The Federal Energy Regulatory Commission (FERC) is tasked with keeping our electric grid safe and maintaining reliable and secure energy for U.S. consumers. On January 20, FERC issued a Notice of Proposed Rulemaking (NOPR) that proposes to strengthen its Critical Infrastructure Protection Reliability Standards by requiring internal network security monitoring for high and medium impact bulk electric system cyber systems.

According to the NOPR, the current Reliability Standards do not address internal network security monitoring, and this omission constitutes a gap. The NOPR proposes to direct the North American Electric Reliability Commission to develop standards that require internal network security monitoring, so that responsible entities maintain visibility over communications between networked devices and have a better chance of detecting a cyber-attack early. The NOPR cites the highly publicized SolarWinds cyber-attack as the reason internal network security monitoring is needed, since that attack “demonstrates how an attacker can bypass all network perimeter-based security controls traditionally used to identify the early phases of an attack.” Comments on the NOPR will be due 60 days after its publication in the Federal Register.
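What "visibility over communications between networked devices" looks like in practice is a baseline of which internal hosts talk to which, on which services, with alerts on conversations that fall outside it. The following is an added example written for this post, not FERC's or NERC's code, and the flow records it processes are constructed here in a simple whitespace-separated form (timestamp, source, destination, destination port, protocol, bytes); a real deployment would feed it NetFlow/IPFIX or sensor output.

```python
"""Internal network security monitoring in miniature: learn which internal
hosts talk to which on what services, then alert on flows outside that
baseline. Added example; the flow records are constructed for the demo."""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Constructed record format: '<timestamp> <src> <dst> <dport> <proto> <bytes>'."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def build_baseline(lines):
    """Return (peer_pairs, services): internal src->dst pairs and (src, dst, dport, proto)
    tuples observed during the learning window. External traffic is left to perimeter controls."""
    pairs, services = set(), set()
    for line in lines:
        f = parse_flow(line)
        if is_internal(f["src"]) and is_internal(f["dst"]):
            pairs.add((f["src"], f["dst"]))
            services.add((f["src"], f["dst"], f["dport"], f["proto"]))
    return pairs, services


def detect(lines, baseline):
    """Alert on internal flows absent from the baseline, distinguishing a never-seen
    peer pair (the lateral-movement pattern) from a known pair using a new service."""
    pairs, services = baseline
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if not (is_internal(f["src"]) and is_internal(f["dst"])):
            continue
        if (f["src"], f["dst"], f["dport"], f["proto"]) in services:
            continue
        reason = "new-service" if (f["src"], f["dst"]) in pairs else "new-peer-pair"
        alerts.append({"reason": reason, **f})
    return alerts


# Constructed sample: a learning window (HMI 10.10.1.5 polling two PLCs over Modbus/502,
# engineering workstation 10.10.1.7 talking to a historian on 1433) and a later window.
BASELINE_FLOWS = [
    "2022-01-10T08:00:00 10.10.1.5 10.10.2.20 502 tcp 1200",
    "2022-01-10T08:00:05 10.10.1.5 10.10.2.21 502 tcp 980",
    "2022-01-10T08:01:00 10.10.1.7 10.10.3.10 1433 tcp 5400",
    "2022-01-10T08:02:00 10.10.1.5 8.8.8.8 53 udp 120",  # external; out of scope here
]
NEW_FLOWS = [
    "2022-01-11T09:00:00 10.10.1.5 10.10.2.20 502 tcp 1100",  # normal polling
    "2022-01-11T09:00:30 10.10.1.5 10.10.2.20 22 tcp 3000",   # known pair, new service (SSH)
    "2022-01-11T09:01:00 10.10.1.7 10.10.2.20 502 tcp 640",   # workstation -> PLC: new pair
    "2022-01-11T09:02:00 10.10.1.7 8.8.4.4 443 tcp 2000",     # external; out of scope here
]


def demo():
    """Run detection on the constructed sample and return the alerts."""
    return detect(NEW_FLOWS, build_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for a in demo():
        print(a["ts"], a["reason"], a["src"], "->", a["dst"], a["dport"], a["proto"])
```

The two alerts the sample produces are the two things a perimeter sensor would never see: a known pair opening a new service, and a host reaching a device it has never spoken to before. In production the baseline needs a learning window long enough to cover maintenance cycles, and alerts should be enriched with asset roles so that workstation-to-controller traffic ranks above historian replication.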

ECRI has been publishing its annual report of health technology hazards for the past 15 years. According to ECRI’s Device Evaluation group, “the Top 10 Health Technology Hazards list identifies the potential sources of danger that we believe warrant the greatest attention for the coming year. The list does not necessarily enumerate the most frequently reported problems or the ones associated with the most severe consequences—although we do consider such information in our analysis. Rather, the list reflects our judgment about which risks should receive priority now.”

This year, ECRI named cybersecurity attacks the #1 health technology hazard for 2022. According to ECRI, “Cybersecurity incidents don’t just interfere with business operations—they can disrupt patient care, posing a real threat of physical harm.” The consequences range from an inability to offer care to patients, including the rescheduling of preventive and scheduled surgeries, to the closure of a unit or an entire facility.

ECRI notes that “Responding to these risks requires not only a robust security program to prevent attacks from reaching critical devices and systems, but also a plan for maintaining patient care when they do.”

Health care providers and systems have been hit hard by cyber-attacks during the pandemic, and ECRI predicts that the attacks will not abate in the coming year.

This week in Japan, the world’s first fully-autonomous ship navigation system deployed a car ferry during a demonstration test. The demonstration took place using a 15,500 gross ton Ro-Pax ferry, spanning 730 feet, that traveled approximately 150 miles between Shinmoji and Iyonada in a 7-hour period. The vessel’s operating speed reached about 26 knots during the demonstration.

The vessel was first introduced into service in July 2021 and is equipped with high-precision sensor image analysis systems and infrared cameras to detect other ships (even in complete darkness). The vessel also has a navigation system with an avoidance function and automated port berthing/unberthing technology that can perform turning and reversing movements.

Mitsubishi Shipbuilding Co. built the vessel and used advanced technologies such as artificial intelligence to navigate the autonomous journey. The company plans to continue developing technologies in this space in order to achieve safe, high-quality service for passenger ferries as well. The vessel will also need to be equipped with technology to monitor motor conditions during normal operations with passengers aboard.

While there are still many issues to be resolved and improvements to be made, this voyage is a big step towards fully autonomous vessels entering the market much more commonly. These advancements will also hopefully lead to resolution of issues in coastal shipping such as safety, accidents, crew shortages, high crew labor costs, and extensive operational costs.

Passwords are so difficult to remember. We all know we shouldn’t use the same or similar passwords across platforms. Stolen credentials are dumped on the dark web, and criminals use them to steal other data from victims, including frequent flyer miles, online banking credentials, cryptocurrency and other digital assets, and to get into employers’ systems. But passwords are so hard to remember, so we may be tempted when the Chrome browser pop-up asks us whether we want to save them.

A relatively new malware, dubbed Redline Stealer, gives us another reason why we shouldn’t be saving those passwords in our Chrome (or other) browser. According to AhnLab ASEC, “Redline Stealer is an infostealer that collects account credentials saved to web browsers, which first appeared on the Russian dark web in March 2020.”

In the case that AhnLab researched, the user had saved the credentials for the company VPN in the browser on a company laptop. The user, who was working from home, allowed everyone in the household to use the laptop. Lax security measures allowed the laptop to become infected with the malware, which gave the threat actor access to the saved VPN credentials, and the attacker infiltrated the company’s systems with those compromised credentials.

According to AhnLab, “Although the account credentials storing feature of browsers is very convenient, as there is a risk of leakage of account credentials upon malware infection, users are recommended to refrain from using it and only use programs from clear sources.”

Resist the temptation to save credentials through your browser so you don’t give a threat actor easy access to your information and system or that of your employer.
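For an employer, "resist the temptation" becomes a managed setting: the browser's built-in password manager is switched off by policy so there is no saved-credential store for an infostealer to read. The script below is an added example written for this post (it is not AhnLab's code and not part of any browser). The policy names are the browsers' real ones: Chrome and Edge read the boolean PasswordManagerEnabled from a managed-policy JSON file (or, on Windows, from HKLM\Software\Policies\Google\Chrome and HKLM\Software\Policies\Microsoft\Edge), and Firefox reads OfferToSaveLogins under "policies" in policies.json. The sample policy documents are constructed for the example; the parsing helpers and the audit function are mine.

```python
"""Audit managed browser policy for the built-in password manager and
produce the corrected document. Added example; sample policies constructed."""
import json

# (policy key, parent objects leading to it) per browser. Chrome/Edge keep the
# key at top level; Firefox nests everything under "policies".
POLICY_LOCATION = {
    "chrome": ("PasswordManagerEnabled", ()),
    "edge": ("PasswordManagerEnabled", ()),
    "firefox": ("OfferToSaveLogins", ("policies",)),
}


def password_saving_state(policy_json: str, browser: str) -> str:
    """Return 'disabled' if policy forces saving off, 'enabled' if it explicitly
    allows it, or 'unmanaged' if the key is absent (browsers default to offering to save)."""
    key, parents = POLICY_LOCATION[browser]
    node = json.loads(policy_json)
    for parent in parents:
        node = node.get(parent, {})
    if key not in node:
        return "unmanaged"
    return "disabled" if node[key] is False else "enabled"


def remediated_policy(policy_json: str, browser: str) -> str:
    """Return the same document with password saving forced off; other settings are kept."""
    key, parents = POLICY_LOCATION[browser]
    doc = json.loads(policy_json)
    node = doc
    for parent in parents:
        node = node.setdefault(parent, {})
    node[key] = False
    return json.dumps(doc, indent=2, sort_keys=True)


def audit(policies: dict) -> list:
    """policies maps browser -> policy JSON text. Returns (browser, state) for every
    browser whose policy does not force saving off."""
    findings = []
    for browser, text in policies.items():
        state = password_saving_state(text, browser)
        if state != "disabled":
            findings.append((browser, state))
    return findings


# Constructed sample documents: Chrome explicitly allows saving, Edge says nothing
# about it (so it defaults to saving), Firefox is already correct.
SAMPLE_POLICIES = {
    "chrome": '{"PasswordManagerEnabled": true, "BrowserSignin": 0}',
    "edge": '{"SmartScreenEnabled": true}',
    "firefox": '{"policies": {"OfferToSaveLogins": false, "DisableTelemetry": true}}',
}

if __name__ == "__main__":
    for browser, state in audit(SAMPLE_POLICIES):
        print(f"{browser}: password saving {state}; corrected policy:")
        print(remediated_policy(SAMPLE_POLICIES[browser], browser))
```

Treat "unmanaged" as a finding, not a pass: absence of the key means the browser behaves as the user configured it, which in the case above meant a VPN password sitting on a shared laptop. Turning the setting off does not remove credentials already saved, so the policy change should be paired with rotating any credential that was stored in a browser on a machine that may have been infected.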

The FBI’s Internet Crime Complaint Center (IC3) recently issued a warning alerting consumers that scammers are using malicious QR Codes to reroute unsuspecting customers to malicious sites to try to steal their data.

Criminals are taking advantage of our familiarity with QR codes, which we grew used to scanning at restaurants and other establishments during the pandemic, to commit crimes; the practice is also known as QRishing. The criminals encode a malicious link in the QR code to redirect a user to a malicious site, where they attempt to get the user to provide personal information, financial information or other data that can be used to perpetrate fraud or identity theft.

Embedding a malicious link in a QR code is no different from embedding it in a link or attachment in a phishing email or a smishing text. But consumers are not as alert to questioning QR codes as they have become to spotting malicious emails and texts.

Hence, the alert from IC3. IC3 is warning consumers to check and re-check any URL generated by a QR code and to be cautious about using them for any form of payment.

QR codes should be viewed as suspiciously as emails and texts. Be cautious when asked to scan a QR code, and refuse to provide any type of personal information or financial information after scanning one.
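"Check and re-check any URL generated by a QR code" can be automated on the device or at a gateway. The following is an added example written for this post, not code from IC3; it takes the string a QR scanner returns and applies the checks a defender would want before the URL is opened: scheme, user-info before an "@" that disguises the real host, raw IP hosts, punycode hostnames, public URL shorteners that hide the destination, and lookalike spellings of domains on an expected list. The shortener set, the expected-domain list and the sample URLs are constructed for the example.

```python
"""Vet a URL decoded from a QR code before anyone opens it. Added example;
the shortener list, expected domain and sample URLs are constructed."""
import ipaddress
from urllib.parse import urlsplit

KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd"}  # sample of public services


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet_qr_url(url: str, expected_domains) -> list:
    """Return the reasons this URL should not be trusted; an empty list means none found."""
    reasons = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {scheme!r}")  # a payment page should never need another scheme
    elif scheme == "http":
        reasons.append("not HTTPS")
    host = (parts.hostname or "").lower()
    if not host:
        reasons.append("no host")
    if parts.username is not None:
        reasons.append("user-info before '@' hides the real host")
    if _is_ip_literal(host):
        reasons.append("raw IP address instead of a domain")
    if "xn--" in host:
        reasons.append("punycode hostname; may be a homoglyph of a familiar name")
    if host in KNOWN_SHORTENERS:
        reasons.append("URL shortener hides the final destination")
    registrable = ".".join(host.split(".")[-2:])  # naive registrable domain: last two labels
    for good in expected_domains:
        if host == good or host.endswith("." + good):
            break  # exact match or a subdomain of an expected domain
        if registrable != good and _edit_distance(registrable, good) <= 2:
            reasons.append(f"lookalike of {good}")
        if good in host:
            reasons.append(f"{good} embedded in a different domain")
    else:
        if expected_domains:
            reasons.append("domain not on the expected list")
    return reasons


# Constructed sample: URLs a scanner might return, checked against one expected domain.
SAMPLE_URLS = [
    "https://menu.example-cafe.com/table/12",
    "http://example-cafe.com/pay",
    "https://exampl3-cafe.com/pay",
    "https://example-cafe.com@203.0.113.5/pay",
    "https://bit.ly/3xAmPLe",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", vet_qr_url(u, ["example-cafe.com"]) or "no findings")
```

The expected-domain list is the key input: a restaurant's own menu or payment domain, a bank's domain, or an enterprise allow-list. Without it the function still catches the structural tricks (user-info, IP hosts, shorteners, odd schemes), but the lookalike check is what turns "this URL parses fine" into "this is one character away from the domain you expected".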

Another day, another governmental entity hit with a ransomware attack. If you are a resident of Bernalillo County, New Mexico, and you need a marriage license, want to conduct a real estate transaction or register to vote, you might be told there is “no access to systems and no legal filings are possible” due to a cybersecurity “issue.” But you CAN still pay your taxes, as no extension is being given, despite the cyber event.

According to the Albuquerque Journal, the County announced on January 5, 2021, that it was a victim of a cyberattack that affected “a wide variety of county government operations. Most county buildings were closed until further notice.”

Not only was the clerk’s office closed for certain business transactions, but the County also filed an emergency notice in federal court that it was unable to comply with terms of a settlement involving conditions at the County jail because the ransomware attack knocked out access to the jail’s security cameras. As a result, all inmates were limited in how much time they could spend outside their cells, and their access to telephones and tablets was reduced. According to the article, the facility has been “on ‘lockdown’ since Wednesday.”

Court systems were disrupted as well, and personnel scrambled to set up alternate plans to “allow criminal proceedings to continue in the face of this unforeseen event.”

Ransomware attacks against local governmental entities are frequent and very disruptive to residents of that state, county, or municipality. And it does not look like the pace of attacks against local governments will ease any time soon.

Microsoft has issued frequent updates on the Log4j vulnerability that we have been hearing so much about. The vulnerability is a serious problem that will become more widespread as time goes on.

According to Microsoft’s threat intelligence team:

“The Log4j vulnerabilities represent a complex and high-risk situation for companies across the globe. This open-source component is widely used across many suppliers’ software and services. By nature of Log4j being a component, the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment. Customers are encouraged to utilize scripts and scanning tools to assess their risk and impact. Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities.”

The threat intelligence team has observed “mass scanning by attackers” trying to find vulnerable systems to attack, and nation-state activity by groups in China, Iran, North Korea and Turkey that are experimenting with how to carry out attacks. It is only a matter of time before they are successful.

Further, in the last week, the threat intelligence team identified that a China-based ransomware group, dubbed DEV-0401, “started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware.” This group has successfully deployed ransomware in the past and is “using command and control…servers that spoof legitimate domains.”

Microsoft released new threat and vulnerability management capabilities on January 11, 2022.
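The quoted advice to "utilize scripts and scanning tools to assess their risk and impact" starts with an inventory: Log4j is a library, so it hides inside application archives, often nested inside WARs and EARs that no package manager tracks. The scanner below is an added example written for this post, not Microsoft's or Apache's tooling. It walks a directory tree, opens every archive, recognises log4j-core by its package path, reads the version from the jar's MANIFEST (falling back to the file name), recurses into nested archives, and notes whether JndiLookup.class is still present (removing that class was Apache's stated mitigation for the JNDI lookup behind CVE-2021-44228). The fixed-version threshold is a constant set here to 2.17.1; set it from Apache's current guidance for your Java version. The sample archives are constructed in a temporary directory for the demonstration.

```python
"""Inventory log4j-core archives under a directory and classify each one.
Added example; the sample jars and WAR are constructed for the demo."""
import io
import os
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
FIXED = (2, 17, 1)  # assumption for this demo; take the threshold from Apache's current advisory
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def _parse_version(text):
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def _manifest_version(zf):
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return _parse_version(line.split(":", 1)[1])
    return None


def _classify(version, jndi_present):
    if version is not None and version >= FIXED:
        return "patched"
    if not jndi_present:
        return "jndilookup-removed"  # JNDI lookup mitigated, but still below the fixed release
    return "vulnerable" if version is not None else "vulnerable (version unknown)"


def inspect_archive(data, label, findings, depth=0):
    """Record a finding if this archive contains log4j-core; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        if any(n.startswith(CORE_PREFIX) for n in names):
            version = _manifest_version(zf) or _parse_version(os.path.basename(label))
            jndi = JNDI_CLASS in names
            findings.append({"path": label, "version": version, "jndi_lookup": jndi,
                             "status": _classify(version, jndi)})
        if depth < 5:  # WAR inside EAR inside ZIP is common; bound the recursion anyway
            for n in names:
                if n.lower().endswith(ARCHIVE_EXT):
                    inspect_archive(zf.read(n), f"{label}!{n}", findings, depth + 1)


def scan_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), path, findings)
    return findings


def build_sample_jar(version, include_jndi):
    """Constructed stand-in for a log4j-core jar: manifest plus empty placeholder class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"")
    return buf.getvalue()


def write_sample_tree(root):
    """Constructed sample: a vulnerable jar, a patched jar, and a WAR nesting a JndiLookup-stripped jar."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(build_sample_jar("2.14.1", True))
    with open(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(build_sample_jar("2.17.1", True))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_sample_jar("2.14.1", False))
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(war.getvalue())


def demo():
    """Build the constructed sample tree in a temporary directory, scan it, return the findings."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        write_sample_tree(d)
        return scan_tree(d)


if __name__ == "__main__":
    for f in demo():
        print(f["status"], f["path"], f["version"])
```

Run it against application directories, container image layers and backup volumes, not just the package manager's view: the nested WAR case in the sample is the one that a "which packages are installed" query misses. A "jndilookup-removed" result is a mitigation record, not a closure; the finding should stay open until the archive is rebuilt on a fixed release.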

Mobile health apps are growing in popularity and their number is increasing every year. Many of us find it convenient to use an app to schedule medical appointments, check medical records, track and store health data, and check symptoms. App developers have always needed to be mindful of protecting the privacy of the information that is shared in a mobile health app but recent guidance from the Federal Trade Commission (FTC) signals that the FTC intends to make compliance with its breach notification rule and enforcement a priority.

Last fall the FTC issued a policy statement to clarify that its Health Breach Notification Rule (Rule) “helps to ensure that entities… not covered by the Health Insurance Portability and Accountability Act (HIPAA) nevertheless face accountability when consumers’ sensitive health information is compromised.” The statement acknowledged that the Rule was issued over a decade ago, but that the “explosion” in health apps makes it important now. The Rule requires certain app vendors to notify consumers, the FTC and in some cases, the media if there is a breach of unsecured identifiable health information. Failure to comply with the Rule could result in civil penalties of $43,792 per day. The FTC website contains helpful information that offers tips for app developers, along with a mobile health app interactive tool to assist in determining which federal laws might apply.

The Cybersecurity & Infrastructure Security Agency (CISA), in tandem with the FBI and National Security Agency, issued a Cybersecurity Advisory on January 22, 2022, to warn organizations, and especially critical infrastructure operators, to be on heightened alert that Russian state-sponsored cyber operations may again use the tensions with the U.S. to attack U.S. companies.

The Advisory, entitled Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure, outlines various measures organizations can take to prepare for Russian-sponsored attacks, enhance their cyber posture, and increase organizational vigilance.

The Advisory states:

“CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting, as outlined in the Detection section. Additionally, CISA, the FBI, and NSA strongly urge network defenders to implement the recommendations listed below and detailed in the Mitigations section. These mitigations will help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation.”

The Advisory is a must read.

The U.S. Army tested drones and autonomous technology for the delivery of medical supplies on the battlefield last week in Fort Pickett, Virginia. In partnership with Near Earth Autonomy, a Pittsburgh-based drone research and development company, the Army conducted several test flights using Near Earth’s autonomous flight systems technology on an L3Harris FVR-90 hybrid unmanned aerial vehicle to see how drones could be used to send supplies back and forth over hundreds of miles. During these operations, the Near Earth sensors were able to find open areas for landing or, when landing was not possible, drop pods filled with medical supplies at a low altitude or via parachute from higher altitudes. In sum, all scenarios were tested to find the optimal method of delivery.

The goal of these test flights is to find a more efficient way to transport supplies to the Army’s operational units. The FVR-90 can carry up to 20 pounds (including refrigerated pods of blood and other medical supplies), fly for up to 16 hours, and travel approximately 50 miles. A further goal is to reduce the amount of blood that is often wasted during such operations. Blood is a perishable commodity: unused blood usually cannot be returned to blood banks before it expires. With these drones and autonomous technology, medics could return unused blood to the blood bank or send it on to another medic in a remote area who might need it.

The Army now seeks feedback from medics on this type of drone use and hopes to expand these types of operations to non-medical logistics as well.