Note from Tom: If you’re only looking for
today’s pandemic post, please go to my new blog. If you’re looking for my
cyber/NERC CIP posts, you’ve come to the right place.
The Executive Order (EO 13920, “Securing the United States Bulk-Power System,” signed May 1, 2020) doesn’t make any more sense to me today than it did when I wrote this post on Saturday. I simply can’t understand what it’s trying to achieve.
Of course, the stated purpose is
very clear. The first paragraph reads
I, DONALD J. TRUMP, President of the United States of America, find
that foreign adversaries are increasingly creating and exploiting
vulnerabilities in the United States bulk-power system, which provides the
electricity that supports our national defense, vital emergency services,
critical infrastructure, economy, and way of life. The bulk-power system is a target of those
seeking to commit malicious acts against the United States and its people,
including malicious cyber activities, because a successful attack on our
bulk-power system would present significant risks to our economy, human health
and safety, and would render the United States less capable of acting in
defense of itself and its allies.
So it’s all about preventing cyber attacks, right? I totally agree that bad people are targeting the bulk power system with cyber attacks all the time. The number one culprit in that regard is Russia: the 2019 Worldwide Threat Assessment stated that Moscow is staging cyber attack assets in US civilian infrastructure and could disrupt an electrical distribution network for hours; yet there’s been no investigation of this threat, let alone any effort to root out those assets.
But of course, the EO isn’t targeting that kind of attack. It targets supply chain cyber attacks, in which malware (or a hardware implant) is embedded in the software, firmware or components of devices that run the grid before the utility ever receives them. The general idea is that the malware lies dormant until it is activated at a later date, usually by some sort of signal sent through the internet; the device then misoperates or stops operating altogether, with some sort of effect on the grid. Yet I can see just about zero possibility that the EO could help mitigate this threat.
First, what kind of devices are
the subject of cyber attacks? Ones with microprocessors in them, of course. I’m
not worried about a cyber attack taking down my steam iron or toaster, but I could
worry about an attack on my computer, my smart phone, my car, etc. – these all
have microprocessors.
So what devices on the power
grid have microprocessors (or more generally, programmable logic circuits,
since there wouldn’t necessarily have to be a microprocessor for it to be
attacked by cyber means)? Fortunately, due to the NERC CIP standards, we have a
collective term for these: Cyber Assets, defined as “programmable electronic
devices”.
What does the EO apply to?
That’s very clear (Sec. 4(b)): “..items used in bulk-power system substations,
control rooms, or power generating stations, including reactors, capacitors,
substation transformers, current coupling capacitors, large generators, backup
generators, substation voltage regulators, shunt capacitor equipment, automatic
circuit reclosers, instrument transformers, coupling capacity voltage
transformers, protective relaying, metering equipment, high voltage circuit
breakers, generation turbines, industrial control systems, distributed control
systems, and safety instrumented systems.
Items not included in
the preceding list and that have broader application of use beyond the
bulk-power system are outside the scope of this order.”
So here’s the question: Which of these items typically have a microprocessor? In NERC CIP terms, which of them are Cyber Assets? Only three are guaranteed to have one: “industrial control systems, distributed control systems, and safety instrumented systems”, because these are by definition programmable electronic devices. Beyond those, the devices that usually have microprocessors are protective relays and backup generators (the latter through their controllers). A few others on the list, such as automatic circuit reclosers and metering equipment, are increasingly sold with microprocessor-based controls as well, but the point stands: most of the list is not programmable at all.
As far as the other devices go,
they are dumb and they’re deliberately dumb. They’re meant to take their orders
from a control system. For example, circuit breakers are probably the devices
that can have the greatest impact on the grid if misoperated. But they don’t
make decisions on their own; they’re always controlled by a relay, which
nowadays almost always has a microprocessor in it.
As another example, transformers
are extremely important to the grid, since the grid wouldn’t work without them
– in fact, news articles I’ve seen consider these to be a big target of the
order. Yet these don’t have microprocessors. They don’t need direction in order
to do their job, either; the laws of physics give them almost all the
instructions they need. My friend Kevin Perry wrote “There may be some new,
smart transformers that have microprocessors, but as a general rule, I don’t
think the high voltage transformer has electronic systems that can be
hacked. At best, there are sensors
throughout the transformer that allow operating conditions to be monitored. That is not much different than the
transducers scattered around a generating plant. To the extent the transducer voltage output
can be recalibrated to produce false readings is about the only issue I am
aware of. But usually you need to be in
close proximity to be able to manage such a device.”
