Thursday, March 17, 2022

A Russian cyberattack can’t take down the grid. But what can it do?

Last week,  I was contacted by one of the five reporters who were working on this CNN story that appeared yesterday. I’ve never had as much interaction with a reporter for one story – we emailed and talked several times, and I wrote a small position paper for her, mainly so I could get my ideas straight and not give her a jumbled mess of statements.

It was interesting to see her evolution (which I believe was the evolution of the other reporters as well). When she first contacted me, what she really wanted to know about was how the Russians could take down the grid – not whether it could be done at all. As I argued in this post last year, it’s physically impossible for any kind of disturbance – other than an EMP attack, which is by far the worst threat the US faces, other than a full nuclear war, of course – to take down all three Interconnections that make up the US grid.

Even taking down one Interconnect would be close to impossible. That is, except for ERCOT, the small Interconnect that covers most of Texas, which almost succeeded in taking itself down early in the morning of February 15, 2021. But you can’t blame the Russians for that one!

Her main thrust then became that the Russians could cause a lot of small outages by attacking small utilities (especially distribution ones) that aren’t covered by the NERC CIP cybersecurity standards. But I pointed out that there’s never been a cyberattack that’s caused an outage, no matter how small, in North America. How is Russia going to cause a bunch of small attacks? And more importantly, how would you distinguish these from the daily attacks caused by the two most important causes of power outages: squirrels and copper theft?

But then what do I think are the biggest cyber threats to the grid? As I said in the article (near the end), there are really two. First, a ransomware attack that takes down the IT network results in the OT network having to be brought down as well, even though it wasn’t directly compromised. This isn’t a theoretical risk. This is what happened with Colonial Pipeline.

And more relevant for the article (although the reporter didn’t mention this), a devastating 2018 ransomware attack on the IT network of a very large electric utility resulted in the utility having to bring down a thousand or so systems in their control centers and re-image them. They lost the ability to monitor the grid in real time and also lost their VOIP phones. What saved the grid in the 3-5 states that were dependent on those control centers? Pure luck and a bunch of dedicated control center staff members who pulled out their cell phones and kept things on an even keel. For 24 hours.

Fortunately, there were no serious incidents that could have caused a sudden cascading outage, but without real-time monitoring, it’s very unlikely they would have even known there was a problem, if such an incident had occurred.

The second threat I pointed to was a software supply chain attack. I honestly can’t think of a likely scenario where such an attack would cause a widespread grid outage. But, given that software supply chain attacks increased by something like 10,000% in the last decade (and are still doubling or tripling every year. Read the story of the dependency confusion attacks in 2021, in which a researcher’s demonstration of a successful attack he conducted – without damage, of course – led within days to thousands of copycat attacks), it’s hard to rule anything out with software supply chain attacks.

So there’s plenty to worry about in grid attacks, even though there’s no chance that the whole country will go dark….Other than an EMP attack, of course. Or full-scale nuclear war. But then the lack of power will be the least of our problems.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

 

No comments:

Post a Comment