Yesterday, I posted about a New York Times article that pointed out some very interesting new information about the SolarWinds attacks. However, when I called the article “excellent” in the first sentence, I prefaced that with “(mostly)”; I didn’t elaborate on why I did that. Now I’ll explain why I did that.
I thought the article was a great piece of reporting until I reached these paragraphs:
Publicly, officials have said they do not believe the hackers from Russia’s S.V.R. pierced classified systems containing sensitive communications and plans. But privately, officials say they still do not have a clear picture of what might have been stolen.
They said they worried about delicate but unclassified data the hackers might have taken from victims like the Federal Energy Regulatory Commission, including Black Start, the detailed technical blueprints for how the United States plans to restore power in the event of a cataclysmic blackout.
The plans would give Russia a hit list of systems to target to keep power from being restored in an attack like the one it pulled off in Ukraine in 2015, shutting off power for six hours in the dead of winter. Moscow long ago implanted malware in the American electric grid, and the United States has done the same to Russia as a deterrent.
Just about every word in the last two paragraphs is wrong, except for “the” and “for”. Here’s why:
Since not everyone who reads this may be familiar with the term blackstart (as the term is usually written in the power industry), I’ll summarize it in a way I can understand (so I know you will!). If you’re interested in learning more about this subject, you can go here. A lot of the information in the rest of this post comes from Kevin Perry, former Chief CIP auditor of SPP Regional Entity and before that, Supervisor-EMS and Director-IT Infrastructure for the Southwest Power Pool ISO/RTO.
1. Electric power generators all require some power source in order to operate, since they depend on electromagnets, not the kind of magnets you used to pick up iron filings in grade school.
2. Normally, that power source is the generator itself – i.e. a small amount of the power generated is used to keep the generator operating. In other cases, the plant needs to use power from the grid to start up. This is especially true for plants that use steam to operate turbines.
3. Of course, as long as the grid is functioning in the area where the plant is located, there’s no problem – any plant can draw whatever amount of power it needs to restart.
4. The problem arises when there has been a widespread outage, which almost always means a cascading outage. Almost all outages are local, meaning the grid is still functioning close enough to the outage that power is available to restart any plants that may be down. A cascading outage is what happened in the Northeast Blackout of August 2003: An initial problem in northeastern Ohio was inadvertently allowed to spread to much of the northeastern US and most of Ontario, killing six people.
5. Once the cascade ended (it only took four minutes from when the problem first spread beyond northeastern Ohio, to when the cascade ended and 55 million people were in the dark), 508 generating units at 265 power plants had shut down. In large portions of the blackout areas, there was no functioning power grid at all.
6. So how did all of these plants start back up? Where did they get their power from? Fortunately, there are some types of generators that require very little or no power to start up. These include a) hydro plants, since the rivers keep running even though the power is out, b) backup generators running on diesel, kerosene, etc., and c) specially-configured combustion turbine plants, usually between 50 and 100 megawatts. These are all called blackstart generators.
7. These “self-starting” generators can ultimately restart all of the other plants, but there’s a catch: If these generators just throw their power randomly on the grid, it will never reach the proper voltage to start the other generators. There needs to be a plan in place showing which blackstart generators will energize which lines going through which substations (these lines and substations are known as the “cranking path”; I love that term), so that one-by-one the larger generators can restart. Once something close to full generation capacity is online, all remaining power users (known as “load”) can be reconnected, and the region is back to normal.
8. You probably get the idea: There needs to be an elaborate plan to make sure all of this happens, since without coordination, the grid will never be restored. Developing such a plan is the responsibility of two types of organizations (some are also electric utilities and some are not): Transmission Operators (TOP) and Reliability Coordinators (RC).
9. Both TOPs and RCs are required to follow NERC Reliability Standard EOP-005, which governs the process of developing and coordinating blackstart Restoration Plans.
10. Each TOP is required by EOP-005 to develop their own Restoration Plan, to restore power in their service territory after a partial or complete blackout. Their RC is required to coordinate and approve the plans.
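To make the coordination described in items 6 through 10 concrete, here is an added toy model (written for this page, not taken from the post, from EOP-005 or from any real Restoration Plan) that treats the cranking path as a graph, grows the restored island out from the blackstart units, and shows what happens when units are started in an uncoordinated order instead. All unit names, capacities, cranking needs and lines are constructed.

```python
"""Toy blackstart Restoration Plan model (added example; not from the post).
Constructed data: blackstart units need no outside power; every other unit
needs 'crank' MW of station power over an energized cranking path first."""
from collections import deque

# name -> (capacity_mw, crank_mw, is_blackstart); all values are made up
UNITS = {
    "hydro_bs": (80, 0, True),      # hydro: the river keeps it turning
    "ct_bs":    (60, 0, True),      # blackstart combustion turbine
    "steam_A":  (500, 40, False),   # steam plants need grid power to start
    "steam_B":  (800, 120, False),
    "nuke":     (1200, 300, False),
}
# Cranking path: lines between plant buses and substations (constructed)
LINES = [("hydro_bs", "sub1"), ("ct_bs", "sub1"), ("sub1", "steam_A"),
         ("sub1", "steam_B"), ("sub1", "sub2"), ("sub2", "nuke")]

def reachable(start, lines, online, units):
    """Buses the energized island reaches; an offline plant passes nothing on."""
    seen, queue = set(start), deque(start)
    while queue:
        bus = queue.popleft()
        if bus in units and bus not in online:
            continue                      # dead end until this plant is started
        for a, b in lines:
            for x, y in ((a, b), (b, a)):
                if x == bus and y not in seen:
                    seen.add(y); queue.append(y)
    return seen

def restoration_sequence(units, lines):
    """Greedy plan: start the reachable offline plant with the smallest crank
    need that current online capacity can supply, until nothing more can start."""
    online = sorted(u for u, (_, _, bs) in units.items() if bs)
    while True:
        spare = sum(units[u][0] for u in online)
        cands = [u for u in reachable(online, lines, set(online), units)
                 if u in units and u not in online and units[u][1] <= spare]
        if not cands:
            return online
        online.append(min(cands, key=lambda u: units[u][1]))

def try_order(units, order):
    """Start units in a fixed order (path ignored): stop at the first unit that
    cannot get its station power, i.e. the uncoordinated 'random' failure."""
    online = []
    for u in order:
        if units[u][1] > sum(units[x][0] for x in online):
            break
        online.append(u)
    return online
```

With these constructed numbers the planned sequence brings all five units up, while starting the big unit right after one blackstart unit stalls at the first step.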
The appropriate NERC Regional Entity (RE – there are six of these) will normally have a copy of the plan for each TOP in their footprint, because they audit the TOPs (and RCs) for compliance with EOP-005. However, Kevin believes it is unlikely that the REs routinely share these plans with NERC. Because blackstart restoration is a regionally-managed process, NERC is not usually directly involved with it.
And because FERC is not involved in any way with managing the power grid – including restoring it – it is very unlikely they would have these plans sitting around on their network, just waiting for a hacker to grab them. In fact, FERC, NERC and the six Regions are all quite aware of the danger posed by hackers; in general, they aren’t interested in holding any information – even briefly – that might be of value to an entity that might use it to attack the grid. As an illustration of this point, some utilities will not send any sensitive information to their Region at all when they’re being audited; they require the auditors to read it while they are onsite.
All of this is to say it’s highly unlikely there were any blackstart restoration plans on storage at FERC when they were penetrated by the Russians. Whoever told the NYT reporters they were “worried” about this should find something better to worry about.
But suppose the hackers had their hands on the restoration plans. How would they be able to use them to attack the US grid? The plans list power plants, lines and substations that play a role in restoring power after a blackout. Of course, knowing those would allow the Russians to target a physical attack – say, dropping paratroopers to take out these resources. But no one considers that a likely prospect.
How about a cyberattack? What information would the Russians need to launch one of those to prevent restoration of power? They would need information about the specific “Cyber Assets” (a NERC term meaning “programmable electronic devices”) that control the physical systems in the power plants and substations listed in the restoration plan – device names and types, physical location, IP addresses, etc. Of course, the plans contain none of that information, since it isn’t at all required for the purpose of the plan.
Finally, let’s assume this information were in the plans and that by some chance the plans were stored at FERC when the Russians attacked them. Would the hackers actually be able to attack the Cyber Assets in question?
Kevin and I discussed this question. The Cyber Assets that are most likely to be attacked would be electronic relays, located in substations, that control circuit breakers. The circuit breakers can open or close a line, but since they themselves aren’t microprocessor-controlled, the relay tells them what to do. But the relays are all controlled by the Control Center for the utility that operates the lines and substations. Thus, any attack would have to come through the Control Center, which is exactly what happened in the case of the Ukraine attacks in 2015 and 2016.
But the difference between the US in 2021 and Ukraine in 2015 is that the Control Centers are very well protected, and even more importantly the Control Center’s network is well segregated from the IT network. Since the Russians attacked the Ukrainian utilities by first penetrating the IT network through phishing emails (at least this was true for the 2015 attacks; the exact vector for the 2016 attacks is still not clear), this segregation would make it very hard for them to get into the Control Center network in a US utility – and thus for them to command the substation relays to open circuit breakers and trip lines, as happened in Ukraine.
The moral of this story is that whoever expressed their “worries” to the NYT reporters obviously wasn’t knowledgeable about the US power industry. It would have been nice if one of the reporters had then picked up the phone and talked to someone directly involved with the industry. They would have set their fears at rest.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.