CRASHOVERRIDE, The Latest Malware Menacing the Electric Grid

Publisher: Day Pitney Alert

June 19, 2017

Day Pitney Author(s) Steven A. Cash Daniel E. Wenner Patrick M. Gerity

Sophisticated offensive cyber capabilities can be directed against major critical infrastructure, and very recently just such a potential "cyber weapon" has been discovered. Malware developed over years has been uncovered; it has the potential for catastrophic disruption of a variety of infrastructure, most immediately, the electric grid. Those many businesses relying on the internet for their operations would do well to ensure they understand and work to defend against this malware.

Last week, the Maryland-based cybersecurity firm Dragos (a leading firm created by former Department of Defense cyber experts) issued a report titled CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations. The report details Dragos' finding of a new, tailored malware. Although related to the malware employed in the 2016 Ukraine electric cyber attack, this new malware is of particular concern, according to Dragos, because "there is no simple fix to the capability…. It cannot just be patched or architected away." The malware, which Dragos calls CRASHOVERRIDE, appears to be the "first ever malware framework designed and deployed to attack electric grids."

A copy of the full Dragos report, which is currently being reported on by the media, is available on the Dragos website or by clicking here.

Although the report is somewhat technical, the basics are clear. Infrastructural elements, such as the electric grid, are managed through a digital network, often called the Industrial Internet of Things (IIoT). The IIoT, like its cousin the Internet of Things, is based on networked communications, which allow various physical devices to talk to each other, respond to data from sensors and obey human commands. Many people are familiar with home items such as digitally networked thermostats that can respond to temperature sensors, electric load and user preferences, or refrigerators that can tell when the milk spoils. The IIoT is that, but on a national scale, and instead of your home heater or fridge, the network controls huge switching stations and key parts of power generator stations. Bad things can happen if the Internet of Things is hacked or damaged (your milk may spoil, or your identity may be stolen), but potentially catastrophic results could flow from disruption of the IIoT: We may lose power for hours or days, oil rigs may shut down, and generating plants could be shut down or, worse, damaged beyond repair. The Dragos report, although still preliminary, indicates the significance of these risks.

Day Pitney's Cybersecurity and Data Protection practice group has been particularly focused on the IIoT and will continue to monitor this matter. If you need help understanding or navigating the evolving risks associated with the IIoT, please contact Steven Cash or Daniel Wenner.

Recommended

Federal Energy Regulatory Commission (FERC) 101

Day Pitney will host a FERC 101 event, co-sponsored by Connecticut Power & Energy Society and EBA, on November 13 in its Hartford and Washington, DC offices.

November 13, 2018

Connecticut Power & Energy Society and EBA, Day Pitney's Hartford and Washington, DC offices

State Policies and the Markets: How the tension is playing out in PJM

Sebastian Lombardi will serve on a panel, "State Policies and the Markets: How the tension is playing out in PJM," at the Northeast Energy and Commerce Association's Power Markets Conference on November 8, at the Marriott Courtyard Hotel in Marlborough, MA.

November 8, 2018

Northeast Energy and Commerce Association's Power Markets Conference, Marlborough, MA

Risk and Opportunity with the Industrial Internet of Things

October 23, 2018

Day Pitney White Paper

NECA's 2018 Fuels Conference

On September 27, partner Joseph Fagan will be speaking on a panel, "Policy v. Practical: What can the regional consumers expect from lawmakers, regulators and energy providers?," at the Northeast Energy and Commerce Association's (NECA) annual Fuels Conference in Marlborough, MA.

September 27, 2018

Northeast Energy and Commerce Association's (NECA) annual Fuels Conference, Marlborough, MA

FERC Expands Cyber Security Incident Reporting Requirements

July 27, 2018

Day Pitney Alert

Alex Judd Elected to Chair CBA's Energy, Public Utility and Communications Law Section

July 13, 2018

Day Pitney associate Alexander W. Judd has been elected to serve as Chair of the Energy, Public Utility and Communications Law Section of the Connecticut Bar Association (CBA).

Alexander Judd Elected to CPES Board

June 5, 2018

Day Pitney Press Release

Paul Belval Honored by Greater Hartford Legal Aid

May 30, 2018

Paul Belval will be honored at "Celebrating Leaders for Justice," a dinner and ceremony being presented by the Greater Hartford Legal Aid (GHLA) Foundation.

Fuel shippers seek U.S. review of 'excessive' Colonial Pipeline rates

December 8, 2017

Joseph Fagan was quoted in an article, "Fuel shippers seek U.S. review of 'excessive' Colonial Pipeline rates," published by Reuters.

Day Pitney and NGA Host Legal Forum on the Industrial Internet of Things

November 30, 2017

Day Pitney and the National Governors Association (NGA) hosted an invitation-only forum, held at the Downtown Harvard Club of Boston, that brought together lawyers, policymakers, cybersecurity experts and other participants to identify and discuss legal issues related to the growing Industrial Internet of Things (IIoT).