Wednesday, March 23, 2022

Here’s an idea: Let’s investigate the threats we know are real. We can leave the highly unlikely ones for another day.

On Wednesday, I was quoted in a good article by Robert Walton in Utility Dive, about an FBI bulletin announcing “abnormal scanning” of five electric utilities and 18 other critical infrastructure organizations from Russian IP addresses. Cue the scary music.

My primary reaction to this was, does the FBI think this is news? Since just about every big utility in the country is scanned probably thousands of times an hour (and I’m sure a lot of those scans come from Russia), the fact that five of them are now getting a few extra scans from Russia doesn’t make me want to check my flashlight batteries and lay in a store of MREs for the coming dark days. And given that it would be nearly impossible for the Russians (or anybody else) to cause an outage through a direct attack from the internet, I’m not worried about what would happen, even in the unlikely event that the Russians did break through the firewalls.

But if FBI Director Christopher Wray is worried about the Russians attacking the grid, he might want to go back to something that he and Gina Haspel, then Director of the CIA, said in the Worldwide Threat Assessment briefing to Congress in January 2019: “Russia has the ability to execute cyberattacks in the United States that generate localized, temporary disruptive effects on critical infrastructure — such as disrupting an electrical distribution network for at least a few hours.”

In other words, in 2019, Director Wray implied that the Russians had planted malware in the grid and could cause outages anytime they want to. Yet it seems neither the FBI nor anyone else in the federal government ever investigated these statements, since there were never any reports or briefings (classified or unclassified) to the power sector of any kind (whereas after the first Ukraine grid attack in 2015, there were classified and unclassified briefings across the country, as well as some very good reports).

Which leads me to believe that, if the malware was there in January 2019 (and the former Deputy Director of the NSA told a similar story in May 2019, although with much larger numbers), it’s still there now. Why would the Russians want to knock themselves out trying to break through the firewalls of large utilities, if they can just activate their malware and cause some big outages?

And Director Wray can’t blame the lack of an investigation on his predecessor!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
