Wednesday, August 8, 2018

What should DHS do?

I have had a number of email conversations brought on by my recent posts on DHS’ briefings on the Russian hacking campaign against the power industry, and on some very misleading statements made in the briefings – as well as wildly exaggerated press reports afterwards. They have all come down to DHS. Here is the problem:

  • The Russians have obviously been conducting – for a couple of years, it seems – a large-scale, sustained cyber attack on US utilities and IPPs; that attack is ongoing.
  • DHS has done a great job of thoroughly investigating what is going on, and explaining it all in great detail. In doing so, they have made it very clear that the power industry needs to focus on supply chain security much more heavily now, since these attacks are currently coming primarily through that vector.
  • However, some of the speakers at their recent briefings gave very misleading information about the results of this hacking, implying that it’s possible and even likely that the Russians have a lasting presence inside networks in utility control centers, where they’re just waiting for the signal to start messing with the US power grid and cause a major outage.
  • After the first of these briefings, a reporter from the Wall Street Journal wrote an article that said that about 200 “utility control rooms” had been penetrated by the Russians. Of course, if that were really the case, it would literally constitute a national emergency, not just because we all might be in the dark for a while, but because we might then be forced to consider a military response.
  • The same week as the first briefing, two DHS spokespeople clarified in meetings that no, it was just one very small generating asset whose control network had been penetrated – and then it turned out that even that was an exaggeration, since it was really two turbines in a wind farm with probably hundreds of turbines. Yet there was no effort to counter the news reports – these walk backs were heard only by a small group of industry people.
  • Even worse, the same WSJ reporter came out with another story on Tuesday, which seemed to indicate that she hadn’t heard either of the walk backs. And it seemed from her story that one person at DHS was still peddling the idea that there had been widespread penetration of the US grid. I was charitable and thought that she and the DHS person both simply didn’t understand the terms that were being used, as well as some particular facts about the structure of the US power industry. My post yesterday tried to explicate these mysteries, in my usual mind-numbing detail.

So the fact is that we have a major national news source (actually two, since the New York Times put out its own article on Friday, which I discussed in this post; the sentence I quote toward the beginning of that post is even more alarming than anything the WSJ report said) saying there is a true national emergency, and still DHS isn’t stepping up with something like a press release, or even better a press conference, to calm things down. They need to explain what really happened, while at the same time pointing out that there is a real supply chain threat to the grid. I will be fine if they also say that the industry isn’t doing enough to counter supply chain threats, and that the new CIP standard for supply chain security will likely prove pretty ineffective unless NERC or somebody steps up and tries to fix this situation (this is the topic of what I hope will be my next blog post, although I won’t rule out some new development that will require a new post on the Russian story).

DHS needs to do something. Now.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.         

1 comment:

  1. Honestly, I don't even believe their findings. They are vague enough to apply to nearly any sector and any country given the 100,000 PETABYTES that are shared across the internet every month.

    Furthermore, the packaging strangely reminds me of my father's retelling of McCarthyism-style propaganda - again with Russia as the target of U.S. Government. "Find me the person (country?) and I'll create the crime."