One of my
favorite experiences during NERC GridSecCon 2018 was hearing from Karen Evans,
who earlier that year had become Assistant Secretary of DoE and head of the
then-new DoE Office of Cybersecurity, Energy Security, and Emergency Response
(CESER). She had received a lot of very good press, partly due to her
appearances before Congress when she came into that role. And she didn’t
disappoint when she spoke last year. She is quite dynamic, but also clearly
someone who doesn’t just talk a good game, but executes a good game as well.
She returned
to GridSecCon this year, and once again made a very good speech. I was most
struck by one thing that she urged her listeners to do: read the bottom of page
5 and the top of page 6 of this year’s Worldwide Threat Assessment (WTA), which was
presented to the Senate in January
by the Director of National Intelligence, together with the directors of the FBI and CIA. Here is
the section that she referred to:
“We assess
that Russia poses a cyber espionage, influence, and attack threat to the United
States and our allies. Moscow continues to be a highly capable and effective
adversary, integrating cyber espionage, attack, and influence operations to
achieve its political and military objectives. Moscow is now staging cyber
attack assets to allow it to disrupt or damage US civilian and military
infrastructure during a crisis and poses a significant cyber influence
threat—an issue discussed in the Online Influence Operations and Election
Interference section of this report.
Russian
intelligence and security services will continue targeting US information
systems, as well as the networks of our NATO and Five Eyes partners, for
technical information, military plans, and insight into our governments’
policies.
Russia has the ability to execute cyber
attacks in the United States that generate localized, temporary disruptive
effects on critical infrastructure—such as disrupting an electrical distribution
network for at least a few hours—similar to those demonstrated in Ukraine in
2015 and 2016. Moscow is mapping our critical infrastructure with the long-term
goal of being able to cause substantial damage.” (my emphasis)
Ms. Evans
didn’t say much if anything about this passage, except that everybody should
read it. Of course, the last paragraph is the one that she was undoubtedly most
concerned about.
This isn’t
news to any of us, so why am I even bothering to bring this up now? Before I
tell you why, I want to point out that this isn’t the first set of disturbing
reports about Russian cyber activity against the US power grid. The other
reports include:
- DHS’s briefings
on Russian supply chain attacks on the power industry in July 2018.
- A Wall Street
Journal article
in January that a) described a different wave of Russian attacks through
the supply chain, this one utilizing phishing emails, and b) quoted Vikram
Thakur of Symantec as saying that “…his company knows firsthand that at
least 60 utilities were targeted, including some outside the U.S., and
about two dozen were breached. He
says hackers penetrated far enough to reach the industrial-control systems
at eight or more utilities.” (my emphasis).
- E&E News reported
in May that 200,000 “implants” (i.e. pieces of malware) had been installed
in US water, gas and oil, and electric power infrastructure, according to
the former deputy director of the NSA. Who did this, you ask? Who else but
our good friends in St. Petersburg and Moscow?
Given this,
if you had just dropped into the US from, say, Mars, you would be amazed if I told you there
has been no activity (discernible by me or anybody else I know, which
includes a number of people with security clearances and an indisputable need
to know about any malware implanted in the grid) to root out the malware that
has been implanted, or even to investigate whether the reports are true or
not.
Of course,
it’s possible that all of the people mentioned above have been misled in some
way, or they just don’t have the technical knowledge required to make
statements like this – and there is no truth at all to these reports. That’s
why I’ve repeatedly called
for an investigation by some body (part of the government or quasi-government,
like NERC), to find out once and for all whether these reports are true. Maybe
they’re all completely false, in which case everybody can sleep well from now on
(or at least this will be one thing that won’t
keep us awake at night. The Lord knows there are lots of others!). But until
there’s an investigation, we have to believe there’s some truth to them, and
the Russians could cause power outages in the US at any moment.
But if you’ve
been reading this blog for a while, you must know that my calls for an
investigation have fallen on totally deaf ears. I’ve heard no confirmation that
any organization is investigating this, or that any organization is even
considering doing so. So why am I bringing this up again? Why don’t I just
drop the subject and do like a lot of others seem to be doing nowadays – making
my accommodation with Russia, since they seem intent on having their way with
us and we seem intent on letting them do that (of course, that’s natural. Their
economy is about half the size of California’s, but they do have one thing that
California doesn’t – a huge nuclear arsenal)? And here they even tried to give
me a medal,
which I would have accepted if they hadn’t asked me to come to the Russian
embassy to accept it. Knowing what happened to Mr. Khashoggi at the Saudi
embassy in Istanbul, I decided that the medal wasn’t worth it.
