I received
two interesting comments today, from quite knowledgeable people, about my post
about what looks like a cyber attack that disrupted grid operations – without causing
an outage – in four counties in the West in March.
The first
comment was from Bill Lawrence, Director of the NERC E-ISAC and VP/CSO of NERC.
In an obviously very carefully worded statement, he says “The E-ISAC is aware
of this event which did not show any impact to generation and did not cause
electrical system separation. If more details emerge, they will be shared with
our members.”
Of course,
as with any official statement like this (and Bill said something similar to me
yesterday before I wrote the post, but since he couldn’t make it official at the
time, I couldn’t include the statement yesterday), what can be even more
important than what is said is what isn’t said. Note:
- By saying there was no generation impact, he seems to be
leaving on the table the idea that there was transmission impact. And
frankly, I’m not very worried about purely
generation attacks – transmission is pretty much the whole game if you’re
trying to cause serious damage to the grid. My translation: This could
have been a serious attack, but we lucked out this time.
- And saying the attack didn’t cause electrical system
separation, which would be quite serious, is like telling somebody that
their mother had a car accident and went to the hospital, but not to worry
because she has almost all of her major organs still intact. It doesn’t
give you a particularly warm and fuzzy feeling, to say the least.
- What Bill definitely didn’t say is something like “We
investigated, and this was purely a case of an operator pushing the wrong
button, nothing more. We all went out and had a drink and then caught our
flight home.” So I think it’s very likely this was a cyber attack.
The other
email was from a longtime industry observer, who said:
“If it was
Peak Reliability, my best speculation would be a disruption of ICCP communications
between the RC (Peak) and several of its BAs and/or TOPs. Peak does not directly control BES assets,
but loss of ICCP would impact its ability to perform situational awareness
functions. This would be different than
a loss of Peak’s ICCP or SCADA/EMS that would have impacted its entire
reliability area (and a complete loss of monitoring categorization in the
OE-417).
“That said,
I would have expected one or more entities who have (and would have lost) ICCP
associations with Peak to also have reported, since they get real-time data
from their neighbors over ICCP, but who knows...”
ICCP stands
for Inter-Control Center Communications Protocol (although I just realized
that has too many C words). It is the international standard, published as IEC 60870-6
and also known as TASE.2, that control centers use to exchange real-time data with
each other; each pair of control centers keeps one or more ICCP "associations" open for that
exchange. The observer is saying:
- If Peak Reliability was the original target of the attack,
the disruption would most likely have been in ICCP, since Peak doesn't actually
control any BES assets (as an ISO does) and ICCP is how it gets the real-time
data it needs for situational awareness. Therefore, this was inherently a
less serious occurrence than if, say, an ISO or even a major Balancing
Authority had lost SCADA for its whole control area, which would have
triggered the OE-417 category of "Complete loss of monitoring or control
capability at its staffed Bulk Electric System control center for 30
continuous minutes or more." As I mentioned yesterday (and it was
this same industry observer who pointed it out to me), this category of
event gets reported very often.
- However, if what happened is that Peak lost ICCP
connections with three entities that it monitors, the observer is
surprised that those entities wouldn’t themselves have filed an OE-417
report.
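To make the observer's distinction concrete, here is a small added example (mine, not the observer's, Peak's, or anything from the original post, which has no code) that walks a constructed log of ICCP association state changes at a hypothetical Reliability Coordinator and checks two things: how long each peer's link was down, and how long all monitored peers were down at the same time, which is the simplification I use here for "complete loss of monitoring." The 30-minute figure is the OE-417 threshold quoted above; the log format, the peer names, and the timestamps are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# OE-417 threshold quoted in the post: complete loss of monitoring or control
# capability for 30 continuous minutes or more.
COMPLETE_LOSS_THRESHOLD = timedelta(minutes=30)

# Constructed sample log (not from any real EMS or ICCP product): link-state
# events for ICCP associations between a hypothetical RC and three peers.
# Assumed format: "<ISO-8601 UTC> <peer> <UP|DOWN>".
SAMPLE_LOG = """\
2019-03-01T09:00:00Z BA_A UP
2019-03-01T09:00:00Z BA_B UP
2019-03-01T09:00:00Z TOP_C UP
2019-03-01T09:12:00Z BA_A DOWN
2019-03-01T09:13:00Z BA_B DOWN
2019-03-01T09:14:00Z TOP_C DOWN
2019-03-01T09:40:00Z BA_A UP
2019-03-01T09:55:00Z BA_B UP
2019-03-01T10:02:00Z TOP_C UP
"""


def parse_log(text):
    """Return {peer: [(timestamp, is_up), ...]} sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, peer, state = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events[peer].append((t, state == "UP"))
    for peer in events:
        events[peer].sort()
    return events


def down_intervals(events, log_end):
    """For each peer, list of (start, end) during which its association was DOWN.
    A link still down at the end of the log is closed at log_end (ongoing outage)."""
    result = {}
    for peer, evs in events.items():
        intervals = []
        down_since = None
        for t, is_up in evs:
            if not is_up and down_since is None:
                down_since = t
            elif is_up and down_since is not None:
                intervals.append((down_since, t))
                down_since = None
        if down_since is not None:
            intervals.append((down_since, log_end))
        result[peer] = intervals
    return result


def complete_loss_intervals(intervals_by_peer):
    """Intervals during which every monitored peer was down at once.
    Computed as the pairwise intersection of each peer's down intervals;
    treating 'all peers down' as 'complete loss of monitoring' is an
    assumption made for this example."""
    peers = list(intervals_by_peer)
    if not peers:
        return []
    current = intervals_by_peer[peers[0]]
    for peer in peers[1:]:
        merged = []
        for s1, e1 in current:
            for s2, e2 in intervals_by_peer[peer]:
                s, e = max(s1, s2), min(e1, e2)
                if s < e:
                    merged.append((s, e))
        current = merged
    return current


def assess(text):
    """Summarize per-peer outages and whether the 30-minute complete-loss
    threshold is met for the RC side of the links."""
    events = parse_log(text)
    log_end = max(t for evs in events.values() for t, _ in evs)
    downs = down_intervals(events, log_end)
    longest_per_peer = {
        p: max((e - s for s, e in iv), default=timedelta(0)) for p, iv in downs.items()
    }
    complete = complete_loss_intervals(downs)
    longest_complete = max((e - s for s, e in complete), default=timedelta(0))
    return {
        "peers_affected": sorted(p for p, iv in downs.items() if iv),
        "longest_per_peer_min": {p: d.total_seconds() / 60 for p, d in longest_per_peer.items()},
        "longest_complete_loss_min": longest_complete.total_seconds() / 60,
        "meets_30min_complete_loss": longest_complete >= COMPLETE_LOSS_THRESHOLD,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

On the sample, the three peers are down for 28, 42 and 48 minutes respectively, but the window in which all three were down at once is only 26 minutes, so the RC would not hit the 30-minute complete-loss category even though two of its three peers individually lost their link to it for more than 30 minutes. That asymmetry is the observer's point: the entities on the other end of those links may each have had something to report even where the RC did not.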
So is this a
case of “Move along. Nothing to see here”? Not at all. If this is really the
first cyber attack that disrupted grid operations in North America – even if it
didn’t cause any loss of load or loss of control of assets – that’s a very big
deal in itself.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – especially on compliance with
CIP-013. To discuss this, you can email me at the same address.