At a glance.
- Reaction to the US Executive Order on bulk-power systems.
- UK's National Health Service begins COVID-19 contact tracing app trials.
Reaction to the US Executive Order on bulk-power systems.
As Infosecurity Magazine points out, the Executive Order on Securing the United States Bulk-Power System nowhere names Russia or China among the adversaries who pose a threat to the US power grid, but it's clear that the order has them in mind. Russian intelligence threat groups (like Energetic Bear) have been suspected of conducting extensive reconnaissance of the American grid, and concerns about Chinese-manufactured hardware in American supply chains have surfaced in many sectors. Reuters sees a comprehensive US effort to decouple from China as a close trading partner.
Security industry experts generally have seen the Executive Order as, in Nozomi CEO Edgard Capdevielle's words, "a step in the right direction," but also say that more work remains to be done. Capdevielle went on to add, in emailed remarks, that "it does not go far enough. While there are several positives in the order; namely, raising the importance of our grid infrastructure and electric power in our lives, national security, and developed economic life; pointing at countries that may want to challenge our global status, way of life, or ability to keep stable conditions; and seeking to address a potential vector of attack in the backdoors and trojans that could be implanted in foreign-sourced infrastructure equipment.
"However, there are a few shortcomings. Firstly, it ignores the largest problems in the electric cyber environments: lack of visibility in the networks and any nationally enforceable standards. Secondly, it is not immediately actionable. The order does not name countries, or propose anything specific, it just enables a team to go look at this without clear advice if problems are found. And lastly, even if enforced and specifics were given, i.e. no new equipment from China or Russia in the grid, it does not address all the legacy infrastructure that has been and will be around for a very long time.
"While this latest executive order on securing the US bulk power system is good in some ways, it is simply not enough. Though it is directionally correct, it left me wanting real substance, and real security."
Joe Weiss also liked much of what he saw. As he writes at Control Global, "I do not know what precipitated the issuance of the May 1st, 2020 Executive Order. However, this new Executive Order is long overdue, and addresses many longstanding concerns. The Executive Order demonstrates a high level of technical details and detailed knowledge of existing gaps and vulnerabilities in bulk power equipment and Operations including identifying a specific minimum bulk power voltage level. As a result, the Executive Order will reopen much needed dialogue to address security and policy issues between regulators, policy makers, manufacturers (OEMs) and owner/operators. More specifically, we can expect to see a growing debate on authorities and responsibilities between the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC), the Nuclear Regulatory Commission (NRC), etc. Additionally, the Executive Order will directly challenge core NERC Critical Infrastructure Protection (CIP) cyber security requirements that previously excluded the specific bulk electric equipment identified in the Executive Order."
Thus one might expect to see a shakeup in regulatory regimes.
UK's National Health Service begins COVID-19 contact tracing app trials.
The UK has begun to pilot its contact-tracing app on the Isle of Wight. Matt Hancock, Secretary of State for Health and Social Care, gave the islanders a bucking up. “We’ll learn a lot, we’ll use it to make things better, and we want to hear from you,” the Telegraph quotes him as saying. “Where the Isle of Wight goes, Britain follows.”
The British system is something of an outlier among the more recent approaches to contact tracing in that it represents a centralized approach to collection and analysis of data. The Telegraph has a description of how the app is intended to work. It's an opt-in system that uses Bluetooth for sensing proximity, and that depends upon self-reporting of positive diagnoses.