Dive Brief:
- A new report from the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation outlines best practices for utilities facing a cyber intrusion, but some experts say the advice misses obvious responses and could allow hackers to perpetrate additional damage.
- "Containment is not always the best option," the report warns, noting that disconnecting systems to prevent malware from communicating with hackers can result in "predefined destructive actions," including erasing data or rendering equipment unusable.
- While such a scenario is possible, it is not common, and waiting to disconnect access could allow hackers additional time to disrupt utility networks, according to Tony Turner, vice president of security solutions for Fortress Information Security. "There will always be edge cases. We want to follow a defined process that is the right approach in most scenarios," he said.
Dive Insight:
Utilities are working hard to keep hackers out of their networks, but intrusions do occur. FERC and NERC's new report focuses on common elements found among effective Incident Response and Recovery (IRR) plans.
Among the shared aspects, the report concludes that effective IRR plans contain well-defined personnel roles, use baselining "so personnel can detect significant deviations from normal operations," and consider the impacts that incident responses can have on network and operations resources.
The report is based on interviews with eight unnamed electric utilities as well as FERC and NERC staff observations of their defensive capabilities and the effectiveness of their plans.
"IRR plans are important resources for addressing cyber threats, and effective IRR plans can mitigate the natural advantages that cyber attackers possess," the report concludes. "Because attackers operate covertly to gain footholds across networks, effective IRR plans should be in place and response teams should be prepared to detect, contain, and, when appropriate, eradicate the cyber threat before it can impact the utility’s operations."
The report notes that because there are differences among utilities, "there is no one best IRR plan model." But based on staff's observations, "there are practices that utilities should consider when developing their own IRR plans."
Those often include "unplugging and isolating the operational network to protect reliable operations." But the report also cautions that there can be risks to immediately containing or isolating a threat, and notes that some strategies include "monitoring malicious traffic to better understand it."
Understanding the risks of incident response
While it is true that observing hackers' activity can yield important information, Fortress' Turner said in most cases the best move is to cut off the intruder's access as quickly as possible. The risk that containing an attacker results in more damage is largely a "Hollywood scenario," he said.
The utility industry at large is "super-focused on the zero-day, advanced-system threat and super-destructive malware," said Turner. "That's cute but it's not the real world." The majority of hacks, he said, will be low-skill and attacks of opportunity.
"You can't predict what kind of scenario you're walking into," said Turner. "When you first identify there's been an incident, you have a short period of time to decide what you want to do. The key is to have good training, a documented process, and be prepared with an incident response plan."
However, fully assessing the situation is important, and more sophisticated attacks are a possibility. Rick Moy, vice president of sales and marketing at cybersecurity firm Tempered, said that it is often best to "determine the scope of the adversary’s intrusion."
"Responders should be aware that any action against an infected host sends intelligence back to the adversary, thereby signaling awareness of the event," said Moy. "There are often multiple footholds within an organization, which could then still be controlled, and even given instructions on how to evade detection."
Financial institutions, said Moy, "will often leave infected trading systems running in order to avoid certain downtime and loss until the workload can be transferred to a clean system."
The report concludes it is important to understand how long an attacker has had access to a utility system, to understand the full extent of the vulnerability. And the analysis warns that containment strategies "should balance the need for responsiveness with the potential of operational impact if a containment strategy, such as isolation, is performed too soon."
There are risks involved in eradicating a malware attack, according to Katie Teitler, senior analyst at security firm TAG Cyber.
"When any part of the system needs to be taken offline to manage the attack, that results in loss of system use and/or access," Teitler said in an email. "And if the attack is ransomware, companies need to consider data exposure in addition to breach."
To properly handle malware containment and eradication, "it's possible that dependent systems will be impacted," said Teitler. If, for instance, a programmable logic controller is taken offline, then automated processes or machines may stop running.
In the case of industrial control systems, which hackers are increasingly targeting, Teitler said taking some systems offline "could mean a power plant might not be able to deliver electricity to its consumers, or manufacturing companies' robotic devices wouldn't work for some period."