This is my 843rd post since I started this blog on the last day of January in 2013. I’ve completely forgotten about a lot of my old posts, but sometimes I see on my dashboard that there’s a cluster of people who have been looking at a post I’d completely forgotten. This happens more often, now that there’s a real search engine on my blog (you have to go to the blog’s main page to use it).
My most recent post, put up last Sunday, was about Joe Weiss. I’ve written about ten posts on him, all quite critical of him. Sunday’s post was no exception, and in it I referred to about four previous posts I’d written about him. As I expected, I saw afterwards that people were reading those posts.
But I was also surprised to see a post from January 2016, that I’d completely forgotten about, get a bunch of hits – in fact, even after reading it now, I have no real recollection of writing it (although it sounds like something I might write, so I have no reason to believe anybody broke into my Blogspot account and wrote it!).
You can read this post, but here’s my Cliff Notes summary of what’s important in it:
1. In writing the post, I was reacting to a press release by the Foundation for Resilient Societies, which quoted Joe as complaining that “no current or proposed federal regulation requires encryption or other cyber-protection of grid communications with substations.”
2. As a result, “foreign governments have been able to implant malware” in the grid, presumably by intercepting unencrypted communications between control centers (although he mistakenly calls these “control rooms”, which means something else in the power industry). And why have those governments been able to do this? Because the utilities are using the “public internet” to handle these sensitive communications.
3. The allegation that communications between substations and control centers had been intercepted by foreign governments was of course a complete fabrication; nobody – and certainly not Joe – has ever introduced evidence that this has happened.
4. And the allegation that utilities are using the public internet to communicate with substations? I said at the time (and still do), “I know of no electric utility that uses the public internet to communicate with its substations, encrypted or otherwise. The communications channel is always private (whether carrier-owned or utility-owned), often serial or Frame Relay.” I should have added SONET to that list. Again, a 100% fabrication.
So what’s Joe’s solution? Very simple: The NERC CIP standards need to be revised to require encryption of communications between control centers and substations. For the moment, let’s put aside the fact that there’s no need for encryption on purely private channels. What would happen if we did it anyway?
It’s pretty clear what would happen. Substation communications require responses in fractions of a second. The latency that would be induced by encryption would cause a lot of needed commands (especially opening or closing a circuit breaker) to go unexecuted or to be executed too late to do any good, leading to a lot of grid reliability problems. And Joe knew this in 2016, since anybody involved with substation automation would have told him that.
And this is why FERC, when they ordered NERC to develop a standard for encryption of communications between control centers (which is much less sensitive to latency), specifically didn’t extend that requirement to substation communications. That order, Order 822 (which ordered development of CIP version 6, although the encryption requirement for control centers was incorporated into a new standard, CIP-012), came less than a week before I wrote the post.
The bottom line is that we’re lucky that nobody in the power industry took Joe’s statements seriously then (which they might well have done if they’d been supported by a single shred of evidence). And since Joe’s normal modus operandi of totally unproven allegations – nay, not just unproven, but fabricated out of thin air – continues, nobody in the industry takes what Joe says seriously today, either. Instead of substation communications, Joe now fulminates about the imminent danger from the Aurora vulnerability, level 0 attacks, and of course “hardware backdoors” (as in the Great WAPA Transformer Incident). He alleges – always without bothering to provide a shred of evidence – that all of these threats have been realized in successful attacks. But nobody in the industry believes him.
So why do I bother writing about Joe? It’s because, despite nobody in the industry believing what he says, he still has tremendous influence, due to the fact that so many people in DoE and the power industry are afraid of the trouble he – and his legions of woefully misled fans – can bring down on them. When someone brings up Joe’s latest lie (and there seem to be lots of people who are eager to do that; Joe has a bunch of devoted followers), these DoE people nod and scratch their heads and state very solemnly that yes, these are serious questions, and we need to look into them. Even worse, they do look into them, since they feel they have to – despite the fact that they know there’s no truth to them (for example, think of the huge amounts of time invested last year, in response to the EO, in searching for sources of cyber vulnerability in devices that don’t even have a microprocessor. About 20 of the 25 device types listed in the EO fell into this category).
Yet it’s only recently that government and industry have acknowledged that the most important source of cyber threat to the power grid, or almost any other industry, is software vulnerabilities, whether deliberately planted or (usually) due to poor development practices. Tracking down these vulnerabilities, and especially the poor practices that led to them, is much more difficult than going after the easy-to-understand movie plots about bad devices causing catastrophic grid failures that Joe traffics in. This is why the pressure Joe is exerting on people to investigate his fairy stories – and especially DoE employees who fear for their jobs if they stand up to him – is inevitably causing us to shortchange the real threats we’re facing. Hardware backdoors aren’t one of them.
In my last post, I talked about Senator Joe McCarthy’s lies, but I didn’t emphasize what a terribly destructive effect he had on the US government, and especially on the State Department. Because of him, the analysts who could size up a situation and make a rational decision on the best course of action were all pushed out (or worse) and replaced with hard-line anti-Communist ideologues. Those guys (almost all males, to be sure) led us into the tremendously destructive quagmire of the Vietnam War, as well as other foreign policy misadventures of the 1950’s and 1960’s.
By the same token, every minute a DoE or utility employee spends worrying that he or she will get canned if they don’t treat what Joe says with great respect is a minute they don’t spend acting on the really important threats faced by the grid. This is the real problem with Joe’s clown show. It’s time to call out Joe’s lies for what they are. Repeatedly.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Technology and Information Administration’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
Tony Turner, VP Security Solutions for Fortress Information Security, emailed to point out that "shared leased lines are not private. They are only isolated by tags. They are not dedicated lines. Frame relay and MPLS are not “secure”. This has long been a failure of compliance frameworks like PCI DSS that provide an exception.
Of course, Joe was accusing utilities of using unencrypted communications over the public internet, for control center communications with substations – which simply isn't happening, either now or in 2016. I know some utilities do use frame relay, but he's not the sort of guy to argue about security details. If you're going to tell a lie, you might as well tell a big one!