Last Friday, Politico ran a
well-researched article
about the Russian threat to the US grid. I was quoted saying that it would be
extremely difficult for the Russians to cause a widespread grid outage, in
large part because of NERC’s standards. And here I meant not just the NERC CIP
cybersecurity standards, but the other NERC standards that focus on measures
needed to keep the grid reliable. So events like the ones that led to the 2003
Northeast Blackout, whether or not induced by a cyberattack, simply wouldn’t be
able to cause an event anything like that one, if those same events occurred
today.
I also pointed the reporter to the
2019 Worldwide Threat Assessment, and made the same point to her that I
made in this
recent post: that if the US is really worried about Putin attacking our grid,
it would be a good idea to thoroughly investigate these statements. If it turns
out they’re completely wrong, then great…let’s hear about it. But if it turns
out they’re right and there is Russian malware planted in grid control centers
(since those would be the best points from which to cause outages. Attacking a substation
– even taking one out completely – is highly unlikely to cause any outage at
all, and certainly not a cascading one. The 2013 Metcalf substation
attack demonstrated this).
But I was concerned about the
article’s discussion of possible US “deterrence” of a Russian cyberattack on
the grid by threatening to respond in kind, presumably with a cyberattack on
our own (and the article repeats previous reports that the US has planted plenty
of malware in the Russian grid. I don’t doubt that those reports are true, although
I don’t have a way of knowing that). This idea is based on flawed logic:
1.
The Russians attack
the US grid and cause serious outages that lead to some loss of civilian lives.
2.
We turn around and
cause an even more serious outage in Russia, with presumably even more loss of civilian
lives.
The fact is that this scenario
will never happen. The US is never going to launch any sort of attack directly targeting
civilians in another country, unless we’re actually at war with the country. No
matter what Russia is doing in Ukraine, we’re simply not going to “launch a
devastating cyberattack” on their grid, no matter what sort of cyberattack they
launch on ours. Instead, we’ll impose other non-lethal punishment on the country
– beyond what we’ve already imposed. Sure, impoverish the people. But don’t
kill them.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would
like to comment on what you have read here, I would love to hear from you.
Please email me at tom@tomalrich.com.
Encouraging words, Tom. Thanks. In these dark times, it isn't only the electric lights that too often dim.
ReplyDelete