRR plans.

Earlier this year, a ransomware cyber attack caused a natural gas company to shut down a pipeline for two days, according to the Department of Homeland Security.

DHS' Cybersecurity and Infrastructure Security Agency (CISA) did not say where or when the attack occurred, but said the unnamed "threat actor" gained access to the facility's network through a malicious link sent by email. The malware first infected the information technology (IT) network and then spread to the operational technology (OT) network of a natural gas compression station. The attackers then deployed the ransomware, which encrypted data and prevented systems from running properly, according to CISA.

The attackers were able to reach the OT network because the operator had not properly segmented it from the IT network, the agency said. During the attack they disrupted several devices that operators rely on to view what is happening in the compression station, though "at no point did the victim lose control of operations."
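The segmentation failure CISA describes is the kind of thing that can be checked before an incident rather than discovered during one. Below is an added example, not code from the CISA advisory or from the affected operator: it audits a constructed firewall rule set for the paths that let IT-side malware reach OT, namely direct IT-to-OT allows, broad any-port rules crossing the boundary, and OT hosts permitted to initiate Internet connections. The zone names, subnets, rule format and the single brokered RDP exception are all hypothetical.

```python
"""Segmentation policy audit (added illustration, not from the CISA advisory).

Checks a constructed firewall rule set for the conditions that let an IT-side
compromise spread into OT. Zone names, subnets, rules and the broker exception
are hypothetical; a real audit would load the vendor's exported policy instead.
"""
import ipaddress

# Hypothetical zones. Anything not inside one of these is treated as Internet.
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),      # jump hosts, historian replica
    "OT":  ipaddress.ip_network("192.168.50.0/24"),
}

# The only (source zone, destination port) pairs allowed to enter OT:
# here a brokered RDP session from the DMZ jump host.
ALLOWED_INTO_OT = {("DMZ", 3389)}

# Constructed rule set: (name, source, destination, destination port or "any", action)
RULES = [
    ("allow-mgmt-to-ot", "10.10.5.0/24",    "192.168.50.0/24",  "any", "allow"),  # direct IT->OT
    ("allow-jump-rdp",   "10.20.0.10/32",   "192.168.50.0/24",  3389,  "allow"),  # via DMZ broker
    ("allow-smb-share",  "10.10.0.0/16",    "192.168.50.20/32", 445,   "allow"),  # IT file share
    ("ot-internet",      "192.168.50.0/24", "0.0.0.0/0",        443,   "allow"),  # OT to Internet
    ("deny-all",         "0.0.0.0/0",       "0.0.0.0/0",        "any", "deny"),
]


def zone_of(cidr):
    """Map a CIDR to the zone that fully contains it, or INTERNET if none does."""
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "INTERNET"


def audit(rules):
    """Return (rule name, finding) for every allow rule that weakens IT/OT separation."""
    findings = []
    for name, src, dst, port, action in rules:
        if action != "allow":
            continue
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        # Anything entering OT must be one of the explicitly brokered paths.
        if dst_zone == "OT" and (src_zone, port) not in ALLOWED_INTO_OT:
            how = "any port" if port == "any" else f"port {port}"
            findings.append((name, f"{src_zone}->OT allowed on {how}; "
                                   "OT should be reachable only through the DMZ broker"))
        # OT hosts initiating to the Internet gives ransomware a download and
        # command channel; updates should be staged through the DMZ instead.
        if src_zone == "OT" and dst_zone == "INTERNET":
            findings.append((name, "OT zone may initiate Internet connections; "
                                   "block and stage updates through the DMZ"))
    return findings


if __name__ == "__main__":
    for rule_name, finding in audit(RULES):
        print(f"{rule_name}: {finding}")
```

Note that the rule named after a legitimate need (a historian file share on port 445) is flagged just as the any-port rule is: SMB from the whole IT range into an OT host is exactly the path a worm or a ransomware operator with IT credentials would use, and the fix is to serve that data from a DMZ replica rather than to open the boundary.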

The facility was able to restore the last known good configurations and replace affected equipment, according to the agency. However, it noted that the facility lacked an emergency response plan that accounted for cyber threats.

CISA said the facility’s owner “cited gaps in cybersecurity knowledge and the wide range of possible scenarios” as reasons for not having a plan for cyber threats.

The agency’s technical document marks the first time the U.S. government has publicly reported a disruptive hack of U.S. pipeline networks.