Wednesday, May 1, 2019

More on the attack

I received two interesting comments today, from quite knowledgeable people, about my post about what looks like a cyber attack that disrupted grid operations – without causing an outage – in four counties in the West in March.

The first comment was from Bill Lawrence, Director of the NERC E-ISAC and VP/CSO of NERC. In an obviously very carefully worded statement, he says “The E-ISAC is aware of this event which did not show any impact to generation and did not cause electrical system separation. If more details emerge, they will be shared with our members.”

Of course, as with any official statement like this, what isn't said can be even more important than what is said. (Bill said something similar to me yesterday before I wrote the post, but since he couldn't make it official at the time, I couldn't include the statement then.) Note:

  1. By saying there was no generation impact, he seems to be leaving on the table the idea that there was transmission impact. And frankly, I'm not very worried about purely generation attacks; transmission is pretty much the whole game if you're trying to cause serious damage to the grid. My translation: This could have been a serious attack, but we lucked out this time.
  2. And saying the attack didn’t cause electrical system separation, which would be quite serious, is like telling somebody that their mother had a car accident and went to the hospital, but not to worry because she has almost all of her major organs still intact. It doesn’t give you a particularly warm and fuzzy feeling, to say the least.
  3. What Bill definitely didn’t say is something like “We investigated, and this was purely a case of an operator pushing the wrong button, nothing more. We all went out and had a drink and then caught our flight home.” So I think it’s very likely this was a cyber attack.

The other email was from a longtime industry observer, who said:

“If it was Peak Reliability, my best speculation would be a disruption of ICCP communications between the RC (Peak) and several of its BAs and/or TOPs.  Peak does not directly control BES assets, but loss of ICCP would impact its ability to perform situational awareness functions.  This would be different than a loss of Peak’s ICCP or SCADA/EMS that would have impacted its entire reliability area (and a complete loss of monitoring categorization in the OE-417).

“That said, I would have expected one or more entities who have (and would have lost) ICCP associations with Peak to also have reported, since they get real-time data from their neighbors over ICCP, but who knows...”

ICCP stands for Inter-Control Center Communications Protocol (although I just realized that has too many C words). It's the international standard, IEC 60870-6, also known as TASE.2, that control centers use to exchange real-time operating data with each other; an RC like Peak relies on those links for its picture of what its BAs and TOPs are doing. The observer is saying:

  1. If Peak Reliability was the original target of the attack, the disruption would have to have been in ICCP, since Peak doesn't actually control any BES assets (as an ISO would). So this was inherently a less serious occurrence than if, say, an ISO or even a major Balancing Authority had lost SCADA for its whole control area, which would have triggered the OE-417 category of "Complete loss of monitoring or control capability at its staffed Bulk Electric System control center for 30 continuous minutes or more." As I mentioned yesterday (and it was this same industry observer who pointed that out to me), this category of event gets reported very often.
  2. However, if what happened is that Peak lost ICCP connections with three entities that it monitors, the observer is surprised that those entities wouldn’t themselves have filed an OE-417 report.
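The distinction the observer is drawing, between losing a few ICCP associations and losing all monitoring for 30 continuous minutes, is something an RC's own link monitor can be made to answer directly. The following is an added example, not code from the original post or from Peak; the RC, the peers BA-1, TOP-2 and BA-3, and the association up/down log are all constructed and hypothetical, and it models ICCP only as link-state events rather than parsing the protocol itself. It reports, per peer, the longest continuous loss of association and, for the RC as a whole, any window in which every association was down at once, and compares both against the 30-minute threshold quoted above.

```python
"""Classify loss of ICCP associations against a continuous-outage threshold.

Added example, not code from the original post. The log below is
constructed, not real operational data; "BA-1", "TOP-2" and "BA-3" are
hypothetical peers of a hypothetical RC. ICCP (IEC 60870-6 / TASE.2) links
are modelled only as association up/down events, which is what a control
center's link monitor would typically log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# OE-417 criterion quoted in the post: complete loss of monitoring or control
# capability for 30 continuous minutes or more.
THRESHOLD = timedelta(minutes=30)

# Constructed ICCP association log as seen from the hypothetical RC. All
# three peers are down at the same time only between 09:13:00 and 09:40:00.
SAMPLE_LOG = """\
2019-03-05T09:12:00 peer=BA-1 assoc=down
2019-03-05T09:12:10 peer=TOP-2 assoc=down
2019-03-05T09:13:00 peer=BA-3 assoc=down
2019-03-05T09:40:00 peer=BA-1 assoc=up
2019-03-05T09:52:00 peer=TOP-2 assoc=up
2019-03-05T10:10:00 peer=BA-3 assoc=up
2019-03-05T10:30:00 peer=BA-3 assoc=down
2019-03-05T10:35:00 peer=BA-3 assoc=up
"""
PEERS = ["BA-1", "TOP-2", "BA-3"]
NOW = datetime.fromisoformat("2019-03-05T12:00:00")  # end of analysis window


def parse_events(log):
    """Return (timestamp, peer, state) tuples sorted by time."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["peer"], kv["assoc"]))
    return sorted(events)


def outage_intervals(events, now):
    """Per-peer list of (down_at, up_at). An association still down at `now`
    is closed at `now` so it still counts toward the threshold."""
    open_since = {}
    intervals = defaultdict(list)
    for ts, peer, state in events:
        if state == "down":
            open_since.setdefault(peer, ts)  # a repeated 'down' keeps the first time
        elif peer in open_since:
            intervals[peer].append((open_since.pop(peer), ts))
    for peer, ts in open_since.items():
        intervals[peer].append((ts, now))
    return dict(intervals)


def longest(intervals):
    """Longest single continuous interval, or zero if there are none."""
    return max((end - start for start, end in intervals), default=timedelta(0))


def complete_loss_windows(events, peers, now):
    """Windows during which every peer association was down simultaneously,
    i.e. the RC had no ICCP visibility at all (sweep over sorted events)."""
    wanted, down, windows, start = set(peers), set(), [], None
    for ts, peer, state in events:
        if peer not in wanted:
            continue
        if state == "down":
            down.add(peer)
        else:
            down.discard(peer)
        if down == wanted and start is None:
            start = ts
        elif down != wanted and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, now))
    return windows


def classify(log, peers, now, threshold=THRESHOLD):
    """Summarise partial (per-peer) versus complete loss of ICCP monitoring."""
    events = parse_events(log)
    per_peer = outage_intervals(events, now)
    longest_per_peer = {p: longest(per_peer.get(p, [])) for p in peers}
    complete = complete_loss_windows(events, peers, now)
    longest_complete = longest(complete)
    return {
        "longest_per_peer": longest_per_peer,
        "peers_over_threshold": [p for p in peers if longest_per_peer[p] >= threshold],
        "complete_loss_windows": complete,
        "longest_complete_loss": longest_complete,
        "complete_loss_over_threshold": longest_complete >= threshold,
    }


if __name__ == "__main__":
    result = classify(SAMPLE_LOG, PEERS, NOW)
    for peer, dur in result["longest_per_peer"].items():
        print(f"{peer}: longest association loss {dur}")
    print("peers down 30 min or more:", result["peers_over_threshold"])
    print("longest complete loss of ICCP visibility:", result["longest_complete_loss"],
          "(over threshold)" if result["complete_loss_over_threshold"] else "(under threshold)")
```

On the constructed log, two of the three peers were unreachable for more than 30 minutes, so each of them, looking at its own side of the link, has a half-hour-plus loss to think about; the RC, however, only had all three associations down together for 27 minutes, so the "complete loss of monitoring" categorization would not be met at the RC. That is exactly the asymmetry the observer is pointing to, and it is why a link-level log, not just the EMS alarm summary, is what you want to keep when deciding who has to file.
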

So is this a case of "Move along. Nothing to see here"? Not at all. If this is really the first cyber attack that disrupted grid operations in North America – even if it didn't cause any loss of load or loss of control of assets – that's a very big deal in itself.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.

1 comment:

  1. Nice blog. Here you shared some types of cyber attack. Today cyber attacks are very intense; by creating cyber security attack scenarios you can understand how to fight against such attacks.