So transformers can’t be hacked in any meaningful sense, and the same goes for most of the other devices on the list in the Order: at most, someone with physical access could miscalibrate a monitoring sensor. This leads to the question: Why does the Order apply to essentially all devices, dumb or smart, on the grid, when only smart devices can be targeted in a cyber attack?
Remember, for every one of these devices, utilities are going to have to get
permission in order to buy them now. Of course, the Order does say that the
Secretary of Energy can decide to pre-qualify vendors and products, to maybe
speed up the process. But how long will it take for that to happen? The Order
says the Secretary will publish rules in 150 days, yet it took effect
immediately last Thursday. So all purchasing of grid equipment is going to be
very uncertain for at least 150 days and the uncertainty will go on from there,
unless the White House puts out an amended order right away that says the only
devices it applies to are Cyber Assets. Of course, they’re not going to do that
– and this means we’re placing a big burden on the grid right now (as if the
current Covid-19 situation weren’t already a pretty significant burden!), in
order to protect a small subset of the devices the order applies to.
Now let’s focus on that small
subset: protective relays, backup generators, industrial control systems,
distributed control systems, and safety instrumented systems. Which of these
could have a significant impact on the grid, if compromised or destroyed?
Here’s another way the NERC CIP terms can help us. Within the universe of Cyber
Assets, there’s a subset called BES Cyber Assets. These are devices whose
misoperation or loss could impact the Bulk Electric System (essentially, the
same as the Bulk Power System). The Order should really just be focused on
these, not even Cyber Assets in general.
Now the question becomes: What
BES Cyber Assets are made with some sort of significant foreign involvement, by
organizations headquartered in or possibly controlled by governments that pose
a threat to the US? And face it: The governments we’re talking about here are
Russia and China. On Saturday and today, Kevin Perry and I brainstormed about this
question. What was our answer?
First, there’s an important semantic question to be resolved. The order says it applies to “items used in bulk-power system substations, control rooms, or power generating stations..” Substations and generating stations are clear, but “control rooms” isn’t, because that term usually refers to a room in a generating plant that contains the control systems that run the plant’s equipment. Since “generating stations” are already on the list, Kevin and I guessed that what was really meant was Control Centers. These are the heart of the grid, since their job is to balance generation and load in real time, second by second (automatic generation control adjusts dispatch every few seconds). You can’t be five minutes late in delivering something that’s needed right away!
I wish to point out at this point that the fact that
whoever drafted this Order didn’t know the difference between a control room
and a Control Center just reinforces my suspicion that the Order was put
together with very little input from the electric power industry. After all,
why ask them? What do they know, anyway?
So let’s assume Control Centers
are in scope for the Order. There’s an important difference between Control
Centers and the other two types of locations: substations and generating
stations: The equipment in Control Centers is almost all the same kind of
low-voltage computing equipment that you would find on any corporate desktop or
data center in the country: mostly Dell or HP servers and workstations, Cisco firewalls
and switches, etc. More specifically, there is no “bulk-power system equipment”
in a control center, since that is invariably operated at a much higher voltage
than is found in any office or data center.
So if Control Centers are covered by this order, does that mean generic Dell, HP and Cisco products, which are used by every industry and government agency, are going to be treated as “bulk-power system equipment”? (And Control Centers are, as I mentioned, the heart of the grid. If you wanted to disrupt the bulk power system, a Control Center is the first thing you’d try to attack in some way, but lots of luck even getting in: they’re extremely well protected, both physically and electronically.)
To be honest, there are
certainly real risks that apply to these products. Even though they’re sold by
big US companies, they’re often assembled or even manufactured in China. A lot
of HP workstations are manufactured in China; Dell assembles some of their
servers there; and Cisco manufactures their “Fixed Switching products” and “Power
Supplies” there, according to their web site.
So it might be worthwhile
investigating HP, Dell and Cisco, to confirm they’re vetting their suppliers in
China very carefully (I’ll guess they are, but it wouldn’t hurt to look at
that). But let’s say the Secretary of Energy (who is in charge of this whole
program, although my guess is there weren’t champagne corks popping across DoE when they heard that this
was getting dumped in their laps) decides that one of these vendors actually
does a poor job of vetting their Chinese suppliers – so their products that are
made or assembled in China should be banned.
Is Cisco going to be banned from
selling any switches in the US? Will HP be banned from selling any workstations?
And if not (and they certainly won’t be banned!), then how can DoE tell HP that
they can sell workstations to any industry but power? Even more importantly, is
it at all likely that the nefarious Chinese government would plant attacks designed
just to damage the power industry – yet embed these in every server made or
assembled in China, since there’s no way they could know in advance which ones
were going to the power industry and which weren’t?
