
US warns of Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure

Thursday, March 22, 2018

The U.S. Department of Homeland Security has warned that for at least two years, Russian government cyber actors have targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.

In a joint Technical Alert issued March 15, 2018 by the Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) and the Federal Bureau of Investigation, the agencies warned of a "multi-stage intrusion campaign by Russian government cyber actors." The report follows an October 2017 alert by computer security firm Symantec of a re-emergence of a sophisticated cyber espionage group known as "Dragonfly."

According to the government agencies' report, the Russian cyber threat actors seem to have deliberately targeted specific organizations, as opposed to pursuing targets of opportunity. In an initial "staging" phase, the campaign used tools like malware, watering holes, and spear phishing to gain access to small commercial facilities' networks -- typically peripheral organizations like trusted third-party suppliers whose networks may be less secure. For example, the threat actors sent emails with malicious attachments appearing to be personnel resumes or contract documents. Clicking on links in the attachments exposed the victims to malware or data harvesting. In a subsequent phase, the threat actors made further use of the staging targets' networks as "pivot points and malware repositories" for use in targeting their final intended victims.

The report says that these Russian government cyber actors used this hacked access for network reconnaissance and collection of information pertaining to Industrial Control Systems (ICS). It describes multiple instances of threat actors accessing workstations and servers on corporate networks that contained data output from control systems within energy generation facilities.

Cyber security is now a significant concern, both domestically and abroad. A February 2018 report by the U.S. intelligence community described the targeting of national security information and proprietary information from US companies and research institutions involved with defense, energy, finance, dual-use technology, and other areas as "a persistent threat to US interests." Last month, U.S. electric grid reliability regulators imposed a $2.7 million penalty on an unidentified utility for its violations of mandatory reliability standards in connection with a data security breach -- the largest fine to date associated with U.S. utility cybersecurity regulation. In that case, a third-party contractor hired by the utility allegedly copied protected data from the utility's network to the contractor's unsecured network -- where it was accessible online without the need to enter a user ID or password, and where it was in fact accessed by one or more unknown outside entities.

In 2014, reports emerged that Russian hackers had found flaws in solar panel monitoring software that, if left unfixed, could allow malicious actors to damage the electric grid. Foreign state-sponsored cyber attacks in 2016 and 2017 against Ukraine and Saudi Arabia targeted multiple sectors across critical infrastructure, government, and commercial networks, causing disruption to Ukrainian energy distribution networks.

NERC fines utility $2.7 million for cyber breach

Friday, March 9, 2018

The electric reliability organization responsible for the grid spanning much of North America has penalized an unidentified utility $2.7 million for its violations of mandatory reliability standards in connection with a data security breach. The penalty may be the largest fine to date associated with U.S. utility cybersecurity regulation.

NERC, or the North American Electric Reliability Corporation, is charged by U.S. law with ensuring the reliability of the nation's bulk power system. NERC establishes reliability standards for the bulk electric system, which are approved by the Federal Energy Regulatory Commission, and takes action to monitor and enforce compliance with its reliability standards.

On February 28, 2018, NERC filed with the Commission a Notice of Penalty regarding what it described as noncompliance by an "Unidentified Registered Entity (URE)", following a settlement between the anonymous utility and regional reliability group Western Electricity Coordinating Council (WECC).

Some of the details of the underlying fact pattern are protected from public disclosure as Critical Energy Infrastructure Information or CEII. But NERC's public filing says the settlement arose from WECC's determination and findings that the anonymous utility violated two of NERC's Critical Infrastructure Protection or CIP cybersecurity standards. According to NERC's report, the utility received a report that an outside "white hat security researcher" had found data publicly available online which appeared to be protected information associated with the utility.

