Sunday, June 27, 2021

Where’s that wooden spike when you really need it?

It always amazes me that people within and without the electric power industry can get so worked up about very low-likelihood threats, while at the same time huge ones are completely ignored. My case in point is an article in the June issue of Control Engineering, a magazine which often has quite good articles on ICS cybersecurity. The article is titled “Throwback attack: Lessons from the Aurora vulnerability”.

The article is pretty good, up until the last section. It starts with a description of the Aurora test conducted at Idaho National Laboratories in 2007. The test became famous because it succeeded in its goal: get a generator to self-destruct due to a cyberattack. This resulted in a (still) widely-watched video, accompanied by a level of fear ever since that the same thing was going to happen to a large percentage of generators in the US any day now, and we’d all be left in the dark for the next 50 years or so.

I have no problem with the article’s describing that event in detail (in fact, it provides more detail than I’ve seen released in public so far, not that I think this puts the country in any real danger). And the eight steps the author, Daniel E. Capano, recommends that generating plants (and industrial facilities with on-site generators) implement to protect themselves from Aurora attacks are all good practices, although hardly specific ways to prevent an Aurora attack from happening.

But now we get to the last section, titled “Cybersecurity breaches, cautions”. The first paragraph describes Stuxnet, and does a decent job of that – including pointing out that it was a supply chain attack, although the article doesn’t use that term.

But in the second paragraph of that section, the author, Daniel Capano, decides to go into the 2016 Russian attack on the Ukrainian power grid. This attack was on a transmission substation that served part of the city of Kyiv (of course, this is different from the more famous 2015 Ukraine attack on multiple distribution substations). The attack caused an outage of about one hour. There was no other damage reported, although there were some simultaneous Russian attacks on different (non-power grid) targets in the Ukraine. These caused a number of IT problems for the Ministry of Finance, the State Treasury and the Pension Fund.

Of course, a one-hour outage in part of a city of over 2 million people is nothing to be dismissed, and the fact that it was caused by a cyberattack was serious. However, Mr. Capano seems to have gotten his information on the event from comic books, since he says the attack caused “widespread outages and collateral damage.” He goes on to say that “an overlooked item” was that “the worm targeted key pieces of equipment such as PLCs and PCs used for…power generation. Several generators were damaged or destroyed using Aurora-type attacks; transformers and substations were damaged using similar techniques.”

The only thing that’s accurate in this passage is that this was an “overlooked item”. It certainly was overlooked – because it never happened. Sure, a single substation was damaged, and perhaps a transformer or two in the substation. But no generating stations or generators were either targeted or damaged – and certainly not with “Aurora-type” attacks. The Aurora vulnerability has nothing to do with anything except rotating generation equipment, and there has never been a successful Aurora attack, other than the one conducted by INL. A transformer or substation could no more be subject to an “Aurora-type” attack than my living room sofa could. Transformers don’t rotate at 1800 rpm, like a lot of generators do (although it might be 1500 rpm in Europe); neither does my sofa.

The author evidently decided that the above misinformation wasn’t enough, so he followed it in the next paragraph with the statement that “The Aurora vulnerability sent shockwaves…after it was revealed in 2009” in a FOIA request. A simple Google search would have found plenty of news reports of the test from 2007 (including this video), since it was publicly reported about seven months after it happened. There was no nefarious cover-up by the good folks at INL!

I don’t think Mr. Capano fabricated his story about the Ukraine attack. He was merely following the lead of a well-known consultant who has seemingly blamed Aurora for everything except the Japanese attack on Pearl Harbor. At least three times, I thought I’d finally driven a stake through the heart of this lie, but it keeps coming back. Sad.

However, if you can’t get through the day without worrying about an imminent threat to the power grid, I have a real one for you to chew on: In January 2019, the Director of National Intelligence and heads of the CIA and FBI, in the annual Worldwide Threat Assessment, said the Russians have the ability to bring the grid down “for at least a few hours”, and they’re mapping it so they can accomplish something much worse.

That’s pretty scary, huh? What’s being done about this? What would you say if I told you that this report hasn’t even been investigated? And that the Worldwide Threat Assessment hasn’t even been published since 2019? Is that because there aren’t any more worldwide threats for us to worry about?

There certainly are lots of worldwide threats. But the fact that this report has never been investigated perhaps means that the real threats are domestic. “We have met the enemy, and he is us”, to quote the philosopher I read religiously in my boyhood, Pogo. Where’s Pogo when we need him most? 

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Technology and Information Administration’s Software Component Transparency Initiative, for which I volunteer. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

