Web Leslie, Inside Energy & Environment (Covington & Burling LLP)

FERC Orders Development of New Internal Network Security Monitoring Standards

By Ashden Fein, Caleb Skeath, Web Leslie and Shayan Karbassi, January 26, 2023. Posted in: Electric Grid, Cybersecurity, FERC, Grid Modernization, Grid Security.

The Federal Energy Regulatory Commission ("FERC") issued Order No. 887, a final rule directing the North American Electric Reliability Corporation ("NERC") to develop new or modified Reliability Standards that require internal network security monitoring ("INSM") within Critical Infrastructure Protection ("CIP") networked environments.  NERC must submit the new or modified standards within 15 months of the effective date of the final rule, which is 60 days after the date of its publication in the Federal Register.

Background

According to the FERC news release, the 2020 global supply chain attack involving the SolarWinds Orion software demonstrated how attackers can "bypass all network perimeter-based security controls traditionally used to identify malicious activity and compromise the networks of public and private organizations."  Thus, FERC determined that current CIP Reliability Standards focus on prevention of unauthorized access at the electronic security perimeter and that CIP-networked environments are thus vulnerable to attacks that bypass perimeter-based security controls.  The new or modified Reliability Standards ("INSM Standards") are intended to address this gap by requiring responsible entities to employ INSM in certain BES Cyber Systems.  INSM is a subset of network security monitoring that enables continuing visibility over communications between networked devices that are in the so-called "trust zone," a term which generally describes a discrete and secure computing environment.  For purposes of the rule, the trust zone is any CIP-networked environment.  In addition to continuous visibility, INSM facilitates the detection of malicious and anomalous network activity to identify and prevent attacks in progress.  Examples provided by FERC of tools that may support INSM include anti-malware, intrusion detection systems, intrusion prevention systems, and firewalls.   

New or Modified Reliability Standards

The INSM Standards will apply to all high-impact BES Cyber Systems and medium-impact BES Cyber Systems with external routable connectivity, defined as the ability to access a BES Cyber System from outside of its associated electronic security perimeter.  FERC declined to set an implementation timeframe for the forthcoming standards, instead directing NERC to recommend an implementation period when it submits its proposal; as a result, the deadline for responsible entities to implement INSM may still be several years away.

Under the rule, the INSM Standards must:

  • (1) address the need for responsible entities to develop a baseline of network traffic within their CIP-networked environments;
  • (2) address the need for responsible entities to monitor for and detect unauthorized activity, connections, devices, and software within their CIP-networked environments; and
  • (3) require responsible entities to identify anomalous activity to a high level of confidence, including by
    • (c) implementing measures to minimize the likelihood of an attacker removing evidence of their tactics, techniques, and procedures from compromised devices.
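The three requirements above (a traffic baseline, detection of unknown devices and connections, and findings that an intruder cannot quietly erase) can be sketched in a few dozen lines. This is an added illustration, not code from the post, FERC, or NERC; the flows, addresses, and the hash-chained log are constructed for the example and are not part of any standard.

```python
import hashlib
from collections import namedtuple
Flow = namedtuple("Flow", "src dst dport proto")

# Constructed east-west flows inside a hypothetical CIP-networked environment:
# BASELINE_WINDOW is the learning period, LIVE_TRAFFIC what is seen afterwards.
BASELINE_WINDOW = [
    Flow("10.10.1.10", "10.10.1.20", 502, "tcp"),    # HMI -> PLC (Modbus)
    Flow("10.10.1.10", "10.10.1.30", 20000, "tcp"),  # HMI -> RTU (DNP3)
    Flow("10.10.1.40", "10.10.1.20", 502, "tcp"),    # historian -> PLC
]
LIVE_TRAFFIC = [
    Flow("10.10.1.10", "10.10.1.20", 502, "tcp"),    # matches baseline
    Flow("10.10.1.77", "10.10.1.20", 502, "tcp"),    # device never seen before
    Flow("10.10.1.40", "10.10.1.30", 22, "tcp"),     # known devices, new connection
]
def build_baseline(flows):
    # Baseline = known devices plus known (src, dst, dport, proto) connections.
    devices = {f.src for f in flows} | {f.dst for f in flows}
    return {"devices": devices, "connections": set(flows)}
def classify(flow, baseline):
    # Findings for one flow; an empty list means it is consistent with the baseline.
    findings = [f"unknown device {d}" for d in (flow.src, flow.dst)
                if d not in baseline["devices"]]
    if flow not in baseline["connections"]:
        findings.append(f"new connection {flow.src}->{flow.dst}:{flow.dport}/{flow.proto}")
    return findings

class EvidenceLog:
    # Append-only, hash-chained findings: each hash commits to the previous one, so an
    # edited or deleted entry shows up when compared with a copy kept off the host.
    def __init__(self):
        self.entries = []  # list of (record, chain_hash)
    def append(self, record):
        prev = self.entries[-1][1] if self.entries else "0" * 64
        self.entries.append((record, hashlib.sha256((prev + record).encode()).hexdigest()))
    def verify(self):
        prev = "0" * 64
        for record, digest in self.entries:
            if hashlib.sha256((prev + record).encode()).hexdigest() != digest:
                return False
            prev = digest
        return True

def monitor(live_flows, baseline, log):
    # Check every live flow against the baseline and record each finding in the log.
    alerts = [f for flow in live_flows for f in classify(flow, baseline)]
    for finding in alerts:
        log.append(finding)
    return alerts
```

In practice the baseline would be learned from sensor or flow data over a long window and the chained log shipped to a collector outside the monitored host, which is what gives the tamper check its value.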

Feasibility Study

Within 12 months of the final rule, NERC must also submit a report that studies the feasibility of implementing INSM within medium-impact BES Cyber Systems without external routable connectivity and all low-impact BES Cyber Systems, which are not subject to the INSM Standards.

FERC has emphasized that the commissioned feasibility study should include a determination of:

(1) The ongoing risk to the reliability and security of the Bulk-Power System posed by low and medium-impact BES Cyber Systems that will not be subject to the INSM Standards; and

(2)

International Cybersecurity Authorities Issue Joint Advisory on Russian Cyber Threats to Critical Infrastructure

By Ashden Fein, Moriah Daugherty and Web Leslie, April 26, 2022. Posted in: European Energy and Climate Policy, Cybersecurity, Energy, Infrastructure, Russia, Ukraine.

On April 20, 2022, the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom—the so-called "Five Eyes" governments—announced the publication of Alert AA22-110A, a Joint Cybersecurity Advisory (the "Advisory") warning critical infrastructure organizations throughout the world that the Russian invasion of Ukraine could expose them "to increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups."  The Advisory is intended to update a January 2022 Joint Cybersecurity Advisory, which provided an overview of Russian state-sponsored cyber operations and tactics, techniques, and procedures ("TTPs").

In its announcement, the authorities urged critical infrastructure network defenders in particular "to prepare for and mitigate potential cyber threats by hardening their cyber defenses" as recommended in the Advisory.

Overview.  The Advisory notes that "evolving intelligence" indicates that the Russian government is exploring options for potential cyber attacks and that some cybercrime groups have recently publicly pledged support for the Russian government and threatened to conduct cyber operations on behalf of the Russian government.  The Advisory summarizes TTPs used by five state-sponsored advanced persistent threat ("APT") groups, two Russian-aligned cyber threat groups, and eight Russian-aligned cybercrime groups.  Additionally, it provides a list of mitigations and suggests that critical infrastructure organizations should implement certain mitigations "immediately."

Russian State-Sponsored Cyber Operations.  The Advisory notes that Russian state-sponsored cyber actors have "demonstrated capabilities" to compromise networks; maintain long-term, persistent access to networks; exfiltrate sensitive data from information technology ("IT") and operational technology ("OT") networks; and disrupt critical industrial control systems ("ICS") and OT networks by deploying destructive malware.  The Advisory details the five Russian APT groups:

Russian Federal Security Service ("FSB"): The FSB, the successor agency to the Soviet KGB, has conducted malicious cyber operations against organizations within multiple critical infrastructure sectors, including the Energy Sector (including U.S. and UK companies), the Transportation Sector (including in the United States), the Water and Wastewater Systems Sector, and the Defense Industrial Base Sector, as well as government and military personnel, private organizations, cybersecurity companies, and journalists.  Common TTPs include exploiting internet-facing infrastructure and network appliances, conducting brute force attacks against public-facing web applications, and leveraging compromised infrastructure, such as websites frequented or owned by their target.

Russian Foreign Intelligence Service ("SVR"):  SVR has likewise targeted multiple critical infrastructure organizations, although the Advisory does not specify the sectors in which these organizations operate.  SVR's TTPs include custom and sophisticated malware targeting Windows and Linux systems and lateral movement within a compromised network that can bypass multi-factor authentication ("MFA") on privileged cloud accounts.  The U.S., UK, and Canada have attributed the SolarWinds Orion supply chain compromise to the SVR.

Russian General Staff Main Intelligence Directorate ("GRU"), 85th Main Special Service Center ("GTsSS"): GTsSS primarily targets government organizations, travel and hospitality entities, research institutions, non-government organizations, and critical infrastructure entities.  Its TTPs include harvesting credentials to gain access to targets via spear phishing emails and spoofed websites that trick users into entering their account names and passwords.

GRU's Main Center for Special Technologies ("GTsST"): GTsST is known to target critical infrastructure entities, including those within the Energy, Transportation, and Financial Services Sectors, as well as member states belonging to the North Atlantic Treaty Organization ("NATO") and Western governments and military organizations.  GTsST is particularly known to use destructive or disruptive attacks, such as distributed denial of service ("DDoS") and wiper malware.

Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics ("TsNIIKhM"): TsNIIKhM is known publicly as a research organization in the Russian Ministry of Defense, but the Advisory notes it has developed destructive ICS malware, known as Triton, HatMan, and TRISIS.

Russian-Aligned Cyber Threat Groups.  The Advisory addresses two state-sponsored cyber threat groups:  PRIMITIVE BEAR and VENOMOUS BEAR.  The former is known to target Ukrainian organizations and the latter is known to target NATO governments, defense contractors, and "other organizations of intelligence value."  Notably, the Advisory explains that none of the governments responsible for the Advisory have formally attributed either of these groups to the Russian government, but nevertheless seems to recognize that these groups are aligned with the Russian government.

Russian-Aligned Cybercrime Groups.  The Advisory details eight cybercrime groups aligned with the Russian government.  The Advisory notes that these groups are often financially motivated and pose a threat to critical infrastructure organizations throughout the world, primarily through ransomware and DDoS attacks.  The Advisory notes that while these groups "may conduct cyber operations in support of the Russian government," cybercriminals will most likely continue to operate primarily on the basis of financial motivations, which may include targeting government and critical infrastructure organizations.

CoomingProject: This group extorts victims by leaking, or threatening to leak, stolen data.  CoomingProject has pledged support to the Russian government in response to cyberattacks against it.

Killnet: Killnet has likewise pledged its support to the Russian government.  It also claimed responsibility for a 2022 DDoS attack against a U.S. airport in response to U.S. materiel support for Ukraine.

MUMMY SPIDER: This group operates an advanced, modular botnet, known as Emotet, which primarily functions as a downloader and distribution service for other cybercrime groups.  Emotet has been used to target "financial, e-commerce, healthcare, academia, government, and technology organizations' networks" throughout the world.

SALTY SPIDER: This group also operates a botnet, known as Sality, which uses advanced peer-to-peer malware loaders.  SALTY SPIDER has conducted DDoS attacks against Ukrainian web forums discussing the Russian invasion of Ukraine.

SCULLY SPIDER: This group operates a "malware-as-a-service" model, which includes maintaining a command and control infrastructure and selling access to its malware and infrastructure to affiliates.  SCULLY SPIDER also operates the DanaBot botnet, which effectively functions as an initial access vector for other malware and can result in ransomware deployment.  The group primarily targets organizations in the United States, Canada, Germany, United Kingdom, Australia, Italy, Poland, Mexico, and Ukraine.

SMOKEY SPIDER: This group operates a malicious bot, known as Smoke Loader or Smoke Bot, which is used to upload other malware.  The group's bot has been used to distribute malware payloads used in DDoS attacks against Ukrainian targets.

WIZARD SPIDER: This group develops TrickBot malware and Conti ransomware.  This group has targeted construction and engineering companies, legal and professional services, manufacturing, retail, U.S. healthcare, and first responder networks, and has publicly pledged support to the Russian government, threatened critical infrastructure organizations of countries perceived to "carry out cyberattacks or war against the Russian government," and threatened to "retaliate against perceived attacks against the Russian people."

The Xaknet Team: The Xaknet Team has only been active since March 2022 and has stated they will work "exclusively for the good of [Russia]."  The group has threatened to target Ukrainian organizations in response to perceived attacks against Russia and, in March 2022, leaked emails of a Ukrainian official.

Mitigations.  The Advisory provides several mitigations that it recommends critical infrastructure organizations implement "immediately": (1) updating software; (2) enforcing MFA to the greatest extent possible and requiring strong passwords; (3) securing and monitoring Remote Desktop Protocol; and (4) providing end-user awareness and training on potential cyber threats.

The Advisory also recommends that critical infrastructure organizations "exercise due diligence in identifying indicators of malicious activity" and take specific steps upon detecting APT or ransomware activity.

These steps include: (1) immediately isolating affected systems; (2) identifying and blocking traffic from suspected attacker IP addresses, enabling firewall rate limiting, and notifying the organization's internet service provider and remotely triggered black holes; (3) securing backups; (4) collecting and reviewing relevant logs, data, and artifacts; (5) considering engaging a third-party IT organization; and (6) reporting the incident to the appropriate cybersecurity and law enforcement authorities.  The Advisory also "strongly discourages" paying ransoms to criminal actors, noting that payment does not always result in the successful recovery of the victim's files and that such payments may "embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities."

Additional Resources.  The Advisory also provides links to numerous additional topical resources, including on Russian state-sponsored malicious cyber activity; cybercrime and malicious cyber activity; protecting against and responding to ransomware; destructive malware; incident response; and critical infrastructure owners and operators with OT/ICS networks.  Cybersecurity, law enforcement, and intelligence agencies have recently issued several alerts and warnings about the seriousness of Russian cyber threats and have jointly collected intelligence on Russian cyber operations, underscoring the broad scope of malicious Russia-affiliated cyber activity and the significant threat it poses.  Organizations, particularly those within critical infrastructure sectors and those operating critical ICS and OT networks, should consider assessing their cybersecurity posture in light of these threats, including whether there are gaps in the organization's cybersecurity posture and whether it is necessary to implement the specific mitigations identified in the Advisory.
