Friday, September 10, 2021

What bothers me most about Joe

This is my 843rd post since I started this blog on the last day of January in 2013. I’ve completely forgotten about a lot of my old posts, but sometimes I see on my dashboard that there’s a cluster of people who have been looking at a post I’d completely forgotten. This happens more often, now that there’s a real search engine on my blog (you have to go to the blog’s main page to use it).

My most recent post, put up last Sunday, was about Joe Weiss. I’ve written about ten posts on him, all quite critical of him. Sunday’s post was no exception, and in it I referred to about four previous posts I’d written about him. As I expected, I saw afterwards that people were reading those posts.

But I was also surprised to see a post from January 2016, that I’d completely forgotten about, get a bunch of hits – in fact, even after reading it now, I have no real recollection of writing it (although it sounds like something I might write, so I have no reason to believe anybody broke into my Blogspot account and wrote it!).

You can read this post, but here’s my Cliff Notes summary of what’s important in it:

1. In writing the post, I was reacting to a press release by the Foundation for Resilient Societies, which quoted Joe as complaining that “no current or proposed federal regulation requires encryption or other cyber-protection of grid communications with substations.”

2. As a result, “foreign governments have been able to implant malware” in the grid, presumably by intercepting unencrypted communications between control centers and substations (although he mistakenly calls these “control rooms”, which means something else in the power industry). And why have those governments been able to do this? Because the utilities are using the “public internet” to handle these sensitive communications.

3. The allegation that communications between substations and control centers had been intercepted by foreign governments was of course a complete fabrication; nobody – and certainly not Joe – has ever introduced evidence that this has happened.

4. And the allegation that utilities are using the public internet to communicate with substations? I said at the time (and still do), “I know of no electric utility that uses the public internet to communicate with its substations, encrypted or otherwise. The communications channel is always private (whether carrier-owned or utility-owned), often serial or Frame Relay.” I should have added SONET to that list. Again, a 100% fabrication.

So what’s Joe’s solution? Very simple: The NERC CIP standards need to be revised to require encryption of communications between control centers and substations. For the moment, let’s put aside the fact that there’s no need for encryption on purely private channels. What would happen if we did it anyway?

It’s pretty clear what would happen. Substation communications require responses in fractions of a second. The latency that would be induced by encryption would cause a lot of needed commands (especially opening or closing a circuit breaker) to go unexecuted or to be executed too late to do any good, leading to a lot of grid reliability problems. And Joe knew this in 2016, since anybody involved with substation automation would have told him that.

And this is why FERC, when they ordered NERC to develop a standard for encryption of communications between control centers (which is much less sensitive to latency) specifically didn’t extend that requirement to substation communications. That order, Order 822 (which ordered development of CIP version 6, although the encryption requirement for control centers was incorporated into a new standard, CIP-012) came less than a week before I wrote the post.

The bottom line is that we’re lucky that nobody in the power industry took Joe’s statements seriously then (which they might well have done if they’d been supported by a single shred of evidence). And since Joe’s normal modus operandi of totally unproven allegations – nay, not just unproven, but fabricated out of thin air – continues, nobody in the industry takes what Joe says seriously today, either. Instead of substation communications, Joe now fulminates about the imminent danger from the Aurora vulnerability, level 0 attacks, and of course “hardware backdoors” (as in the Great WAPA Transformer Incident). He alleges – always without bothering to provide a shred of evidence – that all of these threats have been realized in successful attacks. But nobody in the industry believes him.

So why do I bother writing about Joe? It’s because, despite nobody in the industry believing what he says, he still has tremendous influence, due to the fact that so many people in DoE and the power industry are afraid of the trouble he – and his legions of woefully misled fans – can bring down on them. When someone brings up Joe’s latest lie (and there seem to be lots of people who are eager to do that, since Joe has a bunch of devoted followers), these DoE people nod and scratch their heads and state very solemnly that yes, these are serious questions, and we need to look into them. Even worse, they do look into them, since they feel they have to – despite the fact that they know there’s no truth to them. For example, think of the huge amounts of time invested last year, in response to the EO, in searching for sources of cyber vulnerability in devices that don’t even have a microprocessor; about 20 of the 25 device types listed in the EO fell into this category.

Yet it’s only recently that government and industry have acknowledged that the most important source of cyber threat to the power grid, or almost any other industry, is software vulnerabilities, whether deliberately planted or (usually) due to poor development practices. Tracking down these vulnerabilities, and especially the poor practices that led to them, is much more difficult than going after the easy-to-understand movie plots about bad devices causing catastrophic grid failures that Joe traffics in. This is why the pressure Joe is exerting on people to investigate his fairy stories – and especially DoE employees who fear for their jobs if they stand up to him – is inevitably causing us to shortchange the real threats we’re facing. Hardware backdoors aren’t one of them.

In my last post, I talked about Senator Joe McCarthy’s lies, but I didn’t emphasize what a terribly destructive effect he had on the US government, and especially on the State Department. Because of him, the analysts who could size up a situation and make a rational decision on the best course of action were all pushed out (or worse) and replaced with hard-line anti-Communist ideologues. Those guys (almost all males, to be sure) led us into the tremendously destructive quagmire of the Vietnam War, as well as other foreign policy misadventures of the 1950s and 1960s.

By the same token, every minute a DoE or utility employee spends worrying that he or she will get canned if they don’t treat what Joe says with great respect is a minute they don’t spend acting on the really important threats faced by the grid. This is the real problem with Joe’s clown show. It’s time to call out Joe’s lies for what they are. Repeatedly.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Technology and Information Administration’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


2 comments:

  1. Tony Turner, VP Security Solutions for Fortress Information Security, emailed to point out that "shared leased lines are not private. They are only isolated by tags. They are not dedicated lines. Frame relay and MPLS are not “secure”. This has long been a failure of compliance frameworks like PCI DSS that provide an exception."
  2. Of course, Joe was accusing utilities of using unencrypted communications over the public internet for control center communications with substations – which simply isn't happening, either now or in 2016. I know some utilities do use frame relay, but he's not the sort of guy to argue about security details. If you're going to tell a lie, you might as well tell a big one!