FERC, NERC joint report on cyber incident response at electric utilities

Security Affairs

The US FERC and NERC published a study on cyber incident response at electric utilities that also includes recovery best practices. A cyber attack could have a severe impact on the operations of the utilities and lead to economic losses.

Cybersecurity in utilities: Critical questions for securing distributed energy resources (DERs)

The energy transition is driving a shift toward the increasing use of distributed energy resources (DERs). DERs are smaller power-generation resources, usually located on the consumer side, that provide energy where it is needed. From a cybersecurity perspective, DERs pose new and unique challenges for utilities.

NERC $10,000,000 Fine of Public Utility Highlights the Need for Cybersecurity Preparedness and CIP Compliance Programs

Data Matters

On January 25, 2019, the North American Electric Reliability Corporation (“NERC”) asked the Federal Energy Regulatory Commission (“FERC”) to approve a settlement issuing a record $10 million fine against an unidentified utility resulting from violations of critical infrastructure protection standards (“CIP”) occurring mostly between 2015 and 2018 (referred to hereafter as the “Settlement Agreement”).

Dept. of Energy announced the Liberty Eclipse exercise to test electrical grid against cyber attacks

Security Affairs

This is the first time the Department of Energy will test the electrical grid’s ability to recover from a blackout caused by cyberattacks. “Utilities can’t just flip a few switches to bring the lights on following a major shutdown.”

Lessons for In-House Counsel from Cybersecurity’s Front Lines

HL Chronicle of Data Protection

Recent developments reinforce the urgent need for general counsel and legal departments to deepen their focus on cybersecurity. Lessons for In-House Counsel from Cybersecurity’s Front Lines was written by members of the Hogan Lovells Privacy and Cybersecurity practice Peter M. In today’s environment, any organization can be the target of a cyberattack, regardless of industry, size, or geographic footprint.

Breach Reveal: PG&E Exposed 30,000 Sensitive Records

Data Breach Today

Previously Unnamed Utility Reached Record $2.7 Million Settlement Agreement. A previously unnamed U.S. energy company agreed to a record $2.7 million settlement agreement.

'Cyber blindspot' threatens energy companies spending too little

Information Management Resources

Amid rising threats, utilities are now spending less than 0.2 percent of their revenue on cybersecurity, at least a third less than financial institutions.

NIST Updates Cybersecurity Framework

Data Matters

On April 17, the National Institute of Standards and Technology (NIST) released an updated version of its standard-setting Cybersecurity Framework. Commerce Secretary Wilbur Ross announced the new release with a statement saying the “Cybersecurity Framework should be every company’s first line of defense” and “adopting version 1.1 …” For example, the revised introduction notes that “similar to financial and reputational risks, cybersecurity risk affects a company’s bottom line.”

Tiao Discusses Utilities’ Concerns in Sharing Information with the Government

Hunton Privacy

Tiao was featured on Platts Energy Week discussing the importance of the homeland security partnership between electric utility companies and the U.S. In “Utilities Wary of Sharing Grid Risks,” Tiao talked about the recent leak to The Wall Street Journal of a sensitive internal memo at the Federal Energy Regulatory Commission that revealed potential vulnerabilities in the electricity grid. View the Platts Energy Week feature with Paul Tiao.

Webinar on the SAFETY Act and Cybersecurity: Protecting Your Reputation and Reducing Liability Risk

Hunton Privacy

In 2002, Congress enacted the Supporting Anti-Terrorism by Fostering Effective Technologies Act (“the SAFETY Act”) to limit the liabilities that energy, financial, manufacturing and other critical infrastructure companies face in the event of a serious cyber or physical security attack. Hunton Andrews Kurth LLP recently represented an electric utility in obtaining a first-of-its-kind enterprise-wide SAFETY Act Certification for its cybersecurity risk management program.

