Grid Security News is a curated summary of recent key stories related to the Electric Grid, produced weekly by Protect Our Power (Protectourpower.org). Headlines appear in the first section, followed by complete summaries.

For your email security, we no longer provide embedded hyperlinks in our feed. Instead, we provide unembedded links that you may copy and paste into your browser to view the entire article. We instituted this change to ensure your cyber safety. We hope this causes no inconvenience, but in today's environment, we must all be vigilant.



Note: Email on MacOS (AppleMail, iPhones) will probably reinsert the hyperlink. Only click on hyperlinks from trusted sources!

For daily updates, follow us on Twitter: @gridprotection 

To subscribe to Grid Security News: Protectourpower.org/news/

UtilityDive: How US grid operators can defend against the unprecedented surge in power system attacks

Utilitydive.com/news/how-us-grid-operators-can-defend-against-the-unprecedented-surge-in-power-s/640987/

Newsmax: When Will 'Powers That Be' Protect the Electric Grid?

Newsmax.com/henryfcooper/electric-grid/2023/01/27/id/1106209/

NBC News: DOJ disrupts major ransomware group

Nbcnews.com/tech/security/doj-disrupts-major-ransomware-group-rcna67627

Wall St. Journal: Infrastructure Companies Say Suppliers Pose a Growing Cyber Threat

Wsj.com/articles/infrastructure-companies-say-suppliers-pose-a-growing-cyber-threat-11674774577

Utility Dive: ‘We got lucky.’ A stronger 2022 storm season could have threatened grid recovery: EEI

Utilitydive.com/news/nerc-summit-resilience-outage-iso-ne-supply-chain/641270/

Cybersecurity Dive: Industrial organizations may worry too much about ICS vulnerabilities

Cybersecuritydive.com/news/industrial-ics-vulnerabilities-dragos/641418/

Reuters: U.S. and EU to launch first-of-its-kind AI agreement

Reuters.com/technology/white-house-european-commission-launch-first-of-its-kind-ai-agreement-2023-01-27/

Solar Magazine: MRC launches new chapter to advance microgrids in Texas

Solarmagazine.com/2023/01/mrc-launches-new-chapter-to-advance-microgrids-texas/

Tom Alrich's Blog: Do we need regulations to have SBOMs?

Tomalrichblog.blogspot.com/2023/01/do-we-need-regulations-to-have-sboms.html

UtilityDive: How US grid operators can defend against the unprecedented surge in power system attacks

Utilitydive.com/news/how-us-grid-operators-can-defend-against-the-unprecedented-surge-in-power-s/640987/

Undertaking random security measures, better information-sharing with law enforcement, and enlisting public support are among the steps grid operators can take to address the increase in attacks.

Just as much of the country was experiencing record cold and massive travel disruptions, bad actors continued physical attacks against substations. As Robert Walton reports in Utility Dive, “Six substations in the Pacific Northwest were damaged by attacks in November, and the Federal Bureau of Investigation is looking into a North Carolina firearms attack … that knocked power out to about 45,000 Duke Energy customers.” In total, including a more recent incident this month, authorities are investigating an unprecedented 13 substation attacks over a period of just several weeks.

These attacks are reminiscent of the April 2013 attack on a key Pacific Gas & Electric substation in Metcalf, California, which the California Public Utilities Commission deemed a “wake-up call” for the electric utility industry to apply closer security scrutiny to exposed infrastructure. Unfortunately, even given lessons learned from that sophisticated attack, there are several interrelated dynamics that still make securing exposed critical infrastructure difficult: 



1. “Last-mile” power delivery realities: While the North American Electric Reliability Corporation Critical Infrastructure Protection standards, or NERC-CIP, and federal regulators have taken important steps to safeguard key nodes of the bulk-electric system — strategic transmission assets that, if targeted, could cause significant disruption and persistent black-outs — the “hub-and-spoke” approach to power delivery means that there will always be customers at the end of a delivery line.Simply put, one or two substations can support thousands of homes and businesses (or critical customers), but not rise to a critical level under NERC-CIP regulations, which require enhanced physical and cybersecurity measures. Given the vastness of the system, regulators and operators must use a risk-based approach when deploying limited security resources. But these tiering equations often over-weight consequences or impact to the grid, and may not always incorporate site-specific vulnerabilities or threats. 
2. Limited response capabilities — especially in rural areas: Most electric utilities employ a mixture of proprietary and contract guard forces — but these resources tend to be concentrated around large generation plants, corporate headquarters, or critical power control facilities. Because there are 55,000+ substations in the United States placing a guard at each location is not feasible. Instead, companies rely on local law enforcement and an array of cameras and sensors to direct their response.
3.  Multiple single points of failure: While it’s true that some early reports, particularly in North Carolina, indicated that attacker(s) there had insider knowledge of “exactly” how to disable substations, the reality is that even hardening or shielding key areas on the site will not prevent a motivated attacker from damaging transmission stations or targeting the hundreds of thousands of miles of exposed high-voltage transmission lines. The nature of power delivery still relies on wired connection points across the country — any of which can be vulnerable to attack. 

