Thursday, May 23, 2019

Just in case you thought the Russians were our friends…

Blake Sobczak of E&E News struck again yesterday, with another great article that points to the heart of the biggest cybersecurity threat faced by the power industry today: namely, the ongoing Russian campaign to penetrate the grid and plant malware in it. And as usual, he didn’t have to jump up and down to make his point – he merely quoted from an important government official.

This article unfortunately isn’t available outside of the paywall, but I’m of course free to excerpt from it. Here is essentially the first half of the article (which is quite short – something that’s unusual for Blake’s articles, as well as my posts. Both of us understand the importance of not letting a foolish concern with conciseness get in the way of saying what needs to be said!):

Russian hackers pose a greater threat to U.S. critical infrastructure than their Chinese counterparts, a former intelligence official warned water utility executives in Washington yesterday.

"When I think about the Chinese and the Russians, they're both dangerous: Both of those are in conflict with us," said Chris Inglis, former deputy director of the National Security Agency. "But the Russians are far more dangerous because they mean to do us harm. Only by doing us harm can they achieve their end purposes."

Beijing poses a major cyberespionage threat to U.S. companies but, in contrast to Russia's government, can be more effectively deterred based on its close ties to the American economy, Inglis said at a cybersecurity symposium hosted by the National Association of Water Companies.

"Why are the Russians, as we speak, managing 200,000 implants in U.S. critical infrastructure — malware, which has no purpose to be there for any legitimate intelligence reason?" asked Inglis, now managing director at Paladin Capital Group and a visiting professor at the U.S. Naval Academy. "Probably as a signal to us to say: We can affect you as much as your sanctions can affect us."

I was actually surprised to see this, since everything else I’ve seen or heard from the Federal government recently seems to downplay a) the threat posed by Russia’s ongoing attacks on the US grid and especially b) the success the Russians have had so far (of course, it’s probably significant that Mr. Inglis isn’t currently part of the government. The article mentions that he may lead the NSA in the near future, and if he does, I hope he doesn’t catch the strange bug that seems to have infested a lot of his former colleagues on the cyber ramparts of the US economy, which causes sudden muteness when asked about Russian attacks on the grid. I believe the medical community is racing to find the cause of this syndrome). He says two important things:

  1. The Russians’ purpose is clearly malign – to have the capability to cause significant disruption to our society (to say nothing of disabling US military bases - as described in a January article in the Wall Street Journal), and perhaps even to cause a cascading power outage that could immobilize a lot of the country; and
  2. They have already had a significant amount of success, evidenced by the fact that they are currently managing (i.e. the devices are already in place and connected to C&C servers) 200,000 “implants in U.S. critical infrastructure”, which presumably includes other CI industries like oil and natural gas pipelines, water treatment plants, oil refineries, and petrochemical plants, besides power facilities. 

I’m also very impressed with the fact that Mr. Inglis gives short shrift to the popular (again, in current Federal government circles) idea that the Chinese and Russian attacks on US critical infrastructure are essentially two peas in one pod. Here’s the quote again: "But the Russians are far more dangerous because they mean to do us harm. Only by doing us harm can they achieve their end purposes." Amen, brother. And he’s not the only person saying this: the Russians themselves are!

A paragraph after the above section, the article says “Energy and water utilities' interest in Chinese and Russian cyberwarfare capabilities has spiked since January, when U.S. intelligence director Dan Coats assessed that either country could disrupt U.S. critical infrastructure by cutting off a gas pipeline or temporarily disabling part of the power grid.”

You know, I’d almost forgotten about that! The Director of National Intelligence, as well as the heads of the FBI and CIA, went before the Senate Intelligence Committee in January to discuss their Worldwide Threat Assessment for 2019, which said “Moscow is now staging cyberattack assets to allow it to disrupt or damage U.S. civilian and military infrastructure during a crisis.”

In normal times, one would have expected this story to set off a frenzy of activity in the Federal government and the power industry to investigate what actually happened, so that the malware could be identified and rooted out, and so that defenses could be beefed up to prevent further penetration. But these are evidently not normal times, since despite my complaints (or perhaps because of them), there is no visible movement on the part of anybody with responsibility for grid security to investigate what the report says. This is in stark contrast to the Ukrainian attacks in 2015, which set off a firestorm of investigations, reports, classified and unclassified briefings, etc. Why am I concerned about this, you ask? After all, why would I expect the US government to treat the US and Ukrainian grids equally? I didn’t expect that, of course. But I kinda thought...you know…that they would be more concerned with the US grid than the Ukrainian one. Silly me.

So now we have Mr. Inglis putting a number on the problem, saying there are 200,000 implants already in place. This is about a thousand times more than I would have suspected. This will set off a real investigation, right?...Ya gotta be kidding.

To quote the ancient Greeks, “Those whom the gods wish to destroy, they first make mad.”

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.