Mike’s Blog

The Electric Utility Industry Lacks Effective Regulation

 

FERC Must Hold Electric Utility Industry Accountable

I previously described what smells like an electric utility industry cover-up of a massive cyber breach which endangered the electric grid – and endangered countless American lives. In sum, a large utility company exposed a massive amount of data that could enable hackers or state actors to gain access to the electric grid. This appears to be a major violation which jeopardized the reliability of the electric grid. [Click here for details.]

We are talking about a threat to national security. We already know for a fact that the Russians have hacked into the electric utility industry. We know for a fact that the Iranian Revolutionary Guard has hacked into numerous government entities including the Federal Energy Regulatory Commission (FERC) – the electric grid’s federal regulator. And we know for a fact that North Korean hackers have also targeted the electric grid.

Yet the regulatory response of the North American Electric Reliability Corporation (NERC) and the Western Electricity Coordinating Council (WECC) to this massive data breach amounted to an “oopsy.” The unidentified utility agreed to pay a paltry 2.7 million dollar fine, did not admit fault and had its identity withheld in the regulatory filings on the incident. This provides no incentive to companies in the electric utility industry to protect the grid. If they violate cyber security standards, they can essentially get away with it.

The public has a right to know who endangered them and the details of the “settlement.”  So, yesterday I filed a motion to intervene in the case with the Federal Energy Regulatory Commission (FERC), requesting that the federal government review this matter and disclose the name of the company that endangered the electric grid. Read the motion below. I have also filed a Freedom of Information Act (FOIA) request with FERC.

Is NERC a legitimate regulatory body, or simply a proxy for the electric utility industry? As I have discussed, it is a struggle to even get rudimentary regulations through NERC.  If the electric utility industry – and NERC – is going to continue to fight efforts to secure the grid from known threats, we need the federal government to step up.

For starters, the Federal Energy Regulatory Commission must not allow this electric utility industry cover-up to stand.

Click here for PDF copy of motion

Click here for PDF copy of FOIA request


UNITED STATES OF AMERICA
BEFORE THE
FEDERAL ENERGY REGULATORY COMMISSION

 

NERC Full Notice of Penalty regarding                 )
Unidentified Registered Entity                               )            Docket No. NP18-7-000
 

 

REQUEST TO INTERVENE

Submitted to FERC on April 15, 2018

 

Michael Mabee, a private citizen, requests the Commission’s leave to intervene in the above-captioned docket, pursuant to 18 C.F.R. § 39.7(e)(4)[1]. My proposed intervention is limited to requesting that the Commission review this Notice of Penalty to ensure that it is in the public interest. Based on the limited public information available, this Notice of Penalty raises several significant public interest concerns.

Background on the Intervenor

I am a private citizen with expertise on emergency preparedness, specifically on community preparedness for a long-term power outage. My career includes experience as an urban emergency medical technician and paramedic, a suburban police officer, and in the federal civil service. In the U.S. Army, I served in two wartime deployments to Iraq and two humanitarian missions to Guatemala. I retired from the U.S. Army Reserve in 2006 at the rank of Command Sergeant Major (CSM). I was decorated by both the U.S. Army and the federal government for my actions on 9/11/2001 at the World Trade Center in New York City. In sum, I have a great deal of experience – both overseas and in the U.S. – working in worlds where things went wrong. I have studied the vulnerabilities of the U.S. electric grid to a variety of threats. My research led me to write two books about how communities can prepare for and survive a long-term power outage.[2] I continue to write extensively on emergency preparedness for blackout.

Background on FERC Docket No. NP18-7-000

On February 28, 2018 NERC issued a “Notice of Penalty regarding Unidentified Registered Entity”[3] in which the NERC-anonymized entity apparently agreed to pay penalties of $2,700,000 for two very serious violations of the Critical Infrastructure Protection (CIP) NERC Reliability Standards. According to NERC, this data breach involved “30,000 asset records, including records associated with Critical Cyber Assets (CCAs). The records included information such as IP addresses and server host names.”

