We can’t detect a cyber attack that trips a plant, but we immediately identify an outage as not being a cyber attack?

Aug. 12, 2019
It seems premature to immediately rule out an event being cyber-related when you don’t know the cause of the event.

The vast majority of the time, an upset condition like a power outage or plant shutdown will be induced by mechanical, electrical, personnel errors, or environmental conditions. However, a sophisticated attacker can make a cyber attack look like a malfunction, and it will be difficult to detect the difference. Additionally, in a complex control system such as an electric grid (with connections to external organizations) it becomes difficult to determine whether cyber compromises have occurred before the communications enter the electric system.

On August 9, 2019, the UK suffered a power outage affecting more than 800,000 customers. The director of National Grid said the company was certain the power failure had not been the result of “malicious” action or a cyber attack. Meanwhile, Ofgem, the power regulator in Britain, demanded an urgent investigation. Considering that only minimal control system cyber forensics are in place, and taking into account both the lack of cyber security training for substation engineers and the grid’s connectivity to other entities, National Grid’s conclusion about potential cyber threats is questionable. Quick and questionable conclusions about potential cyber impacts on grid outages are not unique to the recent power failure in the UK. The July 2019 Con Ed power outage was quickly determined to not be terrorism or a cyber attack before the exact cause was known.There have been many control system cyber incidents that were not identified as such (my database is 1,170 and growing). Earlier this year, “frozen” power flow measurements that were not identified as being cyber-related almost caused a massive European blackout. Malware was detected in a US electric utility that had been resident in the OT networks for more than 7 months. It was finally detected when the engineer was unable to remotely communicate with a critical piece of substation equipment. A “self-contained” petrochemical plant should be much easier to monitor for cyber threats than an interconnected grid. Yet, malware installed in the petrochemical plant’s engineering workstation (analogous to a SCADA master station) was not detected even after tripping the plant. If you can’t identify a cyber attack that tripped a plant, how can you be sure cyber was not involved in the UK incident?

According to reports, the UK outage was caused when a large wind farm and a combustion turbine facility tripped at almost the same time, which is an interesting coincidence to say the least. Between July 16th and 17th, I was at the US National Renewable Energy Laboratory (NREL) wind farm cyber security workshop. There are minimal cyber security protections for systems like those affected in the UK outage. There have also been numerous cases where combustion turbines have had cyber incidents. From a substation perspective, the 2008 Florida outage was a malicious cyber event caused by the substation engineer that impacted almost half the state of Florida for 8 hours yet DHS did not acknowledge that being a possibility. From a SCADA perspective, NERC stated that a specific SCADA outage was immediately identified as not being a cyber attack (just like the National Grid case) but it took the utility a significant period of time to determine a cause (which was actually cyber-related).

With the lack of appropriate control system cyber forensics at each stage (National Grid substations, National Grid SCADA, Orsted wind farm, and RWE gas turbines) how can such a firm conclusion that cyber wasn’t involved be made at such an early stage?

Ironically, the July 25-26, 2019 Naval War College Cyber War Games saw utility players take precipitous action when confronted with hypothetical malware on the OT networks - https://www.controlglobal.com/blogs/unfettered/the-gap-between-war-games-and-reality-observations-from-the-2019-naval-war-college-cyber-war-game

It therefore seems premature to immediately rule out an event being cyber-related when you don’t know the cause of the event. We should look forward to the detailed results of investigations into the National Grid outages with interest. We also need to reconcile the War Games actions where cyber was immediately accepted as a cause and actual cases where cyber is generally not.

Joe Weiss