Sunday, February 10, 2019

“Curiouser and curiouser, cried Alice…”

Imagine what might happen if the following news was announced:

“The Ukraine State Intelligence Service stated in its just-released Worldwide Threat Assessment that Moscow is now staging cyberattack assets to allow it to disrupt or damage the Ukraine’s civilian and military infrastructure during a crisis.

“It specifically noted the Russian planting of malware in the Ukraine electricity grid. Russia already has the ability to bring the grid down “for at least a few hours,” the assessment concluded, but is ‘mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.’”

And what if this news came only a few weeks after a Wall Street Journal article quoted the Technical Director of Security Response of Symantec Corp. as saying “…about two dozen Ukrainian utilities were breached. Hackers penetrated far enough to reach the industrial-control systems at eight or more utilities”?

Don’t you think this would cause a big stir? After all, in 2015, when the Russians staged a successful attack on three Ukrainian distribution utilities, causing about a five-hour outage that affected hundreds of thousands of people, the news hit the US power industry like a thunderclap. Top security professionals from the Department of Homeland Security, the NERC E-ISAC, SANS, DoE and other organizations immediately jumped on planes and headed to the Ukraine to investigate this. DHS held briefings in many American cities. Reports were published detailing what had happened down to the minute.

This was considered to be a watershed for the power industry worldwide (the first reported loss of load due to a cyber attack), and – while many industry observers gloated that the Russians would never be able to be so successful in the US, due to much stronger cyber security controls here and also due to the NERC CIP standards! – many others weren’t so sure, and said the Ukraine situation was more a case of “There but for the grace of God go I.”

Yet the 2015 attacks were on just three distribution utilities. Since the attacks described above breached two dozen utilities and penetrated the control systems of eight of those, it’s a very good assumption that malware was planted that could lead to a far more serious outage. Don’t you think there would be a much bigger response to these new reports? More specifically, don’t you think there would be another big investigation, for two reasons? First, out of simple goodwill toward the Ukrainian people, since they face a huge and ruthless foe? And second, out of concern that whatever attacks the Russians are conducting in the Ukraine are tests for attacks they could use on power grids worldwide?

At this point, you’re supposed to say “I would certainly think so!” And I agree with you 100%.

Well, the quotes above were actually published, the first in the Times and the second in the Journal. But there were a couple small differences between what I’ve quoted above and the actual quotes. One is that the country in question was the US, not the Ukraine. The other is that the agencies that wrote the 2019 Worldwide Threat Assessment were the FBI and CIA. I wrote about the NYT article in this post and the WSJ article in this one.

Yet where is the outrage? Where are the frenzied press releases and briefings? And where are all of the investigators rushing to find out what happened? Does anyone know where they are? I hope we don’t have to put them on milk cartons.

Let’s be clear. The Times quoted the 2019 Worldwide Threat Assessment put out by the FBI and CIA as saying

  • Moscow is now staging “cyberattack assets” (which presumably include malware) to allow it to disrupt or damage our civilian and military infrastructure during a crisis.
  • Malware has been implanted in the US grid that could be used today to cause outages.
  • Perhaps most ominously, Russia is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.

At the same time, Symantec, who has collaborated with DHS in investigating the Russian attacks in the US, is saying very specifically that at least eight US utilities have been penetrated at the control system level, meaning malware is almost certainly planted in all of them. Hopefully the eight utilities don’t include Southern Cal Edison, PG&E, ConEd, Commonwealth Edison, CenterPoint and other utilities serving major metropolitan areas. But even if they’re all small distribution-only coops in the middle of North Dakota, eight US utility control networks penetrated is still eight more than are known to have been penetrated previously. And as we know, utility control centers are by their very nature connected to other utility control centers as well as to Regional Transmission Organizations like PJM. The infection might very well spread.

Here’s another quotation from the January WSJ article: “In briefings to utilities last summer, Jonathan Homer, industrial-control systems cybersecurity chief for (the Department of) Homeland Security, said the Russians had penetrated the control-system area of utilities through poorly protected jump boxes. The attackers had ‘legitimate access, the same as a technician,’ he said in one briefing, and were positioned to take actions that could have temporarily knocked out power.” Again, Mr. Homer wasn’t saying that outages were caused, but the fact that the Russians were “positioned” to do that almost certainly means they’ve planted malware in control systems operated by at least two utilities (since he used the plural).

Of course, none of these reports should just be taken at face value. Some of the people quoted may not have fully understood what they were saying; e.g. they may have meant “small generating plants” when they said “utilities”, etc. And I don’t know what kind of power expertise the FBI and CIA have, but it’s possible they may be misinterpreting data they’ve received. So there’s reason to be skeptical of these reports.

But here’s an idea: If we’re skeptical of these reports, why don’t we…you know…investigate them to determine whether they’re accurate or mistaken? Yet I’ve heard literally nothing about any investigation. Nor have I heard the slightest bit of outrage expressed – by the Federal government, the power industry, you name it – that the Russians are taking such deliberate steps to potentially cripple the US economy and our military capabilities. And DHS has amply documented that they are taking those steps, whether or not they’ve actually penetrated control networks. They’re trying really hard.

This lack of a response is more than passing strange. I would very much like to see one (or more) of the following organizations investigate this (they’re not in any particular order):

  1. The NERC E-ISAC
  2. FERC
  3. Idaho National Lab
  4. SANS
  5. DoE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER)
  6. Dragos, Inc. (who did a great job of investigating the malware used in the second Ukraine attacks, and due to that and other smart moves has become almost an ICS security institution, much to their credit)
  7. Hercule Poirot
  8. James Bond
  9. Judge Judy
  10. Sam Spade

In other words, I would like to see somebody get to the bottom of this and let us know what happened. And of course, if it turns out that malware has actually been implanted, wouldn’t it be kind of a good idea to…you know…let utilities know about it – so their cyber staff might just mosey over to their control systems, to see if the malware might be sitting there, too? Why would they want to do this, you ask? Well, curiosity for one reason – it would certain be interesting to know if your employer was a member of the first group of US utilities ever to be breached at the control system level. But also - and this might sound silly to you - it did occur to me that utilities might actually want to remove malware that’s implanted in their control networks. But they would need to know what to look for, since it’s not likely the Russians named the files Malware1, Malware2, etc. This is of course the main reason why we need an investigation, and I find it literally incomprehensible that one wasn’t launched at least after the Worldwide Threat Assessment in January.

As I pointed out in my previous post on this, there really are two investigations in question now. The immediate one is the one I just described – this is a technical investigation by experts. The second investigation would probably be a criminal one. It is only needed if it turns out the reports of Russian penetration of utility control centers are true, and it turns out that somebody deliberately tried to suppress them last summer, when Jonathan Homer of DHS first made them and people at DHS soon put out at least three mutually contradictory stories that minimized what the Russians had achieved. I certainly hope this second investigation isn’t needed – but again, unless we do the first investigation, we’ll never know if the second one is needed, will we?

Curiouser and curiouser, indeed!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at

No comments:

Post a Comment