It always amazes me that people within and without the electric power industry can get so worked up about very low-likelihood threats, while at the same time huge ones are completely ignored. My case in point is an article in the June issue of Control Engineering, a magazine which often has quite good articles on ICS cybersecurity. The article is titled “Throwback attack: Lessons from the Aurora vulnerability”.
The article is pretty good, up until the last section. It starts with a description of the Aurora test conducted at Idaho National Laboratories in 2007. The test became famous because it succeeded in its goal: get a generator to self-destruct due to a cyberattack. This resulted in a (still) widely-watched video, accompanied by a level of fear ever since that the same thing was going to happen to a large percentage of generators in the US any day now, and we’d all be left in the dark for the next 50 years or so.
I have no problem with the article’s describing that event in detail (in fact, it provides more detail than I’ve seen released in public so far, not that I think this puts the country in any real danger). And the eight steps the author, Daniel E. Capano, recommends that generating plants (and industrial facilities with on-site generators) implement to protect themselves from Aurora attacks are all good practices, although hardly specific ways to prevent an Aurora attack from happening.
But now we get to the last section, titled “Cybersecurity breaches, cautions”. The first paragraph describes Stuxnet, and does a decent job of that – including pointing out that it was a supply chain attack, although the article doesn’t use that term.
But in the second paragraph of that section, the author, Daniel Capano, decides to go into the 2016 Russian attack on the Ukrainian power grid. This attack was on a transmission substation that served part of the city of Kyiv (of course, this is different from the more famous 2015 Ukraine attack on multiple distribution substations). The attack caused an outage of about one hour. There was no other damage reported, although there were some simultaneous Russian attacks on different (non-power grid) targets in the Ukraine. These caused a number of IT problems for the Ministry of Finance, the State Treasury and the Pension Fund.
Of course, a one-hour outage in part of a city of over 2 million people is nothing to be dismissed, and the fact that it was caused by a cyberattack was serious. However, Mr. Capano seems to have gotten his information on the event from comic books, since he says the attack caused “widespread outages and collateral damage.” He continues to say that “an overlooked item” was that “the worm targeted key pieces of equipment such as PLCs and PCs used for…power generation. Several generators were damaged or destroyed using Aurora-type attacks; transformers and substations were damaged using similar techniques.”
The only thing that’s accurate in this passage is that this was an “overlooked item”. It certainly was overlooked – because it never happened. Sure, a single substation was damaged, and perhaps a transformer or two in the substation. But no generating stations or generators were either targeted or damaged – and certainly not with “Aurora-type” attacks. The Aurora vulnerability has nothing to do with anything except rotating generation equipment, and there has never been a successful Aurora attack, other than the one conducted by INL. A transformer or substation could no more be subject to an “Aurora-type” attack than my living room sofa could. Transformers don’t rotate at 1800 rpm, like a lot of generators do (although it might be 1500 rpm in Europe); neither does my sofa.
The author evidently decided that the above misinformation wasn’t enough, so he followed it in the next paragraph with the statement that “The Aurora vulnerability sent shockwaves…after it was revealed in 2009” in a FOIA request. A simple Google search would have found plenty of news reports of the test from 2007 (including this video), since it was publicly reported about seven months after it happened. There was no nefarious cover-up by the good folks at INL!
I don’t think Mr. Capano fabricated his story about the Ukraine attack. He was merely following the lead of a well-known consultant who has seemingly blamed Aurora for everything except the Japanese attack on Pearl Harbor. At least three times, I thought I’d finally driven a stake through the heart of this lie, but it keeps coming back. Sad.
However, if you can’t get through the day without worrying about an imminent threat to the power grid, I have a real one for you to chew on: In January 2019, the Director of National Intelligence and heads of the CIA and FBI, in the annual Worldwide Threat Assessment, said the Russians have the ability to bring the grid down “for at least a few hours”, and they’re mapping it so they can accomplish something much worse.
That’s pretty scary, huh? What’s being done about this? What would you say if I told you that this report hasn’t even been investigated?
And that the Worldwide Threat Assessment hasn’t even been published since 2019?
Is that because there aren’t any more worldwide threats for us to worry about?
There certainly are lots of worldwide threats. But the fact that this report has never been investigated perhaps means that the real threats are domestic. “We have met the enemy, and he is us”, to quote the philosopher I read religiously in my boyhood, Pogo. Where’s Pogo when we need him most?
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Technology and Information Administration’s Software Component Transparency Initiative, for which I volunteer. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.