WASHINGTON, D.C. – NERC’s Electricity Information Sharing and Analysis Center (E-ISAC) and the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) announced an agreement to improve information sharing among the organizations and their members with the goal of strengthening the cyber security of the nation’s critical electric infrastructure. The new agreement also deepens cooperation between the E-ISAC and the state and local government partners that the MS-ISAC represents. CIS® (Center for Internet Security, Inc.) is home to the MS-ISAC, and both are headquartered in New York. The Department of Homeland Security has designated the MS-ISAC as the key cybersecurity resource for state, local, tribal and territorial governments, including chief information officers, Homeland Security advisors and fusion centers.
Through a variety of tools, both the E-ISAC and the MS-ISAC analyze potential physical and cyber security threats and use their respective secure portals to alert and advise members on mitigating threats. The goals of the E-ISAC and MS-ISAC under the partnership include:
-- Improve security collaboration on common threat information and incident response.
-- Provide joint analysis of security concerns and events.
-- Advance shared processes for information sharing and situational awareness.
-- Improve information sharing among all ISACs.
The E-ISAC and the MS-ISAC have agreed to use existing policies and procedures for safeguarding sensitive information under the partnership.
For situational awareness, below please find a message from the Department of Homeland Security regarding its work with NASA to secure drone traffic.
For awareness, the Department of Homeland Security has several free resources available that may be of assistance in preventing or mitigating physical security incidents within the electricity subsector. While these are not sector-specific, they may be able to be applied to members’ individual facilities. Please find a list of resources below.
- Insider Threat Video [hXXps://www.dhs.gov/insider-threat-mitigation]
- Active Shooter Preparedness [hXXps://www.dhs.gov/active-shooter-preparedness] and Video [hXXps://www.dhs.gov/active-shooter-emergency-action-plan-video]
- Securing Soft Targets and Crowded Places [hXXps://www.dhs.gov/publication/securing-soft-targets-and-crowded-places]
- Vehicle Ramming [hXXps://www.dhs.gov/sites/default/files/publications/Vehicle%20Ramming%20-%20Security%20Awareness%20for%20ST-CP.PDF]
- Pathway to Violence [hXXps://www.dhs.gov/pathway-violence-video]
- Connect, Plan, Train, Report [hXXps://www.dhs.gov/connect-plan-train-report]
In a previous blog post FireEye detailed the TRITON intrusion that impacted industrial control systems (ICS) at a critical infrastructure facility in the Middle East. In this blog post FireEye provides additional information linking the threat group's activity surrounding the TRITON intrusion to a Russian government-owned research institute.
Resilience for Grid Security Emergencies: Opportunities for Industry–Government Collaboration
Johns Hopkins Applied Physics Laboratory just released a report by Dr. Paul Stockton entitled (and linked here): Resilience for Grid Security Emergencies: Opportunities for Industry–Government Collaboration [hXXp://www.jhuapl.edu/Content/documents/ResilienceforGridSecurityEmergencies.pdf].
The report discusses potential Emergency Orders from the US Department of Energy that come from changes to the Federal Power Act as modified by the Fixing America’s Surface Transportation (FAST) Act. The statute authorizes the Secretary of Energy to order emergency measures, following a Presidential declaration of a grid security emergency, to protect or restore the reliability of critical electric infrastructure or defense critical electric infrastructure during the emergency. A grid security emergency could result from a physical attack, a cyber-attack using electronic communication, an electromagnetic pulse (EMP), or a geomagnetic storm event, damaging certain electricity infrastructure assets and impairing the reliability of the Nation's power grid.
Last week, Tenable published a broad-ranging vulnerability assessment report that claimed to identify four distinct assessment “styles” leveraged by organizations. According to their research, the results provide insight on vulnerability assessment maturation and how to measure it.
In the report, Tenable indicates that the “utilities industry had the highest proportion of the low-maturity Minimalist style overall.” The report also stated that the “utilities industry showed no representatives who followed the mature Diligent style.”
The company states that the report was based on compiling data (methods and results) from 300,000+ scans on 2,100+ individual organizations across 66 countries over a three-month period (March to May 2018). Their report states that they used machine learning algorithms against that data to develop their findings.
Tenable did not clarify what criteria were used to select participant organizations or how each organization was categorized into the eighteen industry categories detailed in the report. They also did not clarify how many of the organizations within the “utilities” group were electricity companies.
Tenable is the company behind the commercial version of Nessus, a vulnerability scanner.
A team of ICS experts who spent the past year studying and re-creating the so-called TRITON/TRISIS malware that targeted a Schneider Electric safety instrumented system (SIS) at an oil and gas petrochemical plant has developed open source tools for detecting it.
The researchers demonstrated how the malware works, as well as a simulation of how it could be used to wage a destructive attack. Nozomi Networks recently released the TriStation Protocol Plug-in for Wireshark that the researchers wrote to dissect the Triconex system's proprietary TriStation protocol. The free tool can detect TRITON malware communicating in the network, as well as gather intelligence on the communication, translate function codes, and extract PLC programs that it is transmitting.
They subsequently added a second free TRITON defense tool, the Triconex Honeypot Tool, which simulates the controller so that ICS organizations can set up SIS lures (honeypots) to detect TRITON reconnaissance scans and attack attempts on their safety networks.
While analyzing TRITON, the Nozomi researchers also stumbled on a built-in backdoor maintenance function in version 4.9 of the Triconex TriStation 1131 engineering software.
"We also found two undocumented power users with hard-coded credentials," Nozomi wrote in a blog post today. "One of the power user's login enabled a hidden menu, which from an attacker's perspective, could be useful."
Dragos has identified a new activity group targeting access operations in the electric utility sector. They call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicates the group has been active in some form since early- to mid-2017.
A Radware blog post has identified a new malware campaign, "Nigelthorn", aimed at the Facebook network that not only steals account credentials but also installs a covert cryptominer. The malware abuses a legitimate Google Chrome extension called Nigelify, from which the malware campaign derives its name.
The cyber research firm Dragos today detailed the operations of a suspected Russian hacker group that focuses on penetrating critical infrastructure networks. The group, which Dragos calls ALLANITE, “accesses business and industrial control (ICS) networks, conducts reconnaissance and gathers intelligence in United States and United Kingdom electric utility sectors,” according to a newly published profile, the first in a series about infrastructure-focused hacking teams. Dragos said that ALLANITE hackers “continue to maintain ICS network access” so they can “understand the operational environment necessary to develop disruptive capabilities” and be ready to disrupt those systems when called upon to do so. The company, which does not attribute hacking groups to nation-states, acknowledged that ALLANITE's “activity closely resembles” a Russian cyber intrusion campaign that U.S. officials have dubbed Palmetto Fusion. “Russian government cyber actors ... targeted small commercial facilities’ networks where they staged malware, conducted spear phishing and gained remote access into energy sector networks,” DHS said in a March 15 alert. Dragos said that ALLANITE uses spearphishing and malware-laden websites to harvest the login information necessary to penetrate networks. So far, the company said, ALLANITE campaigns “limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities.”