In the grand scheme of things, even with this finding, the facility wasn't out of compliance, because it isn't required to keep the video system protected. It's just a video system; how do default credentials and public exposure matter in terms of shutting down power generation capabilities?
"How it matters is, I changed the password on that thing. I totally took control of their cameras, moved them, and was able to circumvent the physical perimeter. I knew where their guards were, where the patrol was happening. So, we were able to actually gain physical access to the generation station and stand inside their sacred ESP, all because we were able to take control of their cameras and see what they were doing and prevent them from seeing what we were doing," Grimes said.
"The response became so slow, they didn't have a response. They didn't even know about it until we made them aware. We were already in, we had already breached the ESP and said 'Hi, we're here. The call is coming from inside the house,' and they didn't even know it had happened yet."
Now, in this example, the ESP breach wasn't a result of the controls, or lack thereof, around the camera system. The cameras were, in general terms, the big assist. It was a successful physical attack that got Grimes and his team into the ESP, but because the cameras were so exposed, that physical attack became so much easier.
Another issue with the physical security of a given facility relates to age. Many of the existing facilities in North America are rather old, and in some cases they are not properly, regularly, or appropriately maintained.
In one example, Grimes told a story where he simply shimmied through an opening between the fence and gate of a high-impact facility without setting off any alarms. The gate and fence had been in a state of disrepair for years, and that didn't have any impact on the company's compliance.
The shocking part of the story, though, becomes clear only if you know Grimes personally. He is 6 feet, 5 inches tall (~200 cm), and weighs 270 lbs. He is built like a linebacker. Yet he was able to simply slip past the gate and access the ESP.
CIP-008-5 (incident reporting and response planning)
Incident response planning and reporting plans need to include the process needed to "identify, classify, and respond to Cyber Security Incidents" and "provide guidance or thresholds for determining" what incidents are reportable to the ES-ISAC.
"Yeah sure, [the organizations] have a documented response plan, but they've never used it, they've never tested it. They don't know that it works. They basically just modified the CIP requirements and said 'yeah, this is our program, our program is exactly what you say we have to have'," Grimes said.