FERC Requires New NERC Reliability Standards for Reporting Cyber Incidents

The Federal Energy Regulatory Commission (FERC) announced on July 19, 2018, that it is directing the North American Electric Reliability Corporation (NERC) “to develop and submit modifications to the NERC Reliability Standards to augment the mandatory reporting of cybersecurity incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the bulk electric system (BES).”

The rule will become effective 60 days after it is published in the Federal Register.

The 64-page Final Rule requires NERC to develop and submit modifications to the Reliability Standards to require the reporting of cybersecurity incidents “that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS).” Presently, reporting entities are only required to report cyber incidents that have “compromised or disrupted one or more reliability tasks.” The change is intended to “improve awareness of existing and future cybersecurity threats and potential vulnerabilities.”

The Final Rule consists of “four elements intended to augment” the current reporting requirements:

  1. “Responsible entities must report cybersecurity incidents that compromise, or attempt to compromise, a responsible entity’s ESP or associates EACMS:
  2. Required information in cybersecurity incident reports should include certain minimum information to improve the quality of reporting and allow for ease of comparison by ensuring that each report includes specified fields of information;
  3. Filing deadlines for cybersecurity incident reports should be established once a compromise or disruption to reliable BES operation, or an attempted compromise or disruption, is identified by a responsible entity; and
  4. Cybersecurity incident reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC), rather than the Commission, but the reports should also be sent to the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).”

The Final Rule also requires NERC to file an annual, public, and anonymized summary of the reports filed by entities with the Commission.

Virginia Bank, Hacked Twice with Phishing Schemes, Losing $2.4 Million

In a lawsuit against its insurance company requesting reimbursement for close to $2.4 million from two different hacking incidents, National Bank of Blacksburg detailed the intrusions, which are instructive of a sophisticated scheme against the financial services industry.

According to the lawsuit, the first theft took place on Memorial Day weekend of 2016. In that incident, an employee of the bank clicked on a phishing email (which reportedly was an infected Microsoft Word document) that was targeted to the employee. The opening of the document allowed malware to be introduced into the bank’s system, allowing the intruders access to a network that handles debit card transactions. The hackers were then able to disable security protections and used hundreds of Automatic Teller Machines (ATMs) across North America to steal from customer accounts to the tune of approximately $569,000.

The second incident occurred in January 2017. What appears to be the same hacking group originating in Russia gained access to the bank’s system through another phishing email scheme. During that incident, the hackers were able to access the same debit card system as the first time, and also to compromise a system that manages credits and debits to customers’ accounts. They used the system to credit more than $2 million to various accounts, then changed security protocols and measures and withdrew the fraudulent credits again using hundreds of ATMs. The intruders actually watched the bank’s system monitoring the money being taken out of customer accounts through ATMs.

The lawsuit outlines details of the schemes targeted against the bank’s employees, which is a sobering reminder of how vulnerable the financial services industry is, and how important employees are in the process of identifying and combating security incidents and fraud.

Air Force Drone Program Documents For Sale on Dark Web

It is being reported that a hacker is attempting to sell on the dark web classified U.S. Air Force documents related to the MQ-9 drone program. The reports state that a single hacker with moderate technical skills was able to infiltrate the computer of “a captain at the 432nd Aircraft Maintenance Squadron Reaper AMU OIC” to obtain highly sensitive information about the capabilities of the drone program. The hacker seeks payment of up to $200 for the information.

Equally concerning is the fact that the hacker responsible for the drone program information theft also has indicated having possession of additional military documents from an unidentified officer.

Uniform Law Commission Proposes New Drone Legislation

New model legislation introduced by the National Conference of Commissioners on Uniform State Laws (Uniform Law Commission) seeks to give property owners the right to the airspace above their property from 200 feet and below. In 1946, the U.S. Supreme Court decided that the airspace belonged to the federal government; in 1962, a court decision affirmed that federal law pre-empted local laws when it comes to aviation.

