Control system cyber events, 60 Minutes, disclosure, and FUD

Nov. 13, 2009

Control system cyber incident disclosure is a tough issue. Everyone wants to know if it has happened, but very few are willing to say it happened to them. Sunday, 60 Minutes ran a segment on hacking of the critical infrastructure with a focus on Brazil. This was ostensibly the case that Tom Donahue disclosed. The next day, the Brazilian government stated the 2007 outage was from insulator issues, not hacking. The SCADA listserver went crazy that 60 Minutes was FUD. Ironically, the next day, there was a nationwide outage in Brazil, which again Brazil’s energy minister vigorously denied was cyber. I wonder which is FUD – 60 Minutes or the Brazilian response?

When last year’s Florida cascading outage occurred, DHS was on the media continuously stating it wasn’t terrorism. It might not have taken very long to determine if the capacitor bank switch that blew up did so from a physical attack. However, it is very difficult and time consuming (if ever possible) to know if cyber was involved, malicious or not. The FRCC final report on the incident didn’t even mention the SCADA system, much less cyber. And yes, cyber was involved and was intentional, though not malicious. I consider this FUD when FRCC won’t even address a real problem. I know of only one case where a US electric SCADA system was maliciously attacked and intentionally targeted. Even though the utility lost SCADA for two weeks, they did not lose power and therefore chose not to inform local law enforcement, the FBI, or the ES-ISAC.

There are numerous reasons for lack of disclosure. I just attended a NERC-DOE High Impact-Low Frequency Workshop where, among other subjects, disclosure was high on the list. For non-cyber events, reliability coordinators can take actions on their own, including disclosure. However, for cyber, because of compliance and other issues, reliability operators cannot take actions on their own, including disclosure.

There are several reasons why there is so little disclosure of control system cyber incidents. The first is a control system-unique problem - lack of control system cyber forensics. That is, you can’t identify what you can’t see. I have found more than 140 control system cyber incidents. Almost none were identified as cyber. The second is a more general problem – companies do not want to identify themselves as having been hit.

There have been more than 50 control system cyber incidents between 2007 and 2009, including two major outages, several nuclear plant shutdowns, several process plant shutdowns, several water system shutdowns and other impacts, and at least one safety-system compromise. Two control system engineers thought it was so important to share this information that they took it upon themselves (their utilities wouldn’t financially support them) to provide information on their control system cyber incidents at last month’s ACS Conference. Ironically, very few utilities and utility organizations were there. Apparently, it wasn’t important enough. Shame on the utilities and utility organizations who talk about how important cyber security is to them but have little desire to actually address it - isn't this a form of FUD?

The NIST Smart Grid Security Working Group's Annabelle Lee stated the following in the meeting minutes from the November 11 Smart Grid Cyber Security Working Group: "Thanks to the 60 Minutes piece, and similar stories in the media, there seems to be a public perception that there are no protections in place that would keep devices from melting-down or blowing-up due to a cyber attack alone. There are physical and electrical protections in place to help keep these events from happening. This scenario outcome is not nearly as possible or likely as the media and other sources make it seem." Unfortunately, those statements are misleading at best and demonstrate a major schism within NIST. Under contract to NIST in support of the NIST SP800-53 efforts to include industrial control systems, Marshall Abrams and I performed a detailed analysis of the Bellingham, WA pipeline rupture that killed 3 people. It was a cyber event and the failsafes did not work. This case study is posted at http://csrc.ncsl.nist.gov/groups/SMA/fisma/ics/documents/Bellingham_Case_Study_report%2020Sep071.pdf. The recent DC Metro train crash that killed 9 was a control system cyber incident where the failsafes didn't work (or may not have existed). There have been more than 140 control system cyber incidents that I have documented that have ranged from trivial to significant environmental damage, to significant equipment damage, to regional outages (three in the US), to deaths. The Aurora test demonstrated that cyber alone could destroy large rotating equipment by using the failsafes against the system. I believe NIST needs to get its house in order.

An even more egregious form of FUD is the extent certain utilities will go to avoid the NERC CIPs. That includes pulling IP connections, no longer providing black start capabilities, and reclassifying Control Centers as Control Rooms.

Joe Weiss