(Jan.24)

Utilitydive.com/news/how-us-grid-operators-can-defend-against-the-unprecedented-surge-in-power-s/640987/

Newsmax: When Will 'Powers That Be' Protect the Electric Grid?

Newsmax.com/henryfcooper/electric-grid/2023/01/27/id/1106209/

For over two decades, the Commission to Assess the Threat to the United States from Electromagnet Pulse (EMP) Attack (EMP Commission, for short), composed of well-informed competent physicists and engineers, reported to Congress and issued over a dozen reports on the nature of the existential threat posed by both manmade and natural EMP threats — and how to protect against these threats.

Some of these experts were actively engaged in the early efforts (in the 1960s) to understand EMP effects and to design and protect our most important strategic systems to survive and operate through such effects. Moreover, these same countermeasures also can be quite affordably applied to protect our critical civil systems — and those protective measures are openly reported and are readily available.

Yet the “powers that be” have at best studied the problem without applying such well-known methods to protect even our most important critical civil infrastructure, like the electric power grid — while the threat has grown.

For example, I joined several experts in a 2015 Newsmax article to warn about Iran’s pending capability to attack the United States, including with an EMP attack on the electric power grid. And my 2017 Newsmax article opposed efforts to disband the EMP Commission, even as the leaders of North Korea explicitly threatened an EMP attack on our electric power grid.

Moreover, we have known for years that North Korea and Iran — as well as Russia and China — include EMP attacks in their military plans, which today would debilitate the United States.

As I testified on May 2017 before the Senate Energy and Natural Resources Committee and wrote for a May 2018 American Legion article for their 2.2 million subscribers, I became frustrated that Washington’s “Powers that Be” were doing nothing to address this existential threat and decided to try to address the problem from “The Bottom Up” — starting locally and then working up to the state and federal authorities.

Those reports are expanded in Appendix B of Powering Through 2020, Building Critical Infrastructure Resilience — including a discussion of the Lake Wylie Pilot Study that was initiated to better understand these issues and to estimate the cost of countering EMP vulnerabilities.

(Jan. 27)

Newsmax.com/henryfcooper/electric-grid/2023/01/27/id/1106209/

NBC News: DOJ disrupts major ransomware group

Nbcnews.com/tech/security/doj-disrupts-major-ransomware-group-rcna67627

Hive, one of the most prolific hacker gangs in the world, had received about $100 million in extortion payments, according to government officials.

The FBI infiltrated and disrupted a major cybercriminal group that extorted schools, hospitals and critical infrastructure around the world, federal officials said Thursday.

The group, Hive, is one of the most prolific hacker gangs in the world, having received about $100 million in extortion payments, according to a November warning from the FBI, the Department of Health and Human Services, and the Cybersecurity and Infrastructure Security Agency. As of Thursday morning, its website on the dark web showed a message saying it had been seized by an international law enforcement coalition, including the FBI and Justice Department.

The FBI said it gained access to Hive’s computer networks in July 2022, acquiring decryption keys to more than 1,300 current and past victims, which helped prevent more than $130 million in demanded ransom money. Ransomware hackers extort victims by hacking into an organization, then either encrypting their files, rendering computers unusable, or stealing and threatening to leak those files. Previous ransomware attacks have resulted in the release of sensitive information about law enforcement officers and schoolchildren.

Those figures underscore just how large the ransomware crime ecosystem has grown. Jen Ellis, a co-chair of the Ransomware Task Force, a cybersecurity industry partnership to address ransomware, said the takedown on Thursday was a major step, but likely wouldn’t stop Hive entirely.

The FBI did not announce any arrests, but is still investigating the group. FBI Director Christopher Wray and Attorney General Merrick Garland announced the action in a news conference.



The takedown is a rare victory against a ransomware gang. Such groups often act with near-impunity in attacking targets in the U.S. and around the world.

