As I write this, US hospitals are being hit with an
unprecedented ransomware
attack by Russian-speaking criminals; patient care is already being
affected. There’s no evidence that this is anything more than criminal activity
at this point, and if anything the hospitals are just catching up with other
sectors in terms of being targeted for ransomware – sectors like local
government and school districts have already been hit very hard.
It seems the criminals have come to realize that a hospital faces
much more pressure to quickly return to normal operations after a ransomware
attack than for example an insurance company, and thus may be more likely to
pay the ransom rather than wipe their systems and restore from backup. Part of
the pressure may be due to the fact that a death due to a ransomware attack on
a hospital
in Germany may have been the first documented death due to a cyberattack.
However, I think the current attacks on hospitals are
different and provide a warning signal for the operators of the US electric
grid. What catches my attention is that these attacks are clearly coordinated.
Sure, they’re probably coordinated by criminals, who aren’t likely to see much
advantage in targeting the grid. But there’s nothing to prevent them from being
coordinated by the Russian state instead. And there’s no doubt that the
Russians want
to have the power to cause big outages on the US grid, even if they don’t want
to exercise it currently.
As you know, ransomware attacks aren’t addressed at all by
the NERC CIP standards, and – given the current mostly prescriptive nature of
those standards – I don’t think they should be now, either. But I do think
there should be a NERC effort to make sure that electric utilities are taking
the necessary steps to protect against ransomware, including both technical and
non-technical steps (with anti-phishing training and testing being no. 1 on my
list).
Some people will want to point out that ransomware affects
IT networks, not OT ones. I’ll agree that’s true in the case of substations,
where the most important programmable grid control devices – electronic relays
and remote terminal units (RTUs) – are almost entirely impervious to most
ransomware. But this isn’t the case with Control Centers, where the devices
almost all run Windows or Linux. They’re much more like IT than “true” OT networks,
and some utilities consider them part of IT, not OT. However, the fact is they
play a crucial role in monitoring and controlling the grid, which is why they
play such a prominent role in the CIP standards.
And now someone might point out to me that, since Control
Centers are well-protected by NERC CIP, it would be virtually impossible for
ransomware to spread to them. I used to think that was the case, until I heard
about this
event in 2018. Anybody who thinks that Control Centers are immune to the
effects of ransomware is living in a fool’s paradise. They would be a great vector
for a serious ransomware attack aimed at disrupting the grid itself.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would
love to hear from you. Please email me at tom@tomalrich.com.