Note from Tom: If you’re only looking for
today’s pandemic post, please go to my Pandemic Blog. If you’re
looking for my cyber/NERC CIP post, you’ve come to the right place.
Last week, Tim Conway, Robert M.
Lee and Jeff Shearer of the SANS ICS team published a “Defense Use Case” (DUC)
titled “Analysis of the recent report of supply chain attacks on US electric infrastructure
by Chinese Actors”. It was specifically focused on Joe Weiss’ blog post
regarding the large transformer that was ordered by a large US transmission
entity (later identified by the Wall Street Journal as the Western Area Power Administration, or WAPA),
manufactured to order in China and – after its arrival in the US last summer –
diverted to Sandia National Labs for examination, where it remains to this day.
I discussed Joe’s post here and the WSJ article here.
The document opens by discussing these events:
- The issuance on May 1 of an Executive Order (EO) on supply chain security, requiring operators of the Bulk Power System to get pre-clearance from the Department of Energy for purchases of equipment for the BPS which originate from, or in some way involve, a “foreign adversary”. There was no specification of who or what those foreign adversaries are, although they presumably don’t include the Vatican or UNICEF. Kevin Perry and I analyzed the EO in this post. Joe claimed in his post that the EO was probably issued due to a “hardware backdoor” that was discovered in the transformer at Sandia National Labs, which he went on to describe as based on the Aurora vulnerability.
- The blog post by Joe Weiss, dated May 11.
- A formal complaint filed with FERC by noted prepper Michael Mabee on May 12. This called on FERC to a) require NERC to extend CIP-013 to cover low impact assets, and b) require NERC to “revamp” all of the CIP cyber security standards to address everything in the NIST Cyber Security Framework. The complaint starts by stating that NERC CIP-013 doesn’t “comport with” the EO, but for some reason nothing that would address this alleged deficiency made it into the final recommendations.
The authors explain that the purpose of a Defense Use Case (this is the seventh issued by SANS) is to analyze a report of an ICS attack (in this case, the Joe Weiss post) and answer the following three questions:
- Is it credible?
- Is there enough technical information available for ICS users (in this case electric utilities) to take action?
- What are possible defenses against the threat that was reported?
As to credibility, the authors give the post a score of 0, which means “cannot be determined”. They point out that Joe’s post makes two important claims. The first is that the EO resulted from the “fact” that a “hardware backdoor” was found installed in the transformer that Sandia examined. To be fair, Joe’s post doesn’t directly say that this “discovery” led to the EO being issued. In fact, he executes a much more subtle logical maneuver, which I’ve heard the military informally describe as a “self-licking ice cream cone”: The EO is proof that a serious vulnerability was discovered, and the vulnerability is proof that the EO was properly issued.
However, I’m sad to report that the
authors of the DUC don’t appreciate the sheer beauty of this audacious logic
step. Even though Joe’s assertion shouldn’t be taken seriously from the point
of view of grid security, I suggest that Joe write a paper for the American
Philosophical Association explaining his newly-discovered method for proving
two propositions without providing evidence for either one! He may have missed
his true calling as a pioneering logician.
The second claim in Joe’s post
is one he states in big, bold letters: “What the Chinese did was install
hardware backdoors that can cause an Aurora or other type of damaging event at
a time of their choosing.” I pointed out in my post on Joe’s post that I
consider this to be Joe’s central assertion, and I stated that I couldn’t make
any sense out of this statement, let alone judge whether it’s true or not. As
the great physicist Wolfgang Pauli said when presented with a piece of
pseudoscience that didn’t make any scientific sense at all, “This isn’t even
wrong.” Of course, the authors of the DUC are more charitable than I am, so
they confine themselves to saying once again that no evidence is available to
prove this assertion.
The second question the authors
of the DUC answer is whether there is any technical information to back up
Joe’s claims in the post. Again, the score for that question is zero, meaning
there is no evidence at all.
However, when they get to the question of how to defend against the attack, the authors take an interesting step: They stipulate, for the sake of argument, that Joe’s assertions are credible and backed by evidence. Then they discuss how Joe’s second assertion (the heart of his technical “argument”) might actually be realized. This includes discussion of the Attacker, Capability, Motivation, and finally how this attack would map into the ICS Kill Chain. What they write is very interesting, even though it’s entirely based on assumptions they’ve already found to be unsupported by any evidence. The fact that they still draw some real conclusions that could help ICS defenders is pretty amazing. This is known as turning a sow’s ear into a silk purse.
However, I now have a startling announcement
to make: I have learned – from sources that I unfortunately can’t reveal - that
Joe was entirely correct that a serious vulnerability was found in the WAPA
transformer. However, I would call this a physical, not a cyber, vulnerability:
Upon arrival in the US, the transformer was tested and found to be infected
with Covid-19!
Of course, as I believe has been
proven by electrical engineers (although I don’t seem to have the data readily
available), if one infected transformer is placed on the grid, it could easily
spread Covid-19 to lots of other transformers. This will happen even if they’re
in different substations - just as long as they’re on the same grid. This made
it absolutely imperative that the transformer not be installed, which is why it
was taken to Sandia and presumably pulled apart - although I hope the people
who did that practiced proper social distancing and wore face masks. So even
though Joe was wrong about the reason why the transformer was dangerous, he was
right in asserting that we’re lucky it was never installed on the grid. The US
hasn’t had a lot of lucky breaks lately, so we’ll take this one.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment
on what you have read here, I would love to hear from you. Please email me at
tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some
help on it? Or would you like me to review what you’ve written so far and let
you know what could be improved? Just drop me an email!
Tom that last part made my day - belly laughs! Thanks for that!
Thanks for the heads up Tom. Question: do you think thermal imaging can detect COVID-19 infected transformers? And do you think this transformer is also infected? http://buildipedia.com/media/k2/items/cache/151e7f346a3cc480c1121a28cdb2ea01_XL.jpg

No, I think you have to do the normal nucleic acid tests that you do on human beings. And to determine whether the transformer had the virus in the past, you would use the standard blood serum test.