Note from Tom: If you’re only looking for
today’s pandemic post, go to my new blog (and if you’re not
subscribing to that blog, sign up for it. This blog will increasingly be
devoted to cybersecurity/NERC CIP discussions, although I’ll continue to post
the pandemic posts here as well – but they won’t get picked up by the email
feed on days when I post on both topics). If you’re looking for my cyber/NERC
CIP posts, you’ve come to the right place.
In case you
haven’t seen it, on May 1 the White House issued an Executive
Order on “Securing the United States Bulk-Power System”. First off, this
was a complete surprise to me, as well as to a few other people who would
normally have heard something about
this beforehand. Second off, it’s not in any way a comprehensive order to
secure the BPS (aka the BES, although I’m told there’s some minor difference in
what the two terms apply to), but applies only to the supply chain.
Let me be
clear: Unless there was some particular recent event that occasioned this –
which I’ve certainly not heard about (if you have, please drop me an email) -
or unless some important group like the Electric Sector Coordinating Council
considered this step was necessary (again, for a reason I have not heard
about) and requested that the administration issue the order, the order is a
huge mistake. It will end up making the BPS much less secure, rather than the
other way around.
Essentially,
the order requires that any new procurement of just about anything for the BPS –
not just control systems – be first approved by the Secretary of Energy.
Specifically, Section 1(a) states that “any acquisition, importation, transfer,
or installation” of any BPS equipment is prohibited, “where the transaction
involves any property in which any foreign country or a national thereof has
any interest (including through an interest in a contract for the provision of
the equipment), where the transaction was initiated after the date of this
order”, and also where the Secretary has determined that the transaction meets
two conditions:
- It “involves bulk-power system electric equipment
designed, developed, manufactured, or supplied, by persons owned by,
controlled by, or subject to the jurisdiction or direction of a foreign adversary”;
and the transaction
- “poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of the bulk-power system in the United States; poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the economy of the United States; or otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.”
Of course,
the Secretary can suggest mitigation measures, pre-qualify vendors, etc. But
for the moment, I think the whole industry has to assume that any equipment
they buy for the BPS (which is defined as 69kV and above, although the Order
does state that any equipment used just for Distribution isn’t covered) first
has to be cleared by DOE (by the way, would you say it’s likely that on Monday
morning DOE will have all the forms ready for seeking approval, and whoever you
talk to on the phone will know exactly who can answer any particular question
you may have? I don’t, either).
I discussed
this with Kevin Perry, former chief CIP auditor of SPP RE, this morning. We
agreed that it’s hard to say what this order is intended to apply to. Since Kaspersky
software was ordered removed from the BES a few years ago, we don’t believe
there are any Russian or Chinese vendors at all who are now providing equipment
to the BPS (and it’s hard to identify any other nations that would meet the “adversary”
definition, since I don’t know of any trade now going on with North Korea and I
don’t believe al Qaeda or ISIS sell electrical equipment). But here’s what the
order might apply to:
- Dell and HP servers in Control Centers (BTW, the order
just refers to “control rooms”, which normally means a room at a
generating station or substation where control equipment is located, not
an actual Control Center meeting the NERC definition), which are often
assembled in Asian countries or Mexico. But since these are commodity
items produced for a huge market – essentially, every governmental or
non-governmental organization in North America – it’s quite a stretch to theorize
that somebody in China has figured out how to bring down the US grid by implanting
a backdoor just in the servers that will end up in grid Control Centers.
And it’s even harder to theorize how those people will identify and send a
signal to all of those servers when the time for the dreaded Grid
Apocalypse arrives.
- Chips and other components of equipment and control systems. A lot of these probably are made in China, or might come from a small company in Singapore that might actually be sourcing them from China. But how is your average electric utility (or even a large one) going to be able to even learn the identities of the chips on a Dell motherboard, let alone determine who manufactured, assembled or traded them?
So I predict
there will be massive confusion and wasted time, and ultimately very little
risk mitigated, as a result of this hasty and ill-conceived order. As we all
know, folks at electric utilities have lots of time on their hands now, since
nothing significant in particular is going on otherwise in the US. I’m sure
they’re all looking forward to those long mornings on the phone with DOE,
trying to find out who even might know the answer to their question, let alone
the answer itself – and to not knowing whether they’ll even get the same answer if they call
back tomorrow.
But other
than these small quibbles, I think it’s a great order. For example, the
font it’s written in conveys a great sense of presidential authority. And the
signature is a great example of less is more: “DONALD J. TRUMP, THE WHITE
HOUSE, May 1, 2020”. Ya gotta’ love it.
P.S.
It just occurred to me that,
rather than waste the industry’s time trying to solve non-existent problems,
there’s one clear security risk to the BES as we speak. It was brought to our
attention most notably when the Directors of the FBI and CIA and the Director of
National Intelligence presented
the 2019 Worldwide Threat Assessment to the Senate that January.
One sentence in that report read
“Russia has the ability to execute cyber attacks in the United States that
generate localized, temporary disruptive effects on critical
infrastructure—such as disrupting an electrical distribution network for at
least a few hours—similar to those demonstrated in Ukraine in 2015 and 2016.” And
an article
in E&E News in May 2019 quoted the former deputy director of the NSA
as saying that the Russians had deployed 200,000 “implants” (i.e. malware) in
US critical infrastructure, including electric power, natural gas and water.
Yet to this day, there has been
no investigation by any governmental or industry body of these two statements –
and if there were, no information has been passed on to the industry, in either
classified or non-classified form (and wouldn’t the industry want to know about
malware that’s out there now, especially how to identify and remove it?). Now there’s
a real problem.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment
on what you have read here, I would love to hear from you. Please email me at
tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some
help on it? Or would you like me to review what you’ve written so far and let
you know what could be improved? Just drop me an email!