Following this tipoff, an investigation by the utility and regional reliability group WECC revealed that a third-party contractor hired by the utility had copied data from the utility's network environment to the contractor's network environment, where it was no longer subject to the utility's visibility or control -- in violation of the contractor's authority. While the data was on the contractor's network, a subset of live utility data including over 30,000 records was accessible online without the need to enter a user ID or password for a period of 70 days. These records included some associated with the utility's Critical Cyber Assets, such as servers storing user data, systems controlling physical access within the utility's control centers and substations, and supervisory control and data acquisition or SCADA systems. System logs showed unauthorized access to this data set by both the white hat researcher and unidentified IP addresses.

According to the Settlement Agreement, the anonymous utility neither admitted nor denied the violations, but agreed to pay a $2,700,000 penalty and take other compliance actions. This may represent the largest fine to date for violations of NERC's CIP standards. While federal penalty policy encourages self-reporting of violations and having an internal compliance program in place -- as the anonymous utility did -- the settlement notes that the utility "was not fully transparent and forthcoming with all pertinent information detailing the data exposed in the incident." In particular, the settlement says the utility did not initially provide WECC with all the data fields exposed in the incident. These factors, combined with a finding that the violations posed a serious and substantial risk to the reliability of the bulk power system, led WECC to set the penalty amount at $2.7 million, which NERC subsequently approved.

By federal rule, the penalty will be effective upon expiration of the 30-day period following the penalty notice's filing with the Federal Energy Regulatory Commission or, if FERC decides to review the penalty, upon final determination by FERC.

Cybersecurity, solar energy and the electric grid

Monday, May 12, 2014

A group of Russian hackers claims to have identified security gaps in widely-used solar panel monitoring software.  The monitoring platform's developer is said to be fixing the gaps -- but can hackers damage the electric grid?

Solar panels supporting Goblin Valley State Park, Utah.
German company Solare Datensysteme GmbH makes a series of devices to track and monitor solar panel performance.  Its "Solar-Log" product line monitors the performance of solar photovoltaic systems and uses an internet connection and software to offer users additional management tools.  According to the company's website, Solar-Log systems manage roughly 229,300 solar plants that produce an aggregate average of 5.66 terawatt-hours (TWh) per day.

According to an article on tech website The Register, a Russian hacking firm known as Positive Security has warned that earlier Solar-Log software was vulnerable to malicious cyberattacks that could cause power grid reconfiguration and cascading blackouts.  The article claims that attackers could download and modify Solar-Log configuration files without needing proper authentication.  Files could be compromised to change user passwords and run code provided by the attacker.  The article suggests that malicious hackers could manipulate "specific power-generation related values", letting users overstate the amount of power pumped back into grids by their solar installations.

The exact details of the weaknesses identified by Positive Security are being kept secret until the Solar-Log maker can distribute a patch shoring up system security.  As with past bugs, it is likely that Solare Datensysteme and other product makers will continue to plug holes in their cybersecurity as new flaws are exposed and as systems evolve.  But solar panel monitoring systems are not the only energy-related infrastructure vulnerable to hacking; items ranging from utility smart meters to utility-scale power generator controls may be at risk of compromise from outside forces.

A series of regulations are designed to protect the grid against these threats.  The Federal Energy Regulatory Commission has approved mandatory cybersecurity reliability standards for the U.S. bulk power system.  Acting under its authority pursuant to the Energy Policy Act of 2005, through Order No. 706 the Commission has approved a series of Critical Infrastructure Protection (CIP) cyber security reliability standards proposed by electric reliability organization North American Electric Reliability Corporation (NERC).  Both NERC and the Commission continue to evaluate further changes to those standards, along with other standards bolstering the physical security of the electric grid.

New cybersecurity threats crop up regularly, prompting product developers, service providers, and regulators to engage in a continual effort to identify, block, and protect against threats to the electric power system.  For developers of energy technologies or projects, compliance with key regulations is a critical element of this protection, as is taking a proactive view to ensure safe and reliable operations.  While it is hard to predict the next front in this war, count on it to be ever shifting.