In June, SANS put out a Defense Use Case that took issue with an assertion that the consultant Joe Weiss made in a May blog post. He asserted that a large transformer intended for use by the Western Area Power Administration (WAPA) had been discovered to contain a “hardware backdoor”, that could have allowed attackers to penetrate the transformer in some way, and thereby damage the US power grid in some way.
The SANS authors (Robert M. Lee, Tim Conway and Jeff Shearer) assigned the following scores to Joe’s assertion:
· Credibility: 0
· Amount of technical information available: 0
So other than the fact that the
post can’t be believed and Joe provided no technical information to support his
assertion, they liked the post…😊
While SANS didn’t go this far, I have a word I use for assertions that aren’t credible and aren’t supported by any technical information: a lie. I also wrote about Joe’s post, and I went a little further than SANS did. (I wrote about five or six more posts on the WAPA transformer after that, mostly on the question of whether there’s any way a transformer even could be the subject of a cyberattack. The answer to that question, IMO, is that a transformer considered by itself can never be subject to a cyberattack, since it isn’t controlled by a microprocessor. There are a couple of common add-on devices like load tap changers or dissolved gas analyzers that do have microprocessors, but it’s not at all clear how they could be attacked, or what effect that would have – if any – on the operation of the transformer itself. These are often sold and installed by a separate company, not the transformer manufacturer.)
When the SANS document came out, there
was a lot of discussion on LinkedIn. In the discussion, Joe said he would
provide backup documentation for his claim, but I never saw any. However, I
considered Joe’s assertion to be dead and buried.
I was quite surprised, then, to
read in an online article by Joe a week or two ago that he was again claiming
the Chinese had planted a backdoor in the WAPA transformer (he was also criticizing
DoE for somehow covering up that “fact”). I posted a comment to the article in
which I linked the DUC; in a day or two the article had been amended to remove
the assertion.
So I was quite surprised yesterday
to see Joe post on LinkedIn a link to a Forbes article
that repeated the story! I commented on Joe’s post that I hadn’t seen any
documentation from him. Somebody deleted that comment, so I just put it up
again. I’ve also sent an email to the editor of Forbes about this.
This might all fall in the Low
Comedy department, were it not for one thing: In stating that the Chinese
launched a supply chain attack on the US power grid (and implying that the WAPA
transformer might have been one of many that were attacked), Joe was implicitly
stating that the Chinese had attacked US national security. If that’s the case,
why didn’t we take some stern measures against the Chinese? Perhaps fly a B-52 over
Taiwan as a demonstration that we can retaliate massively (as we just did with
Iran)?
Fortunately, I don’t think anyone
in the national security establishment believes this ridiculous story either. I
sure hope we don’t see any more of it.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would
love to hear from you. Please email me at tom@tomalrich.com.