A long-time colleague wrote in to me last Friday regarding Thursday’s post. He pointed out to me that, not only were the statements from DHS staff members in the briefings on the Russian hacking of the grid misleading, but at least two slides they showed had text that directly conflicted with the statement from a DHS spokesperson, which I had quoted in Thursday’s post: “While hundreds of energy and non-energy companies were targeted, the incident where they gained access to the industrial control system was a very small generation asset that would not have had any impact on the larger grid if taken offline.”
Yet here are the statements from slides 18 and 19 of the presentation at the Wednesday briefing:

- (slide 18) “Used initial compromised vendor to access several U.S. energy utilities and IT service providers”
- (slide 19) “Leveraged early victim to gain entry to two previously accessed utilities and one new victim”
The combination of these two statements leads to the conclusion that a minimum of three “energy utilities” were “accessed”, as opposed to the one small generating plant (which most likely wasn’t owned by an electric utility at all) in the DHS spokesperson’s statement.[i] If DHS wants to come out and say the spokesperson’s statement was wrong and three utilities were actually accessed, so be it. But I certainly haven’t heard of that happening (Kristjen N, if that is in fact the case, please email me at the address below).
If even three electric utilities had their control centers (and presumably their EMS systems) compromised, that would be a bad thing, since a simultaneous attack on all three could possibly lead to three widespread outages, although probably not a cascading outage (like in 2003); there would then be justification for raising the alarm flags. But here we’re talking about the control room of a single very small generating plant that by DHS’ own admission doesn’t have any real impact on the “larger grid”. In my opinion, this fact, combined with the fact that hundreds of “utilities” were attacked by the Russians, leads me to believe that the industry’s defenses are in pretty good shape, not the exact opposite. This is a wakeup call, but not to cyber weakness in general at utilities. Rather, it’s a call for all utilities and IPPs to beef up defenses against supply chain attacks (as I pointed out in the first post in this series).
Yet the idea that the exact opposite is indeed the case seems to be spreading very rapidly. I had two new articles called to my attention today, including this one contributed by John Hargrove of Sam Houston Electric Coop, and this one contributed by another friend. I’m sure there will be others. Both of these articles include a quote (in fact the same one, even though it was delivered by email) by Robert Lee of Dragos. Taking DHS at their word that “utilities” had had their “control rooms” penetrated[ii], Robert points out that the activities in question – purely reconnaissance – wouldn’t be enough to be able to cause an outage.
However, Robert didn’t need to go this far. It turns out no utility control centers were penetrated, period. And even if the generating plant whose control room was penetrated was a very large one, and even if several similar generating plants were also penetrated, this would be far from a danger to the grid itself, as discussed in this post.
In other words, even though the DHS people who put together the briefings (and didn’t provide any immediate corrections when the alarming news stories started flying) were only trying to call attention to a problem, by exaggerating what had happened they have damaged their credibility for future advisories. I hope it isn’t fatally damaged, because they (specifically, the ICS-CERT) do a lot of really excellent work!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.
[i] I suppose you could interpret “accessed” to mean the attackers got into the IT network of the utility, but not the OT network; but of course this doesn’t mean they’re any closer to achieving their goal of being able to manipulate control systems (which are on the OT network, or should be) to cause an outage. In any case, if this is what DHS meant by “access”, they certainly have never stated that.
[ii] As I pointed out in my first post about this problem, to speak of an electric utility’s “control room” is essentially a non sequitur, like speaking of the Pope’s yarmulke. A control room controls an individual generating plant or substation, and is usually located at that asset. Utilities have control centers, which control many assets that generate and transmit power, as well as the assets like distribution substations that deliver that power to customers. But the single small generating plant that was actually penetrated is almost certainly not owned by a utility (most plants are owned by independent power producers, especially the small ones), and in any case its control room doesn’t control anything more than the plant itself.