According to NERC

“These violations posed a serious or substantial risk to the reliability of the bulk power system (BPS). The CCAs associated with the data exposure include servers that store user data, systems that control access within URE’s control centers and substations, and a supervisory control and data acquisition (SCADA) system that stores critical CCA Information. The data was exposed publicly on the Internet for 70 days. The usernames of the database were also exposed, which included cryptographic information of those usernames and passwords.

Exposure of the username and cryptographic information could aid a malicious attacker in using this information to decode the passwords. This exposed information increases the risk of a malicious attacker gaining both physical and remote access to URE’s systems. A malicious attacker could use this information to breach the secure infrastructure and access the internal CCAs by jumping from host to host within the network. Once in the network, the attacker could attempt to login to CCAs, aided by the possession of username and password information.”

Concerns Raised by the Publicly Available Information Which Should Trigger Commission Review

  1. Prompt reporting requirement: It is unclear from the publicly available information whether the Electric Reliability Organization (North American Electric Reliability Corporation) or the Regional Entity (Western Electricity Coordinating Council) “report[ed] promptly to the Commission any self-reported violation or investigation of a violation or an alleged violation of a Reliability Standard” in accordance with 18 CFR § 39.7(b). The Commission should determine whether this requirement was satisfactorily met.
  2. Identity of the “Unidentified Registered Entity.” NERC’s lack of transparency by hiding the identity of the “Unidentified Registered Entity” from the public is against the public interest and should not be allowed by the Commission.
    • At the time the matter was filed with the Commission, the name should have been disclosed publicly. 18 CFR § 39.7(b)(4) states that: “Each violation or alleged violation shall be treated as nonpublic until the matter is filed with the Commission as a notice of penalty or resolved by an admission that the user, owner or operator of the Bulk-Power System violated a Reliability Standard or by a settlement or other negotiated disposition.” [Emphasis added.] Therefore, when NERC filed their notice of penalty on February 28, 2018, the name of the entity should have been disclosed publicly.
    • The notice of penalty is defective. In accordance with 18 CFR § 39.7(d)(1), the notice of penalty must include “[t]he name of the entity on whom the penalty is imposed.”
    • NERC cannot argue that the name of the entity is Critical Energy Infrastructure Information (CEII). FERC Order No. 833 holds that the Commission’s practice is that information that “simply give[s] the general location of the critical infrastructure” or simply provides the name of the facility is not Critical Energy Infrastructure Information (CEII).[4] We also note that the name of the entity has been widely speculated in the media.[5] NERC withholding the name of the entity is against the public interest.
    • NERC cannot argue that this should be a non-public proceeding related to a “cybersecurity incident”[6] as this does not meet the regulatory definition of a “cybersecurity incident.”[7] According to NERC, this incident was not a “malicious act” as the definition of “cybersecurity incident” requires – rather it was a colossal blunder on the part of the regulated entity. The public has the right to know who endangered them.
  3. The terms of the settlement agreement are suspicious and should be reviewed by the Commission to ensure that they are fair and in the public interest. The relatively light penalty and non-admission clause raise immediate concerns. If the Western Electricity Coordinating Council truly concluded, as NERC states, that two violations of the Critical Infrastructure Protection (CIP) Reliability Standards were committed, why is the entity being allowed to enter an agreement where it “neither admits nor denies the violations”? Such an agreement is against the public interest as it does not serve as a deterrent for future violations in the industry. What strong incentive is there for regulated entities to adhere to Critical Infrastructure Protection (CIP) Reliability Standards if the penalties are light, they do not have to admit fault for violations, and their identity will not be disclosed?
  4. The settlement agreement should be released to the public. The terms of the agreement are only vaguely discussed in the notice of penalty and therefore should be available for public scrutiny. There could be terms that are contrary to the public interest (such as any form of confidentiality clause).

Conclusion:

For the foregoing reasons, I request that the Commission fully review the notice of penalty and the surrounding circumstances to ensure that the resolution is in the public interest and that the identity of the “Unidentified Registered Entity” is promptly disclosed to the public.

