Provided by the American Public Power Association
In a recent memo to American Public Power Association (APPA) members, APPA CEO Sue Kelly urged municipal electric utilities to review a white paper recently posted by the Electricity Information and Analysis Center (E-ISAC). The white paper discusses the recent Internet of Things (IoT) Distributed Denial of Service (DDoS) attacks on computer systems, and includes mitigation recommendations. Kelly strongly recommended that public power systems read the report and take actions where necessary. The document can be downloaded here.
The “bottom line” of the paper is that the E-ISAC strongly recommends utilities examine their Internet-facing systems to ensure that:
• Internet-facing devices are inventoried and examined for vulnerabilities;
• Internet-facing devices have sufficient business justification for being publicly exposed;
• Utility-owned and managed systems that are exposed to the Internet have adequate protections in place to prevent the exploit described in the paper;
• If you do not have the technical expertise within your utility to take these steps, you should seek assistance.
On October 21, 2016, a DDoS attack against the Dyn Managed Domain Name System (DNS) infrastructure occurred, which shut down some popular web-based media systems. Such attacks are escalating in scale. This is the highest-throughput DDoS attack seen to date. Due to the highly interconnected state of the IoT, and the insecurity built into systems as mundane as consumer products and toys, there is a risk that this type of attack can now be leveraged against critical industrial control systems, such as those used in the electric power industry.
“I want to emphasize the importance of incorporating the E-ISAC’s recommendations into your cyber security programs and processes, due to the unprecedented scale of these recent attacks,” Kelly noted. “Your immediate attention to these recommendations will help mitigate the risk of your cyber systems being misused or rendered unavailable, with all the actual and reputational damage such an event could cause.”
If you have not done so already, IAMU encourages its electric members to sign up for the E-ISAC portal to receive further details on this and other cyber risks. You may also utilize the E-ISAC forum to stay informed and to share information on any cyber or physical attacks, so those in the electricity industry can learn from each other and better defend themselves. To sign up, please contact the E-ISAC for further information at firstname.lastname@example.org or www.eisac.com.