Imagine what might happen if the following news were announced:
“The Ukraine State Intelligence Service stated in its just-released Worldwide Threat Assessment that Moscow is now staging cyberattack assets to allow it to disrupt or damage the Ukraine’s civilian and military infrastructure during a crisis.

“It specifically noted the Russian planting of malware in the Ukraine electricity grid. Russia already has the ability to bring the grid down ‘for at least a few hours,’ the assessment concluded, but is ‘mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.’”
And what if this news came only a few weeks after a Wall Street Journal article quoted the Technical Director of Security Response of Symantec Corp. as saying “…about two dozen Ukrainian utilities were breached. Hackers penetrated far enough to reach the industrial-control systems at eight or more utilities”?
Don’t you think this would cause a big stir?
After all, in 2015, when the Russians staged a successful attack on three Ukrainian distribution utilities, causing about a five-hour outage that affected hundreds of thousands of people, the news hit the US power industry like a thunderclap. Top security professionals from the Department of Homeland Security, the NERC E-ISAC, SANS, DoE and other organizations immediately jumped on planes and headed to the Ukraine to investigate this. DHS held briefings in many American cities. Reports were published detailing what had happened down to the minute.
This was considered to be a watershed for the power industry worldwide (the first reported loss of load due to a cyber attack), and – while many industry observers gloated that the Russians would never be able to be so successful in the US, due to much stronger cyber security controls here and also due to the NERC CIP standards! – many others weren’t so sure, and said the Ukraine situation was more a case of “There but for the grace of God go I.”
Yet the 2015 attacks were on just three distribution utilities. Since the attacks described above breached two dozen utilities and penetrated the control systems of eight of those, it’s a very good assumption that malware was planted that could lead to a far more serious outage. Don’t you think there would be a much bigger response to these new reports? More specifically, don’t you think there would be another big investigation, for two reasons? First, out of simple goodwill toward the Ukrainian people, since they face a huge and ruthless foe? And second, out of concern that whatever attacks the Russians are conducting in the Ukraine are tests for attacks they could use on power grids worldwide?
At this point, you’re supposed to say “I would certainly think so!” And I agree with you 100%.
Well, the quotes above were actually published, the first in the Times and the second in the Journal. But there were a couple of small differences between what I’ve quoted above and the actual quotes. One is that the country in question was the US, not the Ukraine. The other is that the agencies that wrote the 2019 Worldwide Threat Assessment were the FBI and CIA. I wrote about the NYT article in this post and the WSJ article in this one.
Yet where is the outrage? Where are the frenzied press releases and briefings? And where are all of the investigators rushing to find out what happened? Does anyone know where they are? I hope we don’t have to put them on milk cartons.
Let’s be clear. The Times quoted the 2019 Worldwide Threat Assessment put out by the FBI and CIA as saying:

- Moscow is now staging “cyberattack assets” (which presumably include malware) to allow it to disrupt or damage our civilian and military infrastructure during a crisis.
- Malware has been implanted in the US grid that could be used today to cause outages.
- Perhaps most ominously, Russia is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.
At the same time, Symantec, which has collaborated with DHS in investigating the Russian attacks in the US, is saying very specifically that at least eight US utilities have been penetrated at the control system level, meaning malware is almost certainly planted in all of them. Hopefully the eight utilities don’t include Southern Cal Edison, PG&E, ConEd, Commonwealth Edison, CenterPoint and other utilities serving major metropolitan areas. But even if they’re all small distribution-only coops in the middle of North Dakota, eight US utility control networks penetrated is still eight more than are known to have been penetrated previously. And as we know, utility control centers are by their very nature connected to other utility control centers as well as to Regional Transmission Organizations like PJM. The infection might very well spread.
Here’s another quotation from the January WSJ article: “In briefings to utilities last summer, Jonathan Homer, industrial-control systems cybersecurity chief for (the Department of) Homeland Security, said the Russians had penetrated the control-system area of utilities through poorly protected jump boxes. The attackers had ‘legitimate access, the same as a technician,’ he said in one briefing, and were positioned to take actions that could have temporarily knocked out power.” Again, Mr. Homer wasn’t saying that outages were caused, but the fact that the Russians were “positioned” to do that almost certainly means they’ve planted malware in control systems operated by at least two utilities (since he used the plural).
Of course, none of these reports should just be taken at face value. Some of the people quoted may not have fully understood what they were saying; e.g., they may have meant “small generating plants” when they said “utilities”, etc. And I don’t know what kind of power expertise the FBI and CIA have, but it’s possible they may be misinterpreting data they’ve received. So there’s reason to be skeptical of these reports.
But here’s an idea: If we’re skeptical of these reports, why don’t we…you know…investigate them to determine whether they’re accurate or mistaken? Yet I’ve heard literally nothing about any investigation. Nor have I heard the slightest bit of outrage expressed – by the Federal government, the power industry, you name it – that the Russians are taking such deliberate steps to potentially cripple the US economy and our military capabilities. And DHS has amply documented that they are taking those steps, whether or not they’ve actually penetrated control networks. They’re trying really hard.
This lack of a response is more than passing strange. I would very much like to see one (or more) of the following organizations investigate this (they’re not in any particular order):

- The NERC E-ISAC
- FERC
- Idaho National Lab
- SANS
- DoE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER)
- Dragos, Inc. (who did a great job of investigating the malware used in the second Ukraine attacks, and due to that and other smart moves has become almost an ICS security institution, much to their credit)
- Hercule Poirot
- James Bond
- Judge Judy
- Sam Spade
In other words, I would like to see somebody get to the bottom of this and let us know what happened. And of course, if it turns out that malware has actually been implanted, wouldn’t it be kind of a good idea to…you know…let utilities know about it – so their cyber staff might just mosey over to their control systems, to see if the malware might be sitting there, too? Why would they want to do this, you ask? Well, curiosity for one reason – it would certainly be interesting to know if your employer was a member of the first group of US utilities ever to be breached at the control system level. But also – and this might sound silly to you – it did occur to me that utilities might actually want to remove malware that’s implanted in their control networks. But they would need to know what to look for, since it’s not likely the Russians named the files Malware1, Malware2, etc. This is of course the main reason why we need an investigation, and I find it literally incomprehensible that one wasn’t launched at least after the Worldwide Threat Assessment in January.
As I pointed out in my previous post on this, there really are two investigations in question now. The immediate one is the one I just described – this is a technical investigation by experts. The second investigation would probably be a criminal one. It is only needed if it turns out the reports of Russian penetration of utility control centers are true, and it turns out that somebody deliberately tried to suppress them last summer, when Jonathan Homer of DHS first made them and people at DHS soon put out at least three mutually contradictory stories that minimized what the Russians had achieved. I certainly hope this second investigation isn’t needed – but again, unless we do the first investigation, we’ll never know if the second one is needed, will we?
Curiouser and curiouser, indeed!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.