As many of you are aware, a significant power outage occurred in South America on Sunday, impacting all of Argentina and Uruguay, as well as portions of southern Brazil, Chile, and Paraguay.
Below is an official statement from the Department of Energy:
At this time, the cause of the outage remains under investigation. It appears that the outage occurred following the failure of two 500 kV transmission lines.
The Argentine Minister of Energy has stated that they are looking into every possibility but noted that "[w]e don't believe it was a cyber attack."
We will continue to monitor the situation and will provide additional information if there are any updates.
DOJ UAS Policy Update
Details: The National Council of ISACs shared information regarding the Department of Justice’s updated policy for using Unmanned Aircraft Systems (UAS), which was released in November of 2019.
On November 27, 2019, DOJ published an updated copy of its Policy on the Use of UAS [hXXps://www.justice.gov/jm/9-95000-unmanned-aircraft-systems-uas]. They noted that:
“In light of advancements in unmanned aircraft system (UAS) technology, and lessons learned from the Federal Bureau of Investigation’s limited use of UAS, the Policy enables the Department of Justice’s law enforcement components to safely and responsibly employ UAS technology within a framework designed to provide accountability and protect privacy and civil liberties. . . The Policy permits the use of UAS only in connection with properly authorized investigations and activities. It also requires compliance with the Constitution and all applicable laws and regulations, including regulations issued by the Federal Aviation Administration.”
E-ISAC Analyst Comment: It is useful to maintain awareness of government policy on the use of UAS both to inform knowledge of the risks associated with them and ensure that your organization is able to make informed decisions when using UAS.
Recommendation: The E-ISAC recommends members review the updated policy for awareness.
The E-ISAC is providing this bulletin for situational awareness. If further information becomes available, it will be added as an update to this post.
A Dragos blog post has identified a new activity group, RASPITE, targeting access operations in the electric utility sector.
Dragos has identified a new activity group targeting access operations in the electric utility sector. They call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicates the group has been active in some form since early- to mid-2017.
The cyber research firm Dragos today detailed the operations of a suspected Russian hacker group that focuses on penetrating critical infrastructure networks. The group, which Dragos calls ALLANITE, “accesses business and industrial control (ICS) networks, conducts reconnaissance and gathers intelligence in United States and United Kingdom electric utility sectors,” according to a newly published profile, the first in a series about infrastructure-focused hacking teams. Dragos said that ALLANITE hackers “continue to maintain ICS network access” so they can “understand the operational environment necessary to develop disruptive capabilities” and be ready to disrupt those systems when called upon to do so. The company, which does not attribute hacking groups to nation-states, acknowledged that ALLANITE's “activity closely resembles” a Russian cyber intrusion campaign that U.S. officials have dubbed Palmetto Fusion. “Russian government cyber actors ... targeted small commercial facilities’ networks where they staged malware, conducted spear phishing and gained remote access into energy sector networks,” DHS said in a March 15 alert. Dragos said that ALLANITE uses spearphishing and malware-laden websites to harvest the login information necessary to penetrate networks. So far, the company said, ALLANITE campaigns “limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities.”
Drone Strikes in Saudi Arabia
Yemen's Houthi rebels have recently claimed responsibility for two drone strikes in Saudi Arabia targeting oil pumping stations and resulting in the temporary shutdown of a major pipeline in the kingdom. It is believed that these attacks were sponsored by Iran, and the rebels claimed that the drone attacks were part of a coordinated attack which included other energy infrastructure. The rebels said the attacks were a response to “the crimes they are committing every day against the Yemeni people.”[i] Although the damage was minimal, the attack demonstrated not just the ownership and usage of armed drones, but the capability to use global positioning satellite technology to target infrastructure. The attack came only a day after four oil tankers were sabotaged near the coast of the United Arab Emirates, two of which appear to also belong to Saudi Arabia, which has led to speculation that the attacks may be connected.
It is important for the electric industry to be aware of attacks such as these as a sign of the increasing threat posed by and weaponization of unmanned aircraft systems (UAS), as well as tactics, techniques, and procedures that are beginning to become more prevalent worldwide.
Below please find some articles related to both incidents for your convenience:
[i] Per an article from TRTWORLD citing Mohammed Abdel Salam.
E-ISAC and MS-ISAC Launch Information Sharing Partnership to Strengthen Grid’s Cyber, Physical Security
WASHINGTON, D.C. – NERC’s Electricity Information Sharing and Analysis Center (E-ISAC) and the MultiState Information Sharing & Analysis Center® (MS-ISAC®) announced an agreement to improve information sharing among the organizations and their members with the goal of strengthening the cyber security of the nation’s critical electric infrastructure. The new agreement also deepens cooperation between the E-ISAC and the state and local government partners that the MS-ISAC represents. CIS® (Center for Internet Security, Inc.) is home to the MS-ISAC, and both are headquartered in New York. The Department of Homeland Security has designated MS-ISAC as the key cybersecurity resource for state, local, tribal, and territorial governments, including chief information officers, Homeland Security advisors, and fusion centers.
