I’ve written a lot previously about Wall Street Journal articles about cyberattacks on the US power grid, including this post and this one. Now, WSJ reporters Rebecca Smith and Rob Barry are back with another article on this topic, but this one is quite different from the previous two. While WSJ online articles are normally behind a paywall, Rob sent me this free link.
The previous two articles dealt with Russian attacks that came almost entirely through the vendor community – in the case of the 2018 article, via attacks on the vendors’ remote access systems, and in the January 2019 article, via phishing attacks on vendors.
In this new article, they discuss direct attacks on utilities (in case you thought those weren’t happening any more – ha ha), and the provenance of those attacks isn’t at all clear. It seems the attacks are coming partly through malware-laden emails and partly through direct assault on firewalls; but the article doesn’t describe any attacks coming through vendors or other third parties.
There are two very interesting aspects to the new attacks (and this is a campaign that is fairly recent, unlike the Russian supply chain attacks, which have been going on literally for years): First, the utilities targeted are on the smallish side. The largest of the utilities named in the article is a large Generation and Transmission cooperative, and none are investor owned utilities (IOUs). Of course, none of these attacks is said to have succeeded, even in penetrating the IT network.
Second, the utilities don’t seem to be targeted simply in order to cause economic disruption through outages, but because they are located near particular strategic facilities, such as the important Sault Ste. Marie Locks between Lakes Superior and Huron, and Federal dams (even though the facilities may not actually be served by the utility target – which the attackers, presumably from overseas, wouldn’t usually know).
This was a theme of Rebecca and Rob’s January article: the Russians, at least in some cases, seem to be targeting specific facilities, including especially military bases. No military targets are mentioned in the article, which might indicate the attackers in this case are a different group than the one discussed in January, and they might not be Russian at all.
Would you like to know my big takeaway from this article? ... I didn’t think so, but I’ll tell you anyway. It’s that NERC and the industry may have been barking up the wrong tree all along, in considering that the biggest goal of cyber attackers would be causing a cascading outage in the Bulk Electric System; the right way to counter that is through the NERC CIP standards, which apply exclusively to BES assets. But if we’re talking about specific facilities like dams and military bases, the substations and generating plants that serve them are often purely distribution ones, to which the CIP standards don’t apply.
In theory, distribution assets are regulated by the PUCs of the states in which they’re located. However, a little-understood fact about PUCs is that they usually have direct authority only over IOUs, and as I said, none of the utilities mentioned in the article are IOUs. So probably a majority of the substations and generating plants that serve the strategic assets under attack aren’t subject to any cyber regulations (and only a few state PUCs have true cyber regulations, even for their IOUs).
Of course, this doesn’t at all mean these utilities have bad security – and it certainly doesn’t mean that the NERC CIP standards should be extended to them in some way. But it does show that any faith in NERC CIP as the country’s primary bulwark against the encircling cyber hordes is increasingly misplaced, even if it might have been justified five or ten years ago.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.