This is a
post I’ve been intending to write ever since I wrote this
post a few weeks ago, about the Wall
Street Journal’s most recent article on the Russian cyber attacks on the US
power grid. I thought I would take my time (and I don’t have a lot of free time
lately, due to my day job) to write it, since there were still questions in my
mind about the position I wanted to take. I wanted to make sure I provided
enough supporting evidence for my position.
However,
there was a development today that provided all the supporting evidence I could
possibly need. Specifically, this was a report in the New York Times about the
testimony before the Senate Intelligence Committee (and don’t tell me that name
is an oxymoron!) by Gina Haspel, the CIA director, Christopher Wray, FBI director, and Dan Coats, the director
of national intelligence. They were discussing the 2019 “Worldwide Threat Assessment”, which
was released today. Of course, the testimony covered a lot of different topics,
but what struck me were these two paragraphs from the Times article:
The assessment also argues that while
Russia’s ability to conduct cyberespionage and influence campaigns is similar
to the one it ran in the 2016 American presidential election, the bigger
concern is that “Moscow is now staging cyberattack assets to allow it to
disrupt or damage U.S. civilian and military infrastructure during a crisis.”
It specifically noted the Russian
planting of malware in the United States electricity grid. Russia already has
the ability to bring the grid down “for at least a few hours,” the assessment
concluded, but is “mapping our critical infrastructure with the long-term goal
of being able to cause substantial damage.”
So why is
this so important? You’ve heard it before, right? Specifically, you may have
noted, in the above-linked post on the recent WSJ article, that I quoted this paragraph from that article:
In briefings to utilities last summer,
Jonathan Homer, industrial-control systems cybersecurity chief for Homeland
Security, said the Russians had penetrated the control-system area of utilities
through poorly protected jump boxes. The attackers had “legitimate access, the
same as a technician,” he said in one briefing, and were positioned to take
actions that could have temporarily knocked out power.
The quote
from Jonathan Homer first appeared in the July WSJ article by Rebecca Smith, one of the two reporters who wrote
the recent article. Of course, the July article set off a firestorm of
amplifications by many other news outlets, and a chain of events that I
wrote about in ten posts last summer, starting with this
one.
Here is as
brief a summary of previous events as I can make, while still providing the important
facts:
- DHS (specifically the NCCIC, which incorporates what was
the ICS-CERT. And if you think this is TMA – too many acronyms – I couldn’t
agree with you more!) announced a series of four briefings to update on
the Russian cyber attacks against the US electric power industry, which
they had first announced last
March. Even though the March report said only generation was the
target, and the Russians hadn’t penetrated any control systems at the
plants[i],
the first briefing on July 23 painted a very different picture, which was
vividly described in the first WSJ
article. It seemed very clear from what was said (as quoted in the article
– I didn’t attend that first briefing), that the Russians had penetrated
control centers (definitely plural) of US utilities, where they had most
likely planted malware; and that malware might well be used at some point
to cause a major grid disturbance.
- I was skeptical that actual control centers of power transmission
or distribution utilities had been penetrated, and I said in my post the
day after the WSJ article appeared (linked two paragraphs above) that what
the presenters must have meant was that control rooms of generating plants were penetrated. This can’t
produce a major grid outage, but having a bunch of plants go down at
one time would certainly be annoying; given the alarmist tone of the first
briefing, I assumed there must have been a number of substantial plants
penetrated (at the control system level, of course) – I guessed up to 25.
But my biggest reason for skepticism about the WSJ article was that, if it
were really true that a bunch of utility control centers were penetrated, there would have been alarm
bells ringing at the highest level of government, and utilities would
pretty much have been told to drop everything and look for malware on
their control systems, as well as take further steps to beef up their already-strong defenses. Given that those bells never rang, I found it
very hard to believe the statements quoted in the article. I assumed the statements in that first
briefing were the product of a few DHS people getting overly excited, and thinking
that exaggerating the seriousness of the situation would make utilities
pay a lot more attention to cyber security (and it would be hard to see
how they could pay much more attention than they already are!).
- However, the day after that post – July 26 – it was
reported that a DHS spokesperson announced that, not only were no utility
control centers penetrated, but the only control systems penetrated were
those in a small generating plant that couldn’t have any significant grid
impact. This I found very surprising,
to say the least. Yea, greatly was I wroth, and I rent my garments in
frustration. But I continued to attribute the tone of the July 23 briefing
to over-zealousness on the part of the NCCIC staff members who led it.
- I continued in that belief even though a friend pointed
out to me the next day that the slides from the July 23 briefing directly
contradicted the later statement that only one small plant was penetrated.
And I continued to continue in that belief when Rebecca Smith wrote a new
article that seemed to still follow the narrative from the first briefing,
and didn’t mention the DHS walkback at all. I expressed
amazement that she wouldn’t have changed the tone of her articles, and
attributed this to her being either naïve or having lived in an
inaccessible cave for the past few days (I now greatly regret the tone of
my remarks about Rebecca, and want to apologize to her. It seems I may
have been the one living in a cave, not her. Continue reading, to see what
I mean).