 

Respectfully submitted by:

 

Michael Mabee


End Notes:

[1] On March 30, 2018, the Commission extended until May 29, 2018, the time period for consideration whether to review on its own motion the penalty contained in the Notice of Penalty in Docket No. NP18-7-000. 162 FERC ¶ 61,291.

[2] Mabee, Michael. The Civil Defense Book: Emergency Preparedness for a Rural or Suburban Community. ISBN-13: 978-1974320943, first edition published July 4, 2013, second edition published October 17, 2017.

[3] NERC “Full Notice of Penalty regarding Unidentified Registered Entity FERC Docket No. NP18-_-000.”  February 28, 2018. http://www.nerc.com/pa/comp/CE/Enforcement%20Actions%20DL/Public_CIP_NOC-2569%20Full%20NOP.pdf (accessed April 7, 2018).

[4] Order No. 833 at pg. 17. Also see 18 C.F.R. §388.113(c)(1)(iv).

[5] Information Security Media Group. “US Power Company Fined $2.7 Million Over Data Exposure – Grid Regulator Says Company Left Critical Data Exposed for 70 Days.” March 14, 2018.  https://www.bankinfosecurity.com/us-power-company-fined-27-million-over-data-exposure-a-10715 (accessed April 7, 2018); Gizmodo Media Group. “US Power Company Fined $2.7 Million Over Security Flaws Impacting ‘Critical Assets’.” March 13, 2018. https://gizmodo.com/us-power-company-fined-2-7-million-over-security-flaws-1823745994 (accessed April 7, 2018).

[6] 18 CFR § 39.7(e)(7)

[7] 18 CFR § 39.1 defines “cybersecurity incident” as “a malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of those programmable electronic devices and communications networks including hardware, software and data that are essential to the Reliable Operation of the Bulk-Power System.”


 


A NERC Cover-Up? Who Put the Electric Grid at Risk?

 

 

A NERC Cover-Up?

This incident has the olfactory bouquet of a NERC cover-up: On February 28, 2018 the North American Electric Reliability Corporation (NERC) submitted a proposed “Notice of Penalty” to the federal government against an “Unidentified Registered Entity.” This entity was responsible for a massive data breach that, according to NERC, posed a “serious or substantial risk” to the electric grid. Is there any legitimate reason that the public is not allowed to know who put us at risk?

Alas, a NERC cover-up really should not come as a surprise since NERC is actually just a proxy for the electric utility industry.

Q: Who actually regulates the grid? A: The grid.

Perhaps a bit of background is in order for those unfamiliar with the regulatory scheme of the electric grid. First of all, the federal regulator for the electric grid is an obscure agency called the Federal Energy Regulatory Commission (FERC). But in reality, “the grid” is self-regulated. “The grid” is actually thousands of companies – both public and private sector – who are involved in the generation, transmission and distribution of electric power. These companies – much like Wall Street – regulate themselves through an entity known as the North American Electric Reliability Corporation, or NERC. The law allows FERC to designate an entity as what is known as the “Electric Reliability Organization” (ERO). This ERO makes the rules – including grid security regulations – and submits them to FERC for approval. NERC is the Commission-certified Electric Reliability Organization.

NERC’s annual funding is provided through assessments to the entities that it regulates. Moreover,  although technically anybody can become a “member” of NERC, the membership structure stacks the deck in favor of the electric industry as far as the election of NERC’s “independent trustees” (the board that governs NERC). NERC accomplishes this shell-game by assigning all members to one of 12 groups. According to NERC rules:

“Each member will join only 1 of 12 industry sectors and be eligible for selection as a sector representative on the NERC Member Representatives Committee (MRC). The MRC elects NERC’s independent trustees, votes on amendments to the bylaws, and provides advice and recommendations to the Board with respect to the development of annual budgets, business plans and funding mechanisms, and other matters pertinent to the purpose and operations of NERC.”

So what are the “12 industry sectors?”

