Friday, August 31, 2018

The Sweet Smell of Success



In yesterday’s post, the latest but probably not the last in a series of posts stemming from some (either intentionally or unintentionally) misleading information that DHS recently put out about Russian cyberattacks on the US power grid, I said “…the utilities have done a wonderful job of resisting the concerted Russian attack so far – and perhaps they should all be given the Medal of Freedom for that. After all, after two years of pounding the utilities (and IPPs) from every direction, the most the Russians were able to come up with was a compromise of two wind turbines, with a likely total rated capacity of no more than 3 MW.”

Always having been a numbers guy, I decided to quantify how big the Russian success really was. So I divided 3 MW, the total generation penetrated[i] by the Russians, by 10.2 gigawatts (billion watts), the total 2016 summer generation capacity in the US.[ii] I ominously announce that the (at least) two-year Russian campaign to penetrate the US power grid has directly compromised a grand total of (drumroll, please) .0000294117647 percent of total US generation capacity! I’ll pause here so you can absorb the magnitude of this disaster, and perhaps start inquiring about immigration visas to New Zealand. Better to get out now, before the rest of the US population realizes the peril they’re in….

OK, if you’re still with me now, you realize that the Russian campaign has so far been a dismal failure by any stretch of the imagination (well, maybe not any stretch of the imagination. There seem to be a few very imaginative people who think otherwise). Instead of talking about the laughably inadequate cyber defenses of US utilities, we should be talking about honoring the utilities for standing like Horatius at the Bridge, guarding their fellow citizens (and legal immigrants, of course) against the oncoming enemy army. This is a great success story.

Of course, I’m certainly not saying that the utilities have found the key to permanent cyber security, and they can now recline on their couches while good-looking Roman citizens feed grapes into their mouths. In particular, the DHS briefings made it very clear that the Russian attacks are continuing and that supply chain is the preferred vector for attacks, at least in the near future. The briefings also made it far from clear – but you could find this if you pull their statements apart very carefully – that the electric power vendor community definitely has weak cyber defenses, underlining the need for even better[iii] supply chain security.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.



[i] Meaning the control systems controlling that generation were accessed, even though the attackers didn’t take any action to shut it down. I get the 3 MW from my assumption that the average wind turbine has a capacity of 1.5 MW. That might be a little low or a little high, but it obviously doesn't change my argument.

[ii] Since our concern here is really the total available power supply, not just that part generated in the US, we should really add imports from Canada. The US imported 72 Terawatt-hours of electricity from Canada, but trying to transform that into a number that could be compared with total US generation would be very hard, and above my pay grade. I’ll just stick with total US generation, since that’s certainly large enough to make my point.

[iii] One thing I noted about the DHS briefing and report: It sounded like the only way that supply chain attacks on utilities and IPPs could bear fruit is through remote access to OT systems. There are lots of other vectors for supply chain attacks: infected patches, watering hole attacks, tampering with products en route to the customer, etc. These all need to be protected against.

Thursday, August 30, 2018

The story that refuses to die



I’ve written five posts on the July Wall Street Journal story that essentially said the Apocalypse was just around the corner in the US, because hundreds of utility control centers have been penetrated by the Russians - where they’re lying in wait for the signal from the Kremlin to put the US in darkness for perhaps years. The story was based on one reporter’s confused understanding of a briefing that DHS (the NCCIC, specifically) gave, regarding a huge multi-year campaign by Russian government-sponsored hackers to penetrate the US grid.

Unfortunately, the reporter’s confusion was aided and abetted by the DHS presenters’ language in the briefing, which was either deliberately misleading or recklessly worded. Since the briefings, there have been a couple of statements by DHS. The first one pointed out that only one small generation facility was actually penetrated; the second statement narrowed that even further, saying that only two wind turbines were penetrated. My unprintable reaction to hearing these two statements was summarized in this post and in the note I appended to it less than a week later. I then wrote a long post attempting to thoroughly debunk the claims, and followed it up with a polite suggestion to DHS that they make a real effort to clear up this story – like a press release stating that, while US utilities need to keep up and even increase their cyber defenses, there is no imminent (or even remotely likely) threat of the Russians shutting down the US grid through cyber means.

You will be astounded to hear that DHS didn’t take me up on my suggestion. So guess what? Today, a longtime industry observer called my attention to this press release on Senator Ed Markey’s website. Sen. Markey is one of the Senators most concerned with cyber security issues, and has introduced a number of bills proposing cyber measures. He obviously has never been told that the WSJ story isn’t to be believed.

This press release announces that the Senator has sent queries to fourteen utilities (ten investor-owned and four Federal power-marketing agencies like TVA and BPA) and four agencies (DoE, DHS, FERC and NERC). Why is he sending these? Sure enough, the third sentence refers to the WSJ article and states “in 2016 and 2017, hackers backed by the Russian government successfully penetrated the U.S. electric grid through hundreds of power companies and third-party vendors”.

The query asks 1) if the utilities have been penetrated (of course, the answer to this question will be resoundingly “No”); 2) what measures the utilities are taking to avoid being penetrated; and 3) how they’re mitigating three particular vulnerabilities.

Of course, this is all good clean fun; I’m not suggesting the Senator shouldn’t be asking these questions, even though answering the second and third questions will require a lot of work on the part of the utilities (all ultimately paid by the ratepayers, to be sure). But I really wish DHS would set him straight and say:

  a) We exaggerated some things in our briefings, and the WSJ reporter got a little carried away when she wrote the article. Furthermore, we didn’t immediately make any clarification, which allowed the story to get widely established in the popular press as well as in the cyber security community. Now it seems to have been accepted as fact throughout the country, including Congress. Our two subsequent narrow clarifications got very little attention, mainly because we didn’t make an effort to get the word out beyond the immediate small audiences. We still haven’t (for whatever reason) forcefully addressed the wildly inaccurate statements in the original WSJ article, which are at the root of this madness.
  b) We seem not to be trying to actually squelch this story, but at the same time we’d like you to know that the whole premise of your query is completely wrong.
  c) This isn’t to say it’s a bad idea to ask the utilities what they’re doing to protect the grid – you’ll certainly receive volumes of information in response (although if you expect the utilities to send you information about vulnerabilities and counter-measures, you’re going to have to be able to provide iron-clad assurances that it will be safe – which will be hard to do, by the way. You may have to settle for some more general assertions without details).
  d) But in place of premising your query on the idea that the grid has been thoroughly compromised, you might instead premise it by saying the utilities have done a wonderful job of resisting the concerted Russian attack so far – and perhaps they should all be given the Medal of Freedom for that. After all, after two years of pounding the utilities (and IPPs) from every direction, the most the Russians were able to come up with was a compromise of two wind turbines, with a likely total rated capacity of no more than 3 MW. Whoever is in charge of this operation should be dreading the day he gets a phone call from his boss: “Boris, please clean out your desk and come into my office, so we can discuss just exactly what we’ve achieved with all this money you’ve spent trying to penetrate the US power grid.”

Affectionately,
DHS

If I were DHS, I would store some of the above letter as boilerplate, since they’ll need it often in the coming months and years - as it’s clear nothing (or nobody) is going to kill this story. I wouldn’t be surprised if, in one or two years’ time, this story starts to appear in history textbooks, so eighth graders can learn that the electricity supply they depend on to maintain their entire lifestyle will most likely disappear at any minute, leaving them to finish their short, miserable lives in darkness, cold and hunger. Such is the power of the press!

One other note: There’s a guy at the top of the government who gets very excited about stories in which it looks like the press has made a big mistake. If he knew about this story, he would be convinced that it’s another plot by the liberal media to undermine him, were it not for one inconvenient fact: The news outlet that wrote the story isn’t normally considered part of the liberal media.[i] That spoils the whole narrative.

Thank God for small favors.





[i] Truth be told, the Wall Street Journal is really two papers: The news people are very much un-ideological and are normally determined to follow the truth wherever it leads (and in fact, I believe the WSJ has the best cyber reporting of any major US newspaper. The confusion in the article in question is related to a lack of understanding of the electric power industry and how it operates, not of cyber security). On the other hand, the editorial page is very much old-school conservative. I’d love to attend one of their office holiday parties.

Sunday, August 26, 2018

A Great Article



A friend of mine sent me this link today, and I found it to be a very good read. Of course, I’ve known about how NotPetya happened, and I knew that it had caused widespread damage, especially to Maersk – although I didn’t know the details. But I think it teaches three important lessons.

The first lesson is fairly simple: Be sure to back up your domain controllers! The second is much more far-reaching: We need to start holding nation-states legally liable for cyber attacks – of course, this means Russia in the current case, but Iran, North Korea and China have also attacked the US with cyber weapons. The US did impose sanctions on Russia for this (although as the article points out, the message was muddled since the sanctions were attributed to several Russian transgressions, not just NotPetya), but sanctions don’t address the problem of liability.

Maersk says it lost $250-300 million due to NotPetya, but the article points out that some Maersk employees state anonymously that the real cost must have been much larger (Merck said it lost $870 million. Of course, Merck is a public company and has to report accurate numbers. Maersk is privately owned, although it has 87,000 registered shareholders. Presumably they have been told the real cost). The article describes the huge payments to customers that Maersk made to make up for at least some of the costs and losses they incurred. Then it goes on to point out that other groups of people incurred big losses as well, but they received no monetary compensation. The example used is the many trucking companies that lost money due to having picked up loads bound for the Maersk terminals but not being able to deliver them when the terminals shut down because of the systems outage; however, there are certainly many more third-party victims. The article points to a White House assessment that supposedly estimated the total damages (worldwide, I believe) at more than $10 billion.

Of course, there are (and will be) the usual lawsuits, etc. against Russia by the many victims, and I’m sure at least some of those will bear some fruit many years from now. But this doesn’t seem to be sufficient deterrent since, as we well know, Russia continues to target US elections and the electric power industry. How about this?

  1. We label Russia’s actions an act of war;
  2. We order immediate freezing or seizure of Russian government assets (and perhaps private assets of individuals that the US intelligence agencies have already identified as doing the bidding of the Russian government in these matters – i.e. some of the oligarchs), sufficient to pay all of the documented losses incurred by any US citizens or companies; and
  3. Within a year, if the Russian government hasn’t demonstrated that NotPetya wasn’t their fault, those assets are liquidated to compensate those losses.

If a car driven by a Russian embassy employee hits my car while on an urgent government errand, I will be entitled to compensation from the Russian government. Yet when Russia recklessly launches a cyber attack on the Ukraine as part of their undeclared war on that country, knowing full well that it will spread elsewhere (and, as the article points out, spreading outside the Ukraine was probably one of the goals of the attack – in order to damage Ukraine’s reputation as a safe place to do business), there is no compensation for its victims unless they spend a lot of time and money pursuing lawsuits. This isn’t right.

(And while we’re at it, where is the compensation for the families of the victims of the shooting down of Malaysian Airlines flight 17 over the Ukraine in July, 2012? Sure, a commission finally concluded last year that a Russian launcher loaned to the Russian-backed rebels in the Ukraine brought the plane down. And there are now various lawsuits going on against Russia. So maybe in 5-10 years the families of those victims – those still alive – will be compensated in some way. But a member of the Duma – the Russian parliament – admitted 1-2 weeks after the incident that Russia was at fault.[i] I think Russian aircraft should have been immediately banned from all international airspace until full compensation was paid to all victims. And it’s still not too late to do that.)

The third lesson is this: There should be some sort of mandatory cyber security regulation on all critical infrastructure, not just the electric power industry. I’ve always thought of the power industry as unique, because of the great harm that a serious attack on the grid would cause to lots of people. And it’s indisputable that a grid cyberattack would cause more harm than an attack on any other CI industry.

But the Maersk attack did cause a huge amount of damage to a lot of entities and people other than Maersk. And it’s pretty clear that Maersk didn’t take some of the basic measures that the power industry now takes for granted. The most important of these is separation of the IT and OT networks. Since the disturbance began on what should have been the IT network, a proper separation would most likely have prevented this from spreading to their operational systems.[ii] Another is – of course – regular patching, since Microsoft had patched the primary vulnerability that NotPetya exploited.

So am I advocating that the current NERC CIP standards be applied to all CI industries? Of course not. But I am advocating that a flexible format for mandatory cyber security standards be developed, which would apply to all CI industries, to greater (electric power) or lesser (say, food and agriculture) degree.[iii]

And this is a note to the huge surge of Russian readers I had during my posts on the DHS briefings and news stories on the Russian cyberattacks on the power industry[iv]: Please let your boss Mr. P know that the world isn’t going to stand by much longer and pretend that Russian cyberattacks are just one of those hazards like storms that we all have to live with. There’s some amount of pressure that will get him to stop. We obviously haven’t reached that point yet, so we need to try harder.




[i] As described in this Wikipedia article.

[ii] I realize that separating IT and OT networks would probably be a lot harder for Maersk, since there are so many IT-type documents – orders, bills of lading, invoices – that play an actual role in the OT processes. Separation of IT and OT would probably have prevented the Target breach of 2013 as well, but again it would be much harder to separate the two in a retail environment.

[iii] Of course, describing this format is the end goal of the book I am currently working on.

[iv] It seems those readers have almost entirely left me, not that I’m shedding bitter tears about that. So if you happen to know who they were, please drop them a friendly email suggesting they read this post.

Friday, August 24, 2018

What’s the SDT up to nowadays?



The CIP Modifications Standards Drafting Team seems to have about eight different pots cooking on the stove now. I wrote in July about their new direction on virtualization – which by the way might in the process produce some much-needed reform in the whole structure of the CIP standards; and if you own a Control Center you are probably familiar with the current drafting and balloting on CIP-012. But someone who follows what the SDT is doing much more closely than I can is Mike Johnson.

Yesterday, Mike put up two posts related to the revised standards posted for comment and balloting by the SDT earlier this week. The first post is about CIP-003-8 (yes, folks, just after FERC approved CIP-003 version 7, now we’re up to version 8!). This is because, when FERC approved CIP-003-7, they pointed out that the new requirement for Transient Cyber Assets used at Low impact assets just required, for TCA and RM (Transient Cyber Assets and Removable Media) owned by a third party like a vendor, that the Responsible Entity review the controls the third party had in place to prevent malware; it didn’t require the RE to do anything if the review revealed the third party didn’t have adequate controls in place to prevent malware.

Of course, the idea that any NERC entity (either a Responsible or an Irresponsible Entity) would not take any action if they decided a particular vendor wasn’t doing a good job to prevent their own devices from infecting the entity’s systems is pretty far-fetched. But FERC wanted an abundance of caution, so they ordered this deficiency be corrected. That was done by adding Section 5.2.2 to Attachment 1, which reads “For any method used pursuant to 5.2.1, Responsible Entities shall determine whether any additional mitigation actions are necessary and implement such actions prior to connecting the Transient Cyber Asset.”

The second post is about CIP-002-6. This might be surprising to those who haven’t been following Mike’s blog closely. The original reason for amending CIP-002-5 was to revise criterion 2.12 of Attachment 1, which specifies which Control Centers owned by Transmission Owners should be classified as Medium impact. You may know that this change was approved by 93% of the ballots in May. So why does there need to be another ballot for CIP-002-6? The reason is that, as Mike explains in his second post from yesterday, it was announced in June that FAC-010-3 would be retired (no word on whether a gold watch will be presented). One consequence of this is that two terms from that standard will be changed. Since those terms are currently referred to in criteria 2.6 and 2.9 of Attachment 1, those criteria needed to be changed to reflect this.

Mike also provides some good advice on how to cast ballots (which he has included in previous posts as well).





Tuesday, August 21, 2018

Back to CIP-014



In July, I wrote a post describing an email discussion I’d had with an auditor about CIP-014. It was actually a rehash of a disagreement we’d had last fall (which I don’t think I ever wrote about in this blog) regarding this post from last December. The subject of both disagreements was CIP-014, the CIP standard for physical security of key substations, drawn up in the wake of the Metcalf attack in 2012, in which some large transformers were fired on and disabled at a key substation in Silicon Valley.

Here is the essence of both disagreements: In the December post, I described how, in their CIP-014 audit last year, a utility was given a PNC (potential non-compliance) finding because their physical security plan prepared for compliance with CIP-014 R5 didn’t specifically provide protections for transformers. The utility argued that all of the wording in CIP-014 applies to protecting the substation as a whole, not to particular pieces of equipment located in the substation. The auditor, in his July email to me (prompted by another post, although not related to CIP-014), argued that it would be reasonable to assume that CIP-014 was about more than just protecting the substation as a whole, since the Metcalf attack had been on transformers, not the whole substation.

Note from Tom, later on 8/21: The person in charge of CIP compliance at the utility in question just read the post and emailed me that their reasoning for only protecting on the level of the entire substation wasn't based on the fact that this is what the requirement said, but on the fact that their own engineering study had found that, if any subset of the equipment were destroyed, there wouldn't be the kind of BES impact ("instability, uncontrolled separation, or Cascading within an Interconnection") that is required for the substation to be in scope for CIP-014 in the first place. So if they tried to protect individual pieces of equipment, they wouldn't actually be doing anything that would result in greater protection for the BES itself. However, the auditor would have none of that argument. He wanted the transformers protected, period.

I didn’t contest that it was reasonable to expect the utility to include protection of transformers in their physical security plan, but I did contest the idea that they could be found in violation of the requirement, since that says nothing about anything except protecting the substation as a whole.

After that post, I got an email from Ross Johnson of Capital Power in Edmonton, Alberta (which by the way is a really beautiful city, especially if you visit in the warmer months!). Ross said:

I was on the CIP-014 SDT, and we saw the substation fence line as a component in the protection of what was inside - not the only part worth protecting.  When we talked about protecting the substation, we also talked about protecting the most important components within, and considered that all part and parcel of the substation proper.

I don’t understand the logic of saying that because Metcalf transformers were shot up that any solution that didn’t protect the transformers from gunfire was inadequate.  That’s why we put the term ‘geographic proximity’ in R4.2 (Prior history of attacks on similar facilities taking into account the frequency, geographic proximity, and severity of past physical security related events).  Substations far away from threats of this kind should have that fact weighed and considered in their R4.

I live in Canada, and gun crimes are exceedingly rare.  Other than the odd power-pole transformer, gunfire attacks on electricity sector infrastructure are almost unheard of, and have never approached the scale of Metcalf.  Most of our large substations are in isolated or rural areas, and many have never, ever, had an attack of any kind - even theft by copper thieves.  To demand that they pay millions of dollars to protect infrastructure from a crime that happened a couple of thousand miles away in a different culture with a vastly different threat profile seems difficult to justify given the more modest demands of the standard.

If the intent of the standard was to armour transformers to protect them from gunfire, then it would have stated that.

Now, I have always been against taking the recollections of drafting team members as something that can shed light on the meaning of a CIP requirement, so I’m not trying to say that Ross’s word should be taken as the preferred interpretation of a CIP-014 requirement. But in this case, we have an argument about what should be implied in the wording of a requirement. Ross says it would be wrong to draw the implication that transformers need to be protected, since CIP-014 R4.2 says the entity should consider (in the threat and vulnerability assessment that forms the basis for the physical security plan in R5): “Prior history of attack on similar facilities taking into account the frequency, geographic proximity, and severity of past physical security related events”.

In other words, the entity needs to consider threats that are clearly relevant for the substation in question. One of the bases for identifying those threats is incidents that are likely to occur in the particular geography of the substation. Ross pointed out in a subsequent email that “in Canada, some of our assets are protected by 400 miles of grizzly bears…” Clearly, ballistic attacks on transformers aren’t what keeps Ross awake at night.

On the other hand, Ross is also saying that, even though the strict wording of the requirements in CIP-014 says nothing about protecting the Facilities (e.g. transformers, circuit breakers, etc.) located within the substation, it would be wrong to say that the only threats that need to be protected against are those that affect the entire substation – this isn’t in the strict wording of the requirements, either.

What are the lessons to be learned from this whole discussion? They are:

  1. The utility shouldn’t have been given a PNC for not addressing threats to transformers in their physical security plan, since there is nothing in the strict language of the requirements that mandates the entity should do anything more than protect the whole substation.
  2. On the other hand, the utility certainly should have been given an Area of Concern (which isn’t a violation, of course) for this. That is what a second utility (also discussed in the December post) received. They were also cited for not specifically addressing the threat of ballistic attack on transformers.
  3. Any mandatory standards regime needs to have procedures by which compliance can be verified. In the case of the NERC CIP regime, compliance is verified by audits – did they do X or didn’t they do X? Because this is the case, future plan-based requirements should all include some guide to the threats that need to be identified and mitigated in the plan; they can’t just say something like “identify all the threats that apply to your environment and mitigate them” – which is essentially what CIP-014 says, as well as CIP-013.[i] (All of the important CIP requirements drafted since CIP version 5 have been plan-based. This has quickly become recognized as the only type of requirement that makes sense in the CIP context, since prescriptive requirements simply don’t work well.)
  4. My poster child for a good plan-based requirement is CIP-010 R4, where Attachment 1 (which is called out by the requirement and thus is incorporated into it by reference) describes (at a high level) a number of threats that must be included in the plan (although the term used is risks, not threats. While I think risks is a workable term, I think threats is a better one in this context, for several reasons). I think all future drafting teams would do well to emulate this requirement when they draw up new plan-based requirements (or even revise existing ones. Since it’s likely that FERC will order some changes when they approve CIP-013, and since this means there will have to be another version, I would recommend that the SDT look to CIP-010 R4 for inspiration on how they can make the standard auditable, since the primary requirement, R1.1, isn’t auditable as it stands now).
  5. Ultimately, there will need to be a different compliance verification process for the CIP standards (and I believe the current audit-based process is fine for the O&P standards, although if anyone thinks differently I’d love to hear about it), which will be designed for plan-based requirements. It will need to include a) review by the Region of the entity’s plan before it is implemented, so that the entity can make any needed modifications before it is put in place; b) review by the Region of the entity’s implementation of that plan, so that any big mistakes can be corrected, rather than be allowed to fester (with attendant security vulnerabilities) until the next audit; and c) compliance guidance by the Regions (indeed, by NERC itself) being not only allowed but encouraged.
  6. Unfortunately, until this new compliance verification process is actually implemented (and I’m not naïve enough to think this is likely to happen in the next few years), there will continue to be lots of disputes like the CIP-014 disputes I’ve been discussing. The auditors will always have their ideas about what needs to be in a plan, and in many cases that will differ from what the utility believes. There is no way to settle these disputes, except by simply agreeing that no violations can be assessed for anything that isn’t in the strict language of the requirement, although certainly Areas of Concern are appropriate. As more plan-based requirements are written on the model of CIP-010 R4, these requirements will be more auditable. However, the real solution is a different compliance verification process for the CIP standards.
  7. Even though plan-based CIP requirements should include a list of types of threats that need to be considered in the plan, it should be up to the entity to determine exactly which threats belong in their plan. In Ross Johnson’s neighborhood, high-powered rifles are much less likely to be used in crimes than they are south of the 49th parallel, so that particular threat might be discounted. On the other hand, threats related to cold weather and snow might pose greater risk in northern Alberta than they do in Silicon Valley.
  8. There should be some central body – composed of SMEs from NERC entities, NERC and the Regions, FERC (at least as observers), and perhaps representatives of the general power-using public – charged with developing and regularly updating a list of threats that must be considered in CIP-013 and CIP-014 plans (CIP-013 requires updating the plan every 15 months. CIP-014 requires more or less continual evaluation of new physical threats to substations). Of course, in many cases an entity will decide not to include a particular threat in their plan because it doesn’t apply to them; but in any case the entity will need to document why they did this.[ii] The reason this is needed is that it shouldn’t be left up to individual utilities – no matter how large or small – to comb through all the reports of cyber threats and mitigations worldwide, and determine which ones pose serious risks in North America and which ones don’t. There needs to be a central, regularly-updated list, although it will be up to the individual entities to determine which threats specifically apply to them.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.



[i] I want to point out that I’m not blaming either the CIP-013 or CIP-014 drafting teams for this situation. They were both given very tight deadlines by FERC, one year in the case of CIP-013 and three months in the case of CIP-014. In these time periods, they had to develop, ballot, re-ballot, re-re-ballot, and get NERC BoT approval for the new standard. They didn’t have time to include language in the requirements that would have taken a long time to draft, or that would have sparked a lot of controversy. A lesson learned for FERC is to be very careful about assigning deadlines for new standards, because it often doesn’t seem to work out very well.

[ii] I am writing a book on how the NERC CIP standards – as well as the compliance regime built around them – could be rewritten to eliminate five big current problems with CIP. One of my recommendations is that there be a central body that reviews and publishes a list of all cyber threats to the BES (and perhaps physical threats as well), as well as mitigation measures for those threats. In addition, this body would meet regularly to review new threats as well as mitigation measures, and update the list at least annually. The NERC entities would be required to a) determine which threats on the list pose the biggest risks in their environment and b) mitigate those threats.

Monday, August 13, 2018

Is CIP-013 R1.1 auditable? No. Does this mean you’re off the hook? No.



In this recent story about the Russian hacking from E&E News last week, I was quoted as saying “..it's not clear whether the federal rules on supply chain vulnerabilities can be effective..” Of course, this was referring to CIP-013, which came up in this story since the Russian attacks were (and are) all coming through the supply chain.

I was referring here to something I brought up in this post from April, when I pointed out that R1.1 is probably not auditable because it simply requires that the entity develop a supply chain cyber security risk management plan - the requirement doesn’t provide any information about the risks that should be addressed in that plan. I pointed to CIP-010 R4 as an example (definitely the best so far) of a plan-based requirement that does provide high-level criteria for what should be addressed in the plan (these are provided in Attachment 1, which is called out in the requirement itself and is therefore part of the requirement. That is important – Attachment 1 isn’t just some sort of guidance, but is part of the requirement).

In the April post, I noted that R1.1 simply requires the entity to develop a supply chain cyber security risk management plan; it says nothing about what that plan should contain[i]. I originally thought this was a good idea because of its purity: After all, cyber security is about risk management. The best way to deal with cyber threats is to put together a risk management plan, since there is no way anybody could ever write a set of prescriptive requirements (whether or not they’re mandatory) that would make the entity perfectly secure. The best that can be done is for the entity to assess the risks and develop a plan to mitigate the highest risks[ii] (this is what R1.1 requires the entity to do, although unfortunately the SDT left out the word “mitigate”. But the whole standard makes no sense if that word isn’t assumed to be in R1.1).

However, I later came to realize that, given NERC’s prescriptive auditing process, requiring an entity just to develop a plan, without saying what has to be in it, is a recipe for having a non-auditable requirement. Either a) the auditors will decide what they think should be in your plan and then try to hold you in violation if your plan doesn’t agree with their ideas, or b) the auditors will simply give everyone a pass as long as the plan is at least halfway credible. This is why R1.1 is unauditable.

I think b) is a much more likely scenario for what will happen with CIP-013 R1.1. So this leaves the entity (that would be you, Dear Reader) with two choices:

  1. You can develop a minimal R1.1 plan, perhaps just addressing the six items in R1.2 (since we already know they have to be in the plan - for a recipe on how to do this, go to my April post). This will make your CIP-013 compliance job much easier. And even though it’s likely your auditor will berate you – and most likely issue an Area of Concern - for not having developed much of a plan, you can still sleep at night, knowing that he or she won’t be able to give you a PNC for this (and if they do, it won’t hold up); or
  2. You can Do the Right Thing (to quote the title of a great Spike Lee movie) and actually develop a real supply chain cyber security risk management plan. This will probably put you at greater compliance risk, since if you list a risk in the plan, you will have to take steps to mitigate it. And if you don’t do a good job of mitigation, you can probably still be held in violation of R2, even though you wouldn’t be in violation of R1.1 (i.e., NERC can’t audit the plan itself, but it can audit whether or not you actually did what you said you’d do in the plan).

So which course do I recommend? Door Number 1, the easier path which may allow you to leave at 5:00 now and then? Or Door Number 2, the hard path, where you’ll have to really sit down and think about what your supply chain cyber risks are and how you will mitigate the most important risks - and then, if you don’t mitigate them to the auditor’s taste, you might well receive a PNC for violating R2?

I’m sure you can guess which door I’m advocating you should take: It’s Door Number 2. Why do I say this? All you have to do is read this post on the Russian attacks. Even though it turns out DHS greatly exaggerated the success of those attacks, that doesn’t change the most important lesson to be learned from them: Supply chain security is the number one problem for the electric power industry (and probably for most other industries as well). The attacks described by DHS (both in their briefings, and in their excellent Alert from March) were all supply chain attacks. They’ve been going on for a couple years and will most likely continue, despite the increased scrutiny after DHS’ briefings. And if you want to see the damage that a supply chain attack can cause, you just need to look at two: the Target breach of 2013 and last year’s NotPetya malware.

In almost any other question of CIP compliance, I will always take the position that the entity’s job is to design procedures and policies that provide minimal compliance with the requirements. Most of the currently-enforced CIP requirements are prescriptive, and of course all CIP requirements – as all NERC requirements in general – are audited in a very prescriptive, did-they-do-it-or-didn’t-they fashion. Even if your organization might feel that good security practice is to go beyond what a particular requirement mandates, you definitely don’t want to design CIP compliance procedures that go beyond the requirement. If you do, you’re simply inviting compliance risk.[iii]

However, for a plan-based requirement, and especially one that explicitly allows the entity to consider risk, as is the case with CIP-013, this position doesn’t apply. The whole idea of developing a plan to manage risk is that you need to allocate the resources you have (staff time and money) in a way that will mitigate the most risk possible – i.e. you need to allocate your resources so that they get the most bang for the buck.

This requires considering all the major threats (which in the case of CIP-013 are supply chain cyber threats), then ranking them by the degree of risk they pose to the BES (remember, that is what risk means in any NERC standard. It’s always risk to the BES, not to the individual entity). Then you need to go through the list, starting at the top, and decide how much in the way of resources to allocate to mitigating each risk. When you feel you have mitigated the important risks, you stop.[iv] In my opinion, that is how you develop a risk management plan.
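As an added illustration of the plan-building process just described (and of the points in item 8 of the August 31 post and footnote [iv] below), here is a small Python sketch that ranks supply chain threats by risk to the BES, funds mitigations from the top of the list down, records why an excluded threat was left out, and flags any important risk left unmitigated when the budget runs out. This is example code, not the author’s or NERC’s method; the risk score (likelihood times BES impact), the threat names, costs and budget are all constructed assumptions.

```python
"""Risk-ranked, budget-limited allocation for a CIP-013 R1.1-style plan.

Added example, not the standard's or the author's method. The risk formula
(likelihood x BES impact), the sample threats, costs and budget are all
constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Threat:
    name: str
    likelihood: int          # 1 (rare) .. 5 (expected); entity's own estimate
    bes_impact: int          # 1 (negligible) .. 5 (severe); impact on the BES
    mitigation_cost: float   # resources needed (e.g. staff-days), assumption
    applies: bool = True     # False if the entity judges it does not apply
    exclusion_reason: Optional[str] = None  # must be documented if excluded

    @property
    def risk(self) -> int:
        # Assumed scoring: risk to the BES = likelihood x impact
        return self.likelihood * self.bes_impact


@dataclass
class PlanResult:
    mitigated: List[str] = field(default_factory=list)
    unmitigated_important: List[str] = field(default_factory=list)
    excluded: Dict[str, str] = field(default_factory=dict)
    budget_left: float = 0.0


def build_plan(threats: List[Threat], budget: float,
               important_threshold: int) -> PlanResult:
    """Rank applicable threats by risk and fund mitigations top-down.

    Stops once the remaining risks fall below important_threshold. If the
    budget is exhausted before an important risk, that risk is flagged rather
    than silently dropped (the situation footnote [iv] warns about).
    """
    result = PlanResult(budget_left=budget)
    for t in threats:
        if not t.applies:
            if not t.exclusion_reason:
                raise ValueError(f"{t.name}: an excluded threat must have a "
                                 "documented reason")
            result.excluded[t.name] = t.exclusion_reason

    ranked = sorted((t for t in threats if t.applies),
                    key=lambda t: t.risk, reverse=True)
    for t in ranked:
        if t.risk < important_threshold:
            break  # everything further down is judged not important enough
        if t.mitigation_cost <= result.budget_left:
            result.budget_left -= t.mitigation_cost
            result.mitigated.append(t.name)
        else:
            # Budget gap: record it so the entity can ask for more resources;
            # keep walking the list so cheaper important risks still get funded
            result.unmitigated_important.append(t.name)
    return result


# Constructed sample threats; not data from the page or any real entity.
SAMPLE_THREATS = [
    Threat("Compromised vendor remote access session", 4, 5, 30),
    Threat("Malicious firmware or software update from vendor", 3, 5, 40),
    Threat("Counterfeit hardware in procurement", 2, 4, 25),
    Threat("Vendor fails to notify of a vulnerability", 3, 3, 10),
    Threat("Compromise of a cloud-hosted EMS vendor", 2, 5, 35, applies=False,
           exclusion_reason="No BES Cyber Systems rely on cloud-hosted services"),
]


if __name__ == "__main__":
    plan = build_plan(SAMPLE_THREATS, budget=60, important_threshold=9)
    print("Funded:", plan.mitigated)
    print("Important but unfunded:", plan.unmitigated_important)
    print("Excluded with reason:", plan.excluded)
    print("Budget left:", plan.budget_left)
```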

I hope to start doing some posts in the near future that elaborate on – at a high level – the steps you need to take to develop a plan for CIP-013 R1.1. If you are with a NERC entity or a vendor that is looking for a more in-depth discussion in order to start preparing for CIP-013 compliance, ask me about my free workshop offer, described in this post.





[i] R1.2 lists six items – they are risk mitigations, rather than risks themselves – that should be included in the plan. That isn’t because these are the six actions that the SDT decided were the most important supply chain security risks to mitigate. The six items are there because FERC specifically called for them in Order 829, which ordered NERC to develop the standard in the first place. The R1.1 supply chain cyber security risk management plan needs to include these six items, but only including them doesn’t give you a good plan.

[ii] If you’re wondering how a small utility might have the resources and know-how to conduct this whole risk-management exercise by themselves, so am I! Of course, since CIP-013-1 only applies to High and Medium impact assets – and since most of the organizations that own these assets probably do have at least some resources and know-how in this area – I don’t see this as an immediate problem for CIP-013. But for the future when Lows are included in CIP-013 in some way (and FERC might order this when they approve CIP-013-1), this will be a big issue. I would hope NRECA, EPSA, EEI and APPA could step up and help their smaller members in this process.

[iii] Of course, I’m not saying that you should limit the steps you actually take in any particular area of cyber security to the strict wording of the CIP requirement. For example, suppose you think that CIP-010 R1 doesn’t do a good enough job of capturing what an organization like yours should be doing for configuration management of BES Cyber Systems. You should definitely do whatever more you think is necessary; but just make sure not to include that in your actual compliance procedures for CIP-010 R1.

[iv] Of course, I’m glossing over the fact that it’s possible you may run out of budget before you have sufficiently mitigated the most important risks. When you see that is happening (and hopefully you’ll see it during the planning phase, not at the end of the implementation phase), you should try to get the additional resources needed to mitigate all the important risks. But if you don’t get those resources and you have to leave some important risk unmitigated, you will at least know that you mitigated the most risk possible with the resources you had - since you mitigated the different supply chain threats in the order of the risk they posed.

Wednesday, August 8, 2018

What should DHS do?



I have had a number of email conversations brought on by my recent posts on DHS’ briefings on the Russian hacking campaign against the power industry, and on some very misleading statements made in the briefings – as well as wildly exaggerated press reports afterwards. They have all come down to DHS. Here is the problem:

  • The Russians have obviously been conducting – for a couple years, it seems – a large-scale, sustained cyber attack on US utilities and IPPs; that attack is ongoing.
  • DHS has done a great job of thoroughly investigating what is going on, and explaining it all in great detail. In doing so, they have made it very clear that the power industry needs to focus on supply chain security much more heavily now, since these attacks are currently coming primarily through that vector.
  • However, some of the speakers at their recent briefings gave very misleading information about the results of this hacking, implying that it’s possible and even likely that the Russians have a lasting presence inside networks in utility control centers, where they’re just waiting for the signal to start messing with the US power grid and cause a major outage.
  • After the first of these briefings, a reporter from the Wall Street Journal wrote an article that said that about 200 “utility control rooms” had been penetrated by the Russians. Of course, if that were really the case, it would literally constitute a national emergency, not just because we all might be in the dark for a while, but because we might then be forced to consider a military response.
  • The same week as the first briefing, two DHS spokespeople clarified in meetings that no, it was just one very small generating asset whose control network had been penetrated – and then it turned out that even that was an exaggeration, since it was really two turbines in a wind farm with probably hundreds of turbines. Yet there was no effort to counter the news reports – these walk backs were heard only by a small group of industry people.
  • Even worse, the same WSJ reporter came out with another story on Tuesday, which seemed to indicate that she hadn’t heard either of the walk backs. And it seemed from her story that one person at DHS was still peddling the idea that there had been widespread penetration of the US grid. I was charitable and thought that she and the DHS person both simply didn’t understand the terms that were being used, as well as some particular facts about the structure of the US power industry. My post yesterday tried to explicate these mysteries, in my usual mind-numbing detail.

So the fact is that we have a major national news source (actually two, since the New York Times put out their own article on Friday, which I discussed in this post. The sentence that I quote toward the beginning of that post is even more alarming than anything the WSJ report said) saying there is a true national emergency, and still DHS isn’t stepping up with something like a press release - or even better a press conference - to calm things down. They need to explain what really happened, while at the same time pointing out that there is a real supply chain threat to the grid – and I will be fine if they say that the industry isn’t doing enough to counter supply chain threats, as well as that the new CIP standard for supply chain security will likely prove pretty ineffective, unless NERC or somebody steps up and tries to fix this situation (this is the topic of what I hope will be my next blog post, although I won’t rule out some new development that will require a new post on the Russian story).

DHS needs to do something. Now.




Tuesday, August 7, 2018

Obviously, this one isn't going to go away very soon



After writing four posts in a row on the Russian hacking campaign against the US power grid – three of which were really about how it was characterized and reported by DHS and the press – I thought I was finished with this issue, and I could get back to writing about what I think is really of national importance, like CIP-013 (and I’m not kidding about CIP-013 being of national importance, since all the Russian attacks were supply chain attacks, and they continue to this day).

Specifically, I thought that, after a spokesperson for DHS admitted that the only control network that was penetrated was that of a “very small” generating plant, and after a high level DHS official further qualified that statement by saying - at a meeting where the Secretaries of DHS and DoE were in the room, as well as the US Vice President – that just two wind turbines on a wind farm were compromised (not even the whole wind farm), everyone involved in the misleading statements, and the erroneous reporting of them, would have felt properly shamed and would be more careful in the future.

Thus, I was surprised – to say the least – to read a front-page article in the Wall Street Journal today entitled “U.S. Steps up Grid Defense”,[i] which indicated a) at least one DHS official continues to put out deliberately misleading statements, which contradict the statements of other supposedly official spokespersons for DHS; and b) the same reporter who wrote the original WSJ article that set off this firestorm about two weeks ago doesn’t seem to have changed her narrative of what happened at all, despite DHS’ attempts to walk this back.

I find both conclusions quite disturbing, but I also find b) to be very puzzling. The four possible explanations I can think of are:

  1. The reporter has been living in an inaccessible cave since she wrote that article, and therefore missed DHS’ walk backs of the story; or
  2. She didn’t understand what the other official DHS spokespeople said when they issued the walk backs; or
  3. She was deliberately misled again by the DHS official who made the misleading statements quoted in her first article; or (finally)
  4. That DHS official – Jonathan Homer, whose title is Chief of Industrial Control Systems Group, Hunt and Incident Response Team – doesn’t himself understand the walk backs, because of his continued misunderstanding of a few power industry terms and facts.

I’m a fairly charitable person, so I prefer either explanation 2 or 4; of course they could both be true at the same time. So this is hopefully mostly a case of two people not understanding some important facts about, and terms used by, the US utility industry (although some DHS statements were still either deliberately or recklessly misleading). I’m also a very helpful person, so I will try to lay out those facts and terms using language that all can understand (which I didn’t do when I discussed them in previous posts).

1. Who owns the stuff, anyway?
First, most generation assets in the US aren’t owned by utilities, but by independent power producers.[ii] So it was very misleading that DHS’ statements all referred to “utilities” being penetrated. But there were only two assets that they specifically said were “penetrated” by the attackers. One was the wind farm where the control network was penetrated. The other was a combustion turbine plant. DHS didn’t specifically say that a CT was penetrated, but they did display a schematic drawing (which they said in the briefing was a screen shot of a Human-Machine Interface computer, or HMI) of a CT that they said had been obtained by the attackers. It is very unlikely that the wind farm was owned by a utility. It is possible that the CT (presumably a small one, not subject to NERC CIP – which explains the ease with which the attackers obtained the screen shot) was owned by a small municipal or cooperative utility.

2. Control rooms vs. control centers
But if the CT was owned by a small muni or coop, then this points to another problem with DHS’ statements: If a small generating plant was penetrated and it was owned by a utility, even if the control room of the plant was penetrated by the attackers, this is very far from saying that the control center of the utility itself was penetrated. A control room controls a single plant, period. A control center can control multiple plants, but more often it is much more comprehensive. At utilities that are designated Balancing Authorities by NERC, the control centers balance load (demand for power) and supply (generating assets as well as power generated elsewhere that is “imported” on transmission lines) in real time – if they aren’t balanced, then bad things happen and some of the lights may go out. So whether or not a generation asset is owned by a utility, even if it is so owned and even if the utility’s control room is penetrated, that doesn’t mean there is any higher likelihood that the attackers would be able to get into the utility’s control center, than if the control room hadn’t been penetrated in the first place.

But some of DHS’ statements, quoted by the WSJ, deliberately imply that control centers were compromised. In the first article (published July 24), the following appears: “’They got to the point where they could have thrown switches’ and disrupted power flows, said Jonathan Homer, chief of industrial-control-system analysis for DHS.” You can’t disrupt power flows in the control room of a generating plant; the only thing you can do there is affect the generator(s) itself, possibly shutting it down. Only in a utility’s control center can you disrupt power flows.

DHS went even further in today’s WSJ article, saying:

In March, Homeland Security and the FBI pinned responsibility on a Russian group, often called Dragonfly or Energetic Bear, for intrusions into utilities that gave attackers remote access to critical industrial-control systems, called SCADA. These systems govern power flows and keep electricity supplies balanced with demand and thus prevent blackouts.

“They’ve had access to the button but they haven’t pushed it,” said Jonathan Homer, Homeland Security’s chief of industrial control system analysis.

SCADA systems aren’t found in power plants or wind farms. In the electric power industry, SCADA systems are only found in utility control centers, although they are usually called Energy Management Systems (EMS) there. So today, DHS - and specifically Mr. Homer - has stated that at least two utility control centers were compromised (penetrated, accessed, whatever). Of course, this means that the control networks were compromised (since SCADA systems are always on a separate control network, at least in the power industry). And Mr. Homer adds a nice little flourish by implying that the Russians have placed malware in those SCADA systems, ready to throw the US into darkness on a single word from Vladimir Putin.

Now that I think of it, this is the most depressing quote of all from DHS. After two deliberate repudiations of this idea by DHS spokespeople (see the second paragraph above), Mr. Homer is still saying the sky is falling; we should all head for the country with our guns and appropriate some property, where we can practice subsistence farming.

3. A penetrating analysis
And now there’s the word “penetrate”. Improper use of this word has gotten the US government in trouble before.[iii] Here, the problem is that DHS talked of “utilities” being “penetrated”, without saying what was penetrated. Putting aside the fact that true utilities probably weren’t penetrated in any way, the fact is that most power assets (and all utility main offices) have separate IT and OT networks. Penetration of the IT network at a generating plant is of course unfortunate, but in all but perhaps the smallest generating plants and wind farms (and in all utility offices), there is strict separation between the IT and OT networks, and it would be very difficult, although not impossible, for an attacker who had penetrated the IT network to then pivot to penetrate the OT network.

Yet DHS says that three or four “utilities” were “accessed”, although they’re saying that in only one case (the wind farm) was the control network (which is the OT network) accessed. This means that a few utility IT networks were penetrated by the attackers. Of course, this is a bad thing, but it certainly doesn’t justify the alarming statements by Mr. Homer in today’s article. IT networks don’t control power flows.

4. Who were the “victims”?
DHS uses the word “victims” very carelessly in their statements (at least I hope it was careless. If it wasn’t, we’re all victims of fraud). In the first WSJ article, the DHS briefers were quoted as saying there were “hundreds of victims”. They obviously weren’t referring to the two wind turbines that had their control systems penetrated. They also weren’t referring to the three or four “utilities” (which probably means generating plants owned by IPPs) whose IT networks were compromised. So what did they mean?

In the DHS webinar that I attended on July 24, they tried to make clear that a “victim” was an organization that was targeted or compromised. So that makes around 200 or more organizations that the Russians tried to break into but didn’t. Let’s stop here for a moment. DHS is saying that hundreds of organizations were targeted, but at most 3 or 4 were compromised, meaning that the campaign had a two percent success rate, at the very best. Is this going to set the vodka glasses clinking in St. Petersburg and Moscow? I don’t really think so; I think some official is going to get a phone call from his or her irritated boss, asking “Just how much did you say this whole thing is costing us, anyway?” My guess is there’s almost no American industry that you could target with an intensive two-year hacking campaign, that wouldn’t yield at least a two percent success rate.

But I digress. We were asking who these “hundreds” of victims are. We know they were almost all just targeted, not penetrated. But what kind of organizations were they? Were they power market participants, as again DHS implies more than once[iv]? That is highly unlikely, given a number of other things DHS said. They must mean that hundreds of vendors and “utilities” were targeted. True, the three or four organizations that were penetrated were all “utilities”. But the majority of the organizations that were targeted were almost surely vendors (including probably IT services vendors), and probably the majority of the rest were IT networks of utilities. But even calling vendors “targets” is very problematic. The Russians were aiming to obtain the ability to control assets that are essential to the US power grid, not a bunch of vendors. They decided that vendors were the best way to get into these assets (and I would agree with them in that judgment, since utilities and most IPPs have very good security for their own networks, but of course their vendors are another story).

I’d like to emphasize something else: It is very likely that even the three or four generation assets that were compromised (three just on the IT network side) were very small. This means that, even if all of their OT networks were compromised and all of the plants were taken down by the Russians simultaneously (and even if they all were very close to one another), there would have been zero impact on the grid, since the Independent System Operators and Regional Transmission Operators that actually run the grid[v] would easily be able to make up for these power losses from other sources - if they even noticed them in the first place.

Not only would there have been no immediate grid impact, but there would have been close to zero chance of the simultaneous loss of these four plants leading to a cascading outage, even if all four were actually 2500-megawatt behemoths. This is why I said previously that I see no possibility of a cyber attack that is purely focused on generation causing a major grid outage, cascading or not (for that matter, I see close to zero possibility that any purely cyber attack could cause a major outage).

P.S.
I’d like to add one postscript to this post (as well as my previous three posts on this subject): There are at least two journalists on the energy cyber beat who actually believe in waiting until they have gathered and understand all the facts before they publish anything, even though government officials might be encouraging them to rush to print with a horror story. I’m referring to Blake Sobczak and Peter Behr of the online publication Energy and Environment News.

At least Peter had attended the original DHS briefing on Monday, July 23, and after the first WSJ article came out the next day, he and I talked for about an hour on this topic. I thought I was disappointing him because I spent so much time talking about the many areas of uncertainty that still needed to be resolved, before we drew any conclusions about the import of these briefings.

As it turns out, he was as skeptical as I was, and he and Blake doggedly talked to a number of people over the rest of that week and early last week. They read DHS’ first walk back attempt, which said that only a small generation plant had been compromised. They also checked with Congressional staffers, who confirmed that DHS’ briefings to them had also emphasized the walk back. And they finally published their first article on the whole affair last Tuesday, a whole week after the first WSJ story. They followed it up the next day with an article on the briefing in New York, which Blake attended. Both articles emphasized the large scale of the Russian threat and the fact that it’s continuing, but they also both emphasized that the Russians haven’t achieved their goal of gaining a foothold in U.S. grid control centers. They haven’t even come close.

P.P.S.
I hope you don’t think I’m trying to be easy on the Russians in any of these comments. I think it’s outrageous that they undertook – and continue to undertake – these attacks. And I think it’s even more outrageous that a certain individual at the top of the U.S. government, who clearly has a good relationship with Vladimir Putin, hasn’t taken it upon himself to tell the latter person that both the grid and electoral system attacks need to stop today – because there are certainly a lot of good non-military weapons still left in the U.S. arsenal to punish any further attacks.

But it’s also reprehensible that DHS officials and staff members have both misrepresented the Russian threat to the grid and allowed much wilder misrepresentations to be published, without any public statement specifically repudiating them. I am sure they think they’re serving the greater good with these exaggerations (and their very impressive and dogged investigations are the only reason we’re having this conversation in the first place), but I can assure them that their statements and inaction are only harming the cause of grid security, not helping it.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.



[i] Because the WSJ’s web site is behind a paywall, you might have a problem reading this link. Since I have the article in hard copy, send me an email if you would like to see it in scanned form.

[ii] Although there are some generating plants (including some wind farms) that are owned by holding companies that also own utilities. But because of deregulation of generation, it is very rare that a utility itself owns generation assets nowadays.

[iii] The use of American military forces in Viet Nam was “sanctioned” by the 1964 Gulf of Tonkin Resolution, which was occasioned by the Gulf of Tonkin Incident. In that incident, North Vietnamese patrol boats were alleged to have fired torpedoes at a US warship in international waters, while the North Vietnamese said the ship had actually penetrated their waters. The official Navy report on the incident reportedly used the words “Penetration, no matter how slight…is sufficient to constitute an offense.” (I read this a few years later in some magazine; I haven’t been able to verify it through an online search.) Supposedly, these words were copied verbatim from the US military’s definition of rape.

[iv] And if they didn’t mean this at all, why didn’t they try to correct the press reports – including the WSJ’s, of course – that implied that hundreds of “utilities” had been compromised?

[v] And of course, when I have talked of “the grid” in this post – as well as many other posts – I should more correctly say the grids, since there are four Interconnects in North America: Eastern, Western, Texas and Quebec. You could completely take down any one of these and have zero direct impact on any of the others.