(Jan. 26)

Nbcnews.com/tech/security/doj-disrupts-major-ransomware-group-rcna67627

Wall St. Journal: Infrastructure Companies Say Suppliers Pose a Growing Cyber Threat

Wsj.com/articles/infrastructure-companies-say-suppliers-pose-a-growing-cyber-threat-11674774577

Companies in critical infrastructure sectors say weak cyber defenses at suppliers are becoming a significant threat to their business, and that rules to boost security down the supply chain might be needed.

While federal and industry rules for specific areas such as aviation, pipeline companies and other critical infrastructure operators are well-established, said Curley Henry, vice president and deputy chief information security officer at power utility Southern Co. , cyber regulations for businesses supplying those operators are less so.

“The supply chain is the area where the threats are growing the most for us, but the regulations aren’t targeted to those who are providing the products,” Mr. Henry said, speaking on a virtual panel hosted Thursday by industrial cybersecurity firm Dragos Inc. 

“While I agree with the need for regulations for us, in critical infrastructure, oil and gas, manufacturing, that’s an overlooked area that needs to get a lot of focus,” he said. 

Mr. Henry’s comments reflect long-held concerns of government officials and security chiefs about the security of supply chains, and the impact that a breach of one company can have on many others. 

High-profile examples include the successful breach of a product used by software provider Kaseya Ltd. in July 2021 that resulted in hundreds of companies being infected by ransomware, and an attack on SolarWinds Corp. software in 2020 that resulted in compromises of multiple federal agencies.

Companies in supply chains, which are often small to medium-size businesses, might not have the resources necessary to fund a full cybersecurity program, but a successful attack could stymie production further up the line, said Dawn Cappelli, director of the Operational Technology-Cyber Emergency Readiness Team at Dragos. The OT-CERT provides free cybersecurity resources and runs cyber exercises for companies that use industrial systems. 

“We have to be thinking not just about our own companies, but about the whole ecosystem,” she said, speaking on the same panel as Mr. Henry. 

Ms. Cappelli, former CISO at manufacturing-tech company Rockwell Automation Inc., said that a supplier doesn’t necessarily need to pose a direct cyber threat to a company, such as through a software or network link, for a disruption to have a significant impact. 

During her tenure at Rockwell, she said, manufacturing companies struck by ransomware would be unable to produce parts Rockwell needed to build its products, sometimes for weeks or months at a time.

“They didn’t present a cyber risk to us, but I realized they presented an operational risk,” she said. Larger companies should perform cyber assessments of their suppliers, and where possible, assist them with strengthening their defenses, Ms. Cappelli said.

(Jan. 27)

Wsj.com/articles/infrastructure-companies-say-suppliers-pose-a-growing-cyber-threat-11674774577

Utility Dive: ‘We got lucky.’ A stronger 2022 storm season could have threatened grid recovery: EEI

Utilitydive.com/news/nerc-summit-resilience-outage-iso-ne-supply-chain/641270/

The evolving power grid faces a host of challenges, speakers at NERC’s 2023 Reliability Leadership Summit said Wednesday.

The evolving U.S. power grid faces a host of long-term challenges, including resource adequacy, gas-electric coordination and physical and cyber resilience, according to a panel of experts. And those threats can be worsened by near-term concerns like supply chain constraints, they warned.

“We got lucky last year, that it was not a terrible storm season,” said Scott Aaronson, senior vice president of security and preparedness for the Edison Electric Institute, which represents investor-owned utilities. “But had it been a terrible storm season, I don’t have a lot of confidence that we had all the material and equipment that we would have needed to put the system back together.”

Aaronson and other utility leaders discussed grid transformation and resilience efforts at the North American Electric Reliability Corp.’s 2023 Reliability Leadership Summit on Wednesday. The sector faces shortages of materials and equipment, including distribution, pole-top and pad-mount transformers, utility poles and conductor, he said.

EEI is “working closely” with equipment manufacturers and the Biden administration to “address those shortfalls in the near term. But that’s only going to be exacerbated as we continue to grow out the system,” Aaronson said.

The head of the New England electric grid pointed to energy adequacy, with a focus on gas-electric coordination, and resource adequacy as major concerns.

“If we don’t get our hands around those two, I think we’re going to see more and more events like we’ve seen in the last two years,” Gordon Van Welie, president and CEO of ISO New England, said.



Around the country, in the past two winters, there have been power outages, price spikes and plant failures in extreme weather.

(Jan. 26)

Utilitydive.com/news/nerc-summit-resilience-outage-iso-ne-supply-chain/641270/

Cybersecurity Dive: Industrial organizations may worry too much about ICS vulnerabilities

Cybersecuritydive.com/news/industrial-ics-vulnerabilities-dragos/641418/

The pressure to constantly patch is more likely to damage industrial plants, Dragos CEO Robert M. Lee said.

