OCCEAC Risk Partners: Energy Sector

Greetings!

Prepared by the CyberWire (Monday, September 19, 2016) — Widespread public concern over election hacking is also renewing concern about the cyber security of the power grid.

Election-related incidents, generally attributed to Russian intelligence services, have shown to the satisfaction of most informed observers that the Russian government is actively engaged in a cyber offensive against its adversaries, and that it's operating that offensive on an industrial scale which is largely indifferent to stealth—the GRU in particular seems content with the thinnest fig leaf of deniability. Whether voting systems should be classified as critical infrastructure is controversial, but there's no controversy about the criticality of the power grid, nor is there any doubt that it represents an attractive target.

The second respect in which election hacking is attracting the interest of utility CISOs lies in the distributed, complex nature it shares with the power grid. This is seen, by such officials as FBI Director Comey and NERC Vice President Sachs, as lending a built-in resilience, but those concerned with the grid are seeking to improve on this default security.

Thus many are revisiting the lessons learned from the December 2015 hack of the Ukrainian power grid. This was a sophisticated, well-planned campaign assembled from such relatively humble components as phishing, privilege escalation, exploitation of end-of-life unpatched systems (Windows XP, specifically), and telephonic denial-of-service timed to impede recovery from the incident. It's been noted that Ukrainian operators were able to restore power by recourse to manual backups, a lesson that hasn't been lost on NERC or others.

The 2016 ICS Cyber Security Conference promises a demonstration of a proof-of-concept vulnerability in protective relays. Now that these have evolved from electromechanical switches to intelligent electronic devices, they will be shown susceptible to being controlled by an attacker who could lock out administrators, change relays' configuration, mask the hack from operators, and disrupt power distribution.

DARPA has awarded Vencore contracts to research two topics in power grid cyber security. The research areas are Machine-Intelligence for Advance Notification of Threats and Energy-Grid Survivable Situational Awareness, and Scalable and Holistic Energy CybeR-weapon Localization and Characterization.

Not an energy sector case, but one that will bear watching, is St. Jude Medical's suit against Muddy Waters Capital and vulnerability research firm MedSec. St. Jude alleges these organizations and collaborators combined to issue misleading reports of flaws in medical devices in order to short St. Jude stock. The litigation will have implications for both stock trading and vulnerability disclosure practices.


Selected Reading

Cyber Attacks, Emerging Threats, and New Vulnerabilities (7)

Cyber Trends (5)

Marketplace (4)

Technologies, Techniques, and Standards (1)

Research and Development (3)

Legislation, Policy, and Regulation (2)

Litigation, Investigation, and Law Enforcement (4)

Cyber Attacks, Emerging Threats, and New Vulnerabilities

Demonstration of hacking a protective relay and taking control of a motor – the grid is at risk (Control: Unfettered Blog) Protective relays are critical to the operation of the electric grid and the protection of large electric equipment in many industries including electric, nuclear, manufacturing, etc. Protective relays were originally electro-mechanical switches but have progressed to complex networked digital devices with enormous computing capabilities making them intelligent electronic devices…

PLCs Possessed: Researchers Create 'Undetectable' Rootkit (Dark Reading) New attack to be revealed at Black Hat Europe conference silently overtakes industrial network processes…

Hackers found 47 new vulnerabilities in 23 IoT devices at DEF CON (CSO) The results from this year's IoT hacking contest are in and it's not a pretty picture…

The Threat Landscape as Seen Through FireEye's Eyes (the CyberWire) FireEye gave its annual overview of the threat landscape for the summit. His big conclusion, shared by many, but with some interesting consequences, is that there are few risks or repercussions for cyber attacks, and the threat actors are increasingly aware of this. This is true of both criminal and state-sponsored attacks. Many countries afford criminals a safe harbor, and the criminals are emboldened by this…

The Cold War is over. The Cyber War has begun. (Washington Post) Contemplating Russian nuclear threats during the Cold War, the strategist Herman Kahn calibrated a macabre ladder of escalation, with 44 rungs ranging from “Ostensible Crisis” to “Spasm or Insensate War”…

Bruce Schneier on Probing Attacks Testing Core Internet Infrastructure (Threatpost) Bruce Schneier talks to Mike Mimoso about information he was given regarding an increase in DDoS and probing attacks targeting companies running core internet infrastructure in an attempt to test their defenses…

US Emergency Phone System ‘911’ Can Be Hacked Through TDoS Attack (HackRead) 911, the emergency telephone number for the North American Numbering Plan (NANP) can be hacked through a simple telephone denial of service or TDOS attack — did you see that coming?…

Cyber Trends

Energy Sector Security May Not Be As Airtight As Once Thought (Point Beyond) Energy sector security is a major issue with far-reaching consequences. As seen when a cyberattack-induced power outage left more than 200,000 Ukraine residents in the dark last December, these systems are highly sought-after targets for hackers…

Tripwire Study: Energy Sector IT Professionals Overconfident in Cyber Security Capabilities as Attacks Increase (BusinessWire) Industry leader evaluates confidence in seven key security controls required to detect cyber attacks on endpoints…

