The US electric grid has been cyber attacked for years yet NERC won’t acknowledge facts

This blog focuses on cyber attacks against the US electric grid. Consequently, I will not address known cyber attacks such as Stuxnet and Triton that were not against the US electric grid (though they certainly could have been, as the US electric grid uses the same control systems that Stuxnet and Triton attacked). It should also be noted that cyber attacks can be made to look like malfunctions. Additionally, the only difference between a malicious insider and an unintentional mistake is motivation; the end result is the same. This can be seen in the 2008 Florida outage example.

On September 6, 2019, EENews reported on the “first” U.S. grid cyber attack (https://www.eenews.net/stories/1061111289). My database has identified more than 300 actual control system cyber incidents in the North American electric system, including 6 major outages affecting at least 90,000 customers. Moreover, since 2010, the electric industry has reported 29 cyber attacks on the mandatory DOE OE-417 reporting forms. As noted below, there have been numerous cyber attacks behind both properly and improperly configured firewalls. Why do EENews and, more importantly, NERC say there have been no previous cyber attacks against the US electric grid?

To the best of my knowledge, the first case of a cyber attack on the US grid was China’s attack on CA ISO in 2001. The Chinese did not succeed in compromising SCADA, but they tried.

The first successful cyber attack on the US grid was in 2004, when a utility’s SCADA system was maliciously compromised and left inoperable for 2 weeks (the culprit was not identified, as the trail was lost on the second or third hop into Eastern Europe). I had the utility engineer present the case at my 2004 ICS Cyber Security Conference. He and I did an assessment of the financial impact of the cyber attack (the first such assessment for a control system cyber attack), which can be found in my book, Protecting Industrial Control Systems from Electronic Threats.

A major incident that had all of the hallmarks of a malicious incident was the 2008 Florida outage, which affected more than 6 million customers for almost 8 hours. In this case, an engineer was sent to an electric substation to perform diagnostics on a large substation device, a capacitor bank switch (viewed as a distribution device and so outside NERC CIP scope). Instead of disabling only the protection on this device and leaving all of the other protection in place, the engineer disabled ALL relay protection and then called the SCADA operator to remotely energize the affected device. However, the SCADA operator was not told that all protection had been disabled, and the SCADA system did not identify the loss of protection. Consequently, the SCADA operator remotely energized the suspect device via a serial link (again, outside NERC CIP scope), the capacitor bank switch exploded, and a cascading outage followed. As an aside, DHS was on the radio continuously saying the event wasn’t terrorism. The Florida event takes on added significance because the Russians targeted capacitor banks in 2018 – https://www.controlglobal.com/blogs/unfettered/russia-has-compromised-the-us-grid-this-year/.
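The 2008 sequence above, as an added example that is not from the original post or from any utility's SCADA: a SCADA-side permissive that refuses a remote close when any relay protecting the device is disabled outside an explicitly authorized bypass, or when the link carries no relay status at all (the serial-link case), and records why. The substation, relay names, the bypass authorization taken from a switching order, and the audit record are all assumptions made for the example.

```python
"""Protection-status interlock for a remote energize (close) command.

Added example for this post; it is not code from the original blog or from any
utility's SCADA. The model is an assumption: a substation device is protected
by a set of relays, and for each relay the SCADA either holds a reported
status ("enabled"/"disabled") or has none at all (None), which is the
situation on a serial link that carries commands but no relay status.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Relay:
    name: str
    status: Optional[str]  # "enabled", "disabled", or None = not visible to SCADA


@dataclass(frozen=True)
class Device:
    name: str
    relays: Tuple[Relay, ...]


@dataclass(frozen=True)
class Decision:
    permitted: bool
    reasons: Tuple[str, ...]


def energize_permissive(device: Device,
                        authorized_bypass: FrozenSet[str] = frozenset()) -> Decision:
    """Permit a remote close only when every relay protecting the device is
    positively reported as enabled, except relays explicitly named in an
    authorized bypass (assumed here to come from the switching order for the
    diagnostic). A relay that is disabled outside that scope, or whose status
    the SCADA cannot see, blocks the command, and every blocking condition is
    returned so the operator is told why instead of the close silently going out.
    """
    reasons = []
    if not device.relays:
        reasons.append(f"{device.name}: no protective relays configured")
    for r in device.relays:
        if r.status is None:
            reasons.append(f"{r.name}: protection status not visible to SCADA")
        elif r.status != "enabled" and r.name not in authorized_bypass:
            reasons.append(f"{r.name}: protection {r.status} outside authorized bypass")
    return Decision(permitted=not reasons, reasons=tuple(reasons))


def field_diagnostic(device: Device, target: str) -> Device:
    """What the field procedure should do: disable only the relay on the
    device under test and leave the rest of the substation protected."""
    return replace(device, relays=tuple(
        replace(r, status="disabled") if r.name == target else r
        for r in device.relays))


def disable_all(device: Device) -> Device:
    """What happened in the 2008 Florida case: every relay disabled."""
    return replace(device, relays=tuple(
        replace(r, status="disabled") for r in device.relays))


def no_status(device: Device) -> Device:
    """Serial-link case: commands go out, but no relay status comes back."""
    return replace(device, relays=tuple(
        replace(r, status=None) for r in device.relays))


def remote_close(device: Device, audit: list,
                 authorized_bypass: FrozenSet[str] = frozenset()) -> bool:
    """SCADA command path: evaluate and log the permissive *before* the close
    is sent. A blocked command never reaches the field; the audit record
    carries the reasons for the operator and the post-event investigation."""
    decision = energize_permissive(device, authorized_bypass)
    audit.append((device.name, "CLOSE", "sent" if decision.permitted else "blocked",
                  decision.reasons))
    return decision.permitted


# Constructed substation: a capacitor bank switch protected by its own relay
# plus bus-differential and feeder-overcurrent relays (names are made up).
SUBSTATION = Device("CAP_BANK_SW_1", (
    Relay("CAP_BANK_RELAY", "enabled"),
    Relay("BUS_DIFF_RELAY", "enabled"),
    Relay("FEEDER_OC_RELAY", "enabled"),
))
ORDER = frozenset({"CAP_BANK_RELAY"})  # the only bypass the switching order allows

if __name__ == "__main__":
    audit = []
    remote_close(field_diagnostic(SUBSTATION, "CAP_BANK_RELAY"), audit, ORDER)  # sent
    remote_close(disable_all(SUBSTATION), audit, ORDER)                         # blocked
    remote_close(no_status(SUBSTATION), audit, ORDER)                           # blocked
    for entry in audit:
        print(entry)
```

The design point is that "not visible" is never treated as "enabled": a link that cannot carry relay status cannot satisfy the permissive, so the operator is forced to confirm protection by another means before the close goes out.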

In 2012, the major control system supplier Telvent had its internal firewall and security systems breached by the Chinese. This was a major issue because Telvent had direct remote access to its customers’ control systems, many of which were in the electric and energy industries.

The Russians were in the US grid in April 2014, using Havex and BlackEnergy2 malware that exploited a Microsoft flaw affecting three major control system vendors’ HMIs. In December 2015, the Russians applied their “lessons learned” by cyber attacking Ukrainian distribution systems with upgraded Havex and BlackEnergy3 malware. As the NERC CIPs have no requirement to remove malware, the Russian malware is still in our electric grids.

The EENews article states this was a first-of-its-kind cyber attack on the U.S. grid, creating blind spots at a grid control center and several small power generation sites in the western United States. According to the article, the unprecedented cyber disruption this spring did not cause any blackouts, and none of the signal outages at the “low-impact” control center lasted longer than five minutes. Contrast that to an incident in December 2015 in which router bandwidth for network traffic between control centers saturated and led to a flat-line condition (effectively a denial of service). As a result of the bandwidth saturation, the control center lost the ability to monitor and control its portion of the Bulk Electric System for approximately 39 minutes. This Lessons Learned event was disclosed less than 2 weeks after the 2015 Ukrainian power grid cyber attack. Why won’t NERC identify this, and the many other incidents like it, as being cyber-related?
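The December 2015 flat-line condition above, as an added detection example that is not from the original post, NERC or any utility: a detector that turns a stream of telemetry updates into per-point staleness gaps, intersects them to find intervals in which the control center lost visibility of every point at once, and correlates those intervals with link-utilization samples so that a link pegged at capacity before the blind spot is flagged as the likely cause. The point names, update record format, 30-second staleness threshold and 95% utilization threshold are assumptions.

```python
"""Flat-line / loss-of-visibility detector for an inter-control-center link.

Added example for this post; it is not part of the original blog and not NERC's
or any utility's tooling. The input is a constructed stream of telemetry
updates (one record per value the control center receives) and constructed
link-utilization samples; the record format, point names and thresholds are
all assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Update:
    t: float      # seconds from the start of the analysis window
    point: str    # telemetry point name
    value: float


@dataclass(frozen=True)
class Gap:
    point: str
    start: float
    end: float


def point_gaps(updates: Iterable[Update], stale_after: float,
               window_end: float) -> List[Gap]:
    """One Gap per interval longer than stale_after in which a point received
    no update. The window end is appended so that a point that goes silent
    and never returns is still reported."""
    by_point: Dict[str, List[float]] = {}
    for u in sorted(updates, key=lambda u: u.t):
        by_point.setdefault(u.point, []).append(u.t)
    gaps = []
    for point, times in by_point.items():
        times = times + [window_end]
        for a, b in zip(times, times[1:]):
            if b - a > stale_after:
                gaps.append(Gap(point, a, b))
    return gaps


def loss_of_visibility(gaps: Sequence[Gap],
                       expected: Sequence[str]) -> List[Tuple[float, float]]:
    """Intersect the gaps of every expected point. An interval in which all
    points are stale at once is the link (or the center behind it) flat-lining,
    not one bad sensor, and is what an operator would call loss of visibility."""
    common = None
    for p in expected:
        ivals = [(g.start, g.end) for g in gaps if g.point == p]
        if not ivals:
            return []          # this point kept updating: the link was alive
        if common is None:
            common = ivals
            continue
        common = [(max(s1, s2), min(e1, e2))
                  for s1, e1 in common for s2, e2 in ivals
                  if min(e1, e2) > max(s1, s2)]
    return common or []


def saturation_intervals(util: Sequence[Tuple[float, float]], threshold: float,
                         min_seconds: float) -> List[Tuple[float, float]]:
    """util is (t, fraction-of-link-capacity) samples. Return intervals during
    which utilization stayed at or above threshold for at least min_seconds."""
    out, start, last = [], None, None
    for t, frac in util:
        if frac >= threshold:
            start = t if start is None else start
            last = t
        elif start is not None:
            if last - start >= min_seconds:
                out.append((start, last))
            start = None
    if start is not None and last - start >= min_seconds:
        out.append((start, last))
    return out


def analyze(updates, util, expected, window_end, stale_after=30.0):
    """Correlate blind intervals with link saturation that began before them:
    a blind spot preceded by a pegged link is a denial-of-service signature,
    whether the cause is malicious or a misconfiguration."""
    blind = loss_of_visibility(point_gaps(updates, stale_after, window_end), expected)
    sat = saturation_intervals(util, threshold=0.95, min_seconds=30.0)
    return [{"start": s, "end": e, "minutes": round((e - s) / 60, 1),
             "link_saturated_first": any(ss <= s <= se for ss, se in sat)}
            for s, e in blind]


# Constructed data: three points updating every 4 s, silent from t=100 s to
# t=2440 s (39 minutes), then recovering; the link is pegged at 100% from
# t=90 s until shortly before the points return.
POINTS = ["TIE_MW", "BUS7_KV", "GEN3_MW"]
UPDATES = [Update(float(t), p, 1.0) for p in POINTS
           for t in list(range(0, 101, 4)) + list(range(2440, 2501, 4))]
UTIL = [(float(t), 1.0 if 90 <= t <= 2430 else 0.3) for t in range(0, 2500, 10)]

if __name__ == "__main__":
    for finding in analyze(UPDATES, UTIL, POINTS, window_end=2500.0):
        print(finding)
```

Two properties matter here. Staleness is judged per point and then intersected, so one failed sensor does not raise a whole-link alarm, while a flat-line across every point does. And the detector does not try to decide intent: a link saturated by a misconfigured router and one saturated by an attacker produce the same finding, which is exactly why such an event needs to be investigated as cyber-related before it is written off as a malfunction.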

In 2019, a major international control system vendor issued a warning to its customers about counterfeit process transmitters, devices that are at the heart of reliability and safety (https://www.controlglobal.com/blogs/unfettered/the-ultimate-control-system-cyber-security-nightmare-using-process-transmitters-as-trojan-horses/). However, these devices are out of scope for both the NERC CIPs and the NERC supply chain requirements. This incongruity was questioned at the 2019 US Naval War College Cyber War Games: https://www.controlglobal.com/blogs/unfettered/the-gap-between-war-games-and-reality-observations-from-the-2019-naval-war-college-cyber-war-game/

The EENews article has a pointer to the NERC Lessons Learned disclosure, “Risks Posed by Firewall Firmware Vulnerabilities”. Unfortunately, NERC chose to remove this Lessons Learned disclosure from its website, even though NERC Lessons Learned are supposed to be public and do not identify utilities by name. Where is the transparency and information sharing NERC keeps promising?

The key points are:

- Malicious cyber incidents affecting the US grid, originating from compromises of control system vendors as well as of the utilities themselves, have been ongoing for more than 15 years.

- Unintentional cyber incidents (or at least incidents that appear to be unintentional) have also been occurring for years, with impacts similar to those of malicious incidents.

- NERC continues to refuse to acknowledge actual control system cyber incidents. The disclosure requirements identified in the FERC/NERC white paper on incident reporting, “Joint Staff White Paper on Notices of Penalty Pertaining to Violation of Critical Infrastructure Protection Reliability Standards”, will be meaningless if NERC simply refuses to call cyber incidents “cyber”.

- A control system cyber incident playbook is critically needed: https://www.controlglobal.com/blogs/unfettered/control-system-cyber-incident-hunting-input-for-a-playbook-on-control-system-cyber-incident-investigations-2/

Joe Weiss