1. Investor-owned utility
2. State/municipal utility
3. Cooperative utility
4. Federal or provincial utility/Federal Power Marketing Administration
5. Transmission-dependent utility
6. Merchant electricity generator
7. Electricity marketer
8. Large end-use electricity customer
9. Small end-use electricity customer
10. Independent system operator/regional transmission organization
11. Regional entity
12. Government representatives

In other words, two sectors are customers and one is the government. The other nine are the electric industry. The electric industry gets 9 votes – the customers and the government get 3. If that is not a stacked deck, I don’t know what is. So NERC is literally funded, run and its leadership elected by the electric utility industry  that it allegedly regulates. As we have seen lately in the fight for cybersecurity regulations, if the grid does not want to be regulated, it has means to resist being regulated.

Back to the NERC Cover-Up

The details provided by NERC are vague (likely in order to protect the guilty). At an unknown date in the past – but likely 2016 based on the “NERC Violation ID” number on page 2 – the NERC-anonymized entity experienced a horrific data breach. According to NERC, this data breach involved “30,000 asset records, including records associated with Critical Cyber Assets (CCAs). The records included information such as IP addresses and server host names.”

According to NERC

“These violations posed a serious or substantial risk to the reliability of the bulk power system (BPS). The CCAs associated with the data exposure include servers that store user data, systems that control access within URE’s control centers and substations, and a supervisory control and data acquisition (SCADA) system that stores critical CCA Information. The data was exposed publicly on the Internet for 70 days. The usernames of the database were also exposed, which included cryptographic information of those usernames and passwords.

Exposure of the username and cryptographic information could aid a malicious attacker in using this information to decode the passwords. This exposed information increases the risk of a malicious attacker gaining both physical and remote access to URE’s systems. A malicious attacker could use this information to breach the secure infrastructure and access the internal CCAs by jumping from host to host within the network. Once in the network, the attacker could attempt to login to CCAs, aided by the possession of username and password information.”

[Image: FERC Docket No. NP18-7-000]

This is really really bad. Imagine what would happen if North Korea, Iran, Russia or China came into possession of such a treasure trove of information to access the electric grid?

As bad as this is, the NERC-anonymized entity does not admit any fault and agrees to pay a paltry $2,700,000 fine for what might be the worst threat to national security of the 21st century. This is the settlement proposal that NERC wants the federal government to sign off on.

And, NERC thinks the public does not have a right to know who the violator is.

It appears from a separate filing that is not available to the public that NERC is claiming that the identity of the violator is “Critical Energy Infrastructure Information” (CEII). We can’t tell for sure since we do not have access to the document. But FERC regulations and policy hold that information that “simply give[s] the general location of the critical infrastructure” or simply provides the name of the facility is not Critical Energy Infrastructure Information (CEII). We agree. The breach is over and has been allegedly “mitigated” according to NERC. Why does the public not have the right to know who endangered us?

Message to FERC

Notwithstanding NERC’s lack of transparency in hiding the identity of the “Unidentified Registered Entity,” such a NERC cover-up is against the public interest and should not be allowed by FERC. On March 30, 2018, FERC announced that it is delaying approval of the NERC Notice of Penalty until May 29, 2018. (FERC Docket No. NP18-7-000.) One can only hope that this means FERC intends to review this extremely fishy NERC cover-up.

 


(Possible Spoiler Alert: The identity of the NERC-anonymized entity has been speculated in the press here and here.)


 


Grid Cybersecurity: The Critical Infrastructures Are Under Attack

 

 

Click Here for PDF Copy

UNITED STATES OF AMERICA
BEFORE THE
FEDERAL ENERGY REGULATORY COMMISSION

 

Supply Chain Risk Management                        )
Reliability Standards                                            )                           Docket No. RM17-13-000

 

COMMENTS OF MICHAEL MABEE
Submitted to FERC on March 25, 2018

Michael Mabee respectfully submits comments on FERC Docket No. RM17-13-000, Supply Chain Risk Management Reliability Standards.

 

Background:

I am a private citizen with expertise on emergency preparedness, specifically on community preparedness for a long-term power outage. My career includes experience as an urban emergency medical technician and paramedic, a suburban police officer, and in the federal civil service. In the U.S. Army, I served in two wartime deployments to Iraq and two humanitarian missions to Guatemala. I retired from the U.S. Army Reserve in 2006 at the rank of Command Sergeant Major (CSM). I was decorated by both the U.S. Army and the federal government for my actions on 9/11/2001 at the World Trade Center in New York City. In sum, I have a great deal of experience – both overseas and in the U.S. – working in worlds where things went wrong.

