cyber security - Power Utilities - Red Sky Alliance
2024-03-28T23:24:34Z
https://redskyalliance.org/power-utilities/feed/tag/cyber+security

EVs and Grid Cyber Security
https://redskyalliance.org/power-utilities/evs-and-grid-cyber-security
2023-07-17T12:15:00.000Z
Bill Schenkelberg
https://redskyalliance.org/members/BillSchenkelberg
<div><p><a href="{{#staticFileLink}}12148353455,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12148353455,RESIZE_400x{{/staticFileLink}}" alt="12148353455?profile=RESIZE_400x" width="228" /></a>With his electric Kia EV6 running low on power, an EV driver pulled into a bank of fast-chargers near Terre Haute, Indiana, to plug in. As his car powered up, he peeked at nearby chargers. One in particular stood out. Instead of the businesslike welcome screen displayed on the other Electrify America units, this one featured a picture of President Biden pointing his finger, with an “<span style="text-decoration:underline;">I did that</span>!” caption. It was the same meme the president’s critics started slapping on gas pumps as prices soared last year, cloned 20 times across the screen. “It was, unfortunately, not terribly surprising,” Malcom said of the hack, which he stumbled upon last fall (a Twitter post shows the actual video of the hack<a href="#_ftn1">[1]</a>). Such shenanigans are increasingly common. At the beginning of the war in Ukraine, hackers tweaked charging stations along the Moscow–Saint Petersburg motorway in Russia to greet users with anti-Putin messages. Around the same time, cyber vandals in England programmed public chargers to broadcast pornography. Just this year, the hosts of YouTube channel The Kilowatts tweeted a video showing it was possible to take control of an Electrify America station’s operating system.<a href="#_ftn2">[2]</a></p>
<p>While such breaches have so far remained relatively innocuous, cybersecurity experts say the consequences would be far more severe at the hands of truly nefarious miscreants. As companies, governments and consumers sprint to install more chargers, the risks could only grow.</p>
<p>In recent years, security researchers and white-hat hackers have identified sprawling vulnerabilities in internet-connected home and public charging hardware that could expose customer data, compromise Wi-Fi networks, and, in a worst-case scenario, bring down power grids. Given the dangers, everyone from device manufacturers to the Biden administration is rushing to fortify these increasingly common machines and establish security standards. “This is a major problem,” said a cybersecurity researcher at Sandia National Laboratories. “It is potentially a very catastrophic situation for this country if we don’t get this right.”</p>
<p>Issues in EV charger security are not hard to find. Sandia summarized known shortcomings in a paper published last fall in the journal Energies. Researchers found everything from the possibility of hackers being able to track users to vulnerabilities that “may expose home and corporate [Wi-Fi] networks to a breach.” Another study, led by Concordia University and published last year in the journal Computers & Security, highlighted more than a dozen classes of “severe vulnerabilities,” including the ability to turn chargers on and off remotely as well as deploy malware.</p>
<p>When British security research firm Pen Test Partners spent 18 months analyzing seven popular EV charger models, it found five had critical flaws. For instance, it identified a software bug in the popular ChargePoint network that hackers could likely exploit to obtain sensitive user information (the team stopped digging before acquiring such data). A charger sold in the UK by Project EV allowed researchers to overwrite its firmware.</p>
<p>Such cracks could conceivably permit hackers to access vehicle data or consumers’ credit card information, said Pen Test Partners. But perhaps the most worrying weakness to the firm was that, as with the Concordia testing, its team discovered that many of the devices allowed hackers to stop or start charging at will. That could leave frustrated drivers without a full battery when they need one, but it’s the cumulative impacts that could be truly devastating. “It’s not about your charger, it’s about everyone’s charger at the same time,” they said. Many home users leave their cars connected to chargers even if they are not drawing power. They might, for example, plug in after work and schedule the vehicle to charge overnight when prices are lower.</p>
<p>If a hacker were to switch thousands, or millions, of chargers on or off simultaneously, it could destabilize and even bring down entire electricity networks. “We’ve inadvertently created a weapon that nation-states can use against our power grid,” said Pen Test Partners. The US theorized what such an attack might look like in 2021 when hackers hijacked the Colonial Pipeline and disrupted gasoline supplies nationwide. The attack ended once the company paid millions of dollars in ransom.</p>
<p>Researchers’ top recommendation for consumers is to not connect their home chargers to the Internet, which should prevent the exploitation of most vulnerabilities. The bulk of safeguards, however, must come from manufacturers. “It’s the responsibility of the companies offering these services to make sure they are secure,” said a senior staff technologist at the Electronic Frontier Foundation, a digital rights nonprofit. “To some degree you have to trust the device you’re plugging into.”</p>
<p>Electrify America declined an interview request. With regard to the issues The Kilowatts documented, a spokesperson wrote in an email that the incidents were isolated and the fixes were quickly deployed. In a statement, the company said, “Electrify America is constantly monitoring and reinforcing measures to protect ourselves and our customers and focusing on risk-mitigating station and network design.”</p>
<p>Pen Test Partners wrote in its findings that companies were by and large responsive to fixing the vulnerabilities it identified, with ChargePoint and others plugging gaps in less than 24 hours (though one company created a new hole while trying to patch the old one). Project EV did not respond to Pen Test Partners but did eventually implement “strong authentication and authorization.” Experts, however, argue that it’s far past time for the industry to move beyond this whack-a-mole approach to cybersecurity. “Everybody knows this is an issue and lots of people are trying to figure out how to best solve it,” said Pen Test, adding that he has seen progress. For example, many public EV charging stations have upgraded to more secure methods of transmitting data. But as for a coordinated set of standards, he said, “there’s not much regulation out there.”</p>
<p>There has been some movement toward changing that. The 2021 bipartisan infrastructure law included some $7.5 billion to expand the electric vehicle charging network across the US, and the Biden administration has made cybersecurity part of that initiative. Last fall, the White House convened manufacturers and policymakers to discuss a path toward ensuring that increasingly vital electric vehicle charging hardware is properly protected.</p>
<p>Earlier this year, the Federal Highway Administration finalized a rule that will require all states to implement cybersecurity standards for any charger installed under the 2021 bipartisan infrastructure law. “Our critical infrastructure needs to meet a baseline level of security and resilience,” said the chief strategist at the White House Office of the National Cyber Director. He also argued that bolstering EV cybersecurity is as much about building trust as it is mitigating risk. Secure systems, he said, “give us the confidence in our next-generation digital foundations to aim higher than we possibly could have otherwise.”</p>
<p>Earlier this year, the Federal Highway Administration finalized a rule requiring states to implement “appropriate” cybersecurity strategies for chargers funded under the infrastructure law. But Sandia says the regulation omits devices installed outside that expansion, not to mention the more than 100,000 units already in place nationwide. Plus, he said, states haven’t offered much detail about what they’ll do. “If you drill down into the state plans, you’ll find that they are actually extremely light on cyber requirements,” he said. “The vast majority that I saw just say they will follow best practices.”</p>
<p>Just what constitutes best practice remains ill-defined. Sandia published recommendations for charger manufacturers, and it noted that the National Institute of Standards and Technology (NIST) is developing a framework for fast-charging that could help shape future regulation. But, ultimately, Sandia would like to see something akin to the 2022 Protecting and Transforming Cyber Health Care Act that’s geared toward electric vehicles. “Regulation is a way to drive the entire industry to improve their baseline security standards,” Sandia reported, pointing to recent laws in other countries as models or starting points for policymakers in the United States. Last year, for instance, the United Kingdom rolled out a host of requirements for EV chargers, such as enhanced encryption and authentication standards, tamper detection alerts, and randomized delay functionality.</p>
<p>The latter means that a charger must be able to turn on and off with a random time delay of up to 10 minutes. That would mitigate the impact of all the chargers in an area coming online simultaneously after a power outage or hack. “You don’t get that spike, which is great,” they said. “It removes the threat from the power grid.”</p>
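<p>The effect of the randomized delay described above can be checked with a short simulation. This is an added example, not code from the article or from any charger vendor; the fleet size, the 7 kW per-charger draw, the 10-second measurement window and the uniform delay distribution are assumptions chosen for illustration.</p>

```python
import random

MAX_DELAY_S = 600  # "up to 10 minutes", as stated in the article


def start_times(n_chargers, max_delay_s, rng):
    """Second (after the common trigger) at which each charger starts drawing power."""
    if max_delay_s == 0:
        return [0] * n_chargers
    # Assumption: each charger picks its delay uniformly and independently.
    return [rng.randint(0, max_delay_s) for _ in range(n_chargers)]


def load_profile(times, kw_per_charger, horizon_s):
    """Aggregate load in kW at every second from 0 to horizon_s."""
    starts = [0] * (horizon_s + 1)
    for t in times:
        starts[t] += 1
    profile, running = [], 0
    for count in starts:
        running += count
        profile.append(running * kw_per_charger)
    return profile


def worst_ramp(profile, window_s):
    """Largest load increase (kW) the grid sees within any window_s-second window."""
    padded = [0] * window_s + profile  # load was zero before the trigger
    return max(padded[i + window_s] - padded[i] for i in range(len(profile)))


def compare(n_chargers=10_000, kw_per_charger=7, window_s=10, seed=1):
    """Compare a simultaneous switch-on with a randomized-delay switch-on.

    All default figures are constructed for this example.
    """
    rng = random.Random(seed)
    together = load_profile(start_times(n_chargers, 0, rng),
                            kw_per_charger, MAX_DELAY_S)
    spread = load_profile(start_times(n_chargers, MAX_DELAY_S, rng),
                          kw_per_charger, MAX_DELAY_S)
    return {
        "simultaneous_kw": worst_ramp(together, window_s),
        "randomized_kw": worst_ramp(spread, window_s),
        "final_load_kw": spread[-1],  # same total demand, reached gradually
    }


if __name__ == "__main__":
    result = compare()
    print(f"worst 10 s ramp, no delay:        {result['simultaneous_kw']} kW")
    print(f"worst 10 s ramp, randomized delay: {result['randomized_kw']} kW")
    print(f"load after 10 minutes:             {result['final_load_kw']} kW")
```

<p>The total demand is the same in both cases; only the steepest step the grid has to absorb changes, which is the quantity the delay requirement targets.</p>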
<p>Sandia is optimistic that the industry is moving in the right direction, albeit more slowly than is ideal. “I can’t imagine [stricter standards] won’t happen. It’s just taking a long time,” he said. And he certainly doesn’t want to spark undue alarm, but rather apply steady pressure for improvement. “It’s scary stuff,” he said, “but it shouldn’t be fearmongering.”</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a><br /> Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a><br /> LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://twitter.com/Skye_Borg/status/1666920007102496770">https://twitter.com/Skye_Borg/status/1666920007102496770</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://grist.org/technology/hackers-already-infiltrate-ev-chargers-it-could-only-get-worse/">https://grist.org/technology/hackers-already-infiltrate-ev-chargers-it-could-only-get-worse/</a></p></div>

Protecting Energy and Utility Providers: We can DO IT !!
https://redskyalliance.org/power-utilities/protecting-energy-and-utility-providers-we-can-do-it
2020-02-13T20:20:53.000Z
Bill Schenkelberg
https://redskyalliance.org/members/BillSchenkelberg
<div><p><a href="{{#staticFileLink}}3861136483,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}3861136483,RESIZE_710x{{/staticFileLink}}" width="276" height="179" alt="3861136483?profile=RESIZE_710x" /></a>As time marches on, many are forgetting the two Russian attacks on Ukraine that shut down their power supply during their cold winters. Memories fade, but the energy threat continues. Total shutdowns of the electric grid were traditionally rare and inconceivable. But attacks targeting energy sector companies are now being initiated with growing frequency. In 2017, a Russian APT known as DragonFly 2.0 compromised US and European energy companies and gained access to interfaces its engineers utilize to supply energy to homes and businesses. That same year, a computer virus was introduced remotely on controllers used in 18,000 internationally located power plants that regulate voltage, pressure, and temperatures in nuclear and water treatment facilities, which nearly triggered an explosion in Saudi Arabia. And nearly two years after malware jeopardized operations during US hurricane recovery, which was then quickly followed by a ransomware attack, a North Carolina utility provider (water) is still trying to recover.<a href="#_ftn1">[1]</a> More recently, a DDoS attack lasting more than 10 hours crippled the network of a company supplying power to consumers in California, Utah, and Wyoming.</p>
<p>The energy and utilities sectors are so critical to the maintenance of any country that attacks on them are a national security risk. Traffic signal operations, heating and air conditioning (HVAC) services in hospitals, offices and our homes, and the Internet and cell phone services used for vital communications are part of a normal way of life in 2020 and are, in essence, taken for granted. That is, until the electricity is maliciously shut off.</p>
<p>Naturally occurring power outages are most inconvenient, yet we can overcome these obstacles and, in general, normalcy returns in a matter of hours and we get back to business as usual. Cyber-attacks targeting the energy sector are different in that they penetrate networks, which could require days of research and analysis to rectify operations, especially if the organization is unprepared.<a href="#_ftn2">[2]</a></p>
<p>If an attacker (at any hacker tier level) is bent on bringing a nation to its knees for political, military or extortion objectives, the energy sources are a prime and lethal target. These cyber-attacks are often motivated by the high value of energy industry assets and data, as well as the energy sector’s heavily automated and loosely protected processes, networks, and organizations. Coupled with low investments in digital risk management, at least as compared to sectors like financial services, this leaves energy facilities and suppliers vulnerable to damaging and costly attacks.</p>
<p>Although attacks in this sector mirror those in other industries, the social ramifications are significantly higher. Theft of information is not as important to utilities as the extortion aimed at the company to pay a ransom or face a shutdown of energy. The impacts of a full attack would be catastrophic. Multiple hacking groups currently have the capability to attack and compromise industrial control system environments. Phishing, malware and other attack methods, if successful, can give hackers the credentials necessary to access power grids, oil wells, generators, and other sensitive control areas. Energy and utility organizations in the US spend approximately 80 percent of their budgets on external suppliers, making third-party attacks another serious concern.</p>
<p>Cyber threat actors will continue to penetrate critical infrastructure worldwide. While this is partially due to the natural expansion of the Internet and IoT devices, it can also be attributed to poor cyber security practices and a lack of employee training. However, a few simple steps can help utility companies avoid being vulnerable to breaches and public utility outages.</p>
<p>Understanding which attack vectors most commonly affect energy utilities is the first step in a solid defensive posture. The energy sector is traditionally slow at improving and keeping updated on infrastructure and process software, thus making it a bullseye target for DDoS and exploit attacks. Implementing good quality cyber hygiene, by updating operating systems and applying patches immediately, is integral to proactively safeguarding against cyber compromise. Constantly monitoring and auditing for risk via open source threat intelligence (like Red Sky Alliance provides) can help organizations learn more about attack patterns and threat actors, which industries or companies are being targeted and whether criminals are in the planning stages of an attack before an incident occurs.</p>
<p>Effective cybersecurity awareness training is another essential action that organizations can take to keep corporate users safe on the network. Teach your employees to identify phishing, ransomware, social engineering, and other threats to keep information and accounts secure and mitigate the risk of a breach. For example, attackers collect email addresses and strategically craft phishing emails that contain malicious links. Train employees to avoid clicking on unsolicited links and pop-ups, especially on social media or from unknown sources, and to proactively report suspected security incidents to your network security folks. Additionally, restrict employees’ access to only the data and systems those individuals need to do their jobs. This limits the attack surface and can reduce damage and incident remediation costs should a breach occur.</p>
<p>Also important is reducing third-party risk by understanding vendors’ (supply chain) security posture. Evaluate suppliers and vendors before engaging them as part of the contract and throughout the relationship. Ask questions to identify their potential exposure areas, technical controls to data and systems, network segmentation practices and authentication tools used. After determining cybersecurity practices and enforcement capabilities, a security baseline can then be set for continuous partner monitoring, protecting sensitive data from unauthorized access that might result from gaps in extended parties’ and partners’ security infrastructure or from networks. This is very important and often overlooked. </p>
<p>Like organizations everywhere, the energy sector is afflicted by an ever-growing catalog of constantly evolving cyber threats. Threat actors are always trying to gain access to utility networks, each with the potential to expose ultra-sensitive data or bring critical infrastructure to a stop. There is no way to guarantee 100 percent cyber safety from malicious threats or vulnerabilities. But a proactive, strategic and all-inclusive security approach is the only way to safeguard against bad actors. By keeping informed of the latest security threats and maintaining visibility into their own and third parties’ information security infrastructure, along with maintaining a proactive cyber defense and a strong culture of cybersecurity awareness, organizations in the energy sector can prevent an attack from turning into a huge mess.</p>
<p>Red Sky Alliance is in New Boston, NH USA and is a Cyber Threat Analysis and Intelligence Service organization. We provide diagnostic tools RedXray and RedXray-Plus, in addition to providing cyber insurance through Cysurance. For questions, comments or assistance, please contact the office directly at 888-RED-XRAY or (888)-733-9729, or email <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p><em>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a><br /> LinkedIn: <a href="https://www.linkedin.com/company/wapacklabs/">https://www.linkedin.com/company/wapacklabs/</a><br /> Twitter: <a href="https://twitter.com/wapacklabs?lang=en">https://twitter.com/wapacklabs?lang=en</a></em></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.csoonline.com/article/3314557/ransomware-attack-hits-north-carolina-water-utility-following-hurricane.html">https://www.csoonline.com/article/3314557/ransomware-attack-hits-north-carolina-water-utility-following-hurricane.html</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.power-eng.com/2020/02/12/energy-sector-cybersecurity-is-vulnerable-but-achievable/#gref">https://www.power-eng.com/2020/02/12/energy-sector-cybersecurity-is-vulnerable-but-achievable/#gref</a></p></div>