Sophisticated offensive cyber capabilities can be directed against major critical infrastructure, and very recently just such a potential "cyber weapon" has been discovered. Malware developed over years has been uncovered; it has the potential for catastrophic disruption of a variety of infrastructure, most immediately, the electric grid. Those many businesses relying on the internet for their operations would do well to ensure they understand and work to defend against this malware.
Last week, the Maryland-based cybersecurity firm Dragos (a leading firm created by former Department of Defense cyber experts) issued a report titled CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations. The report details Dragos' finding of a new, tailored malware. Although related to the malware employed in the 2016 Ukraine electric cyber attack, this new malware is of particular concern, according to Dragos, because "there is no simple fix to the capability…. It cannot just be patched or architected away." The malware, which Dragos calls CRASHOVERRIDE, appears to be the "first ever malware framework designed and deployed to attack electric grids."
A copy of the full Dragos report, which is currently being reported on by the media, is available on the Dragos website or by clicking here.
Although the report is somewhat technical, the basics are clear. Infrastructural elements, such as the electric grid, are managed through a digital network, often called the Industrial Internet of Things (IIoT). The IIoT, like its cousin the Internet of Things, is based on networked communications, which allow various physical devices to talk to each other, respond to data from sensors and obey human commands. Many people are familiar with home items such as digitally networked thermostats that can respond to temperature sensors, electric load and user preferences, or refrigerators that can tell when the milk spoils. The IIoT is that, but on a national scale, and instead of your home heater or fridge, the network controls huge switching stations and key parts of power generator stations. Bad things can happen if the Internet of Things is hacked or damaged (your milk may spoil, or your identity may be stolen), but potentially catastrophic results could flow from disruption of the IIoT: We may lose power for hours or days, oil rigs may shut down, and generating plants could be shut down or, worse, damaged beyond repair. The Dragos report, although still preliminary, indicates the significance of these risks.
Day Pitney's Cybersecurity and Data Protection practice group has been particularly focused on the IIoT and will continue to monitor this matter. If you need help understanding or navigating the evolving risks associated with the IIoT, please contact Steven Cash or Daniel Wenner.
Day Pitney will host a FERC 101 event, co-sponsored by Connecticut Power & Energy Society and EBA, on November 13 in its Hartford and Washington, DC offices.
Sebastian Lombardi will serve on a panel, "State Policies and the Markets: How the tension is playing out in PJM," at the Northeast Energy and Commerce Association's Power Markets Conference on November 8, at the Marriott Courtyard Hotel in Marlborough, MA.
Day Pitney White Paper
On September 27, partner Joseph Fagan will be speaking on a panel, "Policy v. Practical: What can the regional consumers expect from lawmakers, regulators and energy providers?," at the Northeast Energy and Commerce Association's (NECA) annual Fuels Conference in Marlborough, MA.
Day Pitney Alert
Day Pitney associate Alexander W. Judd has been elected to serve as Chair of the Energy, Public Utility and Communications Law Section of the Connecticut Bar Association (CBA).
Day Pitney Press Release
Paul Belval will be honored at "Celebrating Leaders for Justice," a dinner and ceremony being presented by the Greater Hartford Legal Aid (GHLA) Foundation.
Joseph Fagan was quoted in an article, "Fuel shippers seek U.S. review of 'excessive' Colonial Pipeline rates," published by Reuters.
Day Pitney and the National Governors Association (NGA) hosted an invitation-only forum, held at the Downtown Harvard Club of Boston, that brought together lawyers, policymakers, cybersecurity experts and other participants to identify and discuss legal issues related to the growing Industrial Internet of Things (IIoT).