[USA] Government agencies warn of new malware with implications for critical infrastructure

On April 13, 2022, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) warning of a newly discovered malware targeting the systems that control electricity and natural gas infrastructure.[1] The CSA said the new malware has a modular architecture and is able to conduct highly automated attacks against critical infrastructure. The CSA warns that it could enable lower-skilled cyber actors to emulate higher-skilled capabilities. The malware has a wide range of uses, including initial infiltration, reconnaissance, uploading malicious configuration or code to the targeted device, backing up or restoring device contents, and modifying device parameters.

In the announcement, the government agencies urged critical infrastructure companies, particularly those in the energy sector, to implement the CSA’s detection and mitigation recommendations. These recommendations include enforcing multifactor authentication for remote access and having a cyber incident response plan. The government announcement credited Dragos, Mandiant, Microsoft, Palo Alto Networks, and Schneider Electric SE with helping to discover and analyze the malware. Cybersecurity firms Dragos and Mandiant have also published their own respective reports on the malware.


[1] https://www.cisa.gov/uscert/ncas/alerts/aa22-103a

[USA] Biden issues National Security Memorandum on critical infrastructure cybersecurity

On July 28, 2021, President Joe Biden signed a National Security Memorandum on improving critical infrastructure cybersecurity.[1] The memorandum aims to encourage critical infrastructure owners and operators to voluntarily adopt better cybersecurity standards. The memorandum specifically focuses on industrial control systems (ICS), which monitor, regulate, and automate operational technologies (OT). Compromised ICS and OT can enable attackers to cause physical damage to systems and even widespread outages.

The memorandum formalizes the ICS Cybersecurity Initiative, which was launched in April 2021 and included a pilot program for the electricity sector. The pilot program is a voluntary, collaborative effort between the federal government and the electricity sector to improve the cybersecurity of these systems. So far, more than 150 utility companies have joined the pilot. A separate pilot is being developed for natural gas pipelines later in 2021, followed by plans for the chemical industry and waste-water treatment plants. The memorandum also directs the Departments of Commerce and Homeland Security (DHS), in coordination with the Secretary of Commerce (through the Director of the National Institute of Standards and Technology) and other agencies, to develop and issue cybersecurity performance goals to help critical infrastructure owners and operators improve their individual capabilities.

[1] https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/

[USA] Biden signs executive order to bolster federal cybersecurity

President Biden signed an executive order on May 12, 2021, to strengthen cybersecurity in the U.S. and protect federal networks.[1] The executive order, titled “Executive Order on Improving the Nation's Cybersecurity,” comes in the aftermath of the ransomware attack that shut down the 5,500-mile Colonial oil pipeline on May 7, 2021. Colonial is the largest gasoline pipeline in the U.S. and supplies an estimated 40-45% of all fuel used on the East Coast. As of May 13, 2021, Colonial had restarted operations of the pipeline, but the brief shutdown caused widespread uncertainty.[2]

The executive order’s main directives are to 1) set more rigorous IT and cybersecurity policy, 2) remove barriers to information sharing among federal agencies, 3) modernize federal government cybersecurity, 4) enhance software supply chain security, 5) establish a cybersecurity safety review board, 6) standardize the federal government’s response to cybersecurity vulnerabilities and incidents, 7) improve detection of cybersecurity issues on federal networks, 8) improve the federal government’s investigative and remediation capabilities, and 9) adopt national systems security requirements. The Cybersecurity Safety Review Board will be co-chaired by the government and the private sector and will analyze lessons learned from major cybersecurity incidents. Although the order does not apply to the private sector, private companies will need to increase their own security to contract with the federal government.

[1] https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/

[2] https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption

[USA] DOE announces 100-day plan to address threats to the electric grid

On April 20, 2021, the Department of Energy (DOE) launched a 100-day plan to increase the cybersecurity of electric utilities’ industrial control systems (ICS) and protect the electric grid as part of the Biden administration’s effort to safeguard critical infrastructure in the U.S. against threats.[1] The initiative is a coordinated effort between the DOE, the electric industry, and the Cybersecurity and Infrastructure Security Agency (CISA). In partnership with electric utilities, the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) will advance technologies and systems that provide cybersecurity capabilities for the ICS of electric utilities. The 100-day plan will encourage the implementation of measures or technology that “enhance their detection, mitigation, and forensic capabilities;” include milestones throughout the initiative for the identification and deployment of technologies and systems that facilitate near real-time situational awareness and response capabilities in ICS and operational technology (OT) networks; reinforce the cybersecurity of critical infrastructure information technology networks; and include a “voluntary industry effort” to improve threat visibility in ICS and OT systems.