NHTSA Releases New Automobile Cybersecurity Best Practices

Hunton Privacy

The National Highway Traffic Safety Administration (“NHTSA”) recently issued non-binding guidance that outlines best practices for automobile manufacturers to address automobile cybersecurity. The guidance, entitled Cybersecurity Best Practices for Modern Vehicles (the “Cybersecurity Guidance”), was recently previewed in correspondence with the House of Representatives’ Committee on Energy and Commerce (“Energy and Commerce Committee”).

China’s Cybersecurity Law Undergoes Third Reading

Hunton Privacy

On October 31, 2016, the Standing Committee of the National People’s Congress of China held a third reading of the draft Cybersecurity Law (the “third draft”). As we previously reported, the second draft of the Cybersecurity Law was published for comment in June. The National People’s Congress has not yet published the full text of the third draft of the Cybersecurity Law.

NHTSA Set to Release New Automobile Cybersecurity Best Practices

Hunton Privacy

On October 14, 2016, the National Highway Traffic Safety Administration (“NHTSA”) indicated in a letter to Congress that it intends to issue new best practices on vehicle cybersecurity. This letter came in response to an earlier request from the House Committee on Energy and Commerce (“Energy and Commerce Committee”) that NHTSA convene an industry-wide effort to develop a plan to address vulnerabilities posed to vehicles by On-Board Diagnostics (“OBD-II”) ports.

Final Cybersecurity Law Enacted in China

Hunton Privacy

On November 7, 2016, the Standing Committee of the National People’s Congress of China enacted the final Cybersecurity Law after it held its third reading of the draft Cybersecurity Law on October 31, 2016. The first draft of the Cybersecurity Law was published for comment more than a year ago, followed by the second draft in July this year. The final Cybersecurity Law will apply from June 1, 2017.

Why Russian APT Fancy Bear hacked the Ukrainian energy firm Burisma?

Security Affairs

A Russia-linked cyber-espionage group hacked the Ukrainian energy company Burisma, which is at the center of the impeachment trial of US President Donald Trump. The attack was detailed by California-based cybersecurity firm Area 1 Security in a report.

Updates on Federal Cybersecurity Legislation

Hunton Privacy

The United States Congress is currently considering several bills addressing cybersecurity issues. Among them, the GRID Act would amend the Federal Power Act to grant the Federal Energy Regulatory Commission (“FERC”) authority to issue emergency orders requiring critical infrastructure facility operators to take actions necessary to protect the bulk power system. The GRID Act is being considered by the Senate Committee on Energy and Natural Resources at this time.

Draft Cybersecurity Law Published for Comment in China

Hunton Privacy

On July 6, 2015, the Standing Committee of the National People’s Congress of the People’s Republic of China published a draft of the country’s proposed Network Security Law (the “Draft Cybersecurity Law”). A public comment period on the Draft Cybersecurity Law is now open until August 5, 2015. At this point, the Draft Cybersecurity Law has not yet been finalized. The Draft Cybersecurity Law also includes a provision that pushes China towards a policy of data localization.

Recent Federal Government Activity on Cybersecurity

Hunton Privacy

The absence of congressional action on cybersecurity legislation has spurred efforts by various entities to exert influence over cybersecurity policy. Cybersecurity has been one of the highest-profile topics in Washington this year. Yet, despite considering multiple cybersecurity bills, Congress left Washington for the upcoming elections without passing legislation. Cybersecurity already presents difficult legal and compliance issues.

Hackers Target Oil Producers During COVID-19 Slump

Security Affairs

Data from Barracuda cybersecurity researchers identified a 667% increase in spear-phishing attacks between the end of February and the following month. Real-Life Examples of Spear-Phishing Attacks in the Energy Production Sector. The threat of spear-phishing for energy companies is, unfortunately, not a theoretical one. Downloading them infected a user’s system with a type of trojan spyware not previously seen in other utilities industry cyberattacks.

