A wake-up call to ignoring cyber threats – PG&E indicted on criminal charges

April 3, 2014
April 1st, a federal grand jury indicted PG&E on 12 counts of knowingly and willfully violating the federal Pipeline Safety Act leading to the San Bruno pipeline rupture. As San Bruno was a control system cyber incident, the cyber security implications include the following. It doesn’t need to be a malicious cyber incident to cause significant damage and now even to be a potential criminal event. A cyber threat to the utilities can have a direct impact on their customers’ facilities and their customers’ physical safety. Just like the Target hack, PG&E and others may be judged on what they SHOULD HAVE known.  

April 1st, a federal grand jury indicted PG&E on 12 counts of knowingly and willfully violating the federal Pipeline Safety Act leading to the San Bruno natural gas pipeline rupture. Why is this news when it comes to cyber security? The San Bruno pipeline explosion was a control system cyber incident. It was almost identical to the 1999 Olympic Pipeline Company gasoline pipeline rupture that killed three and resulted in three people going to jail. In Bellingham, like San Bruno, the SCADA system was the proximate cause of the pressure increase that caused the pipe failure. Marshall Abrams from MITRE and I gave a presentation on the Bellingham, WA pipeline explosion at the 2008 RSA Conference in San Francisco with PG&E in attendance (the Bellingham case history is in my book, Protecting Industrial Control Systems from Electronic Threats, and the detailed analysis has been on the NIST website since the 2008 time frame). After learning the details of the San Bruno accident, I provided a detailed comparison of the Bellingham accident to the San Bruno accident to the NTSB, as they were eerily similar. I also offered the same to PG&E with no response. Additionally, I had the lead NTSB investigator on San Bruno speak at the 2011 ICS Cyber Security Conference in Washington DC; neither PG&E nor the California Public Utilities Commission (PUC) attended.

The implications of the San Bruno incident are wide-ranging when it comes to cyber security:

  • It doesn’t need to be a malicious cyber incident to cause significant damage and now even be a potential criminal event.

  • A cyber threat to the utilities can have a direct impact on the utility's customers' facilities and the utility's customers' physical safety.

  • Just like the Target hack, PG&E and others may be judged on what they SHOULD HAVE known.

During Y2K, the lawyers identified a date, the “Dilbert date,” after which no entity could claim not to know about the Y2K issue. The same logic applies to cyber security and Aurora. Since the early 2000s, cyber attacks have been a significant public issue. In 2007, CNN published the tape of the Aurora test at the Idaho National Laboratory (INL), and NERC issued several Aurora Advisories. In July 2010, Stuxnet was publicly identified.

Aurora stands out “like a sore thumb” as far as utilities not addressing the real problem. Aurora is a physical gap in protection of the electric grid that can only be mitigated by hardware. It was demonstrated by the 2007 CNN tape. However, PG&E, as well as most of the other utilities under the NERC CIP umbrella, NERC, and even EPRI refuse to address the real problem and instead concentrate on “paper solutions” for compliance. Specifically with respect to PG&E and Aurora, DOD offered to support PG&E on an Aurora hardware demonstration project in 2013. One would have thought after San Bruno and PG&E's Metcalf substation attack, PG&E would want to be a leader in security. However, PG&E chose not to work with DOD on addressing the Aurora vulnerability.

The California PUC was guilty of ignoring the problems that led up to San Bruno and is equally guilty of ignoring the Aurora problem. March 26th, I had a call with a California PUC staffer who is now working on electric distribution but also worked on cyber security. When I started discussing Aurora, he brushed me off, saying he had been told it was not plausible because his experts, including PG&E, told him so. I mentioned that this past October, a US electric utility had distribution substation equipment directly connected to the Internet on one side and to SCADA on the other. Moreover, the equipment connected to the Internet had a website that would allow the equipment to be remotely configured. It is not beyond the realm of possibility to use this equipment and its compromised connectivity to SCADA to cause an Aurora event. His reaction was that the California investor-owned utilities (PG&E, SCE, and SDG&E) would never do this. Doesn’t he recognize he is supposed to be protecting the citizens of California, not the utilities?

For the utilities’ financial sake and for the health of their customers, I hope the utilities wake up before it is too late.

Joe Weiss