Grid Security News is a curated summary of recent key stories related to the Electric Grid, produced weekly by Protect Our Power (Protectourpower.org). Headlines appear in the first section, followed by complete summaries.

For a complete transcript of paywalled stories, please REPLY to this email and specify the story you would like to view in full.

For your email security, we no longer provide embedded hyperlinks in our feed. Instead, we provide unembedded links that you may copy and paste into your browser to view the entire article. We instituted this change to ensure your cyber safety. We hope this causes no inconvenience, but in today's environment, we must all be vigilant.

Note: Mail clients on macOS and iOS (Apple Mail on Macs and iPhones) will probably reinsert the hyperlink. Only click on hyperlinks from trusted sources!

For daily updates, follow us on Twitter: @gridprotection 

To subscribe to Grid Security News: Protectourpower.org/news/
Headlines
American Public Power Association: NERC Summer Assessment Sees ‘Elevated’ Reliability Risks In The West, MISO
Publicpower.org/periodical/article/nerc-summer-assessment-sees-elevated-reliability-risks-west-miso
Nextgov: CISA Orders Agencies to Mitigate VMWare Vulnerabilities Under Deadline
Nextgov.com/cybersecurity/2022/05/cisa-orders-agencies-mitigate-vmware-vulnerabilities-under-deadline/367108/
Washington Post/Cybersecurity 202: Lawmakers want to get tougher on cyber adversaries
Washingtonpost.com/politics/2022/05/19/lawmakers-want-get-tougher-cyber-adversaries/
Organized Crime And Corruption Reporting Project: Energy Sector Expects Deadly Cyberattacks in Next Two Years
Occrp.org/en/daily/16353-energy-sector-expects-deadly-cyberattacks-in-next-two-years
Wall Street Journal: Cyber Insurers Raise Rates Amid a Surge in Costly Hacks
Wsj.com/articles/cyber-insurers-raise-rates-amid-a-surge-in-costly-hacks-11652866200?st=wkob4i68pnr4exb&reflink=share_mobilewebshare
The Hill: Experts see progress on federal cybersecurity
Thehill.com/policy/cybersecurity/3496431-experts-see-progress-on-federal-cybersecurity/
Tom Alrich's Blog: Bring me the broomstick of the wicked witch of the west!
Tomalrichblog.blogspot.com/2022/05/bring-me-broomstick-of-wicked-witch-of.html
Michigan Matters/CBS Detroit: Richard Mroz of Protect Our Power Previews EV Exchange Conference
Detroit.cbslocal.com/video/6242759-michigan-matters-major-events-detroit/
Summaries
American Public Power Association: NERC Summer Assessment Sees ‘Elevated’ Reliability Risks In The West, MISO
Publicpower.org/periodical/article/nerc-summer-assessment-sees-elevated-reliability-risks-west-miso

Parts of western North America face an “elevated or high risk” of energy shortfalls this summer because of predicted above-normal temperatures and drought conditions, and electric reliability in the Midcontinent ISO (MISO) is at “high risk” because of capacity shortfalls, according to the 2022 Summer Reliability Assessment released by the North American Electric Reliability Corp. (NERC).

The expected continuation of western drought conditions poses several threats to electric reliability, NERC said. Below-normal snowpack can result in lower-than-average output from hydro generation in a region that depends on energy transfers to balance electric supply and demand.

In particular, the California-Mexico (CA/MX) assessment area and the Southwest Reserve Sharing Group (SRSG) depend on “substantial electricity imports” to meet demand on hot summer evenings and at times when wind and solar resources are low.

Texas, the Southwest Power Pool (SPP), and Saskatchewan are at elevated risk of energy emergencies during extreme conditions, the NERC report said, pointing out that in addition to putting a strain on electrical equipment, high temperatures also contribute to high demand.

The report also noted that continuing drought conditions over the Missouri River Basin could adversely affect SPP thermal generators that use the Missouri River for cooling.

Drought conditions can also exacerbate wildfires, NERC said, noting that government agencies are warning of the potential for above-normal wildfire risk across much of Canada, the U.S. South Central states, and Northern California. Wildfires can affect the reliability of transmission lines and the smoke from wildfires can cause diminished output from solar power resources, NERC said.

NERC also warned that the risk of unexpected tripping of solar photovoltaic resources during grid disturbances continues to be a reliability concern. In May and June of 2021, Texas experienced widespread solar loss events like those previously observed in California, and four additional solar loss events occurred between June and August 2021 in California. During these events, widespread loss of solar resources was coupled with the loss of synchronous generation, unintended interactions with remedial action schemes, and some tripping of distributed energy resources, NERC said.