Keeping the Lights On: Security Trends in the Energy and Utilities Industry (IBM Security Intelligence Blog) A coordinated attack against a large energy and utilities company would impact multiple industries on many levels. The health, welfare, comfort and safety of entire regions — even entire nations — is at stake as attacks on the industry become more common…

Top trends in security testing and vulnerability management (Help Net Security) Many businesses fail to conduct frequent security testing despite believing that it’s critically important to securing their systems and data. One in five of businesses surveyed admitted they don’t do any security testing, despite the fact that 95 percent of survey respondents reported encountering one of the dozen common security issues associated with security vulnerabilities…

IoT and your digital supply chain (CSO) “Money, it's a gas. Grab that cash with both hands and make a stash”, Pink Floyd is always near and dear to my heart. No doubt the theme song to a lot of producers of devices that fall into the category of Internet of Things or IoT…

Marketplace

Chinese Hinkley investment could pose ‘cyber risk’ (Energy Live News) Chinese involvement in the development of Hinkley Point C could leave the UK open to cyber attacks and blackouts…

SINET Announces 16 Most Innovative Cybersecurity Technologies of 2016 (SINET) SINET, an organization focused on advancing Cybersecurity innovation through public-private collaboration, announced today the winners of its annual SINET 16 competition. The companies, which were selected from a pool of 82 applicants from nine different countries, including Australia, Canada, Israel, Japan, Norway, Singapore, Sweden and the United Kingdom, represent a range of Cybersecurity solution providers who are identifying cutting-edge technologies to address Cybersecurity threats and vulnerabilities. The selected companies will share their work with buyers, builders, investors and researchers during the SINET Showcase on Nov. 2 – 3, 2016 at the National Press Club in Washington, DC…

Boards failing to protect customers against cyber attack (Financial Director) Boards are failing to protect their companies and customers against cyber attack, despite more companies taking out cyber insurance, according to new research…

Is there a shift in the IT security market? (MIS Asia) According to analyst firm IDC, the expected growth of the specialised threat analysis market will mark a new era in the IT security sector…

Technologies, Techniques, and Standards

NIST Seeks Input on Cybersecurity in a Digital Economy (MeriTalk) Comments close Friday at 5 p.m. on the NIST Commission on Enhancing National Cybersecurity’s request for information (RFI) on how best to address the “current and future states of cybersecurity in a digital economy"…

Research and Development

Kaspersky to 1337 haxors: take down our power grid. We dare you (Register) Capture the flag romp will offer chance to do the thing governments everywhere fear…

To safeguard U.S. infrastructure, cybersecurity work ramps up at INL (Idaho Statesman) From the outside, the building is easy to miss. It’s a single-story gray structure, off University Boulevard on the outskirts of town…

Vencore Secures R&D Contracts for DARPA Power Grid Cybersecurity Program (GovConWire) A subsidiary of Vencore has landed $17 million in contracts from the Defense Advanced Research Projects Agency to perform work under two technical areas in the Rapid Attack Detection, Isolation and Characterization Systems program, ExecutiveBiz reported Wednesday…

Legislation, Policy, and Regulation

Stopping Hackers from Turning off the Lights (Reg Blog) The power goes out. Is a storm or downed line to blame for the power outage? No—an attack by a malicious hacker is the cause…

Cyber threat sharing is now a two way street between industry and government (Federal News Radio) One of the more controversial laws passed last year just hit a major milestone. Companies are now officially sharing their cyber threat data with the government…

Litigation, Investigation, and Law Enforcement

St. Jude Medical, Inc., Plaintiff, vs. Muddy Waters Consulting LLC [etc] Defendants (United States Court for the District of Minnesota) St. Jude Medical, Inc. brings this action for false statements, false advertising, conspiracy and the resultant manipulation of the public markets against defendants (i) Muddy Waters Consulting LLC and Muddy Waters Capital LLC, (ii) MedSec Holdings, Ltd. and MedSec LLC, (iii) Carson C. Block, (iv) Justine Bone and (v) Dr. Hemal M. Nayak (collectively the “Defendants” and each a “Defendant”). Defendants’ wrongful conduct conclusively demonstrates a total disregard for the patients whose lives depend on cardiac rhythm management devices and their conduct is indefensible…

Free Speech vs. Costly Speech (Minnesota Litigator) Imagine intentionally alarming the public with fabricated dangers of a company’s life-saving medical devices in the hope that the company’s share price will fall and you will make massive profits by placing bets on the company’s falling share price…

How the US responds to cyber incidents (C4ISRNET) The U.S. and its political parties have repeatedly fallen victim to cyber intruders in recent years. The most recent being the intrusion into a number of networks and accounts affiliated with the Democratic National Committee as well as state election systems, sowing some concern and distrust in American institutions…

Why the Justice Department Is Taking a Closer Look at Connected Devices (Fortune) The Internet-of-things is getting a safety check…

OCCEAC Risk Partners
Compiled and published by the CyberWire editorial staff. Views and assertions in linked articles are those of the authors, not the CyberWire or the OCCEAC Risk Partners.