The DOE also released a new Request for Information (RFI) to seek stakeholder recommendations for supply chain security in U.S. energy systems. In addition, the DOE announced that it is revoking the “Prohibition Order Securing Critical Defense Facilities.” The prohibition order, which the Trump administration issued in 2020, blocked utilities that supply critical defense facilities from procuring certain types of bulk power system equipment from China.

[1] https://www.energy.gov/articles/biden-administration-takes-bold-action-protect-electricity-operations-increasing-cyber-0

[USA] U.S. federal government says SolarWinds hack hit fewer than 10 agencies

In a joint statement on January 5, 2021, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA), which together make up the Cyber Unified Coordination Group (UCG) task force, said that the compromise of IT service provider SolarWinds in 2020 was part of an ongoing information gathering effort and was likely Russian in origin.[1] The massive breach started in March 2020 when hackers compromised IT management software from SolarWinds. The breach compromised an email system used by senior leadership at the Treasury Department and systems at several other federal agencies. According to the joint statement, of SolarWinds’ 18,000 customers, the U.S. government (USG) believes that “a much smaller number” were targeted following the initial hack. Additionally, USG said that fewer than ten agencies were targeted by the hack and that the task force is now working to identify and notify nongovernment entities that may also have been affected.

The joint statement also outlined USG’s actions and the next steps of the investigation. The FBI will remain focused on identifying victims, collecting evidence, analyzing the evidence to determine the group responsible, and sharing results with stakeholders. CISA will focus on sharing information quickly and has created a free tool for detecting unusual and potentially malicious activity related to the SolarWinds hack. ODNI is coordinating the intelligence community to ensure the UCG has the most up-to-date intelligence and is also providing information to key stakeholders. Finally, the NSA is supporting the UCG by providing intelligence, cybersecurity expertise, and actionable guidance to the UCG partners.

[1] https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure

[USA] Report: Not-for-profit utilities less prepared for cybersecurity threats

According to a Moody’s Investors Service report released on November 4, 2020, privately owned utilities are better prepared to face cybersecurity threats than not-for-profit utilities.[1][2] The report surveyed 115 private, state-owned, unregulated, and not-for-profit electric utilities. Moody’s found that smaller utilities that operate in the not-for-profit space don’t have the same resources to handle cybersecurity threats, while private utilities have more funds to combat cyberthreats and are more likely to have advanced defensive tools at their disposal to counteract hackers. Larger utilities also have more training against some of the common attack methods like email spearphishing, in which hackers send malicious links aimed at tricking victims into giving up valuable information or installing malware on their devices. The report also found that only the largest utilities, with total assets valued at over $100 billion, have directors on their board with any cybersecurity expertise.

[1] https://www.eenews.net/energywire/2020/11/05/stories/1063717835?utm_campaign=edition&utm_medium=email&utm_source=eenews%3Aenergywire

[2] https://www.moodys.com/research/Moodys-Electric-utilities-cybersecurity-readiness-tied-to-scale-and-business--PBC_1252439

[USA] House passes four bipartisan bills to bolster DOE’s cybersecurity fight

On September 29, 2020, the U.S. House of Representatives passed four bipartisan bills to boost the Department of Energy’s (DOE) capabilities to help maintain cybersecurity. All four bills were passed by voice vote under suspension of the rules, a means of fast-tracking noncontroversial bills. Bills passed by voice vote have to pass with supermajorities (two-thirds of the House) and without floor amendments. The bills passed by voice vote are:

·   H.R. 360, the Cyber Sense Act of 2020, which would direct the DOE to launch a voluntary Cyber Sense program to identify products secure enough for the bulk power system.[1] The bill was introduced by Representative Robert Latta (R-Ohio) and cosponsored by Representatives Jerry McNerney (D-California), Ralph Norman (R-South Carolina), and Josh Harder (D-California).

·   H.R. 5760, the Grid Security Research and Development Act, which would support DOE research into cybersecurity and physical protections of the grid.[2] The bill is from Representatives Ami Bera (D-California) and Randy Weber (R-Texas).

