NERC CIP-013 SUPPLY CHAIN AUTHENTICITY AND INTEGRITY

Trace Bellassai, Cyber Security Solutions Engineer

We’re prepared for the NERC CIP changes, are you?

Here at FoxGuard, we always try to stay ahead of the curve when it comes to new requirements and regulations, and we make sure we are postured to serve our customers in the best way possible. Starting on July 1, 2020, several new NERC CIP-013 regulations will become enforceable. NERC CIP-013-1 is an entirely new regulation concerning supply chain risk management. New requirements are also being added to NERC CIP-010-4 (R1.6), which requires verifying the authenticity and integrity of downloaded software. NERC CIP-013-1 also requires verification of software authenticity and integrity (R1.2.5), a plan to deal with vendor vulnerability and incident disclosures (R1.2.1, R1.2.2, and R1.2.4), and plans in place for when a vendor notifies you that they no longer need remote or on-site access (R1.2.3).

Software authenticity and integrity requirements will likely have the most significant impact on entities, so we will focus on these. Authenticity and integrity go hand in hand when trying to verify that a piece of software is what you expect it to be. Authenticity ensures that the software came from the vendor you expect it to have come from and is the software that vendor actually supplied. Integrity ensures that the software has not been altered after it was retrieved from an authentic source. On the surface, these things can seem simple to check; once you start to dig into them, they become increasingly complicated. How can you prove that the file you downloaded is the file that came from the vendor? There are many aspects to verifying authenticity and integrity, such as hash values, secure websites, code signing, encryption, and physical tamper-evident packaging. These are not the only ways of verifying authenticity and integrity, but they are some of the most common methods.

Hash values are fixed-length values generated using a one-way algorithm. A hash is always the same size regardless of the size of the file being hashed, although larger files take longer to hash. Hashing is relatively easy to perform and computationally infeasible to reverse. It is extremely helpful when a vendor provides both files and file hashes: the hashes can be used to verify integrity and, if they are signed, authenticity. An end-user computes a hash of the software with a tool that uses the same algorithm the vendor used. If the hash matches, the end-user knows that the file has not been altered in transit. Many vendors, however, host hash values on the same site as their downloads, meaning an attacker who has compromised the download may be in a position to replace the hash on the website as well. One thing that can help prevent this is using a secured website.

Secure sites are sites that are accessed using the HTTPS protocol. This means that the site presents an SSL or TLS certificate and the traffic between the end user's browser and the web server is encrypted and authenticated. This helps prevent an attacker from intercepting the connection between a browser and a server (a man-in-the-middle attack) and changing things such as the web page before the browser receives it. Such an attack would allow the attacker to replace a download link and hash values with links to their own malicious versions. It is hard to trust the authenticity of any website that is not secured using the HTTPS protocol. Note that HTTPS protects the connection, not the server: if the web server itself has been compromised, the attacker's files and hashes are served over a perfectly valid HTTPS connection.

Code signing is the act of using a signed hash to validate the integrity and authenticity of an executable. As long as the vendor's private key has not been compromised, the end-user can trust that a correctly signed executable came from the vendor. Code signing uses hashing to ensure that the file has not been altered, so it helps ensure both the authenticity and the integrity of the file. Even if a site has been compromised, the end-user has the tools necessary to determine whether the file has been replaced or altered, provided the vendor's public key or certificate was obtained from a source other than the compromised site.
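The hash-verification and signed-hash checks from the two paragraphs above, combined into one added example (this is illustrative code written for this page, not FoxGuard's tooling or any vendor's release process). It assumes the vendor publishes a manifest of SHA-256 hashes in the common "<hex digest>  <filename>" layout and signs the whole manifest with an Ed25519 key whose public half the end-user already holds; the key pair and file contents in main are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// BuildManifest (vendor side): one "<hex sha256>  <name>" line per file, then one signature over the whole text.
func BuildManifest(priv ed25519.PrivateKey, files map[string][]byte) (manifest, sig []byte) {
	var sb strings.Builder
	for n, data := range files {
		sum := sha256.Sum256(data)
		fmt.Fprintf(&sb, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	manifest = []byte(sb.String())
	return manifest, ed25519.Sign(priv, manifest)
}

// VerifySignedManifest (end-user side): authenticity first, then integrity. A compromised download
// site can swap files and posted hashes, but cannot re-sign the manifest without the vendor's private key.
func VerifySignedManifest(pub ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return fmt.Errorf("manifest signature invalid: not from the vendor, or altered")
	}
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		data, ok := files[f[1]] // a listed file that was not delivered is an integrity failure too
		got := sha256.Sum256(data)
		if !ok || !strings.EqualFold(hex.EncodeToString(got[:]), f[0]) {
			return fmt.Errorf("integrity failure: %s is missing or altered", f[1])
		}
	}
	return nil
}

func main() {
	// Constructed sample: a throwaway vendor key pair and two small stand-in files.
	pub, priv, _ := ed25519.GenerateKey(nil)
	files := map[string][]byte{"relay-fw.bin": []byte("firmware image"), "notes.txt": []byte("release notes")}
	manifest, sig := BuildManifest(priv, files)
	fmt.Println("as delivered:", VerifySignedManifest(pub, manifest, sig, files))
	files["relay-fw.bin"] = []byte("firmware image, altered")
	fmt.Println("file altered:", VerifySignedManifest(pub, manifest, sig, files))
}
```

The public key used for verification must come from somewhere other than the download site (a vendor contract package, a prior trusted delivery), otherwise an attacker who controls the site can publish a matching key alongside forged files.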

Encryption prevents anyone without the appropriate password or key from seeing the encrypted information. This can help with authenticity and integrity if the person or vendor supplying you with the password or encryption key also keeps it safe, since no one but those holding the key or password can view the contents of the encrypted file. It reduces the risk of someone intercepting the file in transit and modifying it. If a malicious actor were to obtain a copy of the file, they might be able to determine a password by brute force (trying thousands of candidate passwords). This is why a randomly generated encryption key is more secure: it is far more challenging to discover by guessing.

Both of these options are only as secure as their passwords or keys. For this reason, passwords and keys should be unique to each file and transmitted separately from the file to ensure that they are not intercepted together.

Physical tamper-evident methods help ensure that any physical packaging that is sent out has not been tampered with en route. When shipping a physical item such as a flash drive in the cybersecurity space, physical tamper-evident material is one more layer of the integrity onion, on top of what are hopefully many other layers such as hashing and encryption. Physical tamper-evident packaging most often takes the form of tamper-evident tape, which clearly indicates if the tape has been removed after being sealed. Serialized tamper-evident tape is more secure still: a package that arrives bearing the wrong serial numbers is immediately suspicious.

Here at FoxGuard, we already have many of these methods in place. We cryptographically hash everything delivered to a customer so that customers can rest easy knowing that they are truly getting the files we sent. We provide vendor hash values in our reports when a vendor supplies them, verify hash values when we provide files, make use of tamper-evident packaging, and, in some cases, deliver files via encrypted media. We are currently strengthening our authenticity and integrity verifications by doing things such as verifying website SSL certificates (when available) before trusting any material on a site. We are working hard to make the NERC CIP-013 regulation changes easier for our customers so that they don't have to work as hard.