August 7, 2020

Volume X, Number 220


Hacker-Triggered Ukrainian Blackout Emphasizes Importance of Cybersecurity

The electric utility industry has spent vast amounts of money on cybersecurity, an investment that has steadily escalated since the Critical Infrastructure Protection (CIP) Reliability Standards became effective in 2008. Those investments, and the increasingly strict CIP Reliability Standards, were intended to address fears that hackers could use the industrial control systems and other computer systems that control the electric system to cause a blackout. Until recently, that threat was hypothetical. Now, for the first time, public reports have emerged of hackers taking down part of an electric grid.

In late December 2015, hackers allegedly compromised the networks of several Ukrainian power authorities, causing blackouts that lasted several hours and affected thousands of people. Ukrainian authorities confirmed that malicious software infected several control systems, disabling them and resulting in a power outage. The malware, a family known to have been used in attacks since 2007, was reportedly delivered inside Microsoft Office documents and had been retrofitted with code targeting power stations and other critical infrastructure. Although the geopolitical circumstances in Ukraine are drastically different from those faced by electric utilities in the United States, the attack provides a “proof of concept,” demonstrating that an attacker can cause a widespread blackout; the threat is no longer hypothetical.

For those electric utilities already subject to CIP Reliability Standards, there are three key takeaways:

  • First, the threat is real. Greater corporate awareness is a benefit, but greater awareness by regulators is a risk. Although recent changes to the Federal Power Act already give the federal government the ability to direct short-term emergency actions in response to threats to electric infrastructure, the appetite for new authority and greater regulation in this area continues.

  • Second, strict implementation of the CIP requirements for malware protections can pay dividends in protecting critical computer systems. Recent reports suggest that known malware was used both to gain access to these systems and to cover up the signs of the intrusion.

  • Third, protecting against malware cannot be a purely automated process; human error likely permitted the malware’s initial introduction into the utility’s systems. Reports suggest that the malware was delivered through macros in Microsoft Office documents, which run only after the recipient enables them, and that employees opened those documents as a result of spear-phishing attacks. Such attacks use social engineering to convince preselected email recipients to open apparently innocuous documents or click on apparently safe links. In reality, those actions cause malicious programs to download or run on the recipient’s computer and spread through the connected network. The attack is a timely reminder that utility employees, particularly those with access to critical utility systems, should receive training on identifying and handling spear-phishing attacks as part of their regular security training. Such training, although not required by the existing CIP Reliability Standards, could be delivered through the quarterly security awareness reinforcement required under CIP-004-5.1 R1, Part 1.1.
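The second and third takeaways above describe the delivery vector: macro-bearing Office documents sent by spear-phishing. The following script is an added example, not from the article and not any utility's tooling, of a malware-protection control that sits in front of the user rather than relying on the user to refuse the macro prompt. It relies on a documented property of the Office Open XML format: a .docx/.docm/.xlsx/.xlsm/.pptx/.pptm file is a ZIP archive, and a VBA project is stored in a part named vbaProject.bin and declared in [Content_Types].xml with the content type application/vnd.ms-office.vbaProject. Checking for that part needs no macro execution and no Office installation. Legacy binary .doc/.xls files (OLE2 compound files) need an OLE parser and are only routed for manual review here. The file names and sample documents are constructed for the example.

```python
"""Triage Office attachments for embedded VBA macros (added example).

A mail gateway or endpoint hook can call triage_attachment() on every
attachment. OOXML documents are inspected as ZIP archives only; the macro
bytes are never parsed or run. Legacy OLE2 (.doc/.xls) files are sent for
review because detecting macros in them needs an OLE parser (e.g. olevba
from the oletools project), which this example deliberately does not add.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy binary Office header
NON_MACRO_EXTENSIONS = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}


def find_vba_parts(data: bytes):
    """Return (is_ooxml, reasons). reasons is non-empty when a VBA project is present."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, []
    reasons = []
    names = zf.namelist()
    # Part-name check: the VBA project is always stored as .../vbaProject.bin.
    vba_parts = sorted(n for n in names if n.lower().endswith("vbaproject.bin"))
    if vba_parts:
        reasons.append("macro storage present: " + ", ".join(vba_parts))
    # Manifest check: the package content-types file declares the VBA part type.
    if "[Content_Types].xml" in names:
        manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if VBA_CONTENT_TYPE in manifest:
            reasons.append("[Content_Types].xml declares a VBA project")
    return True, reasons


def triage_attachment(filename: str, data: bytes) -> dict:
    """Decide allow / block / review for one attachment (hypothetical policy)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    is_ooxml, reasons = find_vba_parts(data)
    if not is_ooxml:
        if data.startswith(OLE2_MAGIC):
            return {"file": filename, "action": "review",
                    "reasons": ["legacy OLE2 document; macros cannot be ruled out without an OLE parser"]}
        return {"file": filename, "action": "allow",
                "reasons": ["not an OOXML or OLE2 document; outside this check"]}
    if reasons:
        # A macro project inside a .docx/.xlsx/.pptx is itself a red flag:
        # those extensions are not supposed to carry macros, so the file was likely renamed.
        if ext in NON_MACRO_EXTENSIONS:
            reasons.append(f"extension .{ext} should not carry macros (renamed file?)")
        return {"file": filename, "action": "block", "reasons": reasons}
    return {"file": filename, "action": "allow", "reasons": []}


# --- constructed sample documents (minimal, not produced by Office) ---------
def _ooxml(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


_MANIFEST = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
             'officedocument.wordprocessingml.document.main+xml"/>{extra}</Types>')

CLEAN_DOCX = _ooxml({"[Content_Types].xml": _MANIFEST.format(extra=""),
                     "word/document.xml": "<w:document/>"})
MACRO_DOCM = _ooxml({
    "[Content_Types].xml": _MANIFEST.format(
        extra='<Override PartName="/word/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + '"/>'),
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x01\x16\x03\x00placeholder",   # stub bytes, not a real VBA project
})
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 504                        # OLE2 header only

if __name__ == "__main__":
    for name, blob in [("invoice.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCM),
                       ("invoice.docx", MACRO_DOCM), ("invoice.doc", LEGACY_DOC)]:
        print(triage_attachment(name, blob))
```

The two checks are redundant on purpose: an attacker who strips the manifest entry to evade a content-type filter still has to ship the vbaProject.bin part for the macro to exist, and vice versa. The control complements, rather than replaces, the awareness training discussed above; it catches the macro document before the employee is ever asked to enable content.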

Copyright © 2020 by Morgan, Lewis & Bockius LLP. All Rights Reserved. National Law Review, Volume VI, Number 8

About this Author

J. Daniel Skees, Energy attorney, Morgan Lewis
Partner

J. Daniel Skees represents electric utilities before the Federal Energy Regulatory Commission (FERC) and other agencies on rate, regulatory, and transaction matters. He handles rate and tariff proceedings, electric utility and holding company transactions, reliability standards development and compliance, and FERC rulemaking proceedings. The mandatory electric reliability standards under Section 215 of the Federal Power Act are a major focus of Dan’s practice. He advises clients regarding compliance with reliability standards, and helps them participate in the...

202-739-5834
Arjun Prasad Ramadevanahalli, Morgan Lewis, energy attorney
Associate

As the US energy business continues to evolve, Arjun Prasad Ramadevanahalli represents key industry participants in regulatory, transactional, and litigation matters, including investigations and enforcement proceedings. Arjun represents electric power, natural gas, and other energy industry participants before the Federal Energy Regulatory Commission (FERC), the US Commodity Futures Trading Commission (CFTC), and the North American Electric Reliability Corporation (NERC). When necessary, his representations extend to court appeals.

202-739-5913