·   H.R. 359, the Enhancing Grid Security through Public-Private Partnerships Act, which would create a DOE program to enhance cybersecurity at utilities through increased collaboration and public-private partnerships.[3] The bill is from Representatives Jerry McNerney (D-California) and Robert Latta (R-Ohio).

·   H.R. 362, the Energy Emergency Leadership Act, which would codify the new DOE assistant secretary position related to cybersecurity.[4] The bill was introduced by Energy Subcommittee Chairman Bobby Rush (D-Illinois) and cosponsored by Representatives Tim Walberg (R-Michigan), Jefferson Van Drew (D-New Jersey), and Brian Fitzpatrick (R-Pennsylvania).

[1] https://www.congress.gov/bill/116th-congress/house-bill/360

[2] https://www.congress.gov/bill/116th-congress/house-bill/5760

[3] https://www.congress.gov/bill/116th-congress/house-bill/359

[4] https://www.congress.gov/bill/116th-congress/house-bill/362

[USA] Department of Homeland Security announces plan for securing critical infrastructure against cyberattacks

On July 7, 2020, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the federal civilian agency responsible for advising critical infrastructure (CI) partners on how to manage industrial control systems (ICS) risk, revealed a five-year plan titled Securing Industrial Control Systems: A Unified Initiative FY 2019–2023 to address the challenges of protecting critical infrastructure networks from hackers.[1] ICS is a term used to describe different types of control systems, including the devices, systems, networks, and controls used to operate or automate industrial processes. ICS underpin everything from power grids to oil and gas pipelines. According to CISA, cyberattacks on ICS can “result in significant physical consequences, including loss of life, property damage, and disruption of the essential services and critical functions upon which society relies.” CISA’s plan lays out a four-part initiative to secure ICS against cyber threats. The four parts are: (1) deepen existing partnerships while expanding the scope of activities with the broader ICS community; (2) develop and use technology to mature ICS cyber defense; (3) build “deep data” capabilities to analyze and deliver information that can be used to disrupt cyberattacks; and (4) enable informed and proactive security investments by understanding and anticipating ICS risk.

[1] https://www.cisa.gov/publication/securing-industrial-control-systems

[USA] FERC issues white paper considering incentives for voluntary cybersecurity investments

On June 18, 2020, the Federal Energy Regulatory Commission (FERC) released a white paper on transmission incentives for utilities making cybersecurity enhancements to the electric grid.[1] The white paper asks stakeholders to address a variety of questions, including whether a project-specific return on equity (ROE) for voluntarily employing cybersecurity enhancements is enough to incentivize investments that exceed the requirements of the Critical Infrastructure Protection (CIP) Reliability Standards. For non-ROE incentives, the white paper proposes that cybersecurity investments be eligible for Construction Work in Progress, recovery of abandoned plant costs, and accelerated depreciation, which are the same incentives offered under FERC’s electric transmission incentives policy. Construction Work in Progress incentives allow a party to record the current costs related to long-term projects. Recovery of abandoned plant costs is the ability of an entity to recover costs if the project is canceled for reasons beyond the entity’s control. Accelerated depreciation allows for greater tax deductions in the early years of an asset. The white paper requests comments within 60 days and reply comments within 75 days.

[1] https://www.ferc.gov/sites/default/files/2020-06/notice-cybersecurity.pdf

[USA] FERC approves NERC’s request for delay on reliability standards

On April 17, 2020, the Federal Energy Regulatory Commission (FERC) approved the North American Electric Reliability Corporation’s (NERC) request to delay the implementation of seven reliability standards by three to six months (October 2020-January 2021), citing the substantial impacts of the pandemic on registered entities.[1] NERC stated that registered entities "would need to expend significant effort and resources in the coming months" in order to document compliance; the pandemic would make gathering these resources substantially harder.[2]

The delayed reliability standards include four requirements focused on bulk electric system personnel and protection control standards, and three cybersecurity Critical Infrastructure Protection (CIP) rules. CIP rules are standards for preparedness and response to serious incidents that involve critical infrastructure. Protect Our Power, a non-profit focused on grid security, advocated for FERC to approve a shorter 30-day delay to the CIP standards, arguing that cybersecurity vulnerabilities in the electric sector supply chain need to be eliminated quickly. However, NERC says the three-month delay for the cybersecurity rules is unlikely to leave the grid vulnerable and is appropriate given the current crisis.

