Monday, October 14, 2019

The mother of all supply chain attacks



I’ve known Matt Miller for a long time. He spent 28 years at the Western Area Power Administration, retiring as VP of Risk Management and Reliability Compliance. He is currently with Dakota Consulting. He pointed out to me today that our government perpetrated perhaps the greatest supply chain attack of all time, which played a role in the fall of the Soviet Union. While I knew the US was behind the huge Russian pipeline explosion in 1982 and that it was because of a backdoor the US had planted in pipeline equipment, I didn’t realize this wasn’t an isolated attack, but part of an extensive campaign – whose main purpose wasn’t to cause damage per se, but to undermine the Soviets’ confidence in their shiny new infrastructure, a lot of which they had stolen from the US.

Of course, the Soviets’ big mistake was that they wanted to save a few rubles by stealing the technology they needed rather than purchasing it fair and square, which they could surely have done (as Lenin said, “When it comes time to hang the capitalists, they’ll be glad to sell us the rope”). So one lesson for the power industry is not to steal the technology you want to use; you can’t very well sue your “vendors” if what they sell you doesn’t work, or more importantly blows up.

However, the real lesson is that there can be very bad stuff hidden in what you buy to run the grid. But you already knew that…


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization remains open to NERC entities and vendors of hardware or software components of BES Cyber Systems. To discuss this, you can email me at the same address.


Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)