Industrial control system operators have a lot to worry about, but known vulnerabilities in their OT systems get more attention than they deserve.

“There have been zero known ICS vulnerabilities ever leveraged in any ICS cyberattack,” Robert M. Lee, CEO and co-founder at Dragos said Thursday during an executive briefing on critical infrastructure security hosted by Dragos.

The cyberthreats confronting ICS are vast and distinct. One way to cut through the risk: Prioritize resources and efforts in line with the most likely points of attack or failure.

“I’m not saying vulnerabilities don’t matter. I’m just saying we put it as the No. 1 thing when it’s probably not in the top four in terms of what we need to do,” Lee said.

“There’s so much pressure on asset owners and operators to always be patching, and I have responded to more IT people taking down plants through patching than Russia, China and Iran combined,” Lee said. “I just want us to be careful of the risk.”

When the ICS and OT security software vendor’s threat intelligence team looks at vulnerabilities, it ascertains their potential impact to industrial organizations based on two queries:

• Has it been used in an attack? 
• Could the vulnerability be used in an attack that might cause serious damage?

Any vulnerability that meets one of those factors gets placed in the “you should take care of this now category,” Lee said. “And only 4% rise to the level of, you should do it now.”

The remaining vulnerabilities are almost evenly split between those that might be used for an attack but have negligible impact and those that bear no relevance to ICS or industrial OT, according to Lee.

Vulnerabilities have a correlation to legacy equipment and software, another common target for misplaced priorities in industrial OT.

“There’s this idea that if we didn’t have legacy equipment that we wouldn’t have the risk, and that’s not how the industrial attacks actually happen,” Lee said. “It’s not a let’s rip and replace as if everything could be magically better.”

(Jan 27)

Cybersecuritydive.com/news/industrial-ics-vulnerabilities-dragos/641418/

Reuters: U.S. and EU to launch first-of-its-kind AI agreement

Reuters.com/technology/white-house-european-commission-launch-first-of-its-kind-ai-agreement-2023-01-27/

The United States and European Union on Friday announced an agreement to speed up and enhance the use of artificial intelligence to improve agriculture, healthcare, emergency response, climate forecasting and the electric grid.

A senior U.S. administration official, discussing the initiative shortly before the official announcement, called it the first sweeping AI agreement between the United States and Europe. Previously, agreements on the issue had been limited to specific areas such as enhancing privacy, the official said.

AI modeling, which refers to machine-learning algorithms that use data to make logical decisions, could be used to improve the speed and efficiency of government operations and services.

"The magic here is in building joint models (while) leaving data where it is," the senior administration official said. "The U.S. data stays in the U.S. and European data stays there, but we can build a model that talks to the European and the U.S. data because the more data and the more diverse data, the better the model."

The initiative will give governments greater access to more detailed and data-rich AI models, leading to more efficient emergency responses and electric grid management, and other benefits, the administration official said.

Pointing to the electric grid, the official said the United States collects data on how electricity is being used, where it is generated, and how to balance the grid's load so that weather changes do not knock it offline.

Advertisement · Scroll to continue

Many European countries have similar data points they gather relating to their own grids, the official said. Under the new partnership all of that data would be harnessed into a common AI model that would produce better results for emergency managers, grid operators and others relying on AI to improve systems.

The partnership is currently between just the White House and the European Commission, the executive arm of the 27-member European Union. The senior administration official said other countries will be invited to join in the coming months.

(Jan 27)

Reuters.com/technology/white-house-european-commission-launch-first-of-its-kind-ai-agreement-2023-01-27/

Solar Magazine: MRC launches new chapter to advance microgrids in Texas

Solarmagazine.com/2023/01/mrc-launches-new-chapter-to-advance-microgrids-texas/

The Microgrid Resources Coalition (MRC) announced the launch of a Texas Chapter focusing on legislative and regulatory engagement to advance microgrid adoption throughout Texas.

Texas has suffered several severe winter storms over the past few years. The power crisis in 2021 attributed to Winter Storm Uri brought out the necessity and urgency for reliable power resiliency plans to address power issues in Texas under extreme weather.

"In forming the MRC Texas Chapter, we aim to give a unified voice to the microgrid industry throughout Texas, with the goal of building community resilience and supporting business continuity so something of that nature never happens again," said Pierson Stoecklein, Executive Director of the MRC.