[1] https://www.nerc.com/FilingsOrders/us/FERCOrdersRules/order%20granting%20motion%20to%20defer%20the%20implementation%20dates.pdf

[2] https://www.nerc.com/news/Headlines%20DL/Motion%20to%20Defer%20Implementation%20of%20Reliability%20Standards.pdf

[Japan] Chubu Electric Power, Keio University, and Hitachi Validated a Method to Detect Cyberattacks by Analyzing Darknet Communications

On June 18, 2019, Chubu Electric Power, Keio University, and Hitachi announced that they have validated a method to detect evidence of difficult-to-identify cyberattacks by analyzing Darknet communications.[1] These efforts will contribute to preventing the potential damage caused by cyberattacks.

While digitalization has enhanced convenience in everyday life, it also increases the risk of cyberattacks. It is urgent for society to address cybersecurity challenges and strengthen the resilience of critical infrastructure. Accordingly, Keio University, Chubu Electric Power, and Hitachi have been studying Darknet communications since April 2017. After analyzing a vast number of Darknet communications, approximately 20 million cases per day, the study confirmed that signs of cyberattacks could be identified by tracking the communications observed by multiple organizations and applying correlation analysis to them.

[1] Darknet communications are hidden online communications designed specifically for anonymity.

Source: https://www.chuden.co.jp/corporate/publici...

[Japan] Kansai Electric Power and Caulis’ Demonstration Project to Detect Unauthorized Bank Account was Approved under the Regulatory Sandbox Scheme

On March 6, 2019, the Ministry of Economy, Trade and Industry (METI), Government of Japan, approved a demonstration project to detect unauthorized activity in the opening of bank accounts over the internet, using financial and electricity data under the Act of Special Measures for Productivity Improvement. The demonstration project is being developed by Kansai Electric Power (KEPCO) and Caulis, a Japanese cybersecurity solutions company.[1] The project will examine the viability of a new technology designed to effectively detect unauthorized account openings at Seven Bank[2] by combining financial information with electricity data collected from KEPCO’s electric facilities.

The objective of the project is to explore cooperation between electricity companies and IT security providers in order to address security problems facing society. The results of the project will also shape the framework and regulations that promote the adoption of innovative technologies in businesses. The Act of Special Measures for Productivity Improvement entered into force on June 6, 2018. Under the Act, the Scheme for Demonstration of New Technologies, namely the Regulatory Sandbox Scheme, will encourage companies to adopt new technologies and innovative business models.[3]

[1] https://caulis.jp/en/#contact

[2] https://www.sevenbank.co.jp/corp/

[3] https://www.kepco.co.jp/souhaiden/pr/2019/0306_1j.html

[USA] “EEI Statement on Energy Grid Security”

(EEI, 24 July 2018)

EEI Vice President of Security and Preparedness, Scott Aaronson, issued a statement acknowledging the importance of cybersecurity in the face of repeated threats to US critical infrastructure. He noted that though there was a campaign to target US critical electric infrastructure in July 2017, the Electricity Information Sharing and Analysis Center (E-ISAC) was able to quickly update its response to the threat and compiled an update “with potential indicators of compromise and other technical data.” With this update, North American electric power companies would be able to better “protect and defend” their systems. E-ISAC efforts also indicate the strong relationship between industry and the government – a relationship that is vital to maintaining a strong grid. Aaronson concluded his statement by stating that “there have been no operational impacts to the energy grid from these threats.”

Source: http://www.eei.org/resourcesandmedia/newsr...

[USA] “Executive Order 13800 on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure: Assessment of Electricity Disruption Incident Response Capabilities”

[DOE, 30 May 2018]

As cybersecurity becomes an increasingly challenging issue, the Trump Administration is seeking methods to strengthen the U.S.’s national security protections with regard to cybersecurity. To that end, in 2017 Trump signed Executive Order 13800 on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” The order initiated an assessment of the potential “scope and duration of a prolonged power outage.” While it was determined that so far there has been no permanent damage resulting from the cyberattacks targeting electric utilities, cyberattacks are becoming increasingly frequent. Thus, it is important to continuously improve the country’s cybersecurity efforts. Rick Perry, DOE Secretary, released a comment acknowledging the “growing security risk of cyber threats” and that the Department “has taken an important step forward through the recent creation of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER), which will further strengthen DOE’s ability to play a vital role protecting energy infrastructure from cyber threats, physical attacks, and natural disasters.”

Source: https://www.energy.gov/articles/executive-...