So outside of Control Centers,
which Cyber Assets in substations and generating stations would qualify as BES
Cyber Assets? Kevin could only identify a) the generic HP, Dell and Cisco
systems just discussed; b) protective relays; c) backup generators; and d)
programmable logic controllers (and Kevin has been in lots of substations and
generating plants – as well as Control Centers – in his long power industry
career, especially his almost ten-year gig as Chief CIP Auditor for SPP
Regional Entity).
How many Chinese companies sell
these devices to the power industry? Kevin doesn’t know of any. Then how many
of these devices are often assembled or manufactured in China? Again, Kevin
doesn’t know of any. Therefore, if you ask which computing devices are actually covered by this order (meaning they qualify as BES Cyber Assets and are sometimes manufactured in China), the answer has to be: just switches, routers, firewalls, servers and workstations. None of these are sold by Chinese companies, but some of them are manufactured or assembled in China. And none of them is at all unique to the power industry, so they really don’t meet the definition of “bulk-power system equipment”, which is supposedly what the order applies to. This means that, technically speaking (i.e. as a lawyer would argue in court), the EO doesn’t apply to these devices at all.
What if we get below the device
level? Is there risk there? There certainly is, because now we get into the
chips (microprocessors and other kinds of chips) that form the smarts of the
Cyber Assets that are found just in substations and generating plants,
including relays and PLCs. There’s no question that a lot of these are made in
China, so there’s certainly some risk from them – if their manufacturer were
controlled by a “hostile power”.
However, asking each utility to
ramp up a big program to a) determine what chips will be found in a product
they’re purchasing – before they buy it!; b) determine the real provenance of
those chips (not just the middle man that sold them to the device manufacturer,
if you can even learn that); c) research each of the companies in the supply
chain of the chip to determine what risk it posed; and d) document all of this
for the Secretary of Energy so that he or she can determine the degree of risk
posed to the BPS by that chip, would be nuts, period.
When it comes to chips and other
small components like them, the only course for an organization smaller than
say the Department of Defense is to make sure that the manufacturers whose products
you’re buying take great care to vet their chip suppliers, and they don’t just
buy the cheapest chips they can find, without any concern about who made them
or handled them along the way.
As an illustration of this point, I want to bring up Schweitzer Engineering Labs (SEL). They are by far the largest maker of protective relays in the US (probably the world?), and I would add that they’re almost certainly one of the largest manufacturers of Cyber Assets that are essential to the operation of the US power grid. Dave Whitehead, their CEO, spoke on the panel on supply chain security that I moderated at NERC GridSecCon last year, and afterward put together a very good document called “How does SEL address supply chain vulnerabilities?” I included the document in this post last year.
The whole post is worth reading,
but note this section:
Ensure Component Integrity
- SEL verifies the performance of ALL
purchased components against our supplier product specs.
- We continuously test our products
throughout the manufacturing process.
- We take additional steps to ensure the integrity of the components in our products. For example, we use x-rays, inspect packaging, and consult the manufacturer’s design drawings. (I invite anyone who wants to come to our HQ in Pullman to visit and check out our x-ray machines, manufacturing operations, and R&D facilities).
I really think this is the only
way to address the question of chip integrity: buy only from suppliers that you
trust to have a good handle on the vetting and testing process. There’s simply
no way that any utility could possibly make these judgments on its own. If the
Federal government feels this is a huge issue, then they should stand up the
mechanism to do this for the utilities (in fact, I’m sure it already exists in
the Dept. of Defense).
In conclusion…
In order to address a very
narrow problem – Intel-based servers and workstations, as well as networking
devices, that are manufactured or assembled in China – the Executive Order requires
any purchase of any type of “bulk-power system equipment” to be approved by the
Secretary of Energy, even if it has no more smarts than my alarm clock. Moreover,
since the devices just mentioned are sold to all industries, not just the power
industry, they really can’t be banned. Plus it’s almost impossible to see how
they could be used to carry out a supply chain attack on the power industry in
the first place.
This would all be funny, were it not likely that most purchasing of products for the Bulk Power System, with or without a microprocessor, will be significantly delayed until the promised rules are released in 150 days. Let’s hope that was just a high estimate, and that the rules will actually be clear and helpful once released.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment
on what you have read here, I would love to hear from you. Please email me at
tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some
help on it? Or would you like me to review what you’ve written so far and let
you know what could be improved? Just drop me an email!