Friday, October 30, 2020

Here’s how somebody could really impact the US grid


As I write this, US hospitals are being hit with an unprecedented wave of ransomware attacks by Russian-speaking criminals, and patient care is already being affected. There’s no evidence at this point that this is anything more than criminal activity; if anything, hospitals are simply catching up with other sectors in being targeted for ransomware. Local government and school districts, for example, have already been hit very hard.

The criminals seem to have realized that a hospital faces far more pressure to return quickly to normal operations after a ransomware attack than, say, an insurance company, and is therefore more likely to pay the ransom rather than wipe its systems and restore from backup. Part of that pressure may stem from the fact that a patient death following a ransomware attack on a hospital in Germany may have been the first documented death attributable to a cyberattack.

However, I think the current attacks on hospitals are different, and they provide a warning signal for the operators of the US electric grid. What catches my attention is that these attacks are clearly coordinated. They’re probably coordinated by criminals, who aren’t likely to see much advantage in targeting the grid. But there’s nothing to prevent the next coordinated campaign from being directed by the Russian state instead, and there’s no doubt that the Russians want the capability to cause large outages on the US grid, even if they don’t want to exercise it now.

As you know, ransomware attacks aren’t addressed at all by the NERC CIP standards, and, given the mostly prescriptive nature of those standards today, I don’t think they should be now either. But I do think there should be a NERC effort to make sure that electric utilities are taking the necessary steps to protect against ransomware, both technical and non-technical (with anti-phishing training and testing being no. 1 on my list).

Some people will point out that ransomware affects IT networks, not OT ones. I’ll agree that’s true in the case of substations, where the most important programmable grid control devices, electronic relays and remote terminal units (RTUs), run embedded firmware rather than general-purpose operating systems and are almost entirely impervious to most ransomware. But this isn’t the case with Control Centers, where the devices almost all run Windows or Linux. Control Center networks are much more like IT networks than “true” OT networks, and some utilities treat them as part of IT, not OT. The fact remains that they play a crucial role in monitoring and controlling the grid, which is why they feature so prominently in the CIP standards.

Someone might also point out that, since Control Centers are well protected under NERC CIP, it would be virtually impossible for ransomware to spread to them. I used to think that was the case, until I heard about this event in 2018. Anybody who thinks Control Centers are immune to the effects of ransomware is living in a fool’s paradise. They would be an excellent vector for a serious ransomware attack aimed at disrupting the grid itself.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
