Updated ESCC COVID-19 Resource Guide
This is an updated novel coronavirus (or COVID-19) Resource Guide for the electric power industry. This living document was developed under the direction of the Electricity Subsector Coordinating Council (ESCC), with participation from all segments of the industry and the natural gas sector. It provides information and options to consider when making localized decisions in response to the current global health emergency.
Update to OE-417
The updated OE-417 form is going through the White House Office of Management and Budget (OMB) review now after two rounds of public comment. Since the updated form is under review, the current version will stay in effect until the new version is approved. DOE will update the website with a message noting the continued use of the current version pending recertification.
Last week, Tenable published a broad-ranging vulnerability assessment report that claimed to identify four distinct assessment “styles” leveraged by organizations. According to their research, the results provide insight on vulnerability assessment maturation and how to measure it.
In the report, Tenable indicates that the “utilities industry had the highest proportion of the low-maturity Minimalist style overall.” The report also stated that the “utilities industry showed no representatives who followed the mature Diligent style.”
The company states that the report was based on compiling data (methods and results) from 300,000+ scans on 2,100+ individual organizations across 66 countries over a three-month period (March to May 2018). Their report states that they used machine learning algorithms against that data to develop their findings.
Tenable did not clarify what criteria were used to select participant organizations or how each organization was categorized into the eighteen industry categories detailed in the report. They also did not clarify the number of organizations within the “utility” group that were electricity companies.
Tenable is the company behind the commercial version of Nessus, a vulnerability scanner.
On Friday, March 13, the President of the United States (POTUS) held a news conference regarding the global pandemic COVID-19 and declared a national emergency. This declaration will open up $60 billion to help the fight against the virus. Every state has been requested to set up Emergency Operations Centers and every hospital in the United States is activating emergency preparedness plans to meet the needs of Americans everywhere. The declaration also allows officials at the Department of Health and Human Services the ability to waive laws to enable telehealth so that remote doctor visits are feasible. The National Guard has said that it will deploy a maximum of 1,000 troops in six states by the end of the day (Friday). The Guard is also evaluating military bases across the country to use for “isolation housing” to stock medical supplies.
An announcement was made regarding a new partnership with the private sector to increase the capacity to test for COVID-19. 1.4 million tests are to be available next week and 5 million within a month. Pharmacies and retailers are planning to make drive thru tests available in critical locations so that individuals are able to get tested for the virus while remaining in their vehicles. Google is in the process of developing a website to determine whether or not a test is warranted and if so, to facilitate testing at a convenient location. Labs are to provide results within 24-36 hours after testing. On Sunday evening, the public will receive specific guidance on when the website will be operational.
The President also announced a few emergency Executive actions that have been implemented, such as waiving interest on all student loans via help from federal government agencies. Based on the price of oil, the Secretary of Energy has also purchased large quantities of crude oil for storage in the U.S. strategic reserve. Ultimately, these measures aim to save the American taxpayer billions of dollars, improve the oil industry, and help establish energy independence. When questioned about other specific targeted measures that the Administration is taking, the President stated that a report will be released in two hours regarding additional steps.
When questioned about his photograph with an individual who tested positive for COVID-19, the President stated that he has no symptoms. When asked how long the American people will have to remain in an emergency state, the President stated that it is impossible to predict the time element.
For situational awareness, below please find a message from the Department of Homeland Security regarding working with NASA to secure Drone traffic.
SANS WFH Deployment Kit
The spread of the global pandemic COVID-19 has resulted in many organizations adopting work-from-home policies. Shifting to an entirely remote workforce may be new for many businesses, which means they could lack the processes, policies, and technologies required for business continuity. In an effort to assist businesses in creating a secure remote workforce, SANS published a “Securely Working From Home Deployment Kit,” which can be found here [hXXps://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit?utm_medium=Email&utm_source=HL&utm_content=SANS+Resources+WFH+deployment+kit&utm_campaign=SANS+Resources].
Resilience for Grid Security Emergencies: Opportunities for Industry–Government Collaboration
Johns Hopkins Applied Physics Laboratory just released a report by Dr. Paul Stockton entitled (and linked here): Resilience for Grid Security Emergencies: Opportunities for Industry–Government Collaboration [hXXp://www.jhuapl.edu/Content/documents/ResilienceforGridSecurityEmergencies.pdf].
The report discusses potential Emergency Orders from the US Department of Energy that come from changes to the Federal Power Act as modified by the Fixing America’s Surface Transportation (FAST) Act. The statute authorizes the Secretary of Energy to order emergency measures, following a Presidential declaration of a grid security emergency, to protect or restore the reliability of critical electric infrastructure or defense critical electric infrastructure during the emergency. A grid security emergency could result from a physical attack, a cyber-attack using electronic communication, an electromagnetic pulse (EMP), or a geomagnetic storm event, damaging certain electricity infrastructure assets and impairing the reliability of the Nation's power grid.
For awareness, the Department of Homeland Security has several free resources available that may be of assistance in preventing or mitigating physical security incidents within the electricity subsector. While these are not sector-specific, they may be able to be applied to members’ individual facilities. Please find a list of resources below.
