Thursday, May 2, 2019

Some clarity, but also a deeper mystery



Blake Sobczak of E&E News came out with another very good article on the “cyber event” that was reported on form OE-417 on March 5 by some entity in the West – and if you haven’t read my previous two posts, you should do so before going any further in this one. I think all of my readers can rejoice that both of those posts, as well as this one, share one important feature: they’re all short!

Today’s article clears some of the fog about this event, but it also deepens it. It makes very clear that this event, which involved a still-unspecified grid disruption, was a cyber attack – specifically a Denial of Service attack, although I realize that term can apply to a host of different attack types. Moreover, the attack took advantage of a vulnerability for which a patch had already been distributed by the vendor (whoever that is, and whatever the product is that was attacked). The source of this statement is a “DoE official”. Since OE-417 is DoE’s form, that seems like a pretty authoritative source to me.

The mystery is who the entity is that was attacked – and reported it. It had to be an entity with connections in two counties in California (Los Angeles and Kern Counties; Kern County includes Bakersfield), Converse County in Wyoming, and Salt Lake County in Utah. Two days ago, it seemed to me – and others I talked to about this – that only one entity, Peak Reliability, would have that sort of footprint[i]. Peak (formerly part of WECC) is the Reliability Coordinator for 14 Western states, including all three states that were attacked.

However, in today’s article, Blake quotes Peak as saying they weren’t attacked, which leaves…no possibilities that I know of. Sigh.

But we do now know that the North American grid has had the first reported disruption due to a cyber attack, although no load was lost. So we’re still a little ahead of the Ukraine, since there was not only disruption but load loss there. As my old boss used to say, thank God for small favors. 


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.

[i] Actually, I can think of another entity, the Western Area Power Authority, which distributes power from Federally-owned dams across the entire West. But two days ago, WAPA denied they were attacked. Blake (or someone he talked to on Tuesday) also identified Berkshire Hathaway Energy as a possible vector for this attack. BHE has utilities that cover both Utah and Wyoming, but not California. BHE has a renewables unit in California, but in Blake’s article today, the DoE official says no generation was affected (Bill Lawrence, Director of the E-ISAC, said the same thing in a quote in my post yesterday), and that’s what that unit does. In any case, BHE also denies they were attacked.
