This Week in Critical Infrastructure, we have reports spanning multiple sectors and countries: the National Law Review looks at new FERC orders from June concerning NERC Critical Infrastructure Protection Reliability Standards; Wired examines the latest bug bounty program from Apple, rewarding cybersecurity experts who identify flaws in the company’s products; the Safe & Sound blog from Quarles & Brady, LLP, cover new guidance from the Health and Human Services Office of Civil Rights looking at HIPAA and ransomware; V3 summarizes the findings of a recent ICS-CERT report identifying over 600 vulnerabilities in systems across the United States; NPR brings the latest news on reported denial-of-service (DoS) attacks that have disrupted Australia’s first attempt at an online census; and finally, the Atlantic Council hosted a webcast of a panel discussing the policy impacts and implications of major U.S. hacker conferences.
FERC Issues Orders Concerning NERC Critical Infrastructure Protection Reliability Standards
Debra Ann Palmer and Melan Patel from Schiff Hardin LLP provide an overview of recent FERC orders related to NERC Critical Infrastructure Protection Reliability Standards. The latest rules address information security vulnerabilities with an emphasis on supply chain risk management.
Apple’s Finally Offering Bug Bounties—With the Highest Rewards Ever
Lily Hay Newman from Wired writes about Apple’s new bug bounty program. With this initiative, Apple joins other major tech companies in offering rewards to security professionals who identify and share vulnerability information for the company’s products. Though some have argued that Apple is late to the bug bounty game, the company is poised to offer some of the highest rewards offered in the field.
New Guidance Released by OCR on Ransomware
In this article from late July, Jennifer Rathburn and Rachel Bryers writing for the Safe & Sound blog discuss new guidance from the U.S. Dept. of Health and Human Services Office of Civil Rights on HIPAA and ransomware.
Over 600 Weaknesses Found in US Critical Infrastructure Systems, Warns ICS-CERT
Dan Worth of V3 reports on a recent study released by the U.S. Dept. of Homeland Security Industrial Control System Computer Emergency Response Team (ICS-CERT) examining vulnerabilities in systems across the nation. Looking at 112 assessments from 2015, ICS-CERT identified 638 weaknesses in critical infrastructure systems, with the most common being boundary protection vulnerabilities.
Cyberattack Halts Australia’s First Online Census
Alina Selyukh from NPR reports on a cyber attack that targeted Australia’s first attempt at an online census. After first launching the census website last early in the week, the Australian government was forced to take the site down in response to multiple denial-of-service (DoS) attacks. Typically performed every five years, this is the first time Australia has been unable to complete a census in its 105-year history.
A Public Policy Lens on the Hacker Conferences
The Atlantic Council and CSM Passcode host a panel discussion on the subject of hacker conferences and their implications for public policy. Each summer, Las Vegas hosts a number of high-profile hacker events, such as Black Hat and DEF CON, that inevitably bring new threats and vulnerabilities in everyday tech to light. Officials in Washington have typically watched from the outside, speculating about the potential consequences of these findings on national security policy. Experts from the organizations behind these events, as well as representatives from the government, meet to discuss the potential for greater interaction between policymakers and benevolent hackers in the current tech ecosystem.