I’ve written five posts on the July Wall Street Journal story that essentially said the Apocalypse was just around the corner in the US, because hundreds of utility control centers have been penetrated by the Russians - where they’re lying in wait for the signal from the Kremlin to put the US in darkness for perhaps years. The story was based on one reporter’s confused understanding of a briefing that DHS (the NCCIC, specifically) gave, regarding a huge multi-year campaign by Russian government-sponsored hackers to penetrate the US grid.
Unfortunately, the reporter’s confusion was aided and abetted by the DHS presenters’ language in the briefing, which was either deliberately misleading or recklessly worded. Since the briefings, there have been a couple of statements by DHS. The first one pointed out that only one small generation facility was actually penetrated; the second statement narrowed that even further, saying that only two wind turbines were penetrated. My unprintable reaction to hearing these two statements was summarized in this post and in the note I appended to it less than a week later. I then wrote a long post attempting to thoroughly debunk the claims, and followed it up with a polite suggestion to DHS that they make a real effort to clear up this story – like a press release stating that, while US utilities need to keep up and even increase their cyber defenses, there is no imminent (or even remotely likely) threat of the Russians shutting down the US grid through cyber means.
You will be astounded to hear that DHS didn’t take me up on my suggestion. So guess what? Today, a longtime industry observer called my attention to this press release on Senator Ed Markey’s website. Sen. Markey is one of the Senators most concerned with cyber security issues, and has introduced a number of bills proposing cyber measures. He obviously has never been told that the WSJ story isn’t to be believed.
This press release announces that the Senator has sent queries to fourteen utilities (ten investor-owned and four Federal power-marketing agencies like TVA and BPA) and four agencies (DoE, DHS, FERC and NERC). Why is he sending these? Sure enough, the third sentence refers to the WSJ article and states “in 2016 and 2017, hackers backed by the Russian government successfully penetrated the U.S. electric grid through hundreds of power companies and third-party vendors”.
The query asks 1) if the utilities have been penetrated (of course, the answer to this question will be resoundingly “No”); 2) what measures the utilities are taking to avoid being penetrated; and 3) how they’re mitigating three particular vulnerabilities.
Of course, this is all good clean fun; I’m not suggesting the Senator shouldn’t be asking these questions, even though answering the second and third questions will require a lot of work on the part of the utilities (all ultimately paid by the ratepayers, to be sure). But I really wish DHS would set him straight and say:
a) We exaggerated some things in our briefings, and the WSJ reporter got a little carried away when she wrote the article. Furthermore, we didn’t immediately make any clarification, which allowed the story to get widely established in the popular press as well as in the cyber security community. Now it seems to have been accepted as fact throughout the country, including Congress. Our two subsequent narrow clarifications got very little attention, mainly because we didn’t make an effort to get the word out beyond the immediate small audiences. We still haven’t (for whatever reason) forcefully addressed the wildly inaccurate statements in the original WSJ article, which are at the root of this madness.
b) We seem not to be trying to actually squelch this story, but at the same time we’d like you to know that the whole premises of your query are completely wrong.
c) This isn’t to say it’s a bad idea to ask the utilities what they’re doing to protect the grid – you’ll certainly receive volumes of information in response (although if you expect the utilities to send you information about vulnerabilities and counter-measures, you’re going to have to be able to provide iron-clad assurances that it will be safe – which will be hard to do, by the way. You may have to settle for some more general assertions without details).
d) But in place of premising your query on the idea that the grid has been thoroughly compromised, you might instead premise it by saying the utilities have done a wonderful job of resisting the concerted Russian attack so far – and perhaps they should all be given the Medal of Freedom for that. After all, after two years of pounding the utilities (and IPPs) from every direction, the most the Russians were able to come up with was a compromise of two wind turbines, with a likely total rated capacity of no more than 3 MW. Whoever is in charge of this operation should be dreading the day he gets a phone call from his boss: “Boris, please clean out your desk and come into my office, so we can discuss just exactly what we’ve achieved with all this money you’ve spent trying to penetrate the US power grid.”
Affectionately,
DHS
If I were DHS, I would store some of the above letter as boilerplate, since they’ll need it often in the coming months and years - as it’s clear nothing (or nobody) is going to kill this story. I wouldn’t be surprised if, in one or two years’ time, this story starts to appear in history textbooks, so eighth graders can learn that the electricity supply they depend on to maintain their entire lifestyle will most likely disappear at any minute, leaving them to finish their short, miserable lives in darkness, cold and hunger. Such is the power of the press!
One other note: There’s a guy at the top of the government who gets very excited about stories in which it looks like the press has made a big mistake. If he knew about this story, he would be convinced that it’s another plot by the liberal media to undermine him, were it not for one inconvenient fact: The news outlet that wrote the story isn’t normally considered part of the liberal media.[i] That spoils the whole narrative.
Thank God for small favors.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.
[i] Truth be told, the Wall Street Journal is really two papers: The news people are very much un-ideological and are normally determined to follow the truth wherever it leads (and in fact, I believe the WSJ has the best cyber reporting of any major US newspaper. The confusion in the article in question is related to a lack of understanding of the electric power industry and how it operates, not of cyber security). On the other hand, the editorial page is very much old-school conservative. I’d love to attend one of their office holiday parties.