Who is kidding whom about the cyber vulnerability of the electric grid?

Jan. 26, 2014
Paul Rosenzweig wrote a blog on Lawfare (http://www.lawfareblog.com/2014/01/how-likely-is-a-successful-attack-on-the-electric-grid/) on “How Likely Is A Successful Attack On The Electric Grid?” Paul’s question of how likely is a successful attack on the electric grid has an easy, but uncomfortable answer - near 100%. Paul talked to NERC about why a grid attack would be very, very hard. Why is NERC providing misleading answers and a misleading sense of security?

Paul Rosenzweig wrote a blog on Lawfare (http://www.lawfareblog.com/2014/01/how-likely-is-a-successful-attack-on-the-electric-grid/) on “How Likely Is A Successful Attack On The Electric Grid?” As Paul’s resume is very strong in the political (not technical) CIP community, his thoughts are important to know. According to Paul, “If you ask many of the folks on the front line of cybersecurity for our critical infrastructure they will tell you that a large-scale attack is very unlikely to succeed. They will all acknowledge, as they must, that legacy control systems are vulnerable to attack. But, they argue, one of the significant protections against a successful big attack against multiple targets (the type of attack, say, that would take down a large portion of the electric grid) is that the control systems are not homogeneous. In other words, our security is enhanced by the diversity of the cyber systems controlling operations. A piece of malware that would be successful in taking a PEPCO plant in Washington offline would not work against a generating facility in New York. Thus, we have taken some comfort in the fact that an attacker would need to craft dozens (or more) different malware versions; intrude them all without observation; and then activate them all with near simultaneity to achieve a significant strategic advantage. One plant = easy; the East Coast = very very hard.”

Paul’s question of how likely is a successful attack on the electric grid has an easy, but uncomfortable answer - near 100%. The statement “A piece of malware that would be successful in taking a PEPCO plant in Washington offline would not work against a generating facility in New York” is bizarre. There are many common vendors and common protocols used in the PEPCO facilities and plants in New York. Consequently, malware that would affect a PEPCO facility could easily affect a New York facility or, for that matter, a California or Illinois facility. There is a reason that ICS-CERT provides advisories on ICS malware to the entire community, not just to a single entity, and that ICS vendors send out advisories to ALL of their customers.

“One plant = easy, the East Coast = very very hard.” Again, whoever provided this information apparently does not understand Stuxnet, Aurora, and/or the latest HART vulnerability. The vulnerability of multiple facilities is even more of an issue when very few of the utilities in the Northeast (and elsewhere) have implemented the Aurora hardware mitigation, which is the ONLY way to prevent Aurora (see previous blogs).

According to Paul, the “folks that are on the frontline of cybersecurity for our critical infrastructure” that he talked to were from NERC. NERC has some very smart people. Unless Paul was mistaken in what he was told, how can NERC make these kinds of statements unless they are intentionally trying to provide a misleading sense of security?

I should mention that after Paul read an article written by West Point researchers, “Power Grid Defense Against Malicious Cascading Failure”, he seems to have changed his mind. I should also mention that I discussed the West Point report with one of the authors of the report, as even their report did not adequately address the unique issues of control system cyber security.

Joe Weiss
