Wednesday, December 11, 2019

Open email to Karen Evans


After my last post, I received an email from two retired former high-level cybersecurity officials in DHS and DoE (both of whom I know, although not well), suggesting we talk. We did so today, and they impressed upon me the need to do something more than complain (which I must admit is kind of my default mode) about the lack of an investigation of the reported Russian cyber penetration of the US power grid.

They first suggested that I reach out to the Electric Sector Coordinating Council, so they could discuss the need for an investigation at their next meeting; however, I pointed out that I’m not on a first name basis with any CEOs of major utility organizations. They then suggested that I send an email to Karen Evans to suggest that DoE itself investigate. This made a lot of sense to me – it’s certainly worth a try.

Below is the email I just sent to Ms. Evans (I will send similar emails to both Illinois Senators, Dick Durbin and Tammy Duckworth – since I reside in Illinois). I’ll let you know if I receive a substantive response. I hope I do.


Dear Assistant Secretary Evans:

I am a longtime cybersecurity and compliance consultant to the electric power industry. I was very impressed with your speeches to NERC GridSecCon 2018 and 2019. This year, I was especially impressed that you pointed out to the audience the passage in the 2019 Worldwide Threat Assessment, which states that the Russians currently have the ability to “…generate localized, temporary disruptive effects on critical infrastructure—such as disrupting an electrical distribution network for at least a few hours similar to those demonstrated in Ukraine in 2015 and 2016.”

This has been said in different terms by DHS, the Wall Street Journal, Symantec and the former Deputy Director of the NSA, as pointed out in my recent blog post discussing your speech (this post and its predecessors received a lot of attention in the power industry).

While you didn’t discuss this passage in your speech, it seemed you were urging the industry to take some sort of action. I agree that the industry should do this, but currently they know nothing about a) the identifiers of the malware that has presumably been implanted in their networks by the Russians; or b) how the Russians were able to get in to implant it. If they knew the former, they would hopefully be able to find and root out the malware from their networks; if they knew the latter, they would be able to protect their networks from further penetration by the Russians.

However, neither the WTA nor the other sources I mentioned provided any of this information. It can only be obtained through an investigation of the electric utility networks that may have been affected. But here is the amazing part: No organization (governmental or non, although one would normally expect the Federal government to take the lead in doing this, as they did for the Ukraine attacks) has even launched such an investigation, let alone produced this information.

This contrasts remarkably with the Ukraine attacks. In both cases, investigators from multiple organizations in the US (including DoE) jumped on planes for the Ukraine seemingly within hours of the news of the attacks. Within days, they were producing various reports to the power industry. Within weeks, they were conducting both classified and unclassified briefings across the country, to let the industry know what to look for on their networks and how the attacks were perpetrated, so they could remove the malware and strengthen their defenses against similar attacks here.

In marked contrast to the Ukraine attacks, the WTA has been out since January, and there have been no investigations, no reports and no briefings (classified or unclassified). And of course, in this case we’re talking about an attack on the US, not a foreign country! This is beyond bizarre. Of course, one big difference is that the Ukraine attacks caused outages, whereas the attacks on the US haven’t done that yet (as far as we know). Does this mean our policy is to wait for the Russians to cause outages and then investigate? If so, this is a very sorry state of affairs.

As the Sector-Specific Agency for the US electric power industry, I respectfully suggest that DoE should undertake this investigation. Perhaps the investigation will determine that the reports were all misinformed and the Russians haven’t been able to place malware in the US power grid; this would definitely be the best result. But until this is done, the power industry is going to live under the suspicion that the grid can’t be trusted because it’s riddled with malware. This will lead to more proposals like Richard Clarke’s (mentioned in my post linked at the beginning of this email) that we spend hundreds of billions, or even trillions, of dollars building a completely “clean” and safe grid. This is of course an incredibly huge effort, but how can we be sure it isn’t needed, if we don’t investigate the government’s own statements?

Of course, I will be pleased to discuss this further with you or your representatives.

Respectfully yours,

Tom Alrich

As always, you can discuss this post with me by emailing tom@tomalrich.com.
