On July 31, 2020, the Federal Energy Regulatory Commission (“FERC”) and the North American Electric Reliability Corporation (“NERC”) released a joint white paper on preventing security risks posed by a Network Interface Controller (“NIC”). It is intended to help the electric sector identify vendors of components on their networks in order to mitigate any potential risks to the bulk power system. The white paper is in response to several hearings and reviews since 2012 which examined a security threat posed by Chinese telecommunication companies – specifically, Huawei or ZTE. As the market share of Chinese telecommunication companies has increased, their electronic components have entered the bulk power system, creating a potential cybersecurity concern. The joint white paper provides several noninvasive techniques a cybersecurity professional can use to identify potentially malicious components.
A NIC is an integrated circuit chip integrated into a motherboard or upon a host bus adapter card. As the NIC enables network communications, it is nearly ubiquitous. Backdoors may appear on the NIC, allowing hackers to obtain access to the system via a compromised NIC.
Although a component can be physically identified for its part number, this process is time consuming and can potentially void warranties. Further, as the printed part number can be missing or mislabeled, even a physical examination of the NIC can overlook malicious components. The white paper provides four techniques a cybersecurity professional can use to examine the manufacturer of an NIC in a nonintrusive way: 1) a Network Mapper (“NMAP”) Passive Address Resolution Protocol (“ARP”) Scan; 2) the list ARP Cache Table; 3) the Dynamic Host Configuration Protocol (“DHCP”) Client Table; and 4) Port Mirroring.
As the white paper notes, even if a vendor of concern is identified, it does not confirm malicious activity in the network. However, the white paper advises that the presence of Huawei, ZTE, and components manufactured by their subsidiaries create a potential risk to the network and should be reviewed further if identified.
The Joint Staff White Paper on Supply Chain Vendor Identification – Noninvasive Network Interface Controller
can be accessed here
, Lisa Gast
, and Sean Neal