Through a variety of tools, both the E-ISAC and the MS-ISAC analyze potential physical and cyber security threats and use their respective secure portals to alert and advise members on mitigating threats. The goals of the E-ISAC and MS-ISAC under the partnership include:
-- Improve security collaboration on common threat information and incident response.
-- Provide joint analysis of security concerns and events.
-- Advance shared processes for information sharing and situational awareness.
-- Improve information sharing among all ISACs.
The E-ISAC and the MS-ISAC have agreed to use existing policies and procedures for safeguarding sensitive information under the partnership.
E-ISAC Update – March 13, 2020
In coordination with NERC, the E-ISAC continues to track the evolving situation with regard to COVID-19. The E-ISAC is monitoring cyber and physical security issues related to coronavirus and encourages industry to continue sharing information related to grid security issues.
At this point, the E-ISAC is limiting all non-essential travel for staff, encouraging full-time telework, and is restricting visitors to our offices. Through these unprecedented times, the E-ISAC continues to serve the electricity industry to support information sharing, and reduce cyber and physical risk to the North American power grid.
On March 12, NERC posted an announcement [hXXps://www.nerc.com/news/Headlines%20DL/Coronavirus%20Impacts%2011MAR20_final.pdf] on steps it is taking to prevent the impact of the coronavirus. This includes links to the Level 2 NERC Alert [hXXps://www.nerc.com/pa/rrm/bpsa/Alerts%20DL/NERC_Alert_R-2020-03-10-01_COVID-19_Pandemic_Contingency_Planning.pdf] issued on March 10 and ESCC Guidance [hXXps://images.magnetmail.net/documents/clients/EEI_/2020-03/ovodrzgn.2mp/ESCC_Coronovirus_Resource_Guide_031020.pdf] “Assessing and Mitigating the Novel Coronavirus [COVID-19].”
We are committed to the safety and security of our industry members and government and cross-sector partners and will continue to work with you to share information, best practices, and lessons learned.
Visit the CDC [hXXps://www.cdc.gov/coronavirus/2019-ncov/index.html] and World Health Organization (WHO) [hXXps://www.who.int/emergencies/diseases/novel-coronavirus-2019] for the latest health information.
Find out more about the U.S. Government response [hXXps://www.usa.gov/coronavirus] to coronavirus including international travel restrictions, how you can prepare for coronavirus, and what the U.S. government is doing to respond.
Check out guidance from the Department of Homeland Security on risk management [hXXps://www.cisa.gov/sites/default/files/publications/20_0306_cisa_insights_risk_management_for_novel_coronavirus.pdf] and ongoing DHS Coronavirus News and Updates [hXXps://www.dhs.gov/coronavirus-news-updates].
For additional questions for the E-ISAC, contact us at Operations[@]eisac.com or memberservices[@]eisac.com.
The E-ISAC is performing maintenance on the Portal email notification process.
During this time, no Portal account user will receive notifications via email.
Please check the Portal for new postings. Maintenance is expected to be completed within the next three business days.
Email notifications will resume once maintenance has concluded. No action is required on your part.
We apologize for the inconvenience. Please contact E-ISAC Operations at 202-790-6000 if you need assistance or have any further questions.
The Federal Bureau of Investigation (FBI) has released an article [hXXps://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic] on defending against video-teleconferencing (VTC) hijacking (referred to as “Zoom-bombing” when the attacks target the Zoom VTC platform). Many organizations and individuals are increasingly dependent on VTC platforms, such as Zoom and Microsoft Teams, to stay connected during the Coronavirus Disease 2019 (COVID-19) pandemic. The FBI has released this guidance in response to an increase in reports of VTC hijacking.
The Cybersecurity and Infrastructure Security Agency encourages users and administrators to review the FBI article as well as the following steps to improve VTC cybersecurity:
- Ensure meetings are private, either by requiring a password for entry or controlling guest access from a waiting room.
- Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it?
- Ensure VTC software is up to date. See Understanding Patches and Software Updates [hXXps://www.us-cert.gov/ncas/tips/ST04-006].
CISA also recommends the following VTC cybersecurity resources:
- FBI Internet Crime Complaint Center (IC3) Alert: Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments [hXXps://www.ic3.gov/media/2020/200401.aspx]
- Zoom blog on recent cybersecurity measures [hXXps://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/]
- Microsoft Teams security guide [hXXps://docs.microsoft.com/en-us/microsoftteams/teams-security-guide]
E-ISAC was provided the attached documents directed to the Dam sector:
Attachment 1: Official CISA/FERC Correspondence
Attachment 2: Dams Sector Cybersecurity Capability Maturity Model (C2M2)
Attachment 3: Dams Sector C2M2 Implementation Guide