From: Joy Ditto
To: Public Power Utility Leadership
Re: Cybersecurity Concerns during Pandemic Response
I hope you and your staffs are well and continue to navigate this unprecedented and fluid situation. As many public power utilities implement work-from-home requirements for non-field staff, we wanted to share the guidance, below, developed in coordination with our government partners from the U.S. Department of Energy and Department of Homeland Security. This is a reminder that when we bring our computer equipment home, we also need to bring home our culture of cybersecurity to protect our networks from those who would exploit this national emergency for their personal gain.
We are following this guidance ourselves. As many of you have heard, APPA has closed its physical office through April 15, and our staff will continue operations remotely using company-issued laptops and commercial communications to access our corporate IT network and applications.
In addition, we’d like to remind you of some of the tools we’ve developed for you to support your cybersecurity efforts:
- Public Power Cybersecurity Scorecard Tool
- Cybersecurity Roadmap
- Public Power Incident Response Playbook
I have also attached a copy of the APPA Weekly Situation Report that is available to all members on our security list serv. If you are not currently signed up for our list servs please request access by emailing: [email protected]. Also share with us your insights and lessons learned as we all address the challenges of remote work for the near term.
Thank you and please let us know if APPA can be of service during these trying times. We have a portion of our website devoted to COVID-19 response that we encourage you to reference – www.publicpower.org
U.S. Department of Energy
Office of Cybersecurity, Energy Security, and Emergency Response
Maintaining Heightened Cybersecurity Awareness in the Energy Sector
In response to the COVID-19 pandemic, the U.S. Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) is in regular communication with energy sector partners across the government and energy industry. Please know that CESER will continue to coordinate with interagency and energy sector partners to closely monitor any threats or potential threats to the energy system.
Acting as the Sector Specific Agency for Energy and the coordinating agency for Emergency Support Function #12, CESER is advising energy sector partners to remain vigilant to cybersecurity threats.
Malicious actors may attempt to capitalize on public fears by launching phishing attacks to gain unauthorized access to critical energy control systems. A dynamic operating environment could allow bad actors to target companies with emails that contain malicious attachments or links to fraudulent websites in order to trick victims into revealing sensitive information or performing actions such as donating to fraudulent charities. CESER recommends that executive leadership emphasize with company personnel the need to be cognizant of the risk from external emails, phishing, and social engineering. Please exercise extreme caution when opening any emails related to COVID-19 and clearly establish good sources of communication to avoid confusion with misinformation.
CESER also encourages energy sector companies to assess the full breadth of risk within the supply chain, including that of managed service providers (MSPs) and how COVID-19 may affect service providers’ approaches to service delivery. In addition, companies will want to understand how MSP approaches may affect their overall risk posture, in particular with MSPs outside of the Continental United States.
Please reference Insights from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to help think through physical, supply chain, and cybersecurity issues that may arise from the spread of COVID-19.
Additionally, as many organizations may consider alternate workplace and telework options, CESER encourages you to adopt a heightened state of cybersecurity and review the March 13th CISA alert on Enterprise Virtual Private Network Security Concerns and Mitigations.