A very interesting story by the always-interesting Blake Sobczak came out in E&E News this morning (and thanks to Blake for forwarding the free link), pointing out that there was an even more interesting OE-417 disturbance report filed with DOE about an incident on March 5. The report concerned a “Cyber event that causes interruptions of electrical system operations”, which is one of the categories of disturbances that must be reported using form OE-417.
The event occurred over a ten-hour period in four counties in the Western Interconnection: two in California, one in Wyoming and one in Utah (perhaps significantly, it was Salt Lake County). While there was an interruption of electrical system operations, there was no loss of load.
Of course, this is described as a cyber event, not a cyber attack (in fact, I doubt there is a category for cyber attacks in the OE-417 report). A longtime industry observer pointed out to me that a Control Center temporarily losing SCADA happens frequently. However, it really doesn’t seem to be that, for several reasons:
- For an event to be happening simultaneously in four separate locations in three non-contiguous states, there would have to be a single common operating entity involved – and the only common entity for those four locations is Peak Reliability, the Reliability Coordinator for 14 Western states (which is based in Salt Lake City). Is it possible they are the entity that lost SCADA?
- It’s possible, but not likely, since there is a different OE-417 classification for SCADA loss: "Complete loss of monitoring or control capability at its staffed Bulk Electric System control center for 30 continuous minutes or more." In fact, since the beginning of the year, this seems to have happened more than 10 times in the US. But could some other event – not a cyber attack – that occurred in Peak’s systems have caused the incidents in the other three locations?
- That’s not known, but I do believe that the NERC E-ISAC is still investigating this event – almost two months later. If the event clearly had a cause other than a cyber attack, I would guess the E-ISAC would have quickly wound up its investigation. If it’s true that they haven’t, at the least this means there’s still a strong possibility it was a cyber attack.
This – and what was reported in E&E News – is all the information I have now, and I’m not going to speculate about this. However, I hope that whoever investigates this also decides to investigate the Russian penetration of the US grid reported in the Office of the Director of National Intelligence’s Worldwide Threat Assessment. After all, I’ve heard that at least some of those penetrations were in the West. The investigators might save some air fares by looking for those as well.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.