Saturday, July 28, 2018

The Russians are coming! The Russians are coming!

The above is the title of a really hilarious film I remember from my childhood, in which – at the height of the Cold War – a Russian sub runs aground near a small island off New England. Crew members head into town to find a boat to pull them off, and in the process some of the townspeople become convinced they are the spearhead of an invasion, and almost ignite World War III. It seems we have a modern-day version of this film playing out with DHS, since their exaggeration of the success of Russian hackers in penetrating the US power grid is unfortunately becoming a fast-spreading meme that may be unstoppable.[i]

Here is an excerpt from an article that appeared on the New York Times website on Friday:

This week, the Department of Homeland Security reported that over the last year, Russia’s military intelligence agency had infiltrated the control rooms of power plants across the United States. In theory, that could enable it to take control of parts of the grid by remote control.[ii]

Yesterday evening, after seeing this article, I sent the following letter to the news editors of the Times (which by the way I think is a great paper, very dedicated to finding the truth. But being dedicated to the truth doesn’t mean you can’t be misled by people in government who have more information than you do, and have exaggerated an already-serious situation, for whatever reason):

Please stop promoting the story that the Russians have substantially penetrated the US power grid. While that was the tenor of DHS' initial briefing, it turns out DHS was wildly exaggerating. While hundreds of power plants (not utilities per se) were targeted by the Russians, they succeeded in penetrating the control systems of exactly one very small generating plant, which by DHS' own admission would have no significant impact on the power grid:

"While hundreds of energy and non-energy companies were targeted, the incident where they gained access to the industrial control system was a very small generation asset that would not have had any impact on the larger grid if taken offline." (this is a quote from DHS spokesperson Lesley Fulop, which appeared in an article on Power magazine's website on July 24)

Of course, it is true that the Russians are targeting the power grid constantly, and as your article points out, this has stepped up lately as election hacking seems to have fallen out of fashion in Russia. However, so far they have made no significant headway. Electric utilities in the US have invested very heavily in cyber security and continue to do so. While the utilities need to step up their efforts even further - and they are doing so - there is no need for Americans to lose sleep worrying whether a major cyber attack will bring down the US power grid. It isn't going to happen.

I sincerely doubt we’ve heard the end of this story.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.         

[i] The biggest difference between the film and the current situation is that the Russian hackers are actually malign – or at least they’re being paid to be such. The Russian sailors in the film had nothing but good will toward the Americans, and the film had a very happy ending.

One reason the film was so funny is that one of its stars was Jonathan Winters, perhaps the funniest man that ever lived. He could have read the phone book and had you in stitches.

[ii] While the article does go on to point out that the hackers made no attempt to actually take control of the plants (which is also what DHS said), it repeats the canard that a large number of “control rooms” were penetrated – leaving open the possibility that malware has been implanted, so that just a single future signal would bring down scores of generating plants. This is simply not true. One very small plant was penetrated, and I’m sure it’s probably been made one of the most secure power plants in the world after this incident was discovered.