FERC Proposes to Accept Updated CIP Standards and Calls for New Cybersecurity Controls

Hunton Privacy

On July 16, 2015, the Federal Energy Regulatory Commission (“FERC”) issued a new Notice of Proposed Rulemaking (“NOPR”) addressing the critical infrastructure protection (“CIP”) reliability standards. The NOPR proposes to accept with limited modifications seven updated CIP cybersecurity standards. Utilities that violate them are potentially subject to substantial financial penalties.

UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK

Data Protection Report

However, the NIS Regulations represent a significant change in the legal environment relating to cybersecurity in the UK. Under the NIS Regulations, entities meeting certain threshold conditions in the energy, transport, healthcare, utilities and digital infrastructure sectors will be considered to be operators of essential services.

FERC Adopts Supply Chain Risk Management Reliability Standards

Hunton Privacy

At its October monthly meeting, the Federal Energy Regulatory Commission (the “Commission”) adopted new reliability standards addressing cybersecurity risks associated with the global supply chain for Bulk Electric System (“BES”) Cyber Systems. The new standards expand the scope of the mandatory and enforceable cybersecurity standards applicable to the electric utility sector.

What the Blockchain Taught Us about IT Security

Security Affairs

It is not just about security, but about utilizing the blockchain to secure your company and your information.

MY TAKE: Iran’s cyber retaliation for Soleimani assassination continues to ramp up

The Last Watchdog

This escalation of reconnaissance is being closely monitored by the global cybersecurity and intelligence communities. Here are a few key things everyone should understand about the cybersecurity ramifications spinning out of the Soleimani assassination.

Protecting America’s Critical Infrastructure

Thales eSecurity

From taking a shower, to brewing your coffee, and watching the news, your morning routine is fueled by the energy sector. But the energy sector also underpins our emergency and response systems, our hospitals and healthcare, our schools, our businesses, and virtually everything we do as a society. Unfortunately, the energy sector is of great interest to cyber attackers today. It’s possible that the attackers didn’t even know they were targeting a power utility.

FERC Approves NERC’s Supply Chain Risk Management Reliability Standards and Directs NERC to Expand Their Scope

Data Matters

A string of governmental announcements has increasingly sounded the alarm about the growing cybersecurity threat facing the energy sector. Among other things, these reports have announced that state-sponsored cyber actors have successfully gained access to the control rooms of utilities. Against this backdrop, it is unsurprising that energy regulators have increasingly focused their attention on cybersecurity issues.

DOE and DHS Assess U.S. Readiness to Manage Potential Cyber Attacks

Hunton Privacy

On May 30, 2018, the federal government released a report that identifies gaps in assets and capabilities required to manage the consequences of a cyber attack on the U.S. electric grid. The assessment is a result of the U.S. Department of Energy (“DOE”) and the U.S. Department of Homeland Security (“DHS”). While no such attack on U.S. electrical utilities has been observed, the assessment references a December 2015 cyber attack on three Ukrainian electricity distribution companies.

DHS and FBI – Hackers Are Targeting US Nuclear, Energy, and Manufacturing Facilities

Privacy and Cybersecurity Law

According to a new joint report issued by the US Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI), hackers have been penetrating the computer networks of companies that operate nuclear power stations, energy facilities, and manufacturing plants in the US since May 2017. On May 11, as the attacks were ongoing, President Trump signed an executive order to strengthen the cybersecurity of federal networks and critical infrastructure.

Congratulations to Sidley’s Newest Partners!

Data Matters

Kate is a member of the firm’s Privacy and Cybersecurity, Healthcare, and Commercial Litigation groups. Congratulations to our 30 colleagues, including Kate Heinzelman and Tomoki Ishiara, for their election to the Sidley Austin partnership, effective January 1, 2020.

Leak of Grid Vulnerabilities Creates National Security Risks

Hunton Privacy

The recent leak of an internal memo to the former Chair of the Federal Energy Regulatory Commission, which was widely reported by national news media, has created a national security setback for the United States. In an article published in Intelligent Utility Update, Hunton & Williams partner Paul M. Tiao discusses the effects of the leak on national security and on the relationship between the energy industry and the government.

