In yesterday’s post, the latest but probably not the last in a series of posts stemming from some (either intentionally or unintentionally) misleading information that DHS recently put out about Russian cyberattacks on the US power grid, I said “…the utilities have done a wonderful job of resisting the concerted Russian attack so far – and perhaps they should all be given the Medal of Freedom for that. After all, after two years of pounding the utilities (and IPPs) from every direction, the most the Russians were able to come up with was a compromise of two wind turbines, with a likely total rated capacity of no more than 3 MW.”
Always having been a numbers guy, I decided to quantify how big the Russian success really was. So I divided 3 MW, the total generation penetrated[i] by the Russians, by 10.2 gigawatts (billion watts), the total 2016 summer generation capacity in the US.[ii] I ominously announce that the (at least) two-year Russian campaign to penetrate the US power grid has directly compromised a grand total of (drumroll, please) .0000294117647 percent of total US generation capacity! I’ll pause here so you can absorb the magnitude of this disaster, and perhaps start inquiring about immigration visas to New Zealand. Better to get out now, before the rest of the US population realizes the peril they’re in….
OK, if you’re still with me now, you realize that the Russian campaign has so far been a dismal failure by any stretch of the imagination (well, maybe not any stretch of the imagination. There seem to be a few very imaginative people who think otherwise). Instead of talking about the laughably inadequate cyber defenses of US utilities, we should be talking about honoring the utilities for standing like Horatius at the Bridge, guarding their fellow citizens (and legal immigrants, of course) against the oncoming enemy army. This is a great success story.
Of course, I’m certainly not saying that the utilities have found the key to permanent cyber security, and they can now recline on their couches while good-looking Roman citizens feed grapes into their mouths. In particular, the DHS briefings made it very clear that the Russian attacks are continuing and that supply chain is the preferred vector for attacks, at least in the near future. The briefings also made it far from clear – but you could find this if you pull their statements apart very carefully – that the electric power vendor community definitely has weak cyber defenses, underlining the need for even better[iii] supply chain security.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.
[i] Meaning the control systems controlling that generation were accessed, even though the attackers didn’t take any action to shut it down. I get the 3 MW from my assumption that the average wind turbine has a capacity of 1.5 MW. That might be a little low or a little high, but it obviously doesn't change my argument.
[ii] Since our concern here is really the total available power supply, not just that part generated in the US, we should really add imports from Canada. The US imported 72 Terawatt-hours of electricity from Canada, but trying to transform that into a number that could be compared with total US generation would be very hard, and above my pay grade. I’ll just stick with total US generation, since that’s certainly large enough to make my point.
[iii] One thing I noted about the DHS briefing and report: It sounded like the only way that supply chain attacks on utilities and IPPs could bear fruit is through remote access to OT systems. There are lots of other vectors for supply chain attacks: infected patches, watering hole attacks, tampering with products en route to the customer, etc. These all need to be protected against.