The model legislation seeks to regulate a largely unregulated area—the lowest reaches of the national airspace. Section 49 of the U.S. Code states that the Federal Aviation Administration (FAA) has the power to regulate “navigable airspace.” However, “navigable airspace” was never really defined. In 1946, the U.S. Supreme Court decided that the airspace belonged to the federal government; in 1962, a court decision affirmed that federal law pre-empted local laws when it comes to aviation. The FAA’s commercial drone usage regulations (Part 107) restrict, drone operators to 400 feet or less in most cases. This proposed legislation assigns the lower 200 feet of airspace to state governments for the purpose of creating an aerial trespass offense. Therefore, under this proposed legislation, if a drone operator were to fly over a yard at 199 feet, the drone would be trespassing. The proposed legislation mirrors land-trespass in that it would make the drone operator liable for trespass “irrespective of whether he… causes harm to any legally protected interest of the other.”

The FAA’s general counsel sent the Uniform Law Commission a letter this week stating that it had misrepresented the FAA’s viewpoints in drafts of its model rule and that “decades” of precedent contradicted what the Uniform Law Commission was trying to accomplish.

It’s possible that the FAA’s letter will end the Uniform Law Commission’s pursuit of this legislation; however, several property rights interest groups and municipalities are supporting it. On the other hand, delivery companies, air traffic control companies, and media outlets are strongly against such legislation.

The Uniform Law Commission is scheduled to discuss this proposed legislation during its annual meeting this week.

Privacy Tip #149 – LifeLock Customers Could Be Targeted with Phishing Campaign

We previously reported that LifeLock suffered a data breach and has been sued by the Federal Trade Commission for allegations of misleading customers [view related post], for which it settled with the FTC for $116 million [view related post] and then settled a suit alleging false statements to customers for $68 million [view related post].

If that isn’t enough, it is now being reported that LifeLock recently had a vulnerability in its website that allowed anyone with a web browser to index email addresses of millions of LifeLock’s customers. This could have allowed bad actors to have access to millions of legitimate email addresses that can be used in targeted phishing campaigns.

Apparently, LifeLock recently fixed the vulnerability, but security experts are concerned that because of the vulnerability, LifeLock customers may be targeted with phishing schemes that use LifeLock’s brand to trick them into clicking on malicious links and attachments that could introduce malware, ransomware or steal personal information of LifeLock’s customers.

LifeLock customers may wish to be extra vigilant (or as I like to say—“wicked paranoid”) about emails and phishing campaigns due to this vulnerability exposing their email addresses.

U.S. Moves Ahead with Federal “Fintech Sandbox” — CFPB Announces Creation of Office of Innovation

In an effort to promote the development of new financial technology (fintech) products, Mick Mulvaney, Acting Director of the Consumer Financial Protection Bureau (CFPB), announced last week the creation of the Office of Innovation. Mulvaney said the new division, to be run by Paul Watkins under the umbrella of the CFPB, is designed to foster an “environment where companies can advance new products and services without being unduly restricted by red tape that belongs in the 20th century.” A CFPB press release stated that the new office will focus on creating policies to facilitate innovation, engaging with entrepreneurs and regulators, and reviewing outdated or unnecessary regulations.

Watkins is notable for helping Arizona establish a similar state-level “regulatory sandbox” for cryptocurrencies and blockchain technology. Arizona’s FinTech Regulatory Sandbox, the first state fintech sandbox in the country, allows companies limited access to the Arizona marketplace in exchange for relaxed regulations. Other states, including Illinois, are currently exploring developing their own fintech sandboxes.

The CFPB’s sandbox is designed to take a similar approach and provide relief from certain regulatory requirements, creating a space where fintech firms will be free to toy with newer fintech products involving cryptocurrencies, other blockchain applications, microlending (lending by individuals rather than institutions) and mobile payments. In creating the Office of Innovation, the CFPB is working closely with the Commodities Futures Trading Commission, which last year established its own regulatory sandbox called “LabCFTC.”

While Arizona was the first state to institute a fintech “sandbox,” other countries, including the UK, Singapore, Australia, and United Arab Emirates, had already established their own “sandboxes” by the time Arizona joined the “sandbox” movement.

States Race to Embrace Blockchain Technology

Add Connecticut, Ohio and Vermont to the list of states passing legislation focused on the potential disruptive impact of blockchain – the technology underlying cryptocurrencies such as Bitcoin. As federal regulators continue to monitor and offer guidance in the cryptocurrency space, with particular focus on Initial Coin Offerings (ICOs), state legislatures around the country are looking to favorably position their respective states to attract businesses developing blockchain-based applications.

