The above is the title of a really hilarious film I remember from my childhood,
in which – at the height of the Cold War – a
Russian sub runs aground near a small island off New England. Crew members head
into town to find a boat to pull them off, and in the process some of the
townspeople become convinced they are the spearhead of an invasion, and almost
ignite World War III. It seems we have a modern-day version of this film
playing out with DHS, since their exaggeration of
the success of Russian hackers in penetrating the US power grid is
unfortunately becoming a fast-spreading meme that may be unstoppable.[i]

Here is an excerpt from an article that appeared on the New York Times website
on Friday:

This week, the Department of Homeland
Security reported that over the last year, Russia’s military intelligence
agency had infiltrated the control rooms of power plants across the United
States. In theory, that could enable it to take control of parts of the grid by
remote control.[ii]

Yesterday evening, after seeing this article, I sent the following letter to the
news editors of the Times (which by the way I think is a great paper, very
dedicated to finding the truth. But being dedicated to the truth doesn’t mean
you can’t be misled by people in government who have more information than you
do, and have exaggerated an already-serious situation, for whatever reason):

Please stop promoting the story that
the Russians have substantially penetrated the US power grid. While that was
the tenor of DHS' initial briefing, it turns out DHS was wildly exaggerating.
While hundreds of power plants (not utilities per se) were targeted by the
Russians, they succeeded in penetrating the control systems of exactly one very
small generating plant, which by DHS' own admission would have no significant
impact on the power grid:
"While hundreds of energy and
non-energy companies were targeted, the incident where they gained access to
the industrial control system was a very small generation asset that would not
have had any impact on the larger grid if taken offline." (this is a quote
from DHS spokesperson Lesley Fulop, which appeared in an article
on Power magazine's website on July 24)
Of course, it is true that the Russians
are targeting the power grid constantly, and as your article points out, this
has stepped up lately as election hacking seems to have fallen out of fashion
in Russia. However, so far they have made no significant headway. Electric
utilities in the US have invested very heavily in cyber security and continue
to do so. While the utilities need to step up their efforts even further - and
they are doing so - there is no need for Americans to lose sleep worrying whether
a major cyber attack will bring down the US power grid. It isn't going to
happen.

I sincerely doubt we’ve heard the end of this story.

Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – especially on compliance with
CIP-013. And if you’re a security vendor to the power industry, TALLC can help
you by developing marketing materials, delivering webinars, etc. To discuss any
of this, you can email me at the same address.

[i] The biggest difference between the film and the current situation is that the
Russian hackers are actually malign – or at least they’re being paid to be
such. The Russian sailors in the film had nothing but good will toward the
Americans, and the film had a very happy ending.
One reason the film was so funny is that one of its
stars was Jonathan Winters, perhaps the funniest man that ever lived. He could
have read the phone book and had you in stitches.

[ii] While the article does go on to point out that the hackers made no attempt to
actually take control of the plants (which is also what DHS said), it repeats
the canard that a large number of “control rooms” were penetrated – leaving
open the possibility that malware has been implanted, so that just a single future
signal would bring down scores of generating plants. This is simply not true.
One very small plant was penetrated, and I’m sure it’s probably been made one
of the most secure power plants in the world after this incident was
discovered.