The US Federal Energy Regulatory Commission (FERC) announced on 20 January 2022, to strengthen its Critical Infrastructure Protection (CIP) Reliability Standards by requiring internal network security monitoring (INSM) for high and medium impact bulk electric system cyber systems.
The Notice of Proposed Rulemaking (NOPR) proposes to direct the North American Electric Reliability Corporation to develop and submit new or modified Reliability Standards to address a gap in the current standards.[1]
Under existing CIP reliability standards, network security monitoring is focused on defending the electronic security perimeter of networks. FERC is seeking to address concerns that the existing standards do not address potential vulnerabilities of the internal network to cyber threats.
INSM addresses situations where vendors or individuals with authorized access that are considered trustworthy might still introduce a cybersecurity risk. For example, the SolarWinds attack in 2020 demonstrated how an attacker can bypass network perimeter-based security controls used to identify and thwart attacks. This supply chain attack leveraged a trusted vendor to compromise the networks of public and private organizations.
Incorporating INSM requirements into the CIP Reliability Standards would help to ensure that utilities maintain visibility over communications in their protected networks, FERC said. Doing so can help detect an attacker’s presence and movements and give the utility time to take action before an attacker can fully compromise the network. INSM also helps to improve vulnerability assessments and can speed recovery from an attack.[2]
The NOPR seeks comment on all aspects of the proposed directive to develop and submit new or modified Reliability Standards for INSM for high- and medium-impact cyber systems. Comments on the NOPR are due 60 days after publication in the Federal Register.
Red Sky Alliance totally supports these proposed regulations. If the electric grid shuts down, everything in cyber and in essence, an entire country will shut down.
But wait, experts Find Strategic Similarities b/w NotPetya and WhisperGate Attacks on Ukraine. On 22 January 2021, TheHackerNews provided a report that the latest analysis into the wiper malware that targeted dozens of Ukrainian agencies earlier this month has revealed "strategic similarities" to NotPetya malware that was unleashed against the country's infrastructure and elsewhere in 2017.[3]
The malware, titled WhisperGate, was discovered by Microsoft last week, which said it observed the destructive cyber campaign targeting government, non-profit, and information technology entities in the nation, attributing the intrusions to an emerging threat cluster codenamed "DEV-0586." "While WhisperGate has some strategic similarities to the notorious NotPetya wiper that attacked Ukrainian entities in 2017, including masquerading as ransomware and targeting and destroying the master boot record (MBR) instead of encrypting it, it notably has more components designed to inflict additional damage," Cisco Talos said in a report detailing its response efforts.
Stating that stolen credentials were likely used in the attack, the cybersecurity company also pointed out that the threat actor had access to some of the victim networks months in advance before the infiltrations took place, a classic sign of sophisticated APT attacks.
The WhisperGate infection chain is fashioned as a multi-stage process that downloads a payload that wipes the master boot record (MBR), then downloads a malicious DLL file hosted on a Discord server, which drops and executes another wiper payload that irrevocably destroys files by overwriting their content with fixed data on the infected hosts.
The findings come a week after roughly 80 Ukrainian government agencies' websites were defaced, with the Ukrainian intelligence agencies confirming that the twin incidents are part of a wave of malicious activities targeting its critical infrastructure, while also noting that the attacks leveraged the recently disclosed Log4j vulnerabilities to gain access to some of the compromised systems.
"Russia is using the country as a cyberwar testing ground — a laboratory for perfecting new forms of global online combat," Wired's Andy Greenberg noted in a 2017 deep-dive about the attacks that took aim at its power grid in late 2015 and caused unprecedented blackouts. "Systems in Ukraine face challenges that may not apply to those in other regions of the world, and extra protections and precautionary measures need to be applied," Talos researchers said. "Making sure those systems are both patched and hardened is of the utmost importance to help mitigate the threats the region faces."
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
[1] https://ferc.gov/news-events/news/ferc-moves-close-gap-reliability-standards-electric-grid-cyber-systems Docket No. RM22-3
[2] https://news.bloomberglaw.com/privacy-and-data-security/ferc-seeks-to-boost-power-grid-cyber-security-standards
[3] https://thehackernews.com/2022/01/experts-find-strategic-similarities-bw.html