I have had a number of email conversations brought on by my recent posts on DHS’ briefings on the Russian hacking campaign against the power industry, and on some very misleading statements made in the briefings – as well as wildly exaggerated press reports afterwards. They have all come down to DHS. Here is the problem:
- The Russians have obviously been conducting – for a couple of years, it seems – a large-scale, sustained cyber attack on US utilities and IPPs (independent power producers); that attack is ongoing.
- DHS has done a great job of thoroughly investigating what is going on, and explaining it all in great detail. In doing so, they have made it very clear that the power industry needs to focus on supply chain security much more heavily now, since these attacks are currently coming primarily through that vector.
- However, some of the speakers at their recent briefings gave very misleading information about the results of this hacking, implying that it’s possible and even likely that the Russians have a lasting presence inside networks in utility control centers, where they’re just waiting for the signal to start messing with the US power grid and cause a major outage.
- After the first of these briefings, a reporter from the Wall Street Journal wrote an article that said that about 200 “utility control rooms” had been penetrated by the Russians. Of course, if that were really the case, it would literally constitute a national emergency, not just because we all might be in the dark for a while, but because we might then be forced to consider a military response.
- The same week as the first briefing, two DHS spokespeople clarified in meetings that no, it was just one very small generating asset whose control network had been penetrated – and then it turned out that even that was an exaggeration, since it was really two turbines in a wind farm with probably hundreds of turbines. Yet there was no effort to counter the news reports – these walk-backs were heard only by a small group of industry people.
- Even worse, the same WSJ reporter came out with another story on Tuesday, which seemed to indicate that she hadn’t heard either of the walk-backs. And it seemed from her story that one person at DHS was still peddling the idea that there had been widespread penetration of the US grid. I was charitable and thought that she and the DHS person both simply didn’t understand the terms that were being used, as well as some particular facts about the structure of the US power industry. My post yesterday tried to explicate these mysteries, in my usual mind-numbing detail.
So the fact is that we have a major national news source (actually two, since the New York Times put out its own article on Friday, which I discussed in this post; the sentence that I quote toward the beginning of that post is even more alarming than anything the WSJ report said) saying there is a true national emergency, and still DHS isn’t stepping up with something like a press release – or even better a press conference – to calm things down. They need to explain what really happened, while at the same time pointing out that there is a real supply chain threat to the grid – and I will be fine if they say that the industry isn’t doing enough to counter supply chain threats, as well as that the new CIP standard for supply chain security will likely prove pretty ineffective unless NERC or somebody steps up and tries to fix this situation (this is the topic of what I hope will be my next blog post, although I won’t rule out some new development that will require a new post on the Russian story).
DHS needs to do something. Now.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.
Honestly, I don't even believe their findings. They are vague enough to apply to nearly any sector and any country given the 100,000 PETABYTES that are shared across the internet every month.
Furthermore, the packaging strangely reminds me of my father's retelling of McCarthyism-style propaganda - again with Russia as the target of U.S. Government. "Find me the person (country?) and I'll create the crime."