Reducing a high risk identified in the 2023 Regional Risk Assessment through NERC Alerts and E-ISAC All Points Bulletins
In the never-ending battle against the risk of Phishing/Ransomware/Malware, it is important that security professionals in your organization receive relevant security notifications. This article highlights opportunities for utility industry security professionals to stay abreast of pertinent threat information through NERC Alerts and E-ISAC Critical Broadcast Program (CBP) All Points Bulletins (APB).
Recent NERC Alerts related to ransomware/malware include:
- Industry Recommendation – Preparation for Potential Russian Cyber Activity against Industry from Russia-linked Actors (referenced E-ISAC CBP APB 22-01Awareness of ‘DOE ARES Report on Cybersecurity Considerations During Ongoing Tensions’ Related to Russia).
- Industry Advisory – Apache Software Foundation Log4j, aka Log4Shell Vulnerability (referenced E-ISAC CBP APB 21-07 Active Exploitation of Log4jJava Vulnerability – Mitigate Now).
Recent E-ISAC CBP APB related to ransomware/malware include:
- 22-07 Data Loss from Ransomware Event where Sargent and Lundy, a global engineering services firm, was the victim of a cyber incident that may have included a ransomware attack resulting in data exfiltration.
- 22-04 Novel Malware Found in VMWare ESXi Hypervisors Impacting Virtual Machines where security researchers noted a shift in state-sponsored threat actor techniques in direct response to advances in endpoint detection.
About NERC Alerts
NERC often discovers, identifies, or is provided with information that is critical to ensuring the reliability and security of the bulk power system in North America. To disseminate this information, NERC emails “alerts” designed to provide concise, actionable information to the electricity industry. NERC alerts are divided into three distinct levels:
1. Industry Advisory – Purely informational, intended to alert registered entities to issues or potential problems.
2. Recommendation to Industry – Recommends specific action be taken by registered entities.
3. Essential Action – Identifies actions deemed to be “essential” to bulk power system reliability and requires NERC Board of Trustees’ approval prior to issuance.
NERC distributes Alerts to the users, owners, and operators of the bulk power system in North America identified in the NERC Compliance Registry. Some Alerts are targeted to groups of entities based on their registered functions (e.g., Balancing Authorities, Planning Authorities, Generation Owners, etc.) Entities registered with NERC are required to provide and maintain up-to-date compliance and cybersecurity contacts. The identified contacts that receive NERC Alerts are:
(Primary Recipients) – The designated primary compliance contact for each registered organization. If this alert is a “Recommendation to Industry” or “Essential Action Notification,” a response is required, and reporting instructions are sent to this individual.
(Informational) – You are listed as an additional alert contact as specified by your organization on NERC’s compliance registry.
(Courtesy Copy) – You have received this message as a courtesy copy for your reference only because you are on a NERC committee or stakeholder group.
The NERC Alerts may have single point entry into your organization per the above recipient list and require a process to ensure the information is distributed to the correct individuals. Upon registration with NERC, entities are required to select a primary and backup compliance contact (Primary Recipients). Adding Informational or Courtesy Copy contacts requires additional action. Most NERC Alerts require distribution beyond these initial contacts to other subject matter experts (SMEs), even if official responses are not required. MRO staff asked several registered entities to describe what practices they have in place to ensure Alerts are forwarded to relevant security SMEs within their organizations. Here are some best practices we identified:
- Maintain a SME contact list and periodically assess it for accuracy.
- The contact list could be updated based on internal survey results, org chart information, or by cross-referencing organization security conference attendee lists f to determine who has an active interest.
- Create specific distribution lists for SMEs based on topics or areas of interest.
- Require SME contact lists to be updated as part of the new employee onboarding process.
- Perform a risk analysis to determine relevancy before sending Alerts downstream to avoid overwhelming recipients.
- Encourage relationship-building between NERC registry contacts and security leadership.
- Encourage NERC registry contacts to communicate downstream even if an official response to NERC is not required.
- Try to ensure that the SME contact list has more than one contact per subject to prevent possible single point failures (e.g., employees out sick).
- Have multiple channels to distribute the alerts to SMEs. Such as, email, teams, phone, armor text, etc.
- Have a tracking method to manage the distribution of relevant alerts within the organization.
- As permitted by the Traffic Light Protocol (TLP) classification included on the Alert, distribute to departments and organizations that are not direct recipients of NERC Alerts such as corporate security, nuclear operations, third-party non-registered generators, distributed energy resource companies, member distribution cooperatives, municipal utilities in your territory, etc.
- As permitted by the Traffic Light Protocol (TLP) classification included on the Alert, forward the alert to trade groups.
About E-ISAC CBP APBs
The E-ISAC publishes bulletins to bring security threats and information to your attention. Some of the bulletins are elevated depending on the associated risk. All NERC registered entities can sign up for an account on the E-ISAC portal and customize the notifications. Customization options include cyber, physical, operational technology, geopolitical, socioeconomic, domestic violent extremists, geopolitical threats, geopolitical threats – Russia, key vulnerabilities, Log4j, and supply chain.
CBP APBs are within the above categories, so to further highlight them, recipients can set up an Outlook filter to flag on sender, and “CBP APB” in the subject or text of the email. In addition to recommending security professionals sign up for portal access and monitor for CBP APBs, if an organization has an established internal communication chain utilized for NERC Alert distribution, the compliance team that drives the formal communication may also monitor for critical E-ISAC postings to amplify notices throughout the organization to the correct endpoints.
For more information on NERC Alerts, please contact [email protected].
For more information no E-ISAC CBP APBs, please contact [email protected].
– Lee Felter, MRO Principlal Security Engineer