Sophisticated offensive cyber capabilities can be directed against major critical infrastructure, and very recently just such a potential "cyber weapon" has been discovered. Malware developed over years has been uncovered; it has the potential for catastrophic disruption of a variety of infrastructure, most immediately, the electric grid. Those many businesses relying on the internet for their operations would do well to ensure they understand and work to defend against this malware.
Last week, the Maryland-based cybersecurity firm Dragos (a leading firm created by former Department of Defense cyber experts) issued a report titled CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations. The report details Dragos' finding of a new, tailored malware. Although related to the malware employed in the 2016 Ukraine electric cyber attack, this new malware is of particular concern, according to Dragos, because "there is no simple fix to the capability…. It cannot just be patched or architected away." The malware, which Dragos calls CRASHOVERRIDE, appears to be the "first ever malware framework designed and deployed to attack electric grids."
A copy of the full Dragos report, which is currently being reported on by the media, is available on the Dragos website or by clicking here.
Although the report is somewhat technical, the basics are clear. Infrastructural elements, such as the electric grid, are managed through a digital network, often called the Industrial Internet of Things (IIoT). The IIoT, like its cousin the Internet of Things, is based on networked communications, which allow various physical devices to talk to each other, respond to data from sensors and obey human commands. Many people are familiar with home items such as digitally networked thermostats that can respond to temperature sensors, electric load and user preferences, or refrigerators that can tell when the milk spoils. The IIoT is that, but on a national scale, and instead of your home heater or fridge, the network controls huge switching stations and key parts of power generator stations. Bad things can happen if the Internet of Things is hacked or damaged (your milk may spoil, or your identity may be stolen), but potentially catastrophic results could flow from disruption of the IIoT: We may lose power for hours or days, oil rigs may shut down, and generating plants could be shut down or, worse, damaged beyond repair. The Dragos report, although still preliminary, indicates the significance of these risks.
Day Pitney's Cybersecurity and Data Protection practice group has been particularly focused on the IIoT and will continue to monitor this matter. If you need help understanding or navigating the evolving risks associated with the IIoT, please contact Steven Cash or Daniel Wenner.
On October 30, Alexander Judd will be moderating a panel, "Financing Renewable Energy Projects in New England," at the Future of Energy: What's the Deal?, the 20th Annual Connecticut Power and Energy Society (CPES) Conference and Exposition.
On October 16, Sophia Browning spoke on a breakout session, entitled “Drafting and Negotiating a Power Purchase Agreement,” at the 2019 Energy Bar Association Mid-Year Energy Forum in Washington, DC.
On October 7, Steven Cash spoke at "Cybersecurity: Tension Between Innovation and Security," an event presented by the Connecticut Power and Energy Society (CPES) and held at Yale University in New Haven, CT.
Day Pitney Alert
On September 11, Beth Barton will serve as the moderator at "Tapping into the Power of Offshore Wind - A Conversation with the Women Making it Happen," a joint meeting of the Connecticut Power and Energy Society (CPES) and New England Women in Energy and the Environment (NEWIEE).
Day Pitney Press Release
Firm Ranked Tier 1 Nationally for Energy Law and Trusts and Estates Law
Josh Cohen, chair of Day Pitney's Bankruptcy and Restructuring practice group was quoted extensively in an article, "FERC Rebuke Won't Be Last Word In PG&E Power Deals Fight," published by Law360.
David Doot, Steven Cash and James Blackburn, IV authored an article, "Risk and Opportunity with the Industrial Internet of Things," which was published in the July-August 2019 issue of The Journal of Robotics, Artificial Intelligence & Law.
Day Pitney Press Release
Partners Josh Cohen and Dave Doot were quoted in an analysis article, "PG&E's Ch. 11 Brings Rift With FERC Over Power Deals," published by Law360.