If the Wall Street Journal reports it, it must be true...

The Wall Street Journal is reporting that there are spies in the grid and hackers, too. Lions, and Tigers, and Bears, Oh My!

But really, we already knew this, and the fact that the WSJ and other mainstream media are beginning to report and ask the questions more intelligently is a big win.

Here's the lede from the article:

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

"The Chinese have attempted to map our infrastructure, such as the electrical grid," said a senior intelligence official. "So have the Russians."

The espionage appeared pervasive across the U.S. and doesn't target a particular company or region, said a former Department of Homeland Security official. "There are intrusions, and they are growing," the former official said, referring to electrical systems. "There were a lot last year."

So, let's ask ourselves, what does this mean for the technology we are all rushing to implement for Smart Grid?

When people like Michael Assante, CSO of NERC, can write, as he did recently, that the electric utilities aren't even properly classifying their plants and substations as critical assets, then "Houston, we have a problem."

Here's what Assante said in reporting on the critical asset survey just conducted by NERC: "Closer analysis of the data, however, suggests that certain qualifying assets may not have been identified as “Critical.” Of particular concern are qualifying assets owned and operated by Generation Owners and Generation Operators, only 29 percent of which reported identifying at least one CA, and Transmission Owners, fewer than 63 percent of which identified at least one CA."

Maybe it is time to stop pillorying people like the CIA's Tom Donohue and realize that there actually is a significant "clear and present danger" of risk to our electric grid as it is currently configured, and ask ourselves if a race to install even more IEDs without clearly designing a functional security system that is grid-wise and grid-wide is the right thing to do.

Just sayin'.

What are your comments?


Comments

  • Well made points.

    Just think, at least NERC has standards, what about the rest of the control system community? Over 7,000 high-risk chemical facilities identified by DHS and how many of them have vulnerable control systems? How many water treatment plants using chlorine gas have vulnerable control systems? How long before the WSJ and the rest of the mainstream press recognise that potential problem?

    Patrick Coyle

    Chemical Facility Security News


  • In my disordered and misguided past, I once wrote about a third of the Manual of Practice on the Disinfection of Wastewater for what was then the Water Pollution Control Federation, so I can speak to the chlorine part. I don't know of any chlorine feeding or handling system that is "internet enabled" in the way that power grid IEDs (which does NOT stand for Improvised Explosive Device) are designed to be.

    Chemical facilities are indeed at high risk, but in my experience, the petrochemical industry is many years ahead of the power industry in understanding and working to mitigate the risks involved. They are not anywhere close to done, however, and need to be pushed. But at least they are not still navigating that river in Egypt...denial.


  • “I saw it on TV, so it must be true” used to be a famous line by Conrad Brean (played by Robert De Niro) in the movie “Wag the Dog”. Are threats getting more real if they get media coverage? What exactly are the “more intelligent questions”? Are we to assume a “clear and present danger” from an ill-informed WSJ article? No offense Walt, but this is FUD as good as it gets.

    "Over the past several years, we have seen cyberattacks against critical infrastructures abroad, and many of our own infrastructures are as vulnerable as their foreign counterparts," Director of National Intelligence Dennis Blair recently told lawmakers. – Actually, we have seen ONE undisputed cyber attack, which the article doesn’t fail to mention. We have one desperado on the record who dumped a swimming pool’s load of sewage. That was back in 2000, and if you calculate risk over the years for any given individual critical infrastructure facility, you end up way beyond the right side of the decimal point. If we didn’t have old Vitek, we had zero publishable evidence. This guy was referred to by GAO reports, by ISA-99, NIST, by dozens of newspapers including the WSJ, and I hope somebody bothered to send him a fruitcake for Christmas. Ok, that’s cynical, but the fact is that anytime Maroochy pops up, everybody is reminded how infrequent cyber attacks really are.

    I must say I find the WSJ story more than weak and everything but helpful. Why would a spy need to stage some form of cyber attack in order to obtain details of the grid? The layout of the US grid is public. There is no need to implant sophisticated spyware that “only the Chinese or the Russians” could have done. But it gets better: ‘Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on."’ Oh really? Well then they must be psychics, as they would be capable of predicting the day and time when war starts, thereby fusing logical time bombs. Anybody who assumes that Internet connectivity and availability at war will be the same as in peace appears to be a bit naive, to say the least.

    “Just sayin’.”

    Innocent


  • Something I do not understand is why people are so quick to assume that government statements or even media statements are FUD?


  • I worked for 16 years as a process chemist in a specialty chemical company, not one of the biggies, but a sizeable operation. My boss was the Control Systems Engineer and he would routinely run distillations from home on his laptop via the internet. I was offered but refused off-site control capability, I just monitored processes from the house.

    The big chemical companies may understand security, but the bulk of the industry is made up of small operators that think security is locking the front gate when the plant is empty on the weekends. 

    Patrick Coyle

    Chemical Facility Security News