- Not being satisfied with just putting out three different
stories of what the Russians had achieved, DHS put out another story –
which contradicted the other three – at a July 31 briefing for top
utility executives in New York, which the Secretaries of DHS and DoE both
participated in. This time, the story was that only two wind turbines had
been penetrated. I later castigated
DHS for being so confused in their stories, and in particular for not
stepping forward to point out what seemed to be the errors in the WSJ story, and the flurry of news reports based on it. But I continued to believe there was no way the original DHS
briefing could be true.
- And I’m proud to report that I witnessed firsthand the
promulgation of yet another DHS story, trying to walk back the original
briefing story. This one came at the Software
and Supply Chain Assurance Forum in McLean, VA in late September.
There, a fairly low-level NCCIC employee – although the head of NCCIC had
already addressed the same meeting, and may have been still in the room –
stated that the confusion was that, in the first briefing, the speakers
didn’t understand the difference between vendors and utilities. Therefore,
when they were saying that utilities were penetrated, they really meant
vendors. Since there’s no dispute that vendors were penetrated (and the
latest WSJ article describes how in vivid detail), the speaker implied
(although he didn’t state it) that this is why the original briefing was
so different from the true story – which would presumably be one of the
three DHS walkbacks already described. I found this statement amazing,
especially because the speaker was able to keep a straight face when he
said it. I couldn’t have done that.
- What was even weirder was that, despite DHS’s frenzied efforts to walk back the dire narrative in the first briefing, in the second briefing – two days after the first one – I heard what seemed to be pretty much the same story as in the first briefing (which I didn’t attend). And the following week, when the third and fourth briefings were given (DHS had known up front they would be very well attended, so they scheduled four, all covering the same material), they didn’t differ from the first one either. Yet this was all after a different DHS spokesperson had directly contradicted what was said in the first briefing.
So now we’re
back at the recent WSJ article, from which I also quoted this paragraph:
Vikram Thakur, technical director of
security response for Symantec Corp., a California-based cybersecurity firm,
says his company knows firsthand that at least 60 utilities were targeted,
including some outside the U.S., and about two dozen were breached. He says
hackers penetrated far enough to reach the industrial-control systems at eight
or more utilities. He declined to name them.
This completely
turns things around, in my opinion. After all, “eight or more utilities” isn’t
two wind farms or one small CT plant, period. So either Mr. Thakur isn’t telling
the truth (and he worked with DHS in investigating the Russian attacks), or both he and the speakers at the original DHS briefing (especially
Jonathan Homer) are the ones telling the truth. If so, this means that the four later attempts
by DHS to walk back this story are themselves based on “alternative facts”.
However, as
I mentioned above, I was still hesitant to write something about this until I
was sure I had all the facts straight about who said what when - that is, until I read
the NY Times article a couple of
hours ago. Now it seems the national intelligence community is firmly on the
side of Mr. Thakur and Jonathan Homer. Even then, I find it very hard to
conclude that they’re right, simply because there hasn’t been any huge hue and
cry over this penetration of our grid. I think that would truly constitute a
national emergency (in contrast to the “national emergency” currently being
discussed). You remember all the frenzy that (rightly) surrounded the
announcement of the first Ukraine attack in 2015? This would be literally ten
times as great, and it should be.
So I think
there need to be two investigations. The subject of the first, and by far the more urgent one,
is whether it’s really true that malware has been implanted in utility control
centers by the Russians. Of course, if that’s the case, there needs to be a
major effort to remove it, and to hold Russia accountable (in fact, the
relatively weak response so far to the undisputed fact that they have been
trying so hard to penetrate the US grid – whether or not they’ve succeeded – is
something I also don’t understand. Or maybe I do understand it, which is even scarier). And there’s probably a lot more that needs
to be done, including perhaps with the CIP standards.
The second
investigation isn’t as urgent, but in my mind it’s even more serious: How did
it happen that DHS was quickly falling all over itself to walk back what was
said in the first briefing last July, if in fact that briefing was largely
correct – and the Russians had penetrated utility control centers? That is
something for the Department of Justice, since it’s definitely a criminal
investigation – one involving national security. But it’s only needed if in fact the first investigation finds that there was indeed penetration of utility control networks.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – especially on compliance with
CIP-013; we also work with security product or service vendors that need help
articulating their message to the power industry. To discuss this, you can
email me at the same address.
[i] Although I just noticed a quote where it seems someone from DHS did imply in
March that utility control centers were penetrated and malware had probably
been implanted. I must have missed that part, as I assume the rest of the
industry did as well - since I don't remember any big hue and cry then, either.
Great recap of this topic, Tom. I wonder if politics are playing into this or something else. One would think that any RE cyber compromise would be reported to the E-ISAC and shared, but installation of malware that doesn't compromise or disrupt one or more reliability tasks does not meet the current definition of Reportable CSI. It could be that no-one wants to be the first to report their security controls were breached. It'll be interesting to see how this develops.
Thanks, Allen. If it’s really true that control networks were penetrated, that should have been broadcast far and wide by DHS, since they were following all of this. But... it WAS broadcast far and wide by DHS-NCCIC in July, and then the story was propagated that it was just a couple wind turbines. But that story may be the real one after all. But now we have the FBI and CIA saying otherwise. Not good.