DHS CISA warns of Critical issues in Medtronic Medical equipment

Security Affairs

The US DHS Cybersecurity & Infrastructure Security Agency (CISA) issued a security advisory to warn of three recently patched flaws in Medtronic Valleylab products that could be exploited to install a non-root shell. Another vulnerability is related to the use of a vulnerable version of the rssh utility in these products to facilitate file uploads. Affected products include the Valleylab FT10 Energy Platform (VLFT10GEN), software version 4.0.0 and below.

China Publishes Draft Regulations on Protecting the Security of Key Information Infrastructure

Hunton Privacy

The Cybersecurity Law of China establishes a new category of information infrastructure, called “key [or critical] information infrastructure,” and imposes certain cybersecurity obligations on enterprises that operate such infrastructure. They may conduct this inspection and evaluation on their own behalf, or engage third-party cybersecurity service providers.

MY TAKE: Memory hacking arises as a go-to tactic to carry out deep, persistent incursions

The Last Watchdog

In fact, memory attacks have quietly emerged as a powerful and versatile new class of hacking technique that threat actors in the vanguard are utilizing to subvert conventional IT security systems. That’s Gartner’s estimate of global spending on cybersecurity in 2017 and 2018. Allegedly developed by US and Israeli operatives, Stuxnet was discovered circulating through Iranian nuclear energy facilities in 2010.

A new piece of Snake Ransomware targets ICS processes

Security Affairs

It is for these same reasons that some RaaS (Ransomware as a Service) offerings utilize the language as well. “The Snake ransomware targets files associated with SCADA platforms, enterprise management tools, and system utilities.”

China-linked hackers target government agencies by exploiting flaws in Citrix, Pulse, and F5 systems, and MS Exchange

Security Affairs

“The Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S.

Podcast Episode 132: NERC issues a Big Fine – does it matter?

The Security Ledger

NERC fined a firm identified in reports as Duke Energy for violations of the Critical Infrastructure Protection (CIP) cybersecurity standard. Still, subsequent public reports citing unnamed energy industry sources have identified Duke Energy Corp.

SilverTerrier gang uses COVID-19 lures in BEC attacks against healthcare, government organizations

Security Affairs

“Specifically, we find it alarming that several of these campaigns recklessly included targets at government healthcare agencies, local and regional governments, large universities with medical programs/centers, regional utilities, medical publishing firms, and insurance companies across the United States, Australia, Canada, Italy, and the United Kingdom.”

US Cyber Command warns of Iran-linked hackers exploiting CVE-2017-11774 Outlook flaw

Security Affairs

Malware is currently delivered from: 'hxxps://customermgmt.net/page/macrocosm' #cybersecurity #infosec — USCYBERCOM Malware Alert (@CNMF_VirusAlert) July 2, 2019. The APT33 group has been around since at least 2013; since mid-2016, the group has targeted the aviation industry and energy companies with connections to petrochemical production. These executables are both downloaders that utilize PowerShell to load the PUPY RAT.

A potential solution for protecting customer privacy when sharing smart meter data

This is because smart meters are widely regarded as a key to reducing both energy consumption and emission levels. The simplest solution to avoid this type of risk lies in not sharing your metering data with anyone, including your utility provider, which is easier said than done. To see how it works, I invite you to read my journal paper, which was presented for the proceedings of Energy Informatics held September 26-27 this year in Salzburg, Austria.

90% of critical infrastructure providers have fallen victim to a cyber attack since 2017

IT Governance

The report Cybersecurity in Operational Technology: 7 Insights You Need to Know found that 90% of respondents from the UK, US, Germany, Australia, Mexico and Japan had been breached since 2017, with many organisations revealing they’d fallen victim to multiple attacks. The anonymous survey covered the utility, energy, health and transport sectors – industries renowned for keeping their activities secret because they store highly sensitive information and are responsible for essential services.