- Insider Threat Video [hXXps://www.dhs.gov/insider-threat-mitigation]
- Active Shooter Preparedness [hXXps://www.dhs.gov/active-shooter-preparedness] and Video [hXXps://www.dhs.gov/active-shooter-emergency-action-plan-video]
- Securing Soft Targets and Crowded Places [hXXps://www.dhs.gov/publication/securing-soft-targets-and-crowded-places]
- Vehicle Ramming [hXXps://www.dhs.gov/sites/default/files/publications/Vehicle%20Ramming%20-%20Security%20Awareness%20for%20ST-CP.PDF]
- Pathway to Violence [hXXps://www.dhs.gov/pathway-violence-video]
- Connect, Plan, Train, Report [hXXps://www.dhs.gov/connect-plan-train-report]
On August 4, 2019, news sources reported that one individual died and another is in critical condition due to a copper theft attempt at a radio transmitter site in Oklahoma.
The Tulsa County Sheriff’s office reported that they were called to the KRMG AM Transmitter Site in Oklahoma the morning of August 4. They found two individuals who appeared to have been electrocuted while attempting to access the building through a conduit. Based on the tools and materials discovered at the site, the sheriff’s office believes they were attempting to steal copper. One of the individuals died, and the other is in critical condition.
E-ISAC Analyst Comment: While this is not a member site or related to the electricity industry, it is a good example of how dangerous copper theft can be – not only when stealing the copper itself, but even in accessing sites that contain copper. It is essential to increase awareness of the dangers of copper theft to assist in prevention and mitigation. A few suggested prevention tips provided by members include:
- Create local groups to address copper theft, such as a coalition to increase public awareness and/or community watches to keep an eye on nearby facilities.
- Discuss and develop alert or reporting systems to make it easier for residents to report suspicious activity.
- Increase community awareness by issuing informational brochures and alerts on copper theft.
- Advocate for stricter laws when dealing with copper theft, such as charging thieves with endangering life to increase penalties, thereby deterring future thefts.
For additional copper theft prevention best practices, please reference the TLP:White Copper Theft Prevention White Paper here [hXXps://www.eisac.com/portal-home/document-detail?id=119770] (119770) developed by the E-ISAC Physical Security Analysis Team in coordination with the Physical Security Advisory Group. This paper aims to provide copper theft prevention best practices and lessons learned that asset owners and operators have implemented successfully in North America.
Recommendation: Be vigilant about suspicious behavior in your area. Please continue sharing this type of activity with the E-ISAC and law enforcement.
The E-ISAC is providing this bulletin for situational awareness. If further information becomes available, it will be added as an update to this post.
Summary:
North Korea-associated Lazarus Group could begin a global phishing campaign as early as June 20th.
Impact Statement/Analysis:
Security firm Cyfirma released analysis showing the Lazarus Group (associated with Dragos’ COVELLITE) may launch a phishing campaign globally starting as early as June 20th. The attack is expected to focus on countries that provided stimulus funding to combat economic damage caused by COVID-19. While not explicitly named, NERC entities and employees could be among those targeted and are at moderate risk.
The hackers are likely to impersonate government agencies tasked with disbursing financial aid and target persons/businesses likely to be in need of financial assistance. Cyfirma has identified several email addresses created by the threat actors meant to mimic legitimate email addresses of government agencies. Lazarus Group claims to have 1.4 million curated email IDs for the US alone with a plan to send a spoofed email luring targets with fake direct payment offers to incite them to provide personal data.
This is consistent with previous Lazarus Group activities, which have shown the capability to accomplish phishing campaigns as well as an interest in stealing funds. Lazarus Group is responsible for the 2014 cyber attack on Sony Pictures and various Bitcoin heists. Aside from disrupting adversaries, using intelligence and cyber activities to procure funds has been a longstanding staple of North Korean government policy to circumvent international sanctions, to the extent that a separate intelligence agency (known as Office 39) has been operating for decades with that specific mission.
Comments:
The E-ISAC will continue to monitor this situation and provide relevant updates when necessary. If you have any questions or comments, please reach out to us at operations[@]eisac.com or at 202-790-6000.
References:
Cyfirma. June 18, 2020. Global COVID-19-Related Phishing Campaign by North Korean Operatives Lazarus Group Exposed by Cyfirma Researchers hXXps://www.cyfirma.com/early-warning/global-covid-19-related-phishing-campaign-by-north-korean-operatives-lazarus-group-exposed-by-cyfirma-researchers/
Eileen Yu. ZDNet. June 19, 2020. North Korean state hackers reportedly planning COVID-19 phishing campaign targeting 5M across six nations hXXps://www.zdnet.com/article/north-korean-state-hackers-reportedly-planning-covid-19-phishing-campaign-targeting-5m-across-six-nations/
Dragos, Inc. Covellite hXXps://www.dragos.com/resource/covellite/
MITRE Partnership Network. Group: Lazarus group, COVELLITE hXXps://collaborate.mitre.org/attackics/index.php/Group/G0008
John Walcott. Time. April 29, 2020. Cash, Yachts, and Cognac: Kim Yo-Jong’s Links to the Secretive Office Keeping North Korea’s Elites in Luxury hXXps://time.com/5829508/kim-yo-jong-money-office-39/
Matthew Carney. ABC News. January 05, 2018. Defector reveals secrets of North Korea’s Office 39, raising cash for Kim Jong-un hXXps://www.abc.net.au/news/2018-01-06/north-korea-defector-reveals-secrets-of-office-39/9302308