NERC also singled out the risks facing MISO, saying the region is at “high risk” because it faces capacity shortfalls in its north and central areas during both normal and extreme conditions because of generator retirements and increased demand.

(May 21)
Publicpower.org/periodical/article/nerc-summer-assessment-sees-elevated-reliability-risks-west-miso
Nextgov: CISA Orders Agencies to Mitigate VMWare Vulnerabilities Under Deadline
Nextgov.com/cybersecurity/2022/05/cisa-orders-agencies-mitigate-vmware-vulnerabilities-under-deadline/367108/

Advanced adversaries appear to be exploiting the vulnerabilities to get around multifactor authentication.

Federal agencies must report to the Cybersecurity and Infrastructure Security Agency over the coming days on the status of VMWare product vulnerabilities the agency flagged in an emergency directive Wednesday.

“CISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch agencies and require emergency action,” the agency said, imposing a deadline of Monday, May 23, at noon for required actions. “This determination is based on the confirmed exploitation of CVE-2022-22954 and CVE-2022-22960 by threat actors in the wild, the likelihood of future exploitation of CVE-2022-22972 and CVE-2022-22973, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.”

VMWare is a Dell company specializing in technology for cloud computing and network virtualization. Earlier this month, researchers at the continuous security monitoring firm Assetnote reported that a vulnerability in VMWare’s Workspace One [Unified Endpoint Management] could have compromised companies’ cloud accounts.

“While I cannot share exact details about what companies were affected, there were a large number of enterprises that were vulnerable to this,” Assetnote Chief Technology Officer Shubham Shah said in a May 2 press release. “In some cases, it was possible to use this vulnerability to breach the AWS accounts of the companies.”

CISA’s emergency directive Wednesday instructs agencies either to patch the vulnerabilities across all instances of the VMWare products or to disconnect those instances from agency systems. For any affected applications that are internet facing, CISA additionally directs agencies to assume they have been compromised, to initiate threat hunting, and to report to the agency immediately.

CISA described the extensive capabilities adversaries could gain by exploiting the vulnerabilities, which multifactor authentication would not necessarily mitigate, because the exploits target steps that occur before that verification takes place.

“According to trusted third-party reporting, threat actors may chain these vulnerabilities. At one compromised organization, on or around April 12, 2022, an unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user,” CISA said in an advisory accompanying the directive. “The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems.”

(May 18)
Nextgov.com/cybersecurity/2022/05/cisa-orders-agencies-mitigate-vmware-vulnerabilities-under-deadline/367108/
Washington Post/Cybersecurity 202: Lawmakers want to get tougher on cyber adversaries
Washingtonpost.com/politics/2022/05/19/lawmakers-want-get-tougher-cyber-adversaries/

The U.S. lacks tools to enforce good cyber-behavior from other countries

The United States needs a broader set of options to punch back at nations that violate norms of good behavior in cyberspace, according to a Republican and a Democratic lawmaker I spoke with.

The most severe options could include blocking nations from the international financial system or dramatically restricting trade with them, Rep. Elissa Slotkin (D-Mich.) told me during a Washington Post live discussion. 

The comments reflect a long-simmering frustration in Washington that nations far inferior to the United States in military and economic might can nevertheless batter us in the cyber domain. Indeed, the United States is among the most vulnerable nations in cyberspace because our institutions are far more reliant on the Internet than other nations.

  • U.S. officials have tried indicting government-backed hackers and imposing limited sanctions on the companies that support them as well as naming and shaming nations it believes have stepped out of bounds in cyberspace.
  • But none of that has made much of a dent in the willingness of Russia, China and other U.S. adversaries to hack U.S. companies and government agencies.

If the United States wants to compel better behavior it will likely have to get far more aggressive, Slotkin said.

“There's a lot of tools left in the toolbox, but it means the United States doing something that we don't do a lot — or we don't like to do — which is mixing our military policy with our economic policy, making sure…we have consequences and built-in deterrence on cyber threats.”

(May 19)
Washingtonpost.com/politics/2022/05/19/lawmakers-want-get-tougher-cyber-adversaries/
Organized Crime And Corruption Reporting Project Energy Sector Expects Deadly Cyberattacks in Next Two Years
Occrp.org/en/daily/16353-energy-sector-expects-deadly-cyberattacks-in-next-two-years

More than half of energy professionals believe cyberattacks on the industry in the near future will result in a loss of life and many companies are not doing enough to protect themselves, according to a recent report.

Published Thursday by Norwegian risk management firm DNV, the paper found that “energy executives anticipate life, property and environment-compromising cyberattacks on the sector within the next two years.”