A modern microgrid integrates solar technologies and energy storage as part of its generation mix. It is a local energy grid with capabilities that can operate with the traditional grid as well as disconnect from it and operate autonomously. These capabilities allow for resilient and flexible electricity generation when the traditional grid is out of service.

The Texas Chapter also anticipates the filing of multiple bills this session that are favorable to the continued deployment of microgrids.

Notable, Senate Bill 330 (SB 330), which was authored by Senator Bob Hall, proposes to establish the "Texas Electric Grid Security Commission." The Commission will be responsible for evaluating the vulnerabilities to the power grid and critical infrastructure and developing standards that will mitigate related threats.

(Jan. 29)

Solarmagazine.com/2023/01/mrc-launches-new-chapter-to-advance-microgrids-texas/

Tom Alrich's Blog: Do we need regulations to have SBOMs?

Tomalrichblog.blogspot.com/2023/01/do-we-need-regulations-to-have-sboms.html

In the SBOM Forum meeting last Friday, we had a lively discussion – nay, argument – on a question that frankly surprised me: Will it take regulation to make SBOMs widely distributed and widely used by private and government al organizations whose main business isn’t software?

It’s quite clear that SBOMs are being widely used by software developers for their own product security purposes. However, it’s also clear that SBOMs are not being widely – or even narrowly – distributed to non-developers[i]. And, while there are certainly a lot of suppliers who don’t want to distribute SBOMs, there are also a lot of users who would like to utilize the information that SBOMs provide, but have no idea how they will be able to get that information from an SBOM when they receive it. This is because there aren’t any low-cost, commercially supported tools (or really any tools at all) that ingest both SBOMs and VEX information and output lists of exploitable component vulnerabilities in a particular product and version.

In the meeting on Friday, a number of well-known, very experienced people in the SBOM space were telling me that SBOMs won’t really be distributed until suppliers are forced to do that by regulations. However, those people say that regulations are right around the corner, so SBOMs are also surely right around the corner.

I frankly don’t know what these people are talking about. I’m optimistic that within two years there will be substantial distribution and use of SBOMs. However, it won’t be due to regulation. It will be due to – dare I say it? – the operation of the free market. Simply put, it will be due to organizations that use SBOMs deciding that a) they want to have the information that can be gained from SBOMs, and b) the tools and/or services needed to obtain that information are readily available to them (which they aren’t now).

Here is why regulations aren’t coming (or at least not in anywhere near the volume or strength required to make a difference), and also why they wouldn’t be needed, even if they were coming:

1.      I, like everyone else involved with SBOMs, thought Executive Order 14028 would be a game changer; it certainly did change the game in terms of awareness of SBOMs. But the date for compliance with Section 4(e) of the EO (which includes the SBOM provisions) was set by OMB for August 10, 2022. On that date, government agencies were supposed to start requiring SBOMs from their suppliers. I haven’t heard of any flood of SBOMs after that date, have you?

2.      After that date passed, expectation grew for OMB’s EO implementation memo in September. But that memo, when it appeared, required every agency to…decide for themselves what if anything to do about SBOMs. Not exactly a game-changer, IMHO.

3.      The memo does require an attestation from the supplier about their software development practices (including SBOMs), but if the supplier attests that they will produce an SBOM and don’t do it, or if they just attest that they won’t produce one at all, there’s no mechanism for an agency to force the supplier to do this. And if an agency were to even consider terminating a relationship with a supplier due to failure to produce an SBOM, the supplier will simply say, “Please show me where in our current contract it says we’re required to produce SBOMs.”

4.      Indeed, the EO did call for changes in the Federal Acquisition Regulation (FAR), which would be required in order to change new contracts. I haven’t heard anything about any changes in FAR being implemented (and I don’t know whether they require Congressional approval if so). And even when the FAR is changed, remember that would only apply to new acquisitions, not to any current contracts. Of course, federal contracts with suppliers are usually multiyear, meaning it will be years before any changes will be implemented due to the EO.

5.      So – and I should have realized this initially – there’s simply no way that the EO is going to make any real difference in SBOMs, unless federal agencies decide they really need SBOMs (or at least data from them) and do more than just ask meekly for an SBOM – then move to the next topic when the supplier says no. In other words, it will be demand from consumers – the agencies – that will drive federal use of SBOM data. The EO certainly will have played a big role in inspiring that demand, but it won’t be the reason that SBOMs are being distributed and used.

(Jan. 30)

Tomalrichblog.blogspot.com/2023/01/do-we-need-regulations-to-have-sboms.html