Note from Tom: If you’re only looking for
today’s pandemic post, please go to my new blog. If you’re looking for my
cyber/NERC CIP posts, you’ve come to the right place.
Yesterday, I wrote
about a report from Moody’s – which formed the backbone of a story in E&E
News – that said the recent Executive Order was “credit positive” for the electric
power industry, since it would force those nincompoops to do something that
they’re not doing now: taking steps to ensure the products they buy to run the
Bulk Power System are safe from a cyber security point of view.
My objection to that report was
that it’s completely untrue – and it’s disturbing that Moody’s didn’t seem to have
even tried to talk to any real electric utilities about their practices when
they wrote it. Moody’s is in the business of rating credit, so a lot of people
will take this very seriously. I’ll admit I thought the fact that they made
these statements, without any real attempt to verify with a few utilities about
whether this was true or not, was more funny/sad than anything else.
But Dick Brooks of Reliable
Energy Analytics emailed me this morning to point out that Moody’s might have
had another reason to issue this report. They have a new company called Cyber Assessments that
rates companies – like electric utilities – for cyber risk! So maybe the
statements from Moody’s in the E&E News article can be understood as
spreading some FUD that they hope will lead management of electric utilities to
believe they need to hire them to assess their cyber posture – although I’ll
say that I’ve never believed FUD was a good way to sell anything having to do
with security.
However, this isn’t all. Remember,
Moody’s is a credit rating company, and the report said the EO is “credit
positive” for the power industry – meaning, of course, that electric utilities
can expect higher ratings from Moody’s on bond issues, etc. if they get their
cyber act together (and the EO will help them do this, in some way – although as
I pointed out yesterday, exactly how is very unclear). This leads to an
interesting question: If a large utility company hires Cyber Assessments to
assess their security risk, might that lead to Moody’s itself (which in theory is
a completely separate company, although the speaker in the video I linked above
seemed to have no problem mentioning the two organizations almost in the same
breath) giving the utility a higher rating for the bond markets than they otherwise
would have?
Of course, this is a very
serious question, and I certainly don’t know the answer to it. However, I’ll
remind you (in case you’d forgotten) that Moody’s paid
$864 million to the US government in 2017 to settle the claim that they had
deliberately rated a lot of mortgage securities much higher than they should
have, given the fact that they mostly ended up being near-worthless when the
2008-9 meltdown hit. Was this just the result of Moody’s having a lot of bad
analysts? Not at all. Moody’s was being paid by financial companies to rate
their mortgage-backed securities, and – lo and behold! – their ratings turned
out to be very good, even though the actual securities ended up being toxic
junk.
Of course, I’m sure the
brochures for Cyber Assessments won’t say this explicitly – and there will be
all sorts of legal disclaimers – but utilities can put two and two together. I certainly
hope utilities won’t do business with Cyber Assessments for this reason. But if
it turns out that these people have a great handle on the state of cyber security
in the power industry, and they’re just very anxious to share that knowledge
with individual utilities, then yes – utilities should seriously consider
hiring them. But if Moody’s does have such great knowledge of the power
industry’s cyber practices, they sure didn’t exhibit it in their statements
reported in the news article.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment
on what you have read here, I would love to hear from you. Please email me at
tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some
help on it? Or would you like me to review what you’ve written so far and let
you know what could be improved? Just drop me an email!