DNV notes fears over “more extreme consequences” to these security breaches than in recent years, citing as examples the 2021 shutdown-inducing attack on the U.S. Colonial Pipeline, and a series of disabling attacks against parts of Ukraine’s power grid in the mid-to-late 2010s.

The research is based on a survey of almost 1,000 energy professionals and in-depth interviews with executives from different countries around the world.

Almost half of respondents said control systems at their companies were not as secure as their IT systems, and less than a third said management at their firms were making cybersecurity a top priority.

“As [operational technologies] become more networked and connected to IT systems, attackers can access and control systems operating critical infrastructure such as power grids, wind farms, pipelines and refineries,” said Trond Solberg, managing director of cybersecurity at DNV.

“It is concerning to find that some energy firms may be taking a ‘hope for the best’ approach to cybersecurity rather than actively addressing emerging cyber threats,” he added.

DNV published its report the same day U.K. Attorney General Suella Braverman addressed a conference at London-based think tank Chatham House, underlining the need for a clear and common framework for applying international law to cyberspace following the outbreak of war in Ukraine.

Russian-backed hackers have targeted multiple European institutions in recent weeks. Microsoft reported in late April that at least six Russian-aligned groups had launched 240 cyber operations against Ukraine since the invasion began, and the U.S., European Union and U.K. have since blamed Russia for a hack against a satellite network that knocked thousands of German wind turbines offline.

Italian police also said they’d thwarted a pro-Russian attack on network infrastructure during the Eurovision Song Contest, in which Russia had been barred from participating.

But while hostile states are believed to be the greatest threat to critical energy infrastructure, experts and government officials have warned that the risk of organized criminal activity in this area is not to be underestimated.

“The line between nation-state and criminal actors is increasingly blurry as nation-states turn to criminal proxies as a tool of state power, then turn a blind eye to the cybercrime perpetrated by the same malicious actors,” Mieke Eoyang, U.S. Deputy Assistant Secretary of Defense for Cybersecurity, told Congress last May.

(May 20)
Occrp.org/en/daily/16353-energy-sector-expects-deadly-cyberattacks-in-next-two-years
Wall Street Journal: Cyber Insurers Raise Rates Amid a Surge in Costly Hacks
Wsj.com/articles/cyber-insurers-raise-rates-amid-a-surge-in-costly-hacks-11652866200?st=wkob4i68pnr4exb&reflink=share_mobilewebshare

Insurers significantly increased premiums for cyber coverage over the course of 2021, as a string of high-profile attacks and government action helped boost demand for products, data collected by industry bodies shows.

Direct-written premiums collected by the largest U.S. insurance carriers in 2021 swelled by 92% year-over-year, according to information submitted to the National Association of Insurance Commissioners, an industry watchdog, and compiled by ratings firms.

Analysts say that the increase primarily reflects higher rates, rather than insurers significantly expanding the amount of money they are willing to cover.

“The amount of rate that is being generated in this market is quite astonishing, just in terms of the percentages that are out there,” said Tim Zawacki, principal research analyst at S&P Global Inc.’s Market Intelligence business.

The price bumps helped the U.S. cyber insurance industry pare back its direct loss ratio, or the percentage of its income that it pays out to claimants, to 65.4% in 2021 from a record of 72.5% in 2020. However, that figure is still far above 2019’s direct loss ratio of 47.1%.

The sometimes drastic rate increases reflect a realignment of a relatively new market that is maturing quickly, executives say, indicating that the insurance industry is getting to grips with pricing cyber risk.

“Cyber risk insurance premiums are being right-sized after many years of softer market conditions despite an evolution in cyber underwriting,” said Jack Kudale, chief executive of Pleasanton, Calif.-based insurer Cowbell Cyber Inc.

Part of the reset includes stricter criteria for those applying for coverage, an approach the White House has applauded as it makes a broader push to tighten private-sector security. Many carriers are now requiring potential clients to demonstrate that they practice at least basic cyber hygiene, including measures such as multifactor authentication.

(May 18)
Wsj.com/articles/cyber-insurers-raise-rates-amid-a-surge-in-costly-hacks-11652866200?st=wkob4i68pnr4exb&reflink=share_mobilewebshare
The Hill: Experts see progress on federal cybersecurity
Thehill.com/policy/cybersecurity/3496431-experts-see-progress-on-federal-cybersecurity/

After grappling with multiple devastating cyberattacks, experts are applauding the progress made by the White House in the year since President Biden signed an executive order aimed at strengthening federal cybersecurity.

They are particularly impressed with the improvements that make it easier for the government and the private sector to share threat information.

