U.S. Dam Data Breach and NERC CIP Standards
United States intelligence agencies have uncovered a data breach that targeted and compromised the U.S. Army Corps of Engineers’ National Inventory of Dams (NID) starting back in January.
The database itself contains classified information on vulnerabilities in 8,100 dams across the United States, including rankings of hazard levels for each dam. Media reports say that U.S. officials have made claims tracing the attack to the Chinese government, but no additional information has been provided regarding these statements.
In the wrong hands, the information from the National Inventory of Dams could provide a road map for a hostile state or terrorist group to mount cyber attacks on dams, as well as disrupt the power grid.
The National Inventory of Dams data could tell attackers which assets NERC (North American Electric Reliability Corporation), the entity responsible for enforcing reliability, security and compliance for the bulk power system, would classify as Critical Assets (CA), and which Critical Cyber Assets (CCA) control them.
NERC’s Critical Infrastructure Protection (CIP) provides standards for cyber security that the power industry must follow to keep these assets secure, covering continuous monitoring, security configuration management and incident detection, amongst other topics. But one wonders how well NERC CIP, or any standard, holds up in real-world attacks where the adversary has a mapping of critical infrastructure and potential vulnerabilities.
Tripwire will be providing more information regarding NERC CIP in the coming months. Tripwire has a long history of working with hundreds of entities, not only helping with NERC audits but also ensuring the security of the electronic perimeter and providing management of critical systems.
Here is a list of some additional educational resources regarding NERC and securing the nation’s power grid:
- Great River Energy and Essential Power needed a security configuration management solution to automate processes for NERC compliance while proactively guarding against cyber attacks.
- Automating NERC Compliance for the North American Bulk Power System (Solution Brief)
- NERC-CIP Quick Reference Guide (White Paper)
- Shedding Light On Smart Grids and Cyber Security: New Standards to Keep Them Smart and Secure
- NERC and the Power Grid: Achieving and Maintaining Compliance (Podcast)