Resilience for Grid Security Emergencies: Opportunities for Industry–Government Collaboration
Johns Hopkins Applied Physics Laboratory has released a report by Dr. Paul Stockton, Resilience for Grid Security Emergencies: Opportunities for Industry–Government Collaboration [hXXp://www.jhuapl.edu/Content/documents/ResilienceforGridSecurityEmergencies.pdf].
The report discusses potential Emergency Orders from the US Department of Energy under the authority added to the Federal Power Act by the Fixing America’s Surface Transportation (FAST) Act. The statute authorizes the Secretary of Energy, following a Presidential declaration of a grid security emergency, to order emergency measures to protect or restore the reliability of critical electric infrastructure or defense critical electric infrastructure for the duration of the emergency. A grid security emergency could result from a physical attack, a cyber-attack using electronic communication, an electromagnetic pulse (EMP), or a geomagnetic storm that damages electricity infrastructure assets and impairs the reliability of the Nation's power grid.
Last week, Tenable published a broad-ranging vulnerability assessment report that claimed to identify four distinct assessment “styles” leveraged by organizations. According to their research, the results provide insight on vulnerability assessment maturation and how to measure it.
In the report, Tenable indicates that the “utilities industry had the highest proportion of the low-maturity Minimalist style overall.” The report also stated that the “utilities industry showed no representatives who followed the mature Diligent style.”
The company states that the report was based on compiling data (methods and results) from 300,000+ scans on 2,100+ individual organizations across 66 countries over a three-month period (March to May 2018). Their report states that they used machine learning algorithms against that data to develop their findings.
Tenable did not clarify what criteria were used to select participant organizations or how each organization was assigned to one of the eighteen industry categories detailed in the report. Nor did it clarify how many organizations within the “utility” group were electricity companies.
Tenable is the company behind the commercial version of Nessus, a vulnerability scanner.
A team of ICS experts who spent the past year studying and re-creating the so-called TRITON/TRISIS malware, which targeted a Schneider Electric safety instrumented system (SIS) at an oil and gas petrochemical plant, has developed open source tools for detecting it.
The researchers demonstrated how the malware works, as well as a simulation of how it could be used to wage a destructive attack. Nozomi Networks recently released the TriStation Protocol Plug-in for Wireshark, which the researchers wrote to dissect the Triconex system's proprietary TriStation protocol. The free tool can detect TRITON malware communicating on the network, gather intelligence on that communication, translate function codes, and extract the PLC programs being transmitted.
They subsequently added a second free TRITON defense tool, the Triconex Honeypot Tool, which simulates the controller so that ICS organizations can set up SIS lures (honeypots) to detect TRITON reconnaissance scans and attack attempts on their safety networks.
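The detection idea behind an SIS lure is simple: a decoy that nobody should legitimately talk to, so any datagram it receives is worth an alert. The following is an added illustration written for this page, not Nozomi's Triconex Honeypot Tool or any code from it. It assumes that TriStation is reached over UDP port 1502 (the port the protocol is widely reported to use) and it does not implement the real TriStation protocol; it only records who contacts the decoy, alerts on first contact, and alerts again when the same source keeps probing. The sample traffic at the bottom is constructed, not a capture.

```python
"""Minimal SIS lure: alert on any datagram sent to a decoy TriStation port.

Added example for this page. Assumptions (not from the page or from Nozomi's
tool): TriStation is reported to use UDP/1502; the lure does not speak the
protocol, it only tracks which hosts probe it and how often.
"""
import socket
import time
from collections import defaultdict

TRISTATION_PORT = 1502   # assumption: reported TriStation UDP port
PROBE_THRESHOLD = 3      # alert again once a source has sent this many datagrams


class SisLure:
    """Tracks datagrams hitting a fake safety controller and produces alerts."""

    def __init__(self, threshold=PROBE_THRESHOLD):
        self.threshold = threshold
        self.seen = defaultdict(int)   # src_ip -> datagram count
        self.log = []                  # every datagram, alert or not

    def observe(self, src_ip, payload, ts):
        """Record one datagram; return an alert dict when one should fire, else None."""
        self.seen[src_ip] += 1
        count = self.seen[src_ip]
        record = {"ts": ts, "src": src_ip, "len": len(payload), "head": payload[:8].hex()}
        self.log.append(record)
        # A lure has no legitimate clients, so first contact is itself an alert.
        if count == 1:
            return {"kind": "first_contact", **record}
        # Repeated traffic from the same host looks like reconnaissance or an attack attempt.
        if count == self.threshold:
            return {"kind": "repeated_probe", "count": count, **record}
        return None

    def replay(self, datagrams):
        """Feed (src_ip, payload) pairs in order and return the alerts produced."""
        alerts = []
        for i, (src, payload) in enumerate(datagrams):
            alert = self.observe(src, payload, float(i))
            if alert is not None:
                alerts.append(alert)
        return alerts

    def serve(self, bind="0.0.0.0", port=TRISTATION_PORT):
        """Bind the decoy port and print alerts until interrupted."""
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind((bind, port))
            while True:
                payload, (src, _) = s.recvfrom(4096)
                alert = self.observe(src, payload, time.time())
                if alert is not None:
                    print(alert)


# Constructed sample traffic (not a real capture): one host probing three times,
# another once. Payload bytes are arbitrary placeholders, not TriStation frames.
SAMPLE = [
    ("10.0.0.5", b"\x01\x00\x00\x00"),
    ("10.0.0.9", b"\x01\x00\x00\x00"),
    ("10.0.0.5", b"\x01\x00\x00\x00"),
    ("10.0.0.5", b"\x02\x00\x00\x00"),
]

if __name__ == "__main__":
    for alert in SisLure().replay(SAMPLE):
        print(alert)
```

Running the replay yields three alerts: first contact from 10.0.0.5, first contact from 10.0.0.9, and a repeated-probe alert when 10.0.0.5 reaches the threshold. On a real safety network the lure would sit on an address the engineering workstation never uses, so that even a single datagram is actionable; forwarding the alert records to a SIEM is left to the deployment.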
While analyzing TRITON, the Nozomi researchers also discovered a built-in maintenance backdoor in version 4.9 of the Triconex TriStation 1131 engineering software.
"We also found two undocumented power users with hard-coded credentials," Nozomi wrote in a blog post today. "One of the power user's login enabled a hidden menu, which from an attacker's perspective, could be useful."
A Dragos blog post has identified a new activity group, which Dragos calls RASPITE, targeting access operations in the electric utility sector. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicates the group has been active in some form since early- to mid-2017.
A Radware blog post has identified a new malware campaign, "Nigelthorn", aimed at the Facebook network that not only steals account credentials but also installs a covert cryptominer. The malware abuses a legitimate Google Chrome extension called Nigelify, from which the campaign takes its name.
The cyber research firm Dragos today detailed the operations of a suspected Russian hacker group that focuses on penetrating critical infrastructure networks. The group, which Dragos calls ALLANITE, “accesses business and industrial control (ICS) networks, conducts reconnaissance and gathers intelligence in United States and United Kingdom electric utility sectors,” according to a newly published profile, the first in a series about infrastructure-focused hacking teams. Dragos said that ALLANITE hackers “continue to maintain ICS network access” so they can “understand the operational environment necessary to develop disruptive capabilities” and be ready to disrupt those systems when called upon to do so. The company, which does not attribute hacking groups to nation-states, acknowledged that ALLANITE's “activity closely resembles” a Russian cyber intrusion campaign that U.S. officials have dubbed Palmetto Fusion. “Russian government cyber actors ... targeted small commercial facilities’ networks where they staged malware, conducted spear phishing and gained remote access into energy sector networks,” DHS said in a March 15 alert. Dragos said that ALLANITE uses spearphishing and malware-laden websites to harvest the login information needed to penetrate networks. So far, the company said, ALLANITE campaigns “limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities.”
A new program aims to increase involvement and enhance collaboration and information sharing between member utilities of the North American Electric Reliability Corporation (NERC) Electricity Information Sharing and Analysis Center (E-ISAC). In January, E-ISAC, in partnership with the Large Public Power Council, began an initiative called the Industry Augmentation Program, which invites utility staff for multi-day visits to work alongside E-ISAC personnel. The program aims to raise awareness of E-ISAC cyber and physical security analysis processes, data protection, and the separation from NERC’s compliance functions; to give the E-ISAC an avenue for industry feedback on tools and communications protocols; and to strengthen utility security programs and staff expertise. “This program highlights the benefit of multi-directional information sharing between the E-ISAC and industry,” said Bill Lawrence, director of the E-ISAC.
Update to OE-417
The updated OE-417 form is going through the White House Office of Management and Budget (OMB) review now after two rounds of public comment. Since the updated form is under review, the current version will stay in effect until the new version is approved. DOE will update the website with a message noting the continued use of the current version pending recertification.
experts will come together to share ideas, methods, and techniques for defending control systems. In-depth presentations and interactive panel discussions will highlight real-world approaches that work and make a difference for the individuals fighting this fight every day.
March Event - CYBER STRIKE WORKSHOP
The training will offer attendees a hands-on, simulated demonstration of a cyber-attack drawing on elements of the December 2015 Ukraine cyber incident. The workshop will be conducted through a series of exercises/labs listed below that attendees work through in teams. Other topics that will be referenced include the North American Electric Reliability Corporation (NERC) alert related to the 2015 Ukraine cyber incident and the applicability of NERC Critical Infrastructure Protection (CIP) reliability standards* to such an incident. The primary focus, however, will not be the standards but understanding the Ukraine cyber incident from a technical perspective in order to enhance cyber preparedness.