Mike Assante wrote two blogs: You're Not Imagining It: Civilization is Flickering, part 1 and 2. I wanted to provide my thoughts as an engineer, not a threat analyst. Consequently, I can only address what can be done, not who would do it or why.
Our industrial and commercial infrastructures were designed to be reliable and safe, not cyber secure. They were also designed without appropriate control system cyber forensics. Consequently, it may not be possible to identify an incident as being the result of unintentional activities or a cyber attack. The lack of control system cyber security includes analog devices and systems that have no cyber security nor capability of adding cyber security. It also applies to some digital systems that are also cyber vulnerable, often by design. These cyber vulnerabilities can be design features and therefore cannot be changed. It has been shown in laboratory demonstrations and actual incidents that cyber vulnerabilities exist that can physically damage equipment such as transformers, motors, generators, etc. Damaging this critical equipment can lead to long term outages of electric systems, refineries, manufacturing, etc.
According to Mike (and I agree), “Complex interconnected cyber systems dwell in a perpetual state of unknown integrity. Intrusions into one part of a larger highly networked system-of-systems may remain isolated or may have expanded into other parts of the network or system. What we do know is that we are at a point where a number of actors are interested in achieving and developing, at a minimum, persistent, reliable access. Arguing against that point is difficult because 1) we know we are unable to detect all intrusions; 2) we lack the ability to prove (to ourselves and others) that a system has not been compromised; and 3) it is almost impossible to contain a compromise that one doesn’t even detect. Hence, they must be taken extremely seriously.” Mike is assuming the monitoring is from the network which cannot determine what specific equipment is being affected as opposed to monitoring the process sensors which directly indicates how the process is working, including system interactions. Mike is saying is what I have been saying: network monitoring of control system networks is necessary but not sufficient. However, monitoring the process sensors can enable complex, interconnected cyber systems to have known integrity, because you are directly monitoring the process not the “cyber systems”.
According to Mike from the “Relax Camp”, “Many from industry (that’s grid owners and operators as well as equipment suppliers) immediately rebuke doomsayers by pointing out that none of the known intrusion incidents -- for example, Russian perpetrated disablement of the Ukraine power system and a physical attack on the Metcalfe substation near Silicon Valley -- have demonstrated an ability to keep US utilities from generating, transmitting, and delivering power. Stout cyber defenses and engineering designs that stress diversity and redundancy have prevented outages even as cyber compromises of varying degrees of seriousness are occurring.” Again according to Mike, “Where their arguments show weakness is in their understanding of how the power system is organized. For example, there is no single grid in North America, but rather a series of inter-connected larger and smaller sub-grids. There is also the issue of diversity attackers must contend with. It’s not about the operators themselves, but rather the diversity of the equipment, configurations and protocols meaning attackers have a huge amount of research to accomplish if they intend to create large or very large effects. How bad it will be is likely a function of the attack resources brought to bear, combined with the goals of the attackers, mixed in with the nature of the targets. Some targets will have a lower potential for significant outage footprints while others could cause more widespread outages. And then there’s the issue of disruption vs. destruction. Operators are quite well versed in restoring power after planned and unplanned outages. Responding to wide-scale destruction of important, long-lead-time-to-replace equipment like large transformers is another matter entirely.” I agree with Mike which is why the concept of mutual aid for cyber attacks may not be viable. The Aurora vulnerability is one example of using cyber to operate equipment in a “do not operate” regime can cause long-term damage. This type of attack is independent of the vendor because you are “attacking” physics not the vendor and the physics applies to any vendor. There are hardware solutions to some these problems but they have not been uniformly applied making our system vulnerable to exploits that are known as well as new “control system zero day” attacks such as Stuxnet and the data center attacks identified in https://www.controlglobal.com/blogs/unfettered/data-centers-have-been-damaged-and-they-are-not-being-adequately-cyber-secured/
While you cannot fully secure a control system network, you can monitor the process in real time to understand if the process is changing for any reason. This leads back to the need for a paradigm shift for control system cyber security - https://www.controlglobal.com/blogs/unfettered/changing-the-paradigm-of-control-system-cyber-security/
Joe Weiss
