
E-ISAC Update – March 13, 2020

In coordination with NERC, the E-ISAC continues to track the evolving situation with regard to COVID-19. The E-ISAC is monitoring cyber and physical security issues related to coronavirus and encourages industry to continue sharing information related to grid security issues.

At this point, the E-ISAC is limiting all non-essential travel for staff, encouraging full-time telework, and restricting visitors to our offices. Through these unprecedented times, the E-ISAC continues to serve the electricity industry to support information sharing and reduce cyber and physical risk to the North American power grid.

On March 12, NERC posted an announcement [hXXps://www.nerc.com/news/Headlines%20DL/Coronavirus%20Impacts%2011MAR20_final.pdf] on steps it is taking to prevent the impact of the coronavirus. This includes links to the Level 2 NERC Alert [hXXps://www.nerc.com/pa/rrm/bpsa/Alerts%20DL/NERC_Alert_R-2020-03-10-01_COVID-19_Pandemic_Contingency_Planning.pdf] issued on March 10 and ESCC Guidance [hXXps://images.magnetmail.net/documents/clients/EEI_/2020-03/ovodrzgn.2mp/ESCC_Coronovirus_Resource_Guide_031020.pdf] “Assessing and Mitigating the Novel Coronavirus [COVID-19].”

We are committed to the safety and security of our industry members and government and cross-sector partners and will continue to work with you to share information, best practices, and lessons learned.

Additional Resources

Visit the CDC [hXXps://www.cdc.gov/coronavirus/2019-ncov/index.html] and World Health Organization (WHO) [hXXps://www.who.int/emergencies/diseases/novel-coronavirus-2019] for the latest health information.

Find out more about the U.S. Government response [hXXps://www.usa.gov/coronavirus] to coronavirus including international travel restrictions, how you can prepare for coronavirus, and what the U.S. government is doing to respond.

Check out guidance from the Department of Homeland Security on risk management [hXXps://www.cisa.gov/sites/default/files/publications/20_0306_cisa_insights_risk_management_for_novel_coronavirus.pdf] and ongoing DHS Coronavirus News and Updates [hXXps://www.dhs.gov/coronavirus-news-updates].


For additional questions for the E-ISAC, contact us at Operations[@]eisac.com [mailto:Operations[@]eisac.com] or memberservices[@]eisac.com [mailto:memberservices[@]eisac.com].


The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has issued a document describing steps for company executives to consider in order to reduce physical, cyber, and supply chain issues resulting from COVID-19. The document is intended for widest distribution and may assist in preparing for any potential impacts to your company.

The document is attached to this post for your convenience. It is important to note that it was distributed broadly to critical infrastructure owners and operators and was not specifically aimed at our industry.


Summary

According to theregister.co.uk [hXXps://www.theregister.co.uk/2020/02/13/dozen_bluetooth_bugs/], researchers at Singapore University disclosed 12 security vulnerabilities affecting certain Bluetooth Low Energy (BLE) software development kits (SDKs) from system-on-a-chip (SoC) vendors. The vulnerabilities may allow attackers to “crash or… bypass pairing security to gain arbitrary read and write access to device functions.” Proof-of-concept code and a video demonstrating the crash of a device (Fitbit) are publicly available.

Analysis

The Register article quoted Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang with the following statement: "SWEYNTOOTH potentially affects IoT products in appliances such as smart-homes, wearables and environmental tracking or sensing." Their full research paper can be found here [hXXps://asset-group.github.io/disclosures/sweyntooth/sweyntooth.pdf].

Patches have been made available for some of the devices that are known to be vulnerable.

The E-ISAC recommends members evaluate IoT devices in use that are BLE enabled and may be vulnerable. Below is a list of the CVEs released with the research:

| Vulnerability | CVE(s) | Vendor |
| --- | --- | --- |
| Link Layer Length Overflow | CVE-2019-16336 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16336], CVE-2019-17519 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17519] | Cypress, NXP |
| LLID Deadlock | CVE-2019-17061 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17061], CVE-2019-17060 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17060] | Cypress, NXP |
| Truncated L2CAP | CVE-2019-17517 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17517] | Dialog |
| Silent Length Overflow | CVE-2019-17518 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17518] | Dialog |
| Public Key Crash | CVE-2019-17520 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17520] | Texas Instruments |
| Invalid Connection Request | CVE-2019-19193 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19193] | Texas Instruments |
| Invalid L2CAP Fragment | CVE-2019-19195 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19195] | Microchip |
| Sequential ATT Deadlock | CVE-2019-19192 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19192] | STMicroelectronics |
| Key Size Overflow | CVE-2019-19196 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19196] | Telink |
| Zero LTK Installation | CVE-2019-19194 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19194] | Telink |

For the complete article with additional information, including proof-of-concept code and a video demonstrating the exploitation and crashing of a Fitbit device, please refer to the original article and research paper.

hXXps://www.theregister.co.uk/2020/02/13/dozen_bluetooth_bugs/

hXXps://asset-group.github.io/disclosures/sweyntooth/

hXXps://asset-group.github.io/disclosures/sweyntooth/sweyntooth.pdf

hXXps://youtu.be/Iw8sIBLWE_w




On August 29th, 2019, a cybersecurity firm, Armis Security, discovered five zero-day vulnerabilities in Cisco devices, collectively referred to as “CDPwn”, which could potentially impact tens of millions of devices. CDPwn consists of five Remote Code Execution vulnerabilities, as well as one Denial of Service vulnerability. The CDPwn vulnerabilities are in the Cisco Discovery Protocol (CDP), a layer-2 networking protocol that Cisco devices use to gather information about devices connected to the same network. The CDPwn vulnerabilities could potentially be used to break network segmentation, to exfiltrate corporate network traffic traversing an organization’s switches and routers, to gain access to additional devices through man-in-the-middle attacks that intercept and alter traffic on the corporate switch, and to exfiltrate sensitive information such as phone calls from devices like IP phones and video feeds from IP cameras. Armis Security relayed information about CDPwn to Cisco soon after discovery.

On February 5, 2020, Cisco released patches for devices vulnerable to CDPwn exploitation. Cisco said that they are not aware of any malicious use of CDPwn as of yet. In order to exploit the vulnerabilities, attackers would first need to establish a foothold inside a target’s network, and then hop from device to device (via CDPwn exploitation) to gain significant access and/or control over a network and potentially execute code or cause denial of service.

Many of the vulnerable Cisco products—such as desk phones, web cameras, and network switches—do not auto-update, and need manual patching to receive protection. Enterprise switches and routers are often behind on patches and updates due to avoidance of network downtime. CDP is implemented in virtually all Cisco products, including switches, routers, IP phones and cameras. All those devices ship from the factory with CDP enabled by default. According to Cisco, over 95 percent of Fortune 500 companies use Cisco Collaboration solutions.

Cisco device owners should look up whether or not their devices are listed by Cisco as being susceptible to CDPwn exploitation by going to Cisco’s website. If they are listed as containing CDPwn vulnerabilities, device owners should immediately download and manually install patches from Cisco’s website. Routine updates are recommended for all Cisco devices in order to avoid possible exploitation by malicious actors relying on utilizing unpatched devices as attack vectors for infiltrating enterprise systems.
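Because CDP is on by default, passively capturing CDP announcements is one way a security team can build the inventory of devices that need to be checked against the affected-product list. The following Python is an added example (not code from Cisco, Armis or the E-ISAC): it parses CDP announcements from raw Ethernet frames into neighbour records carrying the advertised device ID, platform and software version, and checks every declared length against the bytes actually present, so a malformed frame is rejected instead of being read past its end. The MAC address, device name, platform and version strings in the embedded sample frame are constructed for the example.

```python
"""Bounds-checked parser for Cisco Discovery Protocol (CDP) announcements.
Added example (not code from Cisco, Armis or the E-ISAC): run it over raw
Ethernet frames from a capture to inventory which devices advertise CDP."""
import struct

CDP_MULTICAST = bytes.fromhex("01000ccccccc")   # destination MAC used by CDP
CISCO_OUI = bytes.fromhex("00000c")             # SNAP OUI for Cisco
CDP_PID = 0x2000                                # SNAP protocol id for CDP
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id",
             0x0005: "software_version", 0x0006: "platform"}

def parse_cdp_frame(frame: bytes) -> dict:
    """Return selected CDP TLVs from one Ethernet frame, or raise ValueError.
    Every length read from the frame is checked against the bytes actually
    present, so a short or inconsistent frame yields an error instead of an
    out-of-bounds read. The CDP checksum is not validated here."""
    if len(frame) < 22 or frame[:6] != CDP_MULTICAST:
        raise ValueError("not a CDP multicast frame")
    length = struct.unpack("!H", frame[12:14])[0]        # 802.3 length field
    payload = frame[14:14 + length]
    if length < 12 or len(payload) < length:
        raise ValueError("truncated 802.3 payload")
    # LLC header AA AA 03, then SNAP header: OUI 00 00 0c + PID 0x2000
    if payload[:3] != b"\xaa\xaa\x03" or payload[3:6] != CISCO_OUI:
        raise ValueError("not LLC/SNAP with Cisco OUI")
    if struct.unpack("!H", payload[6:8])[0] != CDP_PID:
        raise ValueError("SNAP PID is not CDP")
    cdp = payload[8:]
    record = {"version": cdp[0], "ttl": cdp[1]}
    pos = 4                                              # skip version, TTL, checksum
    while pos < len(cdp):
        if len(cdp) - pos < 4:
            raise ValueError("truncated TLV header at offset %d" % pos)
        ttype, tlen = struct.unpack("!HH", cdp[pos:pos + 4])
        if tlen < 4 or pos + tlen > len(cdp):            # tlen includes its 4-byte header
            raise ValueError("bad TLV length %d at offset %d" % (tlen, pos))
        name = TLV_NAMES.get(ttype)
        if name:
            record[name] = cdp[pos + 4:pos + tlen].decode("ascii", "replace")
        pos += tlen
    return record

def inventory(frames) -> tuple:
    """Parse many frames; return (neighbour records, rejection reasons)."""
    found, rejected = [], []
    for frame in frames:
        try:
            found.append(parse_cdp_frame(frame))
        except ValueError as exc:
            rejected.append(str(exc))
    return found, rejected

def _tlv(ttype: int, text: str) -> bytes:
    value = text.encode("ascii")
    return struct.pack("!HH", ttype, 4 + len(value)) + value

# Constructed sample announcement: every name, address and version string
# below is made up for this example, not captured from a real device.
_CDP_BODY = (bytes([2, 180]) + b"\x00\x00"               # version 2, TTL 180 s, checksum
             + _tlv(0x0001, "sw-lab-01") + _tlv(0x0005, "NX-OS 9.3(1)")
             + _tlv(0x0006, "N9K-C93180YC") + _tlv(0x0003, "Ethernet1/1"))
_LLC_SNAP = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", CDP_PID)
SAMPLE_FRAME = (CDP_MULTICAST + bytes.fromhex("001122334455")
                + struct.pack("!H", len(_LLC_SNAP) + len(_CDP_BODY))
                + _LLC_SNAP + _CDP_BODY)
# Same frame, but its last TLV now claims 255 bytes the frame does not hold.
_bad = bytearray(SAMPLE_FRAME)
_bad[-12] = 0xFF                                         # low byte of the last TLV's length
BAD_TLV_FRAME = bytes(_bad)
```

Running inventory() over a capture yields the platform and software version strings that can be matched against the “Affected Products” and “Fixed Releases” sections of the Cisco advisory.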

The following fix action is recommended for Cisco device owners: please refer to the “Affected Products” section of the attached “CISCO CDP vulnerability for DoS.pdf” to determine whether or not your device(s) are listed as having CDPwn vulnerabilities and, if so, refer to the “Fixed Releases” section, and download and install the patch for the device. A table containing both the affected device series and links to their respective vulnerability patch instructions has been included below.

Recommendation: Partners and Client organizations should have cyber security teams determine which affected devices they have and patch accordingly.

Recommendation: More frequent updating of Cisco devices.

| Affected Cisco Device(s) | Vulnerability Patch Instructions Link |
| --- | --- |
| IP Conference Phone 7832 | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96069 |
| IP Conference Phone 7832 with Multiplatform Firmware | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96060 |
| IP Conference Phone 8832 | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96071 |
| IP Conference Phone 8832 with Multiplatform Firmware | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96064 |
| IP Phone 6821, 6841, 6851, 6861, 6871 with Multiplatform Firmware | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96065; hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96067 |
| IP Phone 7811, 7821, 7841, 7861 Desktop Phones | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96739 |
| IP Phone 7811, 7821, 7841, 7861 Desktop Phones with Multiplatform Firmware | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96063 |
| IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96066; hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96069 |
| IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones with Multiplatform Firmware | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96058; hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96059 |
| Unified IP Conference Phone 8831 | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96738 |
| Unified IP Conference Phone 8831 for Third-Party Call Control | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96057 |
| Wireless IP Phone 8821 and 8821-EX | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96070 |
| Firepower 4100 series and Firepower 9300 security appliances | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15083 |
| IOS XR software | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr150824 |
| MDS 9000 Series Multilayer Switches | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15073 |
| Nexus 1000 Virtual edge for VMware vSphere | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15078 |
| Nexus 1000V Switch for Microsoft Hyper-V | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15078 |
| Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone NX-OS Mode | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr14976 |
| Nexus 5500 and 5600 Platform Switches and Nexus 6000 Series Switches | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15079 |
| Nexus 7000 Series Switches | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15073 |
| Nexus 9000 Series Fabric Switches in ACI Mode | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15072 |
| UCS 6200, 6300, and 6400 Series Fabric Interconnects | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15082; hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15111 |


Details: The National Council of ISACs shared information regarding the Department of Justice’s updated policy for using Unmanned Aircraft Systems (UAS), which was released in November of 2019. 

On November 27, 2019, DOJ published an updated copy of its Policy on the Use of UAS [hXXps://www.justice.gov/jm/9-95000-unmanned-aircraft-systems-uas]. They noted that: 

“In light of advancements in unmanned aircraft system (UAS) technology, and lessons learned from the Federal Bureau of Investigation’s limited use of UAS, the Policy enables the Department of Justice’s law enforcement components to safely and responsibly employ UAS technology within a framework designed to provide accountability and protect privacy and civil liberties. . . The Policy permits the use of UAS only in connection with properly authorized investigations and activities.  It also requires compliance with the Constitution and all applicable laws and regulations, including regulations issued by the Federal Aviation Administration.” 

E-ISAC Analyst Comment: It is useful to maintain awareness of government policy on the use of UAS, both to inform your understanding of the risks associated with them and to ensure that your organization is able to make informed decisions when using UAS.

Recommendation: The E-ISAC recommends members review the updated policy for awareness. 

The E-ISAC is providing this bulletin for situational awareness. If further information becomes available, it will be added as an update to this post.


According to Threatpost, Mozilla released the Firefox 72 browser on January 7, 2020. The update included fixes for five high-severity, four moderate, and one low-risk flaw. The update also blocks some third-party fingerprinting of users across different websites.

Some of the flaws addressed are:

  • CVE-2019-17015
  • CVE-2019-17017
  • CVE-2019-17025

"Mozilla did not indicate if any of these bugs have been exploited in the wild."

Reference:

hXXps://threatpost.com/mozilla-releases-firefox-72/151636/



Details: Recent open source articles have noted a few incidents resulting in power outages in Zimbabwe, Bangladesh, and Venezuela. While these are international incidents, they are of interest because the tactics could be an inspiration to those who wish to sabotage the electric grid in North America, and because they are a reminder of the damage that can be done.


Bangladesh: In an apparent sabotage effort, nine electric meters caught fire in four separate locations in Bagerhat. All fires occurred simultaneously after midnight, within a quarter of a kilometer of each other. The fires were not due to any short circuit or fault.


Source: hXXps://unb.com.bd/category/Bangladesh/electric-metres-gutted-in-series-of-fires-sabotage-suspected/35264


Zimbabwe: Transformer vandalism and theft has resulted in power outages over the past week, particularly in Marlborough. Residents have noted that the outages have affected businesses and caused water shortages, reduced ability to use facilities, and other health hazards. The Zimbabwe Electricity Supply Authority (ZESA) noted that it takes about five months to replace transformers due to lack of funds. Over 2,200 transformers have been stolen across the country.


Source: hXXps://www.zbc.co.zw/vandalism-and-thefts-worsen-power-outages-zesa/


Venezuela: Most of the country faced an approximately 7-hour blackout starting on November 29, affecting 23 of 24 states. The power company, Corpoelec, claimed that sabotage at a hydroelectric plant caused the blackout, though additional details have not been released.


Source: hXXps://stockdailydish.com/blackout-hits-most-of-venezuela-as-president-maduro-blames-sabotage-at-power-plant/


E-ISAC Analyst Note: While these incidents did not take place in North America, and the E-ISAC has not seen any evidence that they will spark actions in North America, it is important to maintain awareness of incidents such as these, as they emphasize the impact of vandalizing electricity-related infrastructure.


If further information becomes available, it will be added as an update to this post.


According to multiple open source websites, the country of Georgia was hit with a cyber-attack that knocked out thousands of websites, as well as a national television station.

Court websites containing case materials and personal data have also been attacked, as well as the presidential website. The origin of the attack, and who was behind it, are not yet known at this time.

At present, the energy sector infrastructure has not been targeted; however, the E-ISAC will continue to monitor for additional developments and provide updates when necessary.


August 19, 2019: According to Mexico News Daily, there have been over 61,000 vandalism incidents so far in 2019 in Mexico that have triggered electricity outages. The outages have occurred in Sinaloa, Tamaulipas, Michoacán, Sonora, Hidalgo, Chihuahua, México state, Tabasco and Baja California. This number is higher than the combined total for the same time period in 2017 and 2018. The article also noted that the Federal Electricity Commission (CFE) increased land and air patrol areas by 60% last year in response to the increased vandalism.


Source: hXXps://mexiconewsdaily.com/news/vandalism-triggered-power-outages/


On August 4, 2019, news sources reported that one individual died and another is in critical condition due to a copper theft attempt at a radio transmitter site in Oklahoma.

The Tulsa County Sheriff’s office reported that they were called to the KRMG AM Transmitter Site in Oklahoma the morning of August 4. They found two individuals who appeared to have been electrocuted while attempting to access the building through a conduit. Based on the tools and materials discovered at the site, the sheriff’s office believes they were attempting to steal copper. One of the individuals died, and the other is in critical condition.

Source: hXXps://www.krmg.com/news/local/dead-critical-condition-after-incident-krmg-sand-springs-transmitter-site/95HVjg1jXEWpEzjUKGmDEM/

E-ISAC Analyst Comment: While this is not a member site or related to the electricity industry, it is a good example of how dangerous copper theft can be – not only when stealing the copper itself, but even in accessing sites that contain copper. It is essential to increase awareness of the dangers of copper theft to assist in prevention and mitigation. A few suggested prevention tips provided by members include:

  • Create local groups to address copper theft, such as a coalition to increase public awareness and/or community watches to keep an eye on nearby facilities.
  • Discuss and develop alert or reporting systems to make it easier for residents to report suspicious activity.
  • Increase community awareness by issuing informational brochures and alerts on copper theft.
  • Advocate for stricter laws when dealing with copper theft, such as charging thieves with endangering life to increase penalties, thereby deterring future thefts.

For additional copper theft prevention best practices, please reference the TLP:White Copper Theft Prevention White Paper here [hXXps://www.eisac.com/portal-home/document-detail?id=119770] (119770) developed by the E-ISAC Physical Security Analysis Team in coordination with the Physical Security Advisory Group. This paper aims to provide copper theft prevention best practices and lessons learned that asset owners and operators have implemented successfully in North America.

Recommendation: Be vigilant about suspicious behavior in your area. Please continue sharing this type of activity with the E-ISAC and law enforcement. 

The E-ISAC is providing this bulletin for situational awareness. If further information becomes available, it will be added as an update to this post.