Control system cyber incidents can have a significant impact and kill people. As previously noted, the San Bruno natural gas pipeline rupture was a control system cyber incident caused by scheduled maintenance of the SCADA system in PG&E’s Milpitas control center. In April 2015, the California Public Utility Commission (CPUC) imposed a $1.6 Billion penalty on PG&E for causing the explosion. January 27, 2017, penalties were imposed on the criminal case against PG&E (http://www.wsj.com/amp/articles/pg-e-fined-3-million-ending-san-bruno-explosion-case-1485461825). PG&E is now a convicted felon, fined $3Million, and required to have a monitor for their natural gas operations (beyond the oversite of the CPUC). Additionally, the judge ordered PG&E to serve five years of probation – the maximum amount of time legally authorized and PG&E must run a three month advertising campaign on television publicizing PG&E’s convictions, what punishment the company received and the steps being taken to prevent a repeat of the types of crimes PG&E committed. This court-ordered requirement is to refute the on-going PG&E ratepayer-funded advertising campaign on the importance of safety in PG&E’s gas distribution business.
What has PG&E learned? In 2013, PG&E turned down an opportunity to work with DOD on Aurora hardware mitigation and has yet to adequately address the Aurora vulnerability in any of their more than 10,000 electric substations. In July 2014, DHS declassified approximately 840 pages on the Aurora hardware vulnerability. Three of the specific industry impacts identified directly affect PG&E. One actually identifies the specific PG&E substations that could be used to destroy the rotating equipment in a refinery served by PG&E. Another slide identifies how Aurora can damage natural gas compressor stations which can cause multiple “San Brunos”. Yet no further action was taken by PG&E to adequately address Aurora.
Why is this an issue? Since October 2014, BlackEnergy2 has been in our US electric grids. The Russians modified the malware (BlackEnergy3) to use in their cyber attacks against the Ukraine. In both the 2015 and 2016 cyber attacks against the Ukrainian electric grids, the attackers remotely opened the substation breakers (step 1 of Aurora) but chose not to reclose the breakers (the final step of Aurora). If the attackers would have reclosed the breakers out-of-phase with the grid, the outages would have been “6 months not 6 hours”.
Why isn’t more being done to address control system cyber issues before more people are killed?