On July 6, 2021, the Federal Energy Regulatory Commission (FERC) staff and the North American Electric Reliability Corporation’s (NERC) Electricity Information Sharing and Analysis Center (E-ISAC) issued a white paper on the SolarWinds Orion cyber supply chain compromise, which was first detected in mid-December 2020 by FireEye Inc., a cybersecurity solutions and forensics firm.  While the white paper primarily focuses on the SolarWinds Orion compromise, it also reviews related events involving Microsoft, Pulse Connect Secure and others.  The white paper urges continued vigilance by the electricity industry regarding supply chain compromises and incidents, and recommends specific cybersecurity mitigation actions to better ensure the security of the bulk-power system (BPS).

SolarWinds develops software that businesses use to manage their networks, systems, and information technology infrastructure.  Approximately 18,000 SolarWinds customers were directly impacted by this supply chain compromise.  Federal agencies believe the Russian Foreign Intelligence Service (SVR) gained access to the SolarWinds production environment after obtaining passwords that were then used to gain IT administrative privileges via remote access.  With this access, the SVR inserted malware into a SolarWinds software update that was then sent to SolarWinds customers.  Neither SolarWinds nor its customers knew the update contained malware, and many of them installed the infected update.  This is an example of a trusted vendor/service provider unknowingly infecting its customers’ systems through what appears to be a typical software update.

The white paper seeks to ensure the electricity industry is taking all necessary steps to mitigate potential compromises and describes key actions to take to secure systems.  It also cautions that even entities that did not install SolarWinds on their networks could still be impacted.  Accordingly, the white paper asserts it is valuable for all entities to consider the recommendations contained in the emergency directives that the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued through CISA Alerts, which require federal agencies to take action.  The white paper further recommends cybersecurity mitigation actions focused on detecting Indicators of Compromise (IOC), mitigating the presence of the malware, gaining an understanding of how other vendors were impacted by this compromise, and implementing or reasserting cybersecurity hygiene principles.

The FERC Staff and E-ISAC white paper is available here.

For assistance in determining how this may affect your entity and in preparing recommended key actions to harden cybersecurity systems, please contact Kristen Connolly McCullough, Barry Lawson, or Ellen Hill.