I have studied the vulnerabilities of the U.S. electric grid to a variety of threats. My research led me to write two books about how communities can prepare for and survive a long-term power outage.[1] I continue to write extensively on emergency preparedness for blackout.

 

The United States Critical Infrastructures Are Under Attack

On March 15, 2018, the U.S. Department of Homeland Security, US-CERT released an alert entitled “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors.”[2] At the same time, it was widely reported in the press that the Trump Administration accused Russia of hacking into the U.S. electric grid.[3] A copy of US-CERT Alert TA18-074A is appended hereto as Exhibit 1 in order to place it in the docket record.

Significantly, DHS reported that: “Since at least March 2016, government cyber actors—hereafter referred to as ‘threat actors’—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”

Further, DHS reported that: “This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as ‘staging targets’ throughout this alert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the ‘intended target’.”

This was hardly news. On July 6, 2017 Bloomberg reported: “Hackers working for a foreign government recently breached at least a dozen U.S. power plants, including the Wolf Creek nuclear facility in Kansas, according to current and former U.S. officials, sparking concerns the attackers were searching for vulnerabilities in the electrical grid.”[4]

Also, on March 23, 2018, the U.S. Department of Justice reported that the Iranian Revolutionary Guard hacked numerous institutions including the Federal Energy Regulatory Commission (FERC).[5] The press release is attached as Exhibit 2 in order to place it in the docket record. This state-sponsored cyber incident was widely reported in the press.[6] According to the Washington Examiner article:

Justice Department lawyers pointed out during a press conference that the Federal Energy Regulatory Commission “has the details of some of this country’s most sensitive infrastructure,” said U.S. Attorney Geoffrey Berman. “That is the agency that regulates the interstate transmission of electricity, natural gas and oil.”

In a comment to Bloomberg, FERC Commissioner Neil Chatterjee noted on March 23, 2018 that: “cyberattacks have the potential to cause significant, widespread impacts on energy infrastructure. Sophisticated hacking tools are becoming more widely available, and cyber threats are constantly evolving, making such attacks more versatile.”[7]

The industry through its proxy, NERC, here again is attempting to take a minimalistic approach to grid cybersecurity because to do more would be “burdensome” to NERC’s constituents.

 

FERC’s Mandate to Act in the Public Interest

16 U.S.C. § 824o(d)(2)  provides that: “The Commission may approve, by rule or order, a proposed reliability standard or modification to a reliability standard if it determines that the standard is just, reasonable, not unduly discriminatory or preferential, and in the public interest.” [Emphasis added.]

Thus FERC is charged with serving the public interest. Not the interests of NERC and/or the electric utility industry. The public interest demands that the federal government ensure that the critical infrastructures are adequately protected against known threats. In this case, the cybersecurity of the U.S. bulk power system is not a matter of industry avoiding “burden”; it is a matter of paramount importance for the federal government.

In order to serve the public interest, FERC should not rubber-stamp NERC’s proposed rules, but exercise due diligence and carefully consider the public comments, particularly those from outside the regulated industry.

 

The Bulk Power System cannot be trusted to regulate itself on cybersecurity

Despite years of active attacks on the bulk power system (and its federal regulator) by state sponsored actors, the North American Electric Reliability Corporation (NERC) states that the proposed Reliability Standards should apply only to medium and high impact BES Cyber Systems – essentially making most systems “exempt” from the rules and leaving most of the discretion to apply the rules to the industry.

With apologies to Yogi Berra, “it’s déjà vu all over again.” As we saw from docket no. RM18-2-000 (Cyber Security Incident Reporting Reliability Standards), there is a “gap” between what the industry reports as a cybersecurity incident and what common sense would say is a cybersecurity incident. The evidence of the industry’s inability to regulate itself through “best practices” continues to mount.