So what has
changed? Yes, Karen Evans pointed out the WTA passage for the .002% of the people
in the hall who hadn’t already heard about it – but does this bring us any
closer to an investigation? I’ll admit it probably doesn’t, but what I found
significant is that her doing so demonstrates conclusively that the two biggest reasons
people have proffered to me for the lack of an investigation are invalid.
I’ve heard a
lot of reasons why there’s no investigation (most of which are put forth by
people who are naïve, but some of which may point to a murkier motive), and I
hope to write a post one of these days listing them all – I’ve heard at least
15 so far. However, by far the two most common reasons are:
1. There’s
been an investigation, but the results are classified; and
2. Appropriate
agencies are actually working on this, but they’re not at the point yet where
they can reveal any findings.
Both of
these reasons can be easily debunked, but Ms. Evans’ talk in October did that
for me. She wouldn’t have asked everyone to look at the WTA if she’d thought
either one of these was true. If either one was true, she would have definitely
known about it.
So why did
she bring this up? Is she thinking we all need to press harder for an investigation?
There’s clearly nothing more the industry can do from a technical point of view –
beyond what it’s doing already, of course – without knowing something about the
malware that’s implanted and how it got there. It’s not likely the Russians named
the malware files Russianmalware1, Russianmalware2, etc. The industry got specific
information on the malware – in unclassified and classified briefings – within a
few weeks (if not less time) of the Ukraine attacks. But here we are almost 11
months after the WTA came out, and there hasn’t been any word at all about the
malware referred to in that report. And the WTA is talking about threats to the
US, not to Ukraine!
So I assume
Ms. Evans wants us to press harder, and I’m happy to oblige her. In fact, I’d
like to press her on this. One of the
agencies that would be near the top of my list to do this investigation is
Idaho National Laboratory (INL), which is of course part of DoE. Why doesn’t she
talk to them about doing it (although I know she doesn’t have direct authority
over INL)?
If I hear
anything more on this, you’ll be the first to know!
Postscript
You might be
inclined to think that it’s no big problem if these reports aren’t
investigated, since nobody – in the power industry or the general public –
seems too concerned about them. But here you’re wrong. This was pointed out to
me by a book
review that appeared in the Wall Street Journal on August 8 (I’ve had the
print copy sitting on my desk since then, thinking I’d soon get time to write
about it).
The review
was of a book called “The Fifth Domain”, by Richard A. Clarke
and Robert K. Knake. It’s about foreign cyberattacks on US private infrastructure.
It contains this paragraph:
“The authors
propose a new backup national power grid that would not be connected to the
internet. Without it, they say, the U.S. is defenseless against “somebody like
the Russian GRU, engaging in a cyberattack that would technologically revert us
to the nineteenth century, but without all the equipment that people in the
nineteenth century had to deal with life in a society without electricity.”
In other
words, the authors of this book (and Richard Clarke is a very well-known figure
with lots of high-level government experience) believe the US grid is so
untrustworthy that we need to take the drastic step of building an entire
backup grid that won’t be connected to the internet and therefore isn’t likely
to be infected with all of the malware, etc. that the current grid is infected
with.
Of course,
this proposal is very unlikely to get anywhere, since it would require an
absolutely enormous expenditure. But if sophisticated, well-connected people
like Richard Clarke believe this needs to happen – in part because of reports
that the current grid is already riddled with Russian malware – it’s almost
inevitable that sooner or later there will be calls for other steps, such as
taking responsibility for the security of the grid completely away from NERC and FERC and handing
it to the military, and those calls will meet with real approval. At that point, it
will be quite hard for the power industry to argue that it’s absolutely sure
the grid is very secure – except, of course, for all the reports that say it isn’t,
which haven’t been investigated at all. “Just trust us: other than the malware discussed in those reports, our grid is completely secure!”
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep
in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP
issues or challenges like what is discussed in this post – especially on
compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for
your organization, remains open to NERC entities and vendors of hardware or
software components for BES Cyber Systems. To discuss this, you can email me at
the same address.