Last week, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation released a joint Technical Alert entitled Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. The Technical Alert focuses on potential cyber threat targets in the energy, nuclear, water, aviation, and critical manufacturing sectors. It describes recent threats as “a multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector.” These threat actors use a variety of tactics, techniques, and procedures, including open-source reconnaissance, spear-phishing emails, watering-hole domains, host-based exploitation, industrial control system infrastructure targeting, and ongoing credential gathering. DHS “has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign,” and this Technical Alert aims to educate network defenders about how to identify and defend against these threats.
FERC has also taken several actions regarding cybersecurity this month. On October 2, 2017, it terminated a proceeding about the cybersecurity of control centers used to monitor and control the bulk electric system. FERC issued a Notice of Inquiry earlier this summer based, in part, on the 2015 cyber-attack that disrupted Ukraine’s electric grid. However, after reviewing the comments it received, FERC concluded that the existing North American Electric Reliability Corporation’s Critical Infrastructure Protection (CIP) Reliability Standards are sufficiently flexible to address FERC’s concerns about cybersecurity at control centers.
More recently, on October 19, 2017, FERC issued a Notice of Proposed Rulemaking that would adopt a new CIP Reliability Standard addressing cybersecurity concerns. This proposed Reliability Standard would: (1) clarify the obligations related to electronic access control for low-impact cyber systems; and (2) adopt mandatory security controls for “transient electronic devices,” such as thumb drives, laptops, and other portable electronics that can connect to cyber systems. Comments on the Notice of Proposed Rulemaking are due 60 days from publication in the Federal Register.