For example, on May 30, 2016 cybersecurity expert Chris Vickery reported a massive data breach by Pacific Gas and Electric (PG&E).[8] According to Mr. Vickery:

“Among other things, it contained details for over 47,000 PG&E computers, virtual machines, servers, and other devices. All of it completely unprotected. No username or password required for viewing. We’re talking about IP addresses, operating systems, hostnames, locations, MAC addresses, and more. This would be a treasure trove for any hostile nation-state hacking group. That’s not to mention the 120 hashed employee passwords, or the plaintext NTLM, SOAP, and mail passwords.”

This breach sounds exceedingly bad. North Korea, Iran or Russia having access to PG&E’s systems is a national security concern. What would happen to neighboring parts of the bulk power system if PG&E was suddenly taken down by a cyberattack?

Then on February 28, 2018 NERC issued a “Notice of Penalty regarding Unidentified Registered Entity”[9] in which the NERC-anonymized entity apparently agreed to pay penalties of $2,700,000 for very serious cybersecurity violations. (FERC Docket No. NP18-7-000.) According to NERC, this data breach involved “30,000 asset records, including records associated with Critical Cyber Assets (CCAs). The records included information such as IP addresses and server host names.”

According to NERC

“These violations posed a serious or substantial risk to the reliability of the bulk power system (BPS). The CCAs associated with the data exposure include servers that store user data, systems that control access within URE’s control centers and substations, and a supervisory control and data acquisition (SCADA) system that stores critical CCA Information. The data was exposed publicly on the Internet for 70 days. The usernames of the database were also exposed, which included cryptographic information of those usernames and passwords.

Exposure of the username and cryptographic information could aid a malicious attacker in using this information to decode the passwords. This exposed information increases the risk of a malicious attacker gaining both physical and remote access to URE’s systems. A malicious attacker could use this information to breach the secure infrastructure and access the internal CCAs by jumping from host to host within the network. Once in the network, the attacker could attempt to login to CCAs, aided by the possession of username and password information.”

Notwithstanding NERC’s lack of transparency in hiding the identity of the “Unidentified Registered Entity,” such a cover-up is against the public interest and should not be allowed by FERC. The PG&E data breach in 2016 and NERC’s cover-up of the identity of the “Unidentified Registered Entity” — who by NERC’s own admission was involved in a dangerous data breach[10] — is ample proof that a watchful regulator is necessary to protect the bulk power system.

 

Millions of Americans placed at risk so the industry can avoid “administrative burden”

NERC argues in its petition that it would be “overly burdensome” to require protections to low impact BES Cyber Systems.[11] NERC is egged on by the industry through largely template comments, for example:

  • “CHPD believes this requirement will place substantial additional administrative burden on entities with low impact assets.”[12]
  • “PRPA believes this requirement will place substantial additional administrative burden on entities with low impact assets.”[13]
  • “SRP believes this requirement will place substantial additional administrative burden on entities with low impact assets.”[14]
  • “OUC believes this requirement will place substantial additional administrative burden on entities with low impact assets.”[15]
  • “Santee Cooper believes this requirement will place substantial additional administrative burden on entities with low impact assets.”[16]
  • “LCRA believes this requirement will place substantial additional administrative burden on entities with low impact assets.”[17]
  • “XXX believes this requirement will place substantial additional administrative burden on entities with low impact assets.”[18] (Note: Apparently, Austin Energy did not carefully proofread the industry’s template response before submitting it.)

In fact, there are 172 instances of the word “burden” in industry comments on FERC Docket RM17-13-000. The industry may believe that cybersecurity is a burden, but it is FERC’s job to protect the public by protecting the nation’s critical infrastructure.

North Korea, Iran, Russia, China and perhaps others would appreciate the Commission concluding that cybersecurity protection of the bulk power system is too much of an “administrative burden.” These foreign powers might submit comments in support of NERC’s proposals if it were not for the already diligent efforts of the utility industry to avoid appropriate cybersecurity regulation.

 

Conclusion:

According to the NOPR, “[t]he NERC Compliance Registry, as of December 2017, identifies approximately 1,250 unique U.S. entities that are subject to mandatory compliance with Reliability Standards.”[19] This is a large number of targets that, if they fail to secure their systems, can provide access to the nation’s critical electric infrastructure.

