Groups Urge FERC To Convene Forum On Internal Network Security Monitoring Proposal
April 20, 2022
by Paul Ciampoli
APPA News Director
Before the Federal Energy Regulatory Commission (FERC) moves to develop new or modified mandatory reliability standards related to internal network security monitoring, it should first convene a forum that would allow for an exchange of information on the state and availability of existing technology, as well as its cost and efficacy, the American Public Power Association (APPA) and several other trade associations recently said.
APPA was joined in submitting comments in late March at FERC by the Edison Electric Institute, the Electric Power Supply Association, the Large Public Power Council, and the National Rural Electric Cooperative Association (Docket No. RM22-3).
The trade groups submitted the comments in response to a FERC notice of proposed rulemaking (NOPR) issued in January 2022. The NOPR proposes to direct the North American Electric Reliability Corporation (NERC) to develop new or modified mandatory reliability standards requiring internal network security monitoring within a trusted critical infrastructure protection networked environment for high and medium impact bulk electric system (BES) cyber systems.
The groups said that they agree with the Commission that the implementation of internal network security monitoring in some form may improve the security posture of responsible entities owning or operating high impact BES cyber systems.
But they also argued that there are significant obstacles to the near-term implementation of this technology.
APPA and the other groups noted that forms of internal network security monitoring are in their infancy, only now being utilized by a relatively small group of utilities, and the necessary technology is not widely available.
Moreover, there is a limited group of subject matter experts (SMEs) capable of working with the technology, the groups told FERC.
“Further, related processes associated with the application of the technology (particularly, ‘baselining’ existing network traffic and ‘packet capture’ and analysis) are expected to be challenging, and consensus concerning best practices has not yet been reached,” the groups said in their comments.
Therefore, before issuing any directive, the groups said that FERC should convene a forum in which Commission staff, stakeholders, SMEs and NERC staff can exchange information on the state and availability of existing technology, as well as its cost and efficacy.
APPA and the other groups said that this discussion could help inform decisions regarding the most effective ways to deploy internal network security monitoring for high-impact BES cyber systems, while also assessing the potential benefits and challenges of applying internal network security monitoring requirements to all medium-impact BES cyber systems, for which internal network security monitoring is likely to have limited utility.
The discussion could also include how to accomplish the security objectives the Commission seeks to achieve using the internal network security monitoring tool given the rapidly evolving market for cybersecurity tools, they went on to say.
Following this discussion, and assuming the Commission moves ahead with a directive, the groups “ask that it be limited to high-impact BES cyber systems and medium-impact BES cyber systems at control centers for now.”
APPA and the other groups also said that use of internal network security monitoring for low-impact BES cyber systems is unlikely to be practicable, would increase rather than mitigate risk to the BES, and would not be cost-effective from a BES reliability perspective.
“Accordingly, any directive issued by the Commission should not extend to low-impact assets, or to any subset thereof,” they said.
Agencies Warn Of Cyber Threats Against ICS/SCADA Devices
April 18, 2022
by Paul Ciampoli
APPA News Director
The Department of Energy, Cybersecurity and Infrastructure Security Agency, National Security Agency and Federal Bureau of Investigation are warning that certain advanced persistent threat actors have shown the capability to gain full system access to multiple industrial control system/supervisory control and data acquisition devices.
Those devices include Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers, the agencies said in an alert.
The actors have developed custom-made tools for targeting industrial control system/supervisory control and data acquisition devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network.
Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities, the agencies said.
By compromising and maintaining full system access to industrial control system/supervisory control and data acquisition devices, these actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.
The agencies urged critical infrastructure organizations, especially energy sector organizations, to implement the detection and mitigation recommendations provided in the alert to detect potential malicious advanced persistent threat activity and harden their industrial control system/supervisory control and data acquisition devices.
The alert is available here.
Report Offers Recommendations Tied To Grid Security Exercise
April 13, 2022
by Paul Ciampoli
APPA News Director
Continuing to enhance routine and emergency operations coordination between the electricity industry and natural gas providers and boosting operational coordination between the electricity industry and communications providers are recommendations flowing from a November 2021 grid security exercise that included a significant number of public power participants.
Over two days, more than 700 planners led their organizations’ efforts to exercise their response and recovery plans in the face of simulated, coordinated cyber and physical attacks on the North American bulk power system and other critical infrastructure during the exercise, GridEx VI.
Hosted every two years by the North American Electric Reliability Corporation’s Electric Information Sharing and Analysis Center (E-ISAC), GridEx is the largest grid security exercise in North America.
In 2021, GridEx participants expanded to include more representation from public power, co-op and municipal entities, Canadian partners and other critical infrastructure sectors, such as natural gas, original equipment manufacturers, financial services, and telecommunications, NERC said. Approximately 60 public power utilities participated.
The E-ISAC divided play into two portions. Distributed Play, held on November 16–17, 2021, provided the opportunity for operational participants across North America to exercise the resilience of the electricity system. The Executive Tabletop, held on November 18, 2021, convened industry executives and government leadership from the United States and Canada to explore the challenges presented by a severe cyber and physical attack against the grid.
On April 7, 2022, NERC released a lessons learned report related to GridEx VI.
Executive Tabletop Overview
Executives and leaders from 88 organizations, almost 200 individuals in total, joined the GridEx VI Executive Tabletop.
Participants included senior representation from U.S. and Canadian government entities and executive leaders representing U.S. and Canadian cooperatives, investor- and publicly-owned utilities, and independent system operators.
The lessons learned report said that the E-ISAC took steps to diversify participation in GridEx VI to account for a wider range of perspectives when exploring the Tabletop scenario.
This resulted in greater participation from interdependent industries, such as natural gas and telecommunications, an active role for Canadian Government partners, and wider U.S. Government representation, including representatives from state government. The active participation of representatives from the Canadian government and interdependent industries in particular added significant value to the Tabletop as reflected in the report’s recommendations, the report noted.
Details on Tabletop Scenario
The Tabletop scenario prompted participants to assess the impact of serious cyber and physical security attacks and take the actions needed to respond; communicate effectively; restore power; and address serious public health, safety, and grid security challenges.
The Tabletop exercise was designed in four phases to simulate how industry and government would respond to a sophisticated, well-coordinated cyber and physical attack.
These phases were as follows:
- Phase 1—The First Hour after the Attacks: Challenging operating conditions further degrade reliability when the Western Interconnection splits into two islands after a transmission disturbance initially assumed to be caused by wildfires.
- Phase 2—The Next Morning: Attacks on electricity and natural gas infrastructure cause widespread power outages affecting many high-priority customers, including defense-critical facilities.
- Phase 3—Later that Day: Telecommunications disruptions impair power system restoration activities and complicate coordination with government. Wind generation resources are disrupted by widespread control and response issues.
- Two Weeks and Beyond: The Western Interconnection is restored and customer load is eventually reconnected, but energy and capacity margins are tight for the foreseeable future. Active cyberattacks have ceased.
During plenary and breakout sessions, facilitators led participants through discussions designed to simulate the communication and coordination that would occur during a real event.
Executive Tabletop Recommendations
Among the recommendations included in the lessons learned report related to the executive tabletop is that industry and government should continue to build effective communications procedures and systems to share operational information.
“The electricity industry has robust grid monitoring and control capabilities that have withstood the test of emergency situations over decades of operation. However, the Tabletop scenario presented conditions that severely strained the industry’s ability to communicate operational status to their many external stakeholders, including state/provincial and local government,” the report said. “In addition, the scenario’s involvement of a nation-state adversary added a layer of complexity regarding how and with whom to share highly sensitive information.”
The report also recommends that there be continued enhancements to routine and emergency operations coordination between the electricity industry and natural gas providers.
The scenario included disruptions of natural gas to generating stations, the report noted. “Compared with the previous Tabletop two years ago, the discussion benefitted from the more robust participation of natural gas operators, the Oil and Natural Gas Subsector Coordinating Council, and natural gas trade associations in the United States and Canada.”
Strengthening operational coordination between the electricity industry and communications providers is another recommendation.
“The critical interdependencies between the electricity and communications sectors are well-understood and have often been a prominent component of the GridEx series of exercises,” the report said. “This time, the Tabletop scenario featured a widespread loss of landline and cellular communications while electricity utilities were recovering from the cyber and physical attacks and restoring the grid. Participants agreed that the loss of communications would essentially halt the grid restoration process.”
Other recommendations related to the tabletop exercise are:
- Continue to reinforce relationships between governments in the United States and Canada to support industry response to grid emergencies
- Clarify the differing crisis communications roles of the Electricity Subsector Coordinating Council (ESCC) and Reliability Coordinators (RC) with government and their members, including Canadian members
- Continue to build effective communications procedures and systems to share security information
- Continue to build on understanding of grid security emergency order development and consultation processes
Distributed Play Scenario
The GridEx VI Distributed Play scenario saw a nation-state target the North American grid with cyber and physical attacks that spanned two days.
Incidents ranged from disinformation on social media to cyberattacks that targeted industrial control systems.
The E-ISAC divided the two-day exercise into four moves. The E-ISAC also developed “Move 0,” which included optional material in the week preceding the exercise to prepare players for the incidents that would follow.
The E-ISAC developed a series of physical, cyber, and operational injects in partnership with subject matter experts, expert planners, and partners from the SANS Institute, Idaho National Laboratory, and the National Renewable Energy Laboratory to ensure that the exercise reflected the complex threat the grid faces today, the report noted.
The E-ISAC developed a scenario and a Master Scenario Event List, but the planners were encouraged to customize the scenario to meet their needs. Consequently, the timing, content, and substance of exercise play varied between participating organizations.
The Distributed Play Scenario drove observations and recommendations, captured in the GridEx VI lessons learned report, identifying specific actions the E-ISAC could pursue to improve future GridEx exercises, including ways to increase participation and effectiveness of future GridEx exercises.
Cyber Activity Used By Indicted Russian State-Sponsored Actors Detailed
March 25, 2022
by Paul Ciampoli
APPA News Director
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) recently published a joint cybersecurity advisory with information on multiple intrusion campaigns targeting U.S. and international energy sector organizations conducted by indicted Russian state-sponsored cyber actors from 2011 to 2018.
In conjunction with indictments unsealed by the Department of Justice on March 24, the advisory provides the technical details of a global energy sector intrusion campaign using Havex malware, and the compromise of a Middle East-based energy sector organization using TRITON malware. Additional details about the indictments are available here.
While the advisory details historical cyber activity, CISA, FBI, and DOE assess that state-sponsored Russian cyber operations continue to pose an ongoing threat to U.S. energy sector networks.
The U.S. energy sector and critical infrastructure organizations more broadly are urged to apply the recommended mitigations, the agencies said.
Actions that executives and leaders can take now to protect their networks include:
- Implement and ensure robust network segmentation between information technology and industrial control systems (ICS) networks;
- Enforce multifactor authentication to authenticate into a system; and
- Manage the creation of, modification of, use of, and permissions associated with privileged accounts.
“In light of the indictments announced today and evolving intelligence that the Russian Government is exploring options to conduct potential cyberattacks against the U.S., CISA, along with our FBI and DOE partners, is issuing this joint advisory to reinforce the demonstrated threat posed by Russian state-sponsored cyber actors,” said CISA Director Jen Easterly in a statement.
“While the intrusions highlighted in this advisory span an earlier period of time, the associated tactics, techniques, procedures, and mitigation steps are still highly relevant in the current threat environment,” she said.
In addition to the advisory, organizations should visit www.CISA.gov/shields-up for information on how to protect their networks.
President Biden Signs Federal Cyberattack Reporting Requirement Into Law
March 22, 2022
by Paul Ciampoli
APPA News Director
President Biden on March 15 signed into law a federal cyberattack reporting requirement aimed at protecting critical infrastructure in the U.S.
The law, the “Strengthening American Cybersecurity Act of 2022,” requires critical infrastructure organizations in 16 industry sectors identified by the federal government, including the energy sector, to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours if they are experiencing a cyberattack, and within 24 hours of making a ransomware payment.
The law further stipulates that CISA will have the authority to subpoena organizations within the identified industry sectors that fail to report cybersecurity incidents or ransomware payments and can refer non-compliant organizations to the Department of Justice.
CISA is required to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit and expand its information sharing efforts.
The text of the bill is available here.
Federal Government Warns Of Possible Satellite Communication Network Threats
March 21, 2022
by Paul Ciampoli
APPA News Director
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently released a joint cybersecurity advisory that warns organizations of possible threats to U.S. and international satellite communication (SATCOM) networks.
“Successful intrusions into SATCOM networks could create risk in SATCOM network providers’ customer environments,” CISA and the FBI said in the alert.
“Given the current geopolitical situation, CISA’s Shields Up initiative requests that all organizations significantly lower their threshold for reporting and sharing indications of malicious cyber activity,” the alert said.
To that end, CISA and FBI will update the advisory as new information becomes available so that SATCOM providers and their customers can take additional mitigation steps pertinent to their environments.
CISA and FBI strongly encouraged critical infrastructure organizations and other organizations that are either SATCOM network providers or customers to review and implement the mitigations outlined in the advisory to strengthen SATCOM network cybersecurity.
The complete list of mitigation measures recommended by CISA and the FBI is available in the advisory. Click here for the advisory.
Russian Cyber Threats: What You Need To Know
February 25, 2022
by Paul Ciampoli
APPA News Director
The Cybersecurity and Infrastructure Security Agency (CISA) is offering resources and guidance related to cyber threats from Russia, which launched a full-scale invasion of Ukraine on Feb. 24.
The Russian government “engages in malicious cyber activities to enable broad-scope cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries,” CISA notes on its website.
Recent advisories published by CISA and other unclassified sources reveal that Russian state-sponsored threat actors are targeting a number of industries and organizations in the United States and other Western nations including energy, nuclear and water.
CISA notes that the same reporting associated Russian actors with a range of high-profile malicious cyber activity, including the 2020 compromise of the SolarWinds software supply chain, the 2020 targeting of U.S. companies developing COVID-19 vaccines, the 2018 targeting of U.S. industrial control system infrastructure, and the 2017 NotPetya ransomware attack on organizations worldwide.
On Feb. 23, 2022, CISA, the United Kingdom’s National Cyber Security Centre (NCSC), National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory identifying that the actor known as Sandworm or Voodoo Bear is using a new malware, referred to as Cyclops Blink.
The NCSC, CISA, and FBI have previously attributed the Sandworm actor to the Russian General Staff Main Intelligence Directorate’s Russian Main Centre for Special Technologies.
CISA’s website includes a Russian malicious cyber activity section that lists all CISA advisories, alerts, and malware analysis reports on Russian malicious cyber activities.
“SHIELDS UP” Guidance
CISA is also offering what it refers to as “SHIELDS UP” guidance related to cybersecurity.
“CISA recommends all organizations — regardless of size — adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets,” it said.
Recommended actions include:
- Reducing the likelihood of a damaging cyber intrusion
- Taking steps to quickly detect a potential intrusion
- Ensuring that the organization is prepared to respond if an intrusion occurs
- Maximizing the organization’s resilience to a destructive cyber incident
“Russia’s unprovoked attack on Ukraine, which has been accompanied by cyber-attacks on Ukrainian government and critical infrastructure organizations, may have consequences for our own nation’s critical infrastructure, a potential we’ve been warning about for months,” CISA said.
“While there are no specific or credible cyber threats to the U.S. homeland at this time, we are mindful of the potential for Russia’s destabilizing actions to impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies. Every organization — large and small — must be prepared to respond to disruptive cyber activity,” it noted.
CISA, along with its partners in the U.S. Intelligence Community, law enforcement, the military, and sector risk management agencies, is monitoring the threat environment 24/7 to discern whether those threats manifest themselves in risks to the U.S. homeland.
In the wake of continued denial of service and destructive malware attacks affecting Ukraine and other countries in the region, CISA is working closely with its Joint Cyber Defense Collaborative (JCDC) and international computer emergency readiness team (CERT) partners to understand and rapidly share information on these ongoing malicious cyber activities.
The current environment “requires us all to be laser-focused on resilience. This must include a focus on ensuring preparedness and a rapid, coordinated response to mitigate the impact of such disruptions on our national security, economic prosperity, or public health and safety.”
CISA said it has been working closely with its critical infrastructure partners over the past several months to ensure awareness of potential threats, “part of a paradigm shift from being reactive to being proactive.”
As part of this effort, “we recognize that many critical infrastructure or state, local, tribal, and territorial governments find it challenging to identify resources for urgent security improvements.”
In response, CISA has established a catalog of free services from government partners, the open-source community, and JCDC companies to assist with this critical need.
President Biden Addresses Cybersecurity Threat In Remarks
On Feb. 24, President Biden said that if Russia “pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond.” He made his remarks in a speech at the White House.
“For months, we have been working closely…with the private sector to harden their cyber defenses, sharpen our ability to respond to Russian cyberattacks as well,” he said.
Last summer, the Department of Energy (DOE) reported that federal government agencies and the electricity industry had made significant strides in support of White House goals aimed at boosting the cybersecurity of critical infrastructure in the U.S.
In April 2021, the Biden Administration launched an Industrial Control Systems (ICS) Cybersecurity Initiative to meet its goal of strengthening the cybersecurity of the critical infrastructure across the country.
The initiative was kicked off with a 100-day action plan for the U.S. electricity subsector led by DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) in close coordination with CISA, and the Electricity Subsector Coordinating Council.
On July 28, 2021, President Biden further emphasized the importance of this initiative and broader cybersecurity efforts through his National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.
APPA Offers Cybersecurity Resources
The American Public Power Association (APPA) offers a wide range of resources on cybersecurity for its members, including a Cybersecurity Defense Community.
Those resources include, among other things, the Public Power Cyber Incident Response Playbook, which walks through the steps and best practices a utility can follow in the event it experiences a cyber incident or attack. APPA is also working with the Department of Energy to help deploy Operational Technology, or OT, cybersecurity sensors at member utilities.
Click here for additional information on APPA’s resources, or reach out to cybersecurity@publicpower.org to get involved.
Ditto Details Utility Sector’s Proactive Approach to Guard Against Cyberattacks
Among the many steps that the electricity sector takes to proactively guard against cyberattacks are tabletop exercises in which utility operators respond to a scenario and work through responses, said Joy Ditto, President and CEO of APPA, last October.
If such a scenario becomes a reality, “they have those lessons learned to apply,” Ditto said during a cyber summit held by the Aspen Institute.
Collaboration among the electric sector, government agencies and other industries plays a key role in the success of these exercises, Ditto pointed out.
FERC Moves To Close Gap In Reliability Standards For Electric Grid Cyber Systems
In January 2022, the Federal Energy Regulatory Commission (FERC) issued a notice of proposed rulemaking (NOPR) proposing to strengthen mandatory critical infrastructure protection (CIP) reliability standards by requiring internal network security monitoring for high- and medium-impact bulk electric system cyber systems.
The NOPR proposed to direct the North American Electric Reliability Corporation (NERC) to develop and submit new or modified reliability standards on internal network security monitoring to address what FERC regards as a gap in the current standards.
FERC Moves To Close Gap In Reliability Standards For Electric Grid Cyber Systems
February 3, 2022
by Paul Ciampoli
APPA News Director
The Federal Energy Regulatory Commission (FERC) on Jan. 20 issued a notice of proposed rulemaking (NOPR) proposing to strengthen mandatory critical infrastructure protection (CIP) reliability standards by requiring internal network security monitoring for high- and medium-impact bulk electric system cyber systems.
The NOPR proposes to direct the North American Electric Reliability Corporation (NERC) to develop and submit new or modified reliability standards on internal network security monitoring to address what FERC regards as a gap in the current standards.
Mandatory electric reliability standards, including the CIP standards, are developed by NERC and approved by FERC. The Commission also has authority to direct NERC to develop new or revised standards, and FERC is relying on that authority in the NOPR.
Under existing CIP reliability standards, network security monitoring is focused on defending the electronic security perimeter of networks that do not equate to an internal security network.
In proposing to direct NERC to expand or revise the existing CIP rules, FERC said that it is seeking to address concerns that the existing standards do not address potential vulnerabilities of the internal network to cyber threats.
Internal network security monitoring addresses situations where vendors or individuals with authorized access who are considered trustworthy might still introduce a cybersecurity risk.
As an example, FERC said that the SolarWinds attack in 2020 demonstrated how an attacker can bypass network perimeter-based security controls used to identify and thwart attacks. This supply chain attack leveraged a trusted vendor to compromise the networks of public and private organizations, FERC said.
Incorporating internal network security monitoring requirements into the CIP reliability standards would help to ensure that utilities maintain visibility over communications in their protected networks, FERC said. Doing so can help detect an attacker’s presence and movements and give the utility time to take action before an attacker can fully compromise the network.
Internal network security monitoring also helps to improve vulnerability assessments and can speed recovery from an attack, FERC noted.
The NOPR seeks comment on all aspects of the proposed directive to develop and submit new or modified reliability standards for internal network security monitoring for high- and medium-impact cyber systems. Although the proposal is currently limited to high- and medium-impact assets, as classified under NERC’s risk-based classification system, the NOPR also seeks comment on whether internal network security monitoring should be expanded to low-impact assets, or a subset of these assets.
At FERC’s January monthly open meeting, FERC Chairman Richard Glick emphasized that reliability of the bulk power system, including cybersecurity, is a top priority for the Commission.
He noted that, if a hacker does breach an entity’s electronic perimeter, internal network monitoring can allow for a more effective and timely response.
He encouraged interested parties to comment on the applicability of the proposal to low impact bulk electric system cyber systems, calling it “an interesting issue.”
Comments on the NOPR are due 60 days after publication in the Federal Register.
Click here to access the NOPR.
APPA, Other Groups Seek FCC Rulemaking for 6 GHz Low Power Indoor Devices
December 20, 2021
by Paul Ciampoli
APPA News Director
The American Public Power Association (APPA) and a coalition of critical infrastructure industries on Dec. 7 asked the Federal Communications Commission (FCC) to adopt a rulemaking that develops new rules for 6 GHz low-power indoor (LPI) devices.
While seeking a new rule, APPA and the other industry groups also sought an immediate stay of equipment authorization of unlicensed 6 GHz LPI devices. The stay, pending development of rules that are proven to avoid interference from these devices, will prevent harm to currently licensed microwave systems in the 6 GHz band.
Background
The FCC’s Report and Order (R&O) to open the 6 GHz band of spectrum to unlicensed usage went into effect in July 2020.
The R&O allows two types of unlicensed operations — low powered indoor use and outdoor use protected with an automated frequency coordination (AFC) technology.
A broad coalition of incumbent license holders filed extensive comments raising concerns about interference to operations that could result from opening the band to unlicensed users and requesting further testing and protections from the FCC. Those concerns and comments were not addressed, leading APPA and others in the electric sector to file legal challenges.
In April 2021, investor-owned utility Southern Company and the Electric Power Research Institute (EPRI) acquired 6 GHz devices available on the market to conduct real world testing on impacts to electric utilities.
They operated them near a Southern Company microwave link operating between Fortson and Columbus, Ga., using the FCC thresholds for reportable interference. The tests showed that, even at low powered indoor use, the unlicensed devices would “cause harmful interference to licensed fixed microwave systems” greater than the FCC’s acceptable levels. This report was filed and presented to FCC staff.
Petition For Rulemaking
The petition for rulemaking states that the current rules for LPI use are flawed because they rely on modeling and not real-world data and, as such, must be modified to protect incumbent license holders from harmful interference.
The petition further states that LPI devices should be controlled by an AFC system, the FCC should adopt rules for licensees to recover costs from monitoring and mitigating potential interference created by unlicensed systems, and the FCC should conduct independent testing to determine if new rules should be developed for standard power devices.
“Recent real-world tests have determined that 6 GHz LPI devices will cause harmful interference to licensed microwave systems in the band, due in part to beacon signals that will transmit constantly and thus endanger the functioning of services to public safety and critical infrastructure industries and seriously degrade, obstruct, or repeatedly interrupt their radio communications services,” the groups said.
“These tests also demonstrate that the data and the assumptions for the Commission’s rules for 6 GHz LPI devices are fundamentally flawed.”
The FCC should therefore exercise its rulemaking authority “to revise the rules and conduct open and transparent testing to prove these rules effectively prevent interference to licensed microwave systems. In that regard, the Commission should require 6 GHz LPI devices to be controlled by AFC or use some other interference protection mechanism.”
The groups also said that the FCC should establish a mechanism for cost recovery by incumbents to reimburse them for mitigating and resolving interference from unlicensed 6 GHz operations.
They said that this is consistent with the Commission’s emerging technologies framework and Commission precedent.
“Also, due to the flawed data and assumptions upon which the Commission relied, the Commission should conduct independent tests of standard power access devices to determine if new rules need to be developed that will prevent interference from these devices to licensed microwave systems in the band.”
Request For Stay
The request for stay asks the FCC to put a temporary halt on the equipment authorization of unlicensed 6 GHz LPI devices pending the adoption of rules that are proven to prevent interference to licensed systems.
The stay is necessary to prevent the imminent risk of irreparable harm from the interference that these unlicensed 6 GHz LPI devices are certain to cause to incumbent licensed systems in the band, such as electric utility SCADA and other system monitoring equipment.
A temporary stay will not significantly harm the interests of other stakeholders, “and the public interest favors granting the stay immediately to protect public safety and critical infrastructure industries who provide essential services to the public at large,” the petitioners stated.
APPA was joined in the filings by:
- The Utilities Technology Council
- American Gas Association
- Edison Electric Institute
- American Petroleum Institute
- American Water Works Association
- National Rural Electric Cooperative Association
- International Association of Fire Chiefs
- The Association of American Railroads
- APCO International
- Nuclear Energy Institute
- The National Public Safety Telecommunications Council
Federal Government, Partners Respond To Apache Software Vulnerability
December 14, 2021
by Paul Ciampoli
APPA News Director
The Cybersecurity and Infrastructure Security Agency (CISA) and its partners, through the Joint Cyber Defense Collaborative, are responding to active, widespread exploitation of a critical remote code execution vulnerability in Apache’s Log4j software library.
Specifically, CISA flagged the vulnerability, known as “Log4Shell” and “Logjam,” as affecting Log4j versions 2.0-beta9 to 2.14.1.
Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications, as well as in operational technology products, to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.
Apache released Log4j version 2.15.0 in a security update to address this vulnerability.
“However, in order for the vulnerability to be remediated in products and services that use affected versions of Log4j, the maintainers of those products and services must implement this security update,” CISA noted.
CISA said that users of such products and services should refer to the vendors of these products and services for security updates.
Given the severity of the vulnerability and the likelihood of an increase in exploitation by sophisticated cyber threat actors, CISA urged vendors and users to take several actions.
Vendors should immediately identify, mitigate, and patch affected products using Log4j and inform their end users of products that contain this vulnerability and strongly urge them to prioritize software updates, CISA said.
With respect to affected organizations, CISA said they should “enumerate external-facing devices that have Log4j,” ensure that their security operations center acts on alerts on these devices, and install a web application firewall with rules that automatically update.
In addition, affected organizations should review CISA’s upcoming GitHub repository for a list of affected vendor information and apply software updates as soon as they are available.
CISA also provides guidance for organizations running products with Log4j.
Additional information, including details about the Joint Cyber Defense Collaborative, is available on CISA’s website.
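The inventory step CISA describes can be sketched as follows. This is an added example, not code from CISA, Apache, or the article: a filename-based check of `log4j-core` jars against the 2.0-beta9 to 2.14.1 range quoted above. The jar naming pattern, the function names, and the status labels are assumptions of this sketch.

```python
import re
import sys
from pathlib import Path

# Assumed naming pattern: log4j-core-<numbers>[-<qualifier><n>].jar
JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)(?:-([a-z]+)(\d*))?\.jar$", re.I)
# Pre-release qualifiers sort before the final release of the same number.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2, "": 3}

def version_key(numbers, qualifier=None, qualifier_num=None):
    """Turn '2.0', 'beta', '9' into a tuple that orders correctly."""
    parts = ([int(p) for p in numbers.split(".")] + [0, 0])[:3]  # 2.0 == 2.0.0
    rank = QUALIFIER_RANK[(qualifier or "").lower()]
    return (*parts, rank, int(qualifier_num or 0))

# Range as stated in the article: 2.0-beta9 through 2.14.1 inclusive.
FIRST_AFFECTED = version_key("2.0", "beta", "9")
LAST_AFFECTED = version_key("2.14.1")

def classify(jar_name):
    """Classify one jar file name against the affected range."""
    m = JAR_RE.search(jar_name)
    if not m:
        return "not-log4j-core"
    if (m.group(2) or "").lower() not in QUALIFIER_RANK:
        return "unknown-qualifier"   # e.g. -sources, -SNAPSHOT: review by hand
    key = version_key(*m.groups())
    return "affected" if FIRST_AFFECTED <= key <= LAST_AFFECTED else "outside-range"

def scan(root):
    """Return {path: status} for every log4j-core jar found under root."""
    findings = {}
    for path in Path(root).rglob("*.jar"):
        status = classify(path.name)
        if status != "not-log4j-core":
            findings[str(path)] = status
    return findings

if __name__ == "__main__":
    # Scan the directory given on the command line (default: current directory).
    for jar, status in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{status:18} {jar}")
```

Filename matching misses copies of Log4j bundled inside other archives, so an empty result is incomplete rather than a confirmation that no affected version is present.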