In yesterday’s post, the latest but probably not the last in a series of posts stemming from some (either intentionally or unintentionally) misleading information that DHS recently put out about Russian cyberattacks on the US power grid, I said “…the utilities have done a wonderful job of resisting the concerted Russian attack so far – and perhaps they should all be given the Medal of Freedom for that. After all, after two years of pounding the utilities (and IPPs) from every direction, the most the Russians were able to come up with was a compromise of two wind turbines, with a likely total rated capacity of no more than 3 MW.”
Always having been a numbers guy, I decided to quantify how big the Russian success really was. So I divided 3 MW, the total generation penetrated[i] by the Russians, by 10.2 gigawatts (billion watts), the total 2016 summer generation capacity in the US.[ii]

I ominously announce that the (at least) two-year Russian campaign to penetrate the US power grid has directly compromised a grand total of (drumroll, please) .0000294117647 percent of total US generation capacity! I’ll pause here so you can absorb the magnitude of this disaster, and perhaps start inquiring about immigration visas to New Zealand. Better to get out now, before the rest of the US population realizes the peril they’re in….
OK, if you’re still with me now, you realize that the Russian campaign has so far been a dismal failure by any stretch of the imagination (well, maybe not any stretch of the imagination. There seem to be a few very imaginative people who think otherwise). Instead of talking about the laughably inadequate cyber defenses of US utilities, we should be talking about honoring the utilities for standing like Horatius at the Bridge, guarding their fellow citizens (and legal immigrants, of course) against the oncoming enemy army. This is a great success story.
Of course, I’m certainly not saying that the utilities have found the key to permanent cyber security, and they can now recline on their couches while good-looking Roman citizens feed grapes into their mouths. In particular, the DHS briefings made it very clear that the Russian attacks are continuing and that supply chain is the preferred vector for attacks, at least in the near future. The briefings also made it far from clear – but you could find this if you pull their statements apart very carefully – that the electric power vendor community definitely has weak cyber defenses, underlining the need for even better[iii] supply chain security.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.
[i] Meaning the control systems controlling that generation were accessed, even though the attackers didn’t take any action to shut it down. I get the 3 MW from my assumption that the average wind turbine has a capacity of 1.5 MW. That might be a little low or a little high, but it obviously doesn't change my argument.
[ii] Since our concern here is really the total available power supply, not just that part generated in the US, we should really add imports from Canada. The US imported 72 terawatt-hours of electricity from Canada, but trying to transform that into a number that could be compared with total US generation would be very hard, and above my pay grade. I’ll just stick with total US generation, since that’s certainly large enough to make my point.
[iii] One thing I noted about the DHS briefing and report: It sounded like the only way that supply chain attacks on utilities and IPPs could bear fruit is through remote access to OT systems. There are lots of other vectors for supply chain attacks: infected patches, watering hole attacks, tampering with products en route to the customer, etc. These all need to be protected against.