A long-time colleague wrote in to me last Friday regarding Thursday’s post. He pointed out to me that, not only were the statements from DHS staff members in the briefings on the Russian hacking of the grid misleading, but at least two slides they showed had text that directly conflicted with the statement from a DHS spokesperson, which I had quoted in Thursday’s post: “While hundreds of energy and non-energy companies were targeted, the incident where they gained access to the industrial control system was a very small generation asset that would not have had any impact on the larger grid if taken offline.”
Yet here are the statements from slides 18 and 19 of the presentation at the Wednesday briefing:
- (slide 18) “Used initial compromised vendor to access several U.S. energy utilities and IT service providers”
- (slide 19) “Leveraged early victim to gain entry to two previously accessed utilities and one new victim”
The combination of these two statements leads to the conclusion that a minimum of three “energy utilities” were “accessed”, as opposed to the one small generating plant (which most likely wasn’t owned by an electric utility at all) in the DHS spokesperson’s statement.[i] If DHS wants to come out and say the spokesperson’s statement was wrong and three utilities were actually accessed, so be it. But I certainly haven’t heard of that happening (Kristjen N, if that is in fact the case, please email me at the address below).
If even three electric utilities had their control centers (and presumably their EMS systems) compromised, that would be a bad thing, since a simultaneous attack on all three could possibly lead to three widespread outages, although probably not a cascading outage (like in 2003); there would then be justification for raising the alarm flags. But here we’re talking about the control room of a single very small generating plant that by DHS’ own admission doesn’t have any real impact on the “larger grid”. In my opinion, this fact, combined with the fact that hundreds of “utilities” were attacked by the Russians, leads me to believe that the industry’s defenses are in pretty good shape, not the exact opposite. This is a wakeup call, but not to cyber weakness in general at utilities. Rather, it’s a call for all utilities and IPPs to beef up defenses against supply chain attacks (as I pointed out in the first post in this series).
Yet the idea that the exact opposite is indeed the case seems to be spreading very rapidly. I had two new articles called to my attention today, including this one contributed by John Hargrove of Sam Houston Electric Coop, and this one contributed by another friend. I’m sure there will be others. Both of these articles include a quote (in fact the same one, even though it was delivered by email) by Robert Lee of Dragos. Taking DHS at their word that “utilities” had had their “control rooms” penetrated[ii], Robert points out that the activities in question – purely reconnaissance – wouldn’t be enough to be able to cause an outage.
However, Robert didn’t need to go this far. It turns out no utility control centers were penetrated, period. And even if the generating plant whose control room was penetrated was a very large one, and even if several similar generating plants were also penetrated, this would be far from a danger to the grid itself, as discussed in this post.
In other words, even though the DHS people who put together the briefings (and didn’t provide any immediate corrections when the alarming news stories started flying) were only trying to call attention to a problem, by exaggerating what had happened they have damaged their credibility for future advisories. I hope it isn’t fatally damaged, because they (specifically, the ICS-Cert) do a lot of really excellent work!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at email@example.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.
[i] I suppose you could interpret “accessed” to mean the attackers got into the IT network of the utility, but not the OT network; but of course this doesn’t mean they’re any closer to achieving their goal of being able to manipulate control systems (which are on the OT network, or should be) to cause an outage. In any case, if this is what DHS meant by “access”, they certainly have never stated that.
[ii] As I pointed out in my first post about this problem, to speak of an electric utility’s “control room” is essentially a non-sequitur, such as speaking of the Pope’s yarmulke. A control room controls an individual generating plant or substation, and is usually located at that asset. Utilities have control centers, which control many assets that generate and transmit power, as well as the assets like distribution substations that deliver that power to customers. But the single small generating plant that was actually penetrated is almost certainly not owned by a utility (most plants are owned by independent power producers, especially the small ones), and in any case its control room doesn’t control anything more than the plant itself.