After my last post, I received an email from two retired former high-level cybersecurity officials in DHS and DoE (both of whom I know, although not well), suggesting we talk. We did so today, and they impressed upon me the need to do something more than complain (which I must admit is kind of my default mode) about the lack of an investigation of the reported Russian cyber penetration of the US power grid.
They first suggested that I reach out to the Electric Sector Coordinating Council, so they could discuss the need for an investigation at their next meeting; however, I pointed out that I'm not on a first-name basis with any CEOs of major utility organizations. They then suggested that I send an email to Karen Evans to suggest that DoE itself investigate. This made a lot of sense to me – it's certainly worth a try.
Below is the email I just sent to Ms. Evans (I will send similar emails to both Illinois Senators, Dick Durbin and Tammy Duckworth, since I reside in Illinois). I'll let you know if I receive a substantive response. I hope I do.
Dear Assistant Secretary Evans:
I am a longtime cybersecurity and compliance consultant to the electric power industry. I was very impressed with your speeches to NERC GridSecCon 2018 and 2019. This year, I was especially impressed that you pointed out to the audience the passage in the 2019 Worldwide Threat Assessment, which states that the Russians currently have the ability to "…generate localized, temporary disruptive effects on critical infrastructure—such as disrupting an electrical distribution network for at least a few hours similar to those demonstrated in Ukraine in 2015 and 2016."
This has been said in different terms by DHS, the Wall Street Journal, Symantec and the former Deputy Director of the NSA, as pointed out in my recent blog post discussing your speech (this post and its predecessors received a lot of attention in the power industry).
While you didn't discuss this passage in your speech, it seemed you were urging the industry to take some sort of action. I agree that the industry should do this, but currently they know nothing about a) the identifiers of the malware that has presumably been implanted in their networks by the Russians; or b) how the Russians were able to get in to implant it. If they knew the former, they would hopefully be able to find and root out the malware from their networks; if they knew the latter, they would be able to protect their networks from further penetration by the Russians.
However, neither the WTA nor the other sources I mentioned provided any of this information. It can only be obtained through an investigation of the electric utility networks that may have been affected. But here is the amazing part: No organization (governmental or non, although one would normally expect the Federal government to take the lead in doing this, as they did for the Ukraine attacks) has even launched such an investigation, let alone produced this information.
This contrasts remarkably with the Ukraine attacks. In both cases, investigators from multiple organizations in the US (including DoE) jumped on planes for the Ukraine seemingly within hours of the news of the attacks. Within days, they were producing various reports to the power industry. Within weeks, they were conducting both classified and unclassified briefings across the country, to let the industry know what to look for on their networks and how the attacks were perpetrated, so they could remove the malware and strengthen their defenses against similar attacks here.
In marked contrast to the Ukraine attacks, the WTA has been out since January, and there have been no investigations, no reports and no briefings (classified or unclassified). And of course, in this case we're talking about an attack on the US, not a foreign country! This is beyond bizarre. Of course, one big difference is that the Ukraine attacks caused outages, whereas the attacks on the US haven't done that yet (as far as we know). Does this mean our policy is to wait for the Russians to cause outages and then investigate? If so, this is a very sorry state of affairs.
Since DoE is the Sector-Specific Agency for the US electric power industry, I respectfully suggest that DoE should undertake this investigation. Perhaps the investigation will determine that the reports were all misinformed and the Russians haven't been able to place malware in the US power grid; this would definitely be the best result. But until this is done, the power industry is going to live under the suspicion that the grid can't be trusted because it's riddled with malware. This will lead to more proposals like Richard Clarke's (mentioned in my post linked at the beginning of this email) that we spend hundreds of billions, or even trillions, of dollars building a completely "clean" and safe grid. This is of course an incredibly huge effort, but how can we be sure it isn't needed, if we don't investigate the government's own statements?
Of course, I will be pleased to discuss this further with you or your representatives.
Respectfully yours,

Tom Alrich