Leland McMillan, Supervisor, NERC Services

NAES participates in and tracks various industry initiatives and organizations to stay abreast of pertinent issues.  The Electricity Information Sharing and Analysis Center (E-ISAC), in collaboration with the Department of Energy (DOE) and the Electricity Subsector Coordinating Council (ESCC), serves as the primary security communications channel for the electric industry and enhances industry’s ability to prepare for and respond to cyber and physical threats, vulnerabilities, and incidents.

Recently, the Department of Homeland Security issued an alert “Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad.” The following is a summary and the full E-ISAC Bulletin is located here.

E-ISAC BULLETIN:

As was widely reported in the media on January 2, 2020, a US airstrike outside Baghdad International Airport in Iraq killed six personnel, including the commander of Iran’s Quds Force Major General Qassem Soleimani, and Soleimani’s associate and de facto leader of the Iraqi Popular Mobilization Forces Abu Mahdi al-Muhandis. The Government of Iran has vowed “harsh retaliation” in response to Soleimani’s death but did not specify how or where.

This strike is the latest in a series of escalating tension and conflict in the last week, following US airstrikes in Syria targeting Iranian militia in response for several rocket attacks on US bases, and Iran-backed groups storming a portion of the US Embassy in Baghdad and staging violent demonstrations in the outer area of the facility.

Iran has a wide range of kinetic and cyber capabilities and has demonstrated the willingness to use them either directly or via proxy forces. Iran has historically used cyber capabilities as part of their response to geopolitical tension. Recent relevant activity attributed to Iranian actors can be found on the E-ISAC Portal.

The Cybersecurity and Infrastructure Security Agency (CISA) recommends organizations take the following actions:

1. Adopt a state of heightened awareness. This includes minimizing coverage gaps in personnel availability, more consistently consuming relevant threat intelligence, and making sure emergency call trees are up to date.
2. Increase organizational vigilance. Ensure security personnel are monitoring key internal security capabilities and that they know how to identify anomalous behavior. Flag any known Iranian indicators of compromise and tactics, techniques, and procedures (TTPs) for immediate response.
3. Confirm reporting processes. Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. Consider reporting incidents to CISA to help serve as part of CISA’s early warning system (see Contact Information section below).
4. Exercise organizational incident response plans. Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are your various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.

While there is presently no specific credible threat to the energy sector in North America, the E-ISAC recommends members heighten awareness of the situation and continue to exchange information with the E-ISAC. Additional details will be disseminated as this situation develops.  For additional information or to join E-ISAC, visit this link.