Forbes Magazine seems to be making a specialty out of publishing stories with the following simple marketing scheme, requiring that just two boxes be checked:
1. Box One: The grid has been compromised! No evidence is presented for this assertion, but hey – would Forbes publish somebody who lies? Answer: Yes.
2. Box Two: The only thing that can really save the industry – and therefore the whole country – is my (insert name of product here).
There’s almost a crystalline beauty to this scheme. It seems people want to believe the power grid can be brought down with the wink of an eye by some guy in China. And, of course, everybody wants to think there’s a simple solution to their problems, especially when the problems are imaginary ones.
So Forbes, being – according to their own logo – the “capitalist tool” par excellence, was the perfect venue to publish a story (written by a woman who sums up her work as "I distill energy policy and technology movements", whatever that means) about a box that’s going to save the grid. As Ron Indeck, CEO of Indeck Security, himself said, “What’s being used now is not working. We’ve seen water supplies compromised. We’ve seen oil and gas delivery systems compromised, and we’ve seen the electrical grid compromised.”
So there you have it. Ron Indeck – you know him, don’t you? – says the grid has been compromised. That’s all you need to know. Check the first box.
What can save the industry? Would it astound you greatly if I told you that it’s a product that Ron just happens to sell? And it’s just icing on the cake that it’s literally a box – in this case a very simple box with just two ports: “Network” and “Endpoint” (and if you don’t believe it’s that simple, look at the picture in the article. After all, pictures don’t lie, even if Ron does). What could be simpler? You just plug the network into the box, and according to what Ron says – remember, Ron doesn’t lie, except about grid compromises – up to 2,000 endpoints will be protected.
Of course, Ron’s box is so simple, yet so powerful, that no software reconfiguration is required on any of the devices (and shame on you if you wonder whether this means the device doesn’t do anything at all! You’re obviously not enlightened enough to understand someone who “distills energy policy and technology movements”). All you have to do is plug in the network. Check the second box.
Now, if I were a skeptical person, I might ask how the box is going to handle all the really critical devices found in substations and generating plants that only connect via serial protocols, and therefore won’t be able to connect to Ron’s box at all. But fortunately, I’m not a skeptical person.
And I would also be quite skeptical about the very helpful statement from a former FERC commissioner, Branko Terzic, who says “They would be plant in service [rate base] and be depreciated over their economic lives. The cost of the Q-Box like other assets is part of the revenue requirement upon which rates are based. As rate base the Q-Box both earns a return and creates a depreciation expense.”
I’ll note that people trying to sell into the power industry often get enamored with the idea that the product they’re selling will just go right into the rate base, so it’s essentially free (it always helps your sales if your product is free. That’s why this blog is so successful). Anybody who’s actually worked for a regulated utility will tell you that, just because the utility wants to put something in the rate base, that doesn’t mean the PUC will let them, and even if they do, it will be years before the money comes back to them. One would expect Mr. Terzic, as a former utility regulator, to know this. But fortunately, I’m not skeptical.
I also might have been skeptical when the article brought up yet another member of its rogues’ gallery, this time the CEO of Sedulous Consulting Services (although I wonder if that really means “Credulous”). Under a section heading reading “Who you can trust”, he – believe it or not – states that “We hear about Colonial [pipeline hacking] but those in the news are only a quarter of what’s really going on”. Wow! He sure sounds like he knows about the grid. Does he work with power sector companies? No, he’s primarily a military contractor. But he has done some work (unspecified) for DOE – that’s all you need to know.
So why should you trust him? Well, it seems “By November, DOD could add Sedulous to its list of four U.S. companies certified by the U.S. government to judge the capability and integrity of other cyber software companies.”
Very impressive! This guy’s company might get added to a list of companies certified to judge other software companies! That’s great. But…what if he doesn’t make the list? And more importantly, what does it mean to judge the “capability and integrity” of a “cyber software” company, anyway? It’s a good thing I’m not skeptical.
Is he a big supporter of Ron's box? No, he never mentions it. So why is he in this story? Beats me. I guess he's there to support the idea that the grid will collapse any day now, based on the fact that, well, he uses electricity. He must know what he's talking about!
I’ll stop here. It’s late now, and I need to go to bed and think about how I can get on this gravy train that Forbes is perfecting. Let me see…I just need to write a post that says two things:
1. Because of my special knowledge of the US power grid and the idiots who run it without the slightest thought about security, I can absolutely guarantee that – if we don’t do something differently – the grid will go to hell in a handbasket by Thursday of next week.
2. Fortunately, I just happen to know the secret tweak that every utility can make to its network, which will make the grid absolutely immune to further attacks. If only a thousand utilities will pay me $5,000 by next week, I’ll reveal the secret and save the country (and forget what I just said about being idiots. You guys are really geniuses. That’s why you will all immediately send me $5,000. You can even use PayPal).
How could you possibly lose?
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Telecommunications and Information Administration’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.