Sunday, November 24, 2019

A new WSJ story on utility cyberattacks, with a difference



I’ve written a lot previously about Wall Street Journal articles about cyberattacks on the US power grid, including this post and this one. Now, WSJ reporters Rebecca Smith and Rob Barry are back with another article on this topic, but this one quite different from the previous two. While WSJ online articles are normally behind a paywall, Rob sent me this free link.

The previous two articles dealt with Russian attacks that came almost entirely through the vendor community – in the case of the 2018 article, via attacks on the vendors’ remote access systems, and in the January 2019 article, via phishing attacks on vendors.

In this new article, they discuss direct attacks on utilities (in case you thought those weren’t happening any more – ha ha), and the provenance of those attacks isn’t at all clear. It seems the attacks are coming partly through malware-laden emails and partly through direct assault on firewalls; but the article doesn’t describe any attacks coming through vendors or other third parties.

There are two very interesting aspects to the new attacks (and this is a campaign that is fairly recent, unlike the Russian supply chain attacks, which have been going on literally for years): First, the utilities targeted are on the smallish side. The largest of the utilities named in the article is a large Generation and Transmission cooperative, and none are investor owned utilities (IOUs). Of course, none of these attacks is said to have succeeded, even in penetrating the IT network.

Second, the utilities don’t seem to be targeted simply in order to cause economic disruption through outages, but because they are located near particular strategic facilities, such as the important Sault Ste. Marie Locks between Lakes Superior and Huron, and Federal dams (even though the facilities may not actually be served by the utility target – which the attackers, presumably from overseas, wouldn’t usually know).

This was a theme of Rebecca and Rob’s January article: the Russians, at least in some cases, seem to be targeting specific facilities, including especially military bases. No military targets are mentioned in the article, which might indicate the attackers in this case are a different group than the one discussed in January, and they might not be Russian at all.

Would you like to know my big takeaway from this article?...I didn’t think so, but I’ll tell you anyway. It’s that NERC and the industry may have been barking up the wrong tree all along, in considering that the biggest goal of cyber attackers would be causing a cascading outage in the Bulk Electric System; the right way to counter that is through the NERC CIP standards, which apply exclusively to BES assets. But if we’re talking about specific facilities like dams and military bases, the substations and generating plants that serve them are often purely distribution ones, to which the CIP standards don’t apply.

In theory, distribution assets are regulated by the PUCs of the states in which they’re located. However, a little-understood fact about PUCs is they usually have direct authority only over IOUs, and as I said, none of the utilities mentioned in the article are IOUs. So probably a majority of the substations and generating plants that serve the strategic assets under attack aren’t subject to any cyber regulations (and only a few state PUCs have true cyber regulations, even for their IOUs).

Of course, this doesn’t at all mean these utilities have bad security – and it certainly doesn’t mean that the NERC CIP standards should be extended to them in some way. But it does show that any faith in NERC CIP as the country’s primary bulwark against the encircling cyber hordes is increasingly misplaced, even if it might have been justified five or ten years ago.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.