I urge FERC to require NERC to apply cybersecurity standards to all BES cyber systems – including allegedly “low impact” systems. The industry must not have the discretion to determine which cyber systems are easy (and inexpensive) to protect and which are “burdensome” to protect.

FERC’s duty here is clear. The Commission must protect electric reliability and by doing so, protect life. The threats to the electric grid constitute a national security issue. This is not a matter of a benevolent government being friendly to businesses. This is a matter of national security and the very real threat to millions of Americans’ lives.

 

Respectfully submitted by:

Michael Mabee


End Notes:

[1] Mabee, Michael. The Civil Defense Book: Emergency Preparedness for a Rural or Suburban Community. ISBN-13: 978-1974320943, first edition published July 4, 2013, second edition published October 17, 2017.

[2] Alert (TA18-074A) https://www.us-cert.gov/ncas/alerts/TA18-074A (accessed March 15, 2018).

[3] See for example, Gizmodo: “FBI and DHS Warn That Russia Has Been Poking at Our Energy Grid.” https://apple.news/AHv5RwYqbSf-EI-yIa355Jw (accessed March 15, 2018); Washington Free Beacon: “Russia Implicated in Ongoing Hack on U.S. Grid.” https://apple.news/AGs6ieh6wSP-1tQkUFttREA (accessed March 15, 2018); Slate: “What Does It Mean to Hack an Electrical Grid?” https://apple.news/Au5gy7bTlTDSovpvzg5j79w (accessed March 15, 2018); BuzzFeed News: “The Trump Administration Is Accusing Russia Of Trying To Hack The US Power Grid.” https://apple.news/AP5elUw2CQWmAZXgQBXLFKA (accessed March 15, 2018).

[4] Bloomberg. “Russians Are Suspects in Nuclear Site Hackings, Sources Say.” July 6, 2017. https://www.bloomberg.com/news/articles/2017-07-07/russians-are-said-to-be-suspects-in-hacks-involving-nuclear-site (accessed March 17, 2018).

[5] U.S. Department of Justice. “Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps.” March 23, 2018. https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary (accessed March 23, 2018).

[6] Washington Examiner: “Iranian hackers targeted power grid watchdog, Justice Department says.” March 23, 2018. https://www.washingtonexaminer.com/policy/energy/iranian-hackers-targeted-power-grid-watchdog-justice-department-says (accessed March 23, 2018).

[7] Bloomberg. “Threat from Cyber Hackers is Growing, U.S. Grid Regulator Says” https://www.bloomberg.com/news/articles/2018-03-23/threat-from-cyber-hackers-is-growing-u-s-grid-regulator-says (accessed March 24, 2018).

[8] Vickery, Chris. “Pacific Gas and Electric Database Exposed.” https://mackeeper.com/blog/post/231-pacific-gas-and-electric-database-exposed (accessed March 23, 2018).

[9] NERC “Full Notice of Penalty regarding Unidentified Registered Entity FERC Docket No. NP18-_-000.” February 28, 2018. http://www.nerc.com/pa/comp/CE/Enforcement%20Actions%20DL/Public_CIP_NOC-2569%20Full%20NOP.pdf (accessed March 23, 2018).

[10] FERC Docket No. NP18-7-000.

[11] Petition Of The North American Electric Reliability Corporation for Approval of Proposed Reliability Standards  CIP-013-1, CIP-005-6, and CIP-010-3 Addressing Supply Chain Cybersecurity Risk Management. September 26, 2017. Page 17.

[12] Id. at pg. 499.

[13] Id. at pg. 500.

[14] Id. at pg. 507.

[15] Id. at pg. 531.

[16] Id. at pg. 538.

[17] Id. at pg. 539.

[18] Id. at pg. 501.

[19] FERC NOPR Docket No. RM17-13-000 at pg. 28.


Exhibit 1 US-CERT Alert TA18-074A Russian Government Cyber Activity

Exhibit 2 US-DOJ Iranians Charged With Massive Cyber Theft