“I’ve seen much more directive, actionable steps coming out now and I think the executive order is a big reason for that,” said Chris Wysopal, chief technology officer at Veracode. 

The May 2021 order sought to help secure federal government networks and critical infrastructure against cyber strikes. It introduced several key initiatives, including facilitating threat information sharing between the government and the private sector, modernizing federal cybersecurity standards, and improving software supply chain security.

Wysopal added that the Cybersecurity and Infrastructure Security Agency (CISA) has been frequently sharing threat intelligence and issuing guidance on the best cybersecurity practices to adopt, including implementing multi-factor authentication and using encryption.  

“CISA has really improved immensely in that area,” he said. 

Kelly Rozumalski, a senior vice president at technology consulting firm Booz Allen Hamilton, shared similar views, saying the order paved the way for better coordination between sectors.

“I think the public-private partnership portion of the executive order has really been key,” Rozumalski said.  

(May 22)
Thehill.com/policy/cybersecurity/3496431-experts-see-progress-on-federal-cybersecurity/
Tom Alrich's Blog: Bring me the broomstick of the wicked witch of the west!
Tomalrichblog.blogspot.com/2022/05/bring-me-broomstick-of-wicked-witch-of.html

Last week, someone brought to my attention this “position paper” on SBOMs from the “Cybersecurity Coalition” (a group I hadn’t heard of. But then, there are lots of legitimate groups I haven’t heard of). The person pointed out to me that the paper describes roadblocks preventing SBOMs from being widely used. I read it because I’m very interested in identifying these roadblocks. I’ve come to realize in the past year that widespread rollout of SBOMs will require solving some fundamental problems – and those problems need to be identified before they can be solved.

However, in reading this paper (it’s not very long), I realized that this isn’t an honest attempt to facilitate the rollout of SBOMs; it’s an attempt to impede it by asserting that this rollout can’t happen before a bunch of impossible things happen. It’s a lot like the Wizard of Oz ordering Dorothy to bring him the broomstick of the Wicked Witch of the West. The good wizard didn’t expect Dorothy to bring him the broomstick, and he certainly didn’t have any use for it when she did.

So what’s the broomstick that the Cybersecurity Coalition wants “SBOM” to bring back? Oh, just these four items:

  • Establish pilot programs involving software suppliers and agencies to demonstrate the effectiveness of SBOMs in improving vulnerability management practices, based on risk metrics, more rapidly and with less effort than existing tools and processes.
  • Drive to common standards for sharing, processing, and implementation of SBOMs and infrastructure to reduce potential confusion and inconsistency in outcomes.
  • Perform additional research and develop pilot programs to better refine how SBOMs can and should be used in cloud environments.
  • Create public/private workshops to discuss both the technical and non-technical aspects of SBOM sharing, including establishment of criteria for ensuring confidentiality where desired, and avoiding liability for software suppliers.

Of course, there’s nothing inherently bad about any of these things. But the NTIA Software Component Transparency Initiative went on for almost four years (from 2018 through the end of 2021) and took at least some of these steps. Plus, if the good people who wrote this position paper had joined the NTIA effort during that time and suggested these specific steps, I’m sure the group would have considered them. Why have they just recently realized that all of these things are needed?

Of course, the NTIA effort is over (although a couple of the groups that were working under the NTIA are continuing to work under CISA). Meanwhile, Executive Order 14028 (which the Cybersecurity Coalition expresses great love for in their document) – which was published a little more than one year ago – requires federal agencies to start asking their software suppliers for SBOMs less than three months from today. Isn’t it kind of late to suddenly decide that we need pilot programs and additional research and public/private workshops…and lions and tigers and bears (oh my!)?

These people could have…you know, mentioned these things when the EO was being drafted or at least after it was released. And they might have contacted OMB to give them this input, since that agency is charged with implementing the EO.

(May 19)
Tomalrichblog.blogspot.com/2022/05/bring-me-broomstick-of-wicked-witch-of.html
Michigan Matters/CBS Detroit: Richard Mroz of Protect Our Power Previews EV Exchange Conference
Detroit.cbslocal.com/video/6242759-michigan-matters-major-events-detroit/

Richard Mroz, Protect Our Power's Senior Advisor, State and Government Relations, previews this year's EV Exchange Conference, which takes place at Huntington Place in Detroit on June 22.

Mroz's segment begins at the 6:00 mark of the video.

For more information on EV Exchange, go to theevexchange.com/

(May 22)
Detroit.cbslocal.com/video/6242759-michigan-matters-major-events-detroit/
Jim Gold | Operations Director

O: 212.235.0251 M: 347.968.2912

Protectourpower.org @gridprotection