Monday, October 4, 2021

The grid has been compromised! You need to buy my stuff!

Forbes Magazine seems to be making a specialty out of publishing stories with the following simple marketing scheme, requiring that just two boxes be checked:

1. Box One: The grid has been compromised! No evidence is presented for this assertion, but hey – would Forbes publish somebody who lies? Answer: Yes.

2. Box Two: The only thing that can really save the industry – and therefore the whole country – is my (insert name of product here).

There’s almost a crystalline beauty to this scheme. It seems people want to believe the power grid can be brought down with the wink of an eye by some guy in China. And, of course, everybody wants to think there’s a simple solution to their problems, especially when the problems are imaginary ones.

So Forbes, being – according to their own logo – the “capitalist tool” par excellence, was the perfect venue to publish a story (written by a woman who sums up her work as "I distill energy policy and technology movements", whatever that means) about a box that’s going to save the grid. As Ron Indeck, CEO of Indeck Security, himself said, “What’s being used now is not working. We’ve seen water supplies compromised. We’ve seen oil and gas delivery systems compromised, and we’ve seen the electrical grid compromised.”

So there you have it. Ron Indeck – you know him, don’t you? – says the grid has been compromised. That’s all you need to know. Check the first box.

What can save the industry? Would it astound you greatly if I told you that it’s a product that Ron just happens to sell? And it’s just icing on the cake that it’s literally a box – in this case a very simple box with just two ports: “Network” and “Endpoint” (and if you don’t believe it’s that simple, look at the picture in the article. After all, pictures don’t lie, even if Ron does). What could be simpler? You just plug the network into the box, and according to what Ron says – remember, Ron doesn’t lie, except about grid compromises – up to 2,000 endpoints will be protected.

Of course, Ron’s box is so simple, yet so powerful, that no software reconfiguration is required on any of the devices (and shame on you if you wonder whether this means the device doesn't do anything at all! You're obviously not enlightened enough to understand someone who "distills energy policy and technology movements"). All you have to do is plug in the network. Check the second box.

Now, if I were a skeptical person, I might ask how the box is going to handle all the really critical devices found in substations and generating plants that only connect via serial protocols, and therefore won’t be able to connect to Ron’s box at all. But fortunately, I’m not a skeptical person.

And I would also be quite skeptical about the very helpful statement from a former FERC commissioner, Branko Terzic, who says “They would be plant in service [rate base] and be depreciated over their economic lives. The cost of the Q-Box like other assets is part of the revenue requirement upon which rates are based. As rate base the Q-Box both earns a return and creates a depreciation expense.”

I’ll note that people trying to sell into the power industry often get enamored with the idea that the product they’re selling will just go right into the rate base, so it’s essentially free (it always helps your sales if your product is free. That’s why this blog is so successful). Anybody who’s actually worked for a regulated utility will tell you that, just because the utility wants to put something in the rate base, that doesn’t mean the PUC will let them, and even if they do, it will be years before the money comes back to them. Being a former utility regulator, one would expect Mr. Terzic to know this. But fortunately, I’m not skeptical.

I also might have been skeptical when the article brought up yet another member of its rogues’ gallery, this time the CEO of Sedulous Consulting Services (although I wonder if that really means “Credulous”). Under a section heading reading “Who you can trust”, he – believe it or not – states that “We hear about Colonial [pipeline hacking] but those in the news are only a quarter of what’s really going on”. Wow! He sure sounds like he knows about the grid. Does he work with power sector companies? No, he's primarily a military contractor. But he has done some work (unspecified) for DoE – that's all you need to know.

So why should you trust him? Well, it seems “By November, DOD could add Sedulous to its list of four U.S. companies certified by the U.S. government to judge the capability and integrity of other cyber software companies.”

Very impressive! This guy’s company might get added to a list of companies certified to judge other software companies! That’s great. But…what if he doesn’t make the list? And more importantly, what does it mean to judge the “capability and integrity” of a “cyber software” company, anyway? It’s a good thing I’m not skeptical.

Is he a big supporter of Ron's box? No, he never mentions it. So why is he in this story? Beats me. I guess he's there to support the idea that the grid will collapse any day now, based on the fact that, well, he uses electricity. He must know what he's talking about!

I’ll stop here. It’s late now, and I need to go to bed and think about how I can get on this gravy train that Forbes is perfecting. Let me see…I just need to write a post that says two things:

1. Because of my special knowledge of the US power grid and the idiots who run it without the slightest thought about security, I can absolutely guarantee that – if we don’t do something differently – the grid will go to hell in a handbasket by Thursday of next week.

2. Fortunately, I just happen to know the secret tweak that every utility can make to its network, which will make the grid absolutely immune to further attacks. If only a thousand utilities will pay me $5,000 by next week, I’ll reveal the secret and save the country (and forget what I just said about being idiots. You guys are really geniuses. That’s why you will all immediately send me $5,000. You can even use PayPal).

How could you possibly lose?

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Technology and Information Administration’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