In Connecticut, the state legislature passed Special Act 18-8, which was signed by the governor on June 6, 2018, and which commissions the formation of a blockchain working group. Under the law, the working group is tasked with developing a “master plan for fostering the expansion of the blockchain industry” in Connecticut and with recommending  “policies and state investments to make Connecticut a leader in blockchain technology.” The working group’s findings and recommendations are scheduled to be submitted by January 1, 2019.

In Ohio, the legislature passed Senate Bill 220, which, in part, confirms that transactions recorded by blockchain technology are enforceable. The bill, passed on June 27 and awaiting signature from Governor John Kasich, is similar to bills previously passed in Arizona, Nevada and Vermont and grants legal recognition to blockchain transactions as being explicitly covered by the State’s Uniform Electronic Transactions Act.

Meanwhile, Vermont passed additional legislation directed to blockchain business models. Act No. 205 went into effect on July 1, 2018, and includes provisions authorizing the creation of “Blockchain-Based Limited Liability Companies” (BBLLCs), defined in the Act as a business that utilizes blockchain technology for a “material portion of its business activities.” If designated as a BBLLC, the business may use blockchain technology in performing corporate governance functions, including adopting voting procedures using smart contracts carried out on the blockchain. The law also tasks the Vermont State Archives and Records Administration and other public agencies with evaluating blockchain technology as a means for the “systematic and efficient management of public records” and to report on its findings and make legislative recommendations by January 15, 2019.

iPhone Users Targeted by New Malware Campaign

Cisco Talos has discovered a new menace to iPhone users—a sophisticated malware campaign targeting iPhones to trick users into downloading an open-source Mobile Device Management (MDM) solution that gives the hackers control of the phone. It is reported that Cisco and Apple are working together to combat the threat.

According to reports, once the MDM tool is downloaded and the hackers have control of the phone, they can steal information from the infected devices, including the phone number, serial number, location, contact information and basically everything else on the phone.

Cisco reports that the infected phones use iOS versions 10.2.1 to 11.2.6. It believes that the attackers were able to obtain the permissions required to infect the phones through extensive social engineering efforts.

Although the confirmed attacks against particular iPhone users are low, because they used malicious versions of Telegram and WhatsApp, security experts are warning users to be vigilant about downloading apps onto their phone, including mobile device management solutions, and to confirm that the MDM solution is sanctioned by employers or others issuing the solution.

Malware Attacks Up 75 Percent According to New Report

A new report issued by Positive Technologies finds that cyber incidents have increased 32 percent from the first quarter of 2017 to the first quarter of 2018. It also notes that the theft of account credentials is on the rise.

Alarmingly, the report states that the greatest increase in cyber-attacks was the use of malware attacks, which increased 75 percent from the first quarter of 2017 to the first quarter of 2018, and that malware was used in 63 percent of all attacks.

Spyware is used the most often, in order to obtain credentials to the system, and individuals continue to be the primary victims of malware attacks. Interestingly, 23 percent of malware attacks were conducted by cryptocurrency miners.

The report flagged the financial services industry, stating that IT professionals in the banking sector should be aware that hackers are targeting them not only to steal credentials, but also to gain sensitive access to client account balances, and that customer databases should be secured as much as possible.

MLB to Use Biometrics to Replace Traditional Ticketing

Traditional tickets (paper, that is) have already been replaced with mobile tickets for many Major League Baseball (MLB) stadiums across the country, but now, MLB has teamed up with CLEAR, which provides biometric authentication, to implement biometric ticketing at select stadiums. CLEAR will allow baseball fans to use their fingerprints, and eventually facial recognition, to enter the stadium. This program will begin later this season, and the full rollout will happen sometime next season.

In order for fans to use this CLEAR service, fans need to link their MLB.com account with a CLEAR account. MLB’s executive vice president, Noah Garden, said, “Our collaboration with CLEAR is an important new technology initiative, delivering safe, simple and seamless experience for fans. Developing a partnership that will truly unify emerging identity technology and ticketing is reflective of our commitments to always improving ballpark accessibility and maintaining critical security standards.”

Eventually, this program will expand to concession stands, allowing fans to pay for their food and drink with biometrics using their CLEAR accounts as well. CLEAR will even be able to validate the individuals age for alcohol sales.

LexBlog