Friday, December 6, 2019

News from the Russian front


One of my favorite experiences during NERC GridSecCon 2018 was hearing from Karen Evans, who earlier that year had become Assistant Secretary of DoE and head of the then-new DoE Office of Cybersecurity, Energy Security, and Emergency Response (CESER). She had received a lot of very good press, partly due to her appearances before Congress when she came into that role. And she didn’t disappoint when she spoke last year. She is quite dynamic, but also clearly someone who doesn’t just talk a good game, but executes a good game as well.

She returned to GridSecCon this year, and once again made a very good speech. I was most struck by one thing that she urged her listeners to do: read the bottom of page 5 and the top of page 6 of this year’s Worldwide Threat Assessment, which was presented to the Senate in January by the directors of the FBI, CIA and Office of National Intelligence. Here is the section that she referred to:


“We assess that Russia poses a cyber espionage, influence, and attack threat to the United States and our allies. Moscow continues to be a highly capable and effective adversary, integrating cyber espionage, attack, and influence operations to achieve its political and military objectives. Moscow is now staging cyber attack assets to allow it to disrupt or damage US civilian and military infrastructure during a crisis and poses a significant cyber influence threat—an issue discussed in the Online Influence Operations and Election Interference section of this report.

Russian intelligence and security services will continue targeting US information systems, as well as the networks of our NATO and Five Eyes partners, for technical information, military plans, and insight into our governments’ policies.

Russia has the ability to execute cyber attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure—such as disrupting an electrical distribution network for at least a few hours—similar to those demonstrated in Ukraine in 2015 and 2016. Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.” (my emphasis)


Ms. Evans didn’t say much if anything about this passage, except that everybody should read it. Of course, the last paragraph is the one that she was undoubtedly most concerned about.

This isn’t news to any of us, so why am I even bothering to bring this up now? Before I tell you why, I want to point out that this isn’t the first set of disturbing reports about Russian cyber activity against the US power grid. The other reports include:

  1. DHS’s briefings on Russian supply chain attacks on the power industry in July 2018.
  2. A Wall Street Journal article in January that a) described a different wave of Russian attacks through the supply chain, this one utilizing phishing emails, and b) quoted Vikram Thakur of Symantec as saying that “..his company knows firsthand that at least 60 utilities were targeted, including some outside the U.S., and about two dozen were breached. He says hackers penetrated far enough to reach the industrial-control systems at eight or more utilities.” (my emphasis).
  3. E&E News reported in May that 200,000 “implants” (i.e. pieces of malware) had been installed in US water, gas and oil, and electric power infrastructure, according to the former deputy director of the NSA. Who did this, you ask? Who else, but our good friends in St. Petersburg and Moscow?

Given this, if you dropped into the US from, say, Mars, you would be amazed if I told you there has been no activity (discernible by myself or anybody else I know, which includes a number of people with security clearances and an indisputable need to know about any malware implanted in the grid) to root out this malware that has been implanted, or at least to investigate whether the reports are true or not.

Of course, it’s possible that all of the people mentioned above have been misled in some way, or they just don’t have the technical knowledge required to make statements like this – and there is no truth at all to these reports. That’s why I’ve repeatedly called for an investigation by some body (part of the government or quasi-government, like NERC), to find out once and for all whether these reports are true. Maybe they’re all completely false, in which case everybody can sleep well from now on (or at least this will be one thing that won’t keep us awake at night. The Lord knows there are lots of others!). But until there’s an investigation, we have to believe there’s some truth to them, and the Russians could cause power outages in the US at any moment.

But if you’ve been reading this blog for a while, you must know that my calls for an investigation have fallen on totally deaf ears. I’ve heard no confirmation that any organization is investigating this, or that any organization is even considering doing so. Again, why am I bringing this up again? Why don’t I just drop the subject and do like a lot of others seem to be doing nowadays – making my accommodation with Russia, since they seem intent on having their way with us and we seem intent on letting them do that (of course, that’s natural. Their economy is about half the size of California’s, but they do have one thing that California doesn’t – a huge nuclear arsenal)? And here they even tried to give me a medal, which I would have accepted if they hadn’t asked me to come to the Russian embassy to accept it. Knowing what happened to Mr. Khashoggi at the Saudi embassy in Istanbul, I decided that the medal wasn’t worth it.

