Thursday, July 26, 2018


8/1 - It turns out that the "hundreds of utilities" that might have been compromised is now down to less than the single small plant that I believed when I wrote this post. It's now just a couple of wind turbines (which are of course part of a wind farm that might be hundreds or thousands of turbines), as was revealed by DHS in their meeting with CEOs (and Mike Pence and Rick Perry) in New York City yesterday. It is simply amazing that the DHS people who presented at least the first two briefings didn't do anything to dampen down the erroneous news articles about what had happened, and indeed encouraged it by the misdirection in what they said.

Here is an excellent article on that meeting, which Blake attended, by Blake Sobczak of E&E News.

I’ve been meaning to tell everybody about a wonderful group called the Western Transmission Forum…OK, that’s not really what this title refers to. It really describes my feelings when I found out today that the number of assets actually penetrated by the Russian attackers, which DHS has been thoroughly publicizing this week, wasn’t “hundreds” (as at least some people who attended the Monday DHS webinar thought was said, including the Wall Street Journal, whose article on Tuesday kicked off a frenzy); and that it also wasn’t multiple assets, as was clearly implied in the webinar I attended yesterday. (I estimated in my post yesterday that under 25 generation assets were impacted, and that they were all either Low impact BES assets or distribution assets, meaning they were rated at less than 75 MW.)

No, I learned today, from an article on Power Magazine’s web site, and confirmed with a source who knew the contents of Congressional briefings by DHS, that the true number of assets compromised was….envelope, please….one. And by the way, it was a very insignificant generating plant whose loss would have no impact on the grid.

Here is a quote in the Power article from Lesley Fulop of DHS: “While hundreds of energy and non-energy companies were targeted, the incident where they gained access to the industrial control system was a very small generation asset that would not have had any impact on the larger grid if taken offline.”

I can’t speak for what was said in the Monday webinar, since I didn’t attend that (evidently there were some technical problems during the webinar, so some people may not have heard it all and may have extrapolated “facts” that weren’t actually presented). But here are some of the points that I know were made in yesterday’s webinar (these aren’t exact quotes, of course, since I don’t have a transcript):

  • Hundreds of assets were “targeted or affected”. Probably having seen the WSJ article, which came out the day before, the presenters were trying to dispel the idea that hundreds of assets were affected when they said this. However, a much better way to describe the situation would have been to say “Hundreds of assets were targeted, but fortunately only one was affected”. Even in our current “post-truth” political environment, this is a little bit too much of an exaggeration to be inadvertent.
  • Generation, transmission and distribution assets (note plural) were “targeted or affected”. If the DHS people had really wanted to be accurate, they would have said “Generation, transmission and distribution assets were targeted, but only one small generation asset[i] was affected.”
  • “All victims” had externally-facing, single-factor-authenticated VPN systems (of course, one of the points of the webinar was that multi-factor authentication would have prevented these attacks – although “this attack” would have been more accurate – from occurring). The plural of victims certainly indicates that more than one asset was compromised.
  • In some cases, victims’ (note plural) primary remote-access systems had two-factor authentication but they also had single-factor-authenticated systems as well – and this was how the attackers got in. Again, it’s hard to reconcile this sentence with the fact that there was only a single victim.
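The failure mode in the last two bullets, an exposure that survives because a secondary single-factor entry point sits beside an MFA-protected primary one, is easy to miss in an inventory review. As an added example (not from the post or from DHS), here is a small Python check over a constructed inventory of remote-access services; the four-column CSV layout and the service names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RemoteAccess:
    name: str
    external: bool   # reachable from the internet
    mfa: bool        # requires a second factor
    primary: bool    # the "official" remote-access path

# Constructed inventory (not real data): name,exposure,auth,role
INVENTORY = """\
corp-vpn,external,mfa,primary
vendor-vpn,external,single-factor,secondary
plant-hmi-rdp,internal,single-factor,secondary
"""

def parse_inventory(text: str) -> list[RemoteAccess]:
    """Parse the four-column CSV layout assumed above."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, exposure, auth, role = [f.strip() for f in line.split(",")]
        services.append(RemoteAccess(
            name=name,
            external=(exposure == "external"),
            mfa=(auth == "mfa"),
            primary=(role == "primary"),
        ))
    return services

def single_factor_exposures(services: list[RemoteAccess]) -> list[str]:
    """Names of every internet-facing service that still accepts a
    password alone. MFA on the primary path does not excuse any
    secondary path: one single-factor door is enough for an attacker."""
    return sorted(s.name for s in services if s.external and not s.mfa)

def primary_covered_but_exposed(services: list[RemoteAccess]) -> bool:
    """True when the primary remote-access path has MFA yet another
    externally-facing path does not: the pattern described in the briefing."""
    primary_ok = any(s.primary and s.external and s.mfa for s in services)
    return primary_ok and bool(single_factor_exposures(services))

if __name__ == "__main__":
    svcs = parse_inventory(INVENTORY)
    for name in single_factor_exposures(svcs):
        print(f"FINDING: {name} is internet-facing with single-factor auth")
    print("MFA on primary path but still exposed:", primary_covered_but_exposed(svcs))
```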

What does this mean for my post yesterday? In the post, I pointed to two primary lessons to be learned. The first was “If anybody had any doubt that supply chain security is the number one cyber security issue for the electric power industry today – as well as for probably most other industries as well – there is now a smoking gun.”

I still stand by this lesson 100%, although it’s clear that the smoking gun described by DHS was actually a pellet gun that had given one victim a superficial skin wound. Starting with the Target breach, and going forward to NotPetya and other breaches, it’s now clear that cyber attackers who are aiming at sophisticated targets (as opposed to “spray and pray” attackers like ransomware or cryptominers) realize that the way to achieve their goals isn’t to mount a full assault on the front gates of the castle, but to break the single lock on the small back door where the tradesmen come in – in other words, the supply chain. The fact that the Russians only succeeded with one target so far doesn’t mean they and others won’t keep trying, and refining their methods.

My second lesson learned, set out in the last paragraph in the post, was that NERC, FERC and the trade associations should look at whether the CIP requirements applying to Low impact assets should be made stronger. I still stand by this, because I know that these parties are always considering that question. They may at some point decide to take further steps (FERC raised that possibility in their NOPR for CIP-003-7 last fall, although they dropped the idea when they actually approved CIP-003-7 in April) – but I certainly don’t believe now that there is any sort of emergency requiring action (and as you’ll see if you read the last paragraph of yesterday’s post, I didn’t believe it was an emergency then, either).

In the last sentence of the post, I pointed out that “…the PUCs need to start thinking seriously about how to get owners/operators of purely distribution assets more concerned about supply chain security.” I still stand by that conclusion, since a) the one asset compromised was obviously a distribution asset (a generating plant < 75 MW), and b) while a few PUCs have developed cyber regulations for their utilities (the best of which is New Jersey’s, although I’ll admit it’s a year or two since I’ve looked into this, so some other state may have stepped up), I don’t think any PUC has implemented supply chain cyber security regulations for their utilities.

For DHS (specifically ICS-CERT and NCCIC, who did the investigation and conducted the briefing), I’d just like to say that you people have clearly done a great job of tracking how the Russian attackers worked (and presumably are working now); I highly recommend that anyone who didn’t attend one of the briefings this week attend one of the two briefings next week, and/or download the alert that was put out in March.

On the other hand, DHS, I can’t understand why you would want to pretend that a lot of assets had been penetrated, when it was only one small one. By doing so, you raised this threat from one that all power industry asset owners should be aware of and should be taking steps to prevent, to something approaching an imminent threat to our national security. And it just isn’t that.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.         

[i] Presumably, this single generation asset was the compromised asset, a screen shot of whose HMI was shown in the webinar yesterday – the presenters said it had been uploaded by the attackers. Of course, in the webinar the presenter didn’t mention that this was the only asset that was compromised; from what he said, it sounded like taking screen shots was the modus operandi of the attackers, which DHS had seen in multiple instances. Obviously, unless an asset was actually penetrated, not simply targeted, there would be no screen shot available.
