Congress to Consider Ransomware Threat as NERC, FERC Call for “Continued Vigilance” to Secure Power Grid
- The SolarWinds malware was so pervasive that indicators of compromise (IOCs) were found on computer networks that did not use the compromised monitoring platform, federal regulators said last week in a new report on the fallout from the attack.
- The power industry must exercise “continuous vigilance” to protect the grid from hackers, says a joint white paper prepared by staff of the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation’s (NERC) Electricity Information Sharing and Analysis Center.
- In response to a rise in cyberattacks on critical infrastructure, a House Energy and Commerce subcommittee on Tuesday announced a July 20 hearing to examine the growing threat. The hybrid event, “Stopping Digital Thieves: The Growing Threat of Ransomware,” will examine recent attempts to disrupt the U.S. energy, food and water sectors.
The massive SolarWinds breach, as well as the recent attacks on Colonial Pipeline, the meat processing giant JBS and the Oldsmar, Florida water treatment plant have alarmed government and industry, highlighting vulnerabilities in critical U.S. infrastructure.
“Ransomware attacks are a growing threat to national security, having devastated both private businesses and some of our most critical infrastructure in recent years,” said Rep. Frank Pallone Jr., D-N.J., in a joint statement with Rep. Diana DeGette, D-Colo.
Pallone chairs the House Energy and Commerce Committee and DeGette heads its Oversight and Investigations subcommittee, which will host the hearing. The event was announced a week after FERC and NERC warned that the power sector must remain on constant watch, with recommendations from their white paper including checking networks for IOCs whether or not the SolarWinds platform was used.
IOCs “were found on networks without SolarWinds,” the report says. “Although SolarWinds may not have been used by entities, their major vendors can use the product. If the vendors were compromised, the vendor could in turn compromise its customers, including those without SolarWinds.”
The SolarWinds attack exposed about a quarter of North America’s utilities, according to NERC. However, no subsequent hacker activity was detected beyond the initial breach.
There is evidence, according to the NERC-FERC report, that technology companies were targeted because of the malware’s potential to spread, and that it may be more difficult to remove than previously thought.
While SolarWinds software has been updated since the attack, the white paper notes that the Cybersecurity and Infrastructure Security Agency (CISA) has warned of vulnerabilities “that are unrelated to the inserted malicious code and may therefore survive its removal.”
Finding IOCs on networks that weren’t using SolarWinds is likely due to the fact that “components are sometimes included in other software products, possibly to facilitate monitoring,” security consultant Tom Alrich said in an email.
Alrich participated in a software transparency initiative at the National Telecommunications and Information Administration (NTIA) of the U.S. Department of Commerce to pilot the use of software bills of materials (SBOMs) in the energy sector. SBOMs list the components that make up a piece of software, allowing end users to track and remediate vulnerabilities in those components.
President Joe Biden issued an executive order in May to require SBOMs in government procurement, to allow more effective monitoring of known vulnerabilities.
“This is a good example of how having SBOMs for the software you are using can help you manage risk,” Alrich said. The tool would allow businesses to quickly answer the question, he said, “Are we running SolarWinds components anywhere on our network?”
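The question Alrich poses is exactly the kind of query an SBOM inventory is meant to answer. The following added example (not from the article, Alrich, or any vendor named here) walks a small set of constructed CycloneDX-style SBOMs, one per deployed product, and reports every deployment whose component tree, including transitively embedded components, names a given supplier. Product and component names are placeholders; only the vendor string “SolarWinds” comes from the article.

```python
import json

# Constructed, minimal CycloneDX-style SBOMs for two hypothetical products
# deployed on a utility network. Names and versions are placeholders.
SBOM_INVENTORY = {
    "host-a / NetMonitorSuite 3.2": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "application", "name": "NetMonitorSuite", "version": "3.2",
             "supplier": {"name": "Example Vendor A"},
             "components": [  # transitive: vendor A embeds a monitoring agent
                 {"type": "library", "name": "monitoring-agent-lib", "version": "1.0.0",
                  "supplier": {"name": "SolarWinds"},
                  "purl": "pkg:generic/solarwinds/monitoring-agent-lib@1.0.0"}]}]}),
    "host-b / HistorianDB 9": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "libhistorian", "version": "9.0",
             "supplier": {"name": "Example Vendor B"}}]}),
}

def walk_components(components):
    """Yield every component, descending into nested (transitive) ones."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))

def component_matches(comp, vendor):
    """Match on supplier name or package URL (purl), case-insensitively."""
    needle = vendor.lower()
    supplier = (comp.get("supplier") or {}).get("name", "").lower()
    purl = comp.get("purl", "").lower()
    return needle in supplier or needle in purl

def find_vendor_components(inventory, vendor):
    """Return {deployment: [(name, version), ...]} for every match in the fleet.
    Deployments with no matching component are omitted from the result."""
    hits = {}
    for deployment, sbom_json in inventory.items():
        sbom = json.loads(sbom_json)
        found = [(c["name"], c.get("version", "?"))
                 for c in walk_components(sbom.get("components", []))
                 if component_matches(c, vendor)]
        if found:
            hits[deployment] = found
    return hits

if __name__ == "__main__":
    for deployment, comps in find_vendor_components(SBOM_INVENTORY, "SolarWinds").items():
        print(deployment, "->", comps)
```

Note that host-a is flagged even though nothing on it is sold under the SolarWinds name; the match comes from a component the primary vendor embedded, which is the scenario the white paper describes.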
Lila Kee, product manager at GlobalSign and responsible for the company’s operations in North and South America, said in an email that the SolarWinds attack “has been a game-changer in cybersecurity for the electricity industry.” The company is a provider of digital identity solutions and has advocated for FERC to require utilities to use SBOMs.
“This will allow electricity providers to have a much clearer view of their software supply chain,” Kee said. An SBOM recommendation was not included in the NERC-FERC white paper.
“I’m not that surprised since our recommendation to FERC is still being evaluated. I hope that in its next round of recommendations the SBOM approach will be included,” Kee said. “Because understanding what’s in your supply chain is absolutely essential.”
The white paper, however, included a host of other recommendations, including that energy companies “consider a risk-based systems approach to protect the most critical assets,” implement the National Institute of Standards and Technology Cybersecurity Framework, and baseline critical access and administrative privileges.
The report “provides a solid foundation for responding to these particular events,” said Syed Belal, director of operational technology cybersecurity consulting services at Hexagon PPM, in an email. “The recommended actions and corrective measures provide concrete steps to help prevent these specific attacks.”
However, Belal added that businesses need to worry about the next attack.
“While prevention is important, businesses should assume their systems will be infiltrated and invest in processes and technologies that will allow them to minimize the impact of such an attack and restore operations as quickly as possible,” he said.