CRASHOVERRIDE, The Latest Malware Menacing the Electric Grid

Publisher: Day Pitney Alert

June 19, 2017

Day Pitney Author(s) Steven A. Cash Patrick M. Gerity

Sophisticated offensive cyber capabilities can be directed against major critical infrastructure, and very recently just such a potential "cyber weapon" has been discovered. Malware developed over years has been uncovered; it has the potential for catastrophic disruption of a variety of infrastructure, most immediately, the electric grid. Those many businesses relying on the internet for their operations would do well to ensure they understand and work to defend against this malware.

Last week, the Maryland-based cybersecurity firm Dragos (a leading firm created by former Department of Defense cyber experts) issued a report titled CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations. The report details Dragos' finding of a new, tailored malware. Although related to the malware employed in the 2016 Ukraine electric cyber attack, this new malware is of particular concern, according to Dragos, because "there is no simple fix to the capability…. It cannot just be patched or architected away." The malware, which Dragos calls CRASHOVERRIDE, appears to be the "first ever malware framework designed and deployed to attack electric grids."

A copy of the full Dragos report, which is currently being reported on by the media, is available on the Dragos website or by clicking here.

Although the report is somewhat technical, the basics are clear. Infrastructural elements, such as the electric grid, are managed through a digital network, often called the Industrial Internet of Things (IIoT). The IIoT, like its cousin the Internet of Things, is based on networked communications, which allow various physical devices to talk to each other, respond to data from sensors and obey human commands. Many people are familiar with home items such as digitally networked thermostats that can respond to temperature sensors, electric load and user preferences, or refrigerators that can tell when the milk spoils. The IIoT is that, but on a national scale, and instead of your home heater or fridge, the network controls huge switching stations and key parts of power generator stations. Bad things can happen if the Internet of Things is hacked or damaged (your milk may spoil, or your identity may be stolen), but potentially catastrophic results could flow from disruption of the IIoT: We may lose power for hours or days, oil rigs may shut down, and generating plants could be shut down or, worse, damaged beyond repair. The Dragos report, although still preliminary, indicates the significance of these risks.

Day Pitney's Cybersecurity and Data Protection practice group has been particularly focused on the IIoT and will continue to monitor this matter. If you need help understanding or navigating the evolving risks associated with the IIoT, please contact Steven Cash or Daniel Wenner.

Paul Belval will be co-presenting a webinar, "Developing and Financing Wind Energy Projects: Contract Provisions, Protecting Developer and Landowner Interests," for Strafford.

June 25, 2019

Strafford Webinar

Connecticut Business & Industry Association 2019 Energy & Environment Conference

On June 13, Beth Barton and Harold Blinderman spoke at the Connecticut Business & Industry Association (CBIA) 2019 Energy & Environment Conference in Cromwell, CT.

June 13, 2019

Connecticut Business & Industry Association (CBIA) 2019 Energy & Environment Conference, Cromwell, CT.

Northeast Updates on Tackling Fuel Security

On June 13, Sebastian Lombardi will be moderating a panel, "Northeast Updates on Tackling Fuel Security," at the 2019 Energy Bar Association (EBA) Northeast Chapter Annual Meeting in Washington, DC.

June 13, 2019

2019 Energy Bar Association Northeast Chapter Annual Meeting, Washington, DC

Future Cities: Building Projects from the Green Up

Alex Judd will be moderating a panel, "Future Cities: Building Projects from the Green Up," at the 2019 New England Energy Conference & Exposition (NEECE), a joint conference of the Northeast Energy and Commerce Association and the Connecticut Power and Energy Society being held at the Mystic Marriott in Groton, CT.

May 14, 2019

Mystic Marriott, Groton, CT

Natural Gas & Pipeline Issues

On April 4, Joe Fagan will be speaking at Natural Gas & Pipeline Issues, a 50th Anniversary Master Class presented by the Environmental Law Institute (ELI) and held in Washington, D.C.

April 4, 2019

Environmental Law Institute (ELI), Washington, D.C.

FERC Rebuke Won't Be Last Word In PG&E Power Deals Fight

June 11, 2019

Josh Cohen, chair of Day Pitney's Bankruptcy and Restructuring practice group was quoted extensively in an article, "FERC Rebuke Won't Be Last Word In PG&E Power Deals Fight," published by Law360.

Risk and Opportunity with the Industrial Internet of Things

May 28, 2019

David Doot, Steven Cash and James Blackburn, IV authored an article, "Risk and Opportunity with the Industrial Internet of Things," which was published in the July-August 2019 issue of The Journal of Robotics, Artificial Intelligence & Law.

Day Pitney Represents John Hancock in its $1.25 Billion Acquisition of Commercial Renewable Energy Portfolio from Duke Energy

April 25, 2019

Day Pitney Press Release

PG&E's Ch. 11 Brings Rift With FERC Over Power Deals

January 29, 2019

Partners Josh Cohen and Dave Doot were quoted in an analysis article, "PG&E's Ch. 11 Brings Rift With FERC Over Power Deals," published by Law360.

Alex Judd Elected to Chair CBA's Energy, Public Utility and Communications Law Section

July 13, 2018

Day Pitney associate Alexander W. Judd has been elected to serve as Chair of the Energy, Public Utility and Communications Law Section of the Connecticut Bar Association (CBA).