So what has changed? Yes, Karen Evans pointed out the WTA story for the .002% of the people in the hall who hadn’t already heard about it – but does this bring us any closer to an investigation? I’ll admit it probably doesn’t, but what I found significant is that it demonstrates conclusively that the two biggest reasons people have proffered to me for the lack of an investigation are invalid.

I’ve heard a lot of reasons why there’s no investigation (most of which are put forth by people who are naïve, but some of which may point to a murkier motive), and I hope to write a post one of these days listing them all – I’ve heard at least 15 so far. However, by far the two most common reasons are:

  1. There’s been an investigation, but the results are classified; and
  2. Appropriate agencies are actually working on this, but they’re not at the point yet where they can reveal any findings.

Both of these reasons can be easily debunked, but Ms. Evans’ talk in October did that for me. She wouldn’t have asked everyone to look at the WTA if she’d thought either one of these was true. If either one was true, she would have definitely known about it.

So why did she bring this up? Is she thinking we all need to press harder for an investigation? There’s clearly nothing the industry can do from a technical point of view – that they’re not doing already, of course – without knowing something about the malware that’s implanted and how it got there. It’s not likely the Russians named the malware files Russianmalware1, Russianmalware2, etc. The industry got specific information on the malware – in unclassified and classified briefings – within a few weeks (if not less time) of the Ukraine attacks. But here we are almost 11 months after the WTA came out, and there hasn’t been any word at all about the malware referred to in that report. And the WTA is talking about threats to the US, not the Ukraine!

So I assume Ms. Evans wants us to press harder, and I’m happy to oblige her. In fact, I’d like to press her on this. One of the agencies that would be near the top of my list to do this investigation is Idaho National Laboratories, which is of course part of DoE. Why doesn’t she talk to them about doing it (although I know she doesn’t have direct authority over INL)?[i]

If I hear anything more on this, you’ll be the first to know!


Postscript
You might be inclined to think that it’s no big problem if these reports aren’t investigated, since nobody – in the power industry or the general public – seems too concerned about them. But here you’re wrong. This was pointed out to me by a book review that appeared in the Wall Street Journal on August 8 (I’ve had the print copy sitting on my desk since then, thinking I’d soon get time to write about it).

The review was of a book called “The Fifth Domain”, by Richard A. Clarke and Robert K. Knake. It’s about foreign cyberattacks on US private infrastructure. It contains this paragraph:


“The authors propose a new backup national power grid that would not be connected to the internet. Without it, they say, the U.S. is defenseless against “somebody like the Russian GRU, engaging in a cyberattack that would technologically revert us to the nineteenth century, but without all the equipment that people in the nineteenth century had to deal with life in a society without electricity.”


In other words, the authors of this book (and Richard Clarke is a very well-known figure with lots of high-level government experience) believe the US grid is so untrustworthy that we need to take the drastic step of building an entire backup grid that won’t be connected to the internet and therefore isn’t likely to be infected with all of the malware, etc. that the current grid is infected with.

Of course, this proposal is very unlikely to get anywhere, since it would require an absolutely enormous expenditure. But if sophisticated, well-connected people like Richard Clarke believe this needs to happen – in part because of reports that the current grid is already riddled with Russian malware – it’s almost inevitable that sooner or later there will be some call for other steps, such as taking the security of the grid completely away from NERC and FERC and handing it to the military, which will meet with real approval. And at that time, it will be quite hard for the power industry to argue that it’s absolutely sure the grid is very secure – except, of course for all the reports that say it isn’t, which haven’t been investigated at all. "Just trust us: Other than the malware discussed in those reports, our grid is completely secure!"


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.


[i] I might have asked this question after her talk, but there was no time for questions.
