And The ICS Cybersecurity Debate Continues On…

And The ICS Cybersecurity Debate Continues On…

And The ICS Cybersecurity Debate Continues On… 1791 1007 ClintBodungen

Recently I ran across a post on Linkedin in response to DHS statements and media reports pertaining to Russian hacking against the U.S. power grid. A central theme of the post cautions readers to guard against “deliberate or recklessly misleading” and “exaggerated” statements. One of the post’s claims generated significant concern, “I see no possibility of a cyber attack that is purely focused on generation causing a major grid outage, cascading or not (for that matter, I see close to zero possibility that any purely cyber attack could cause a major outage)”, and further states that the Russians “haven’t even come close” to achieving their goal of gaining a foothold in U.S. grid control centers. These statements are wrong and misleading.

Granted, a great deal of FUD (fear, uncertainty, and doubt) marketing/selling does occur in this domain, and cautioning the industry against overly hyped dangers, especially hype that promotes unreasonable fear, is a good thing. However, the author’s authoritative statements such as “no possibility” and “close to zero chance,” as well as accusing DHS officials (to the point of using the term “fraud”) and “erroneous reporting”, is contrary to the facts and current situation. If taken literal, these statements could even do more harm than good.

For example, if electric power generation and grid operators were to take the author’s inaccurate statements at face value, they could be led into a false sense of security resulting in inaction against a viable, realistic and current threat. (Please note: I do believe there is sufficient evidence to suggest that they are inaccurate, which I discuss later). I’m not claiming that “the sky is falling” or that a catastrophic attack is imminent, but promoting a belief that the grid is essentially immune to a cyber attack with critical impact needs to be countered.

To support the author’s positions that he “see(s) close to zero possibility that any purely cyber attack could cause a major outage”, and that the Russians “haven’t even come close” to achieving their goal of gaining a foothold in U.S. grid control centers, the author asserts on the following claims:

  • “Most generation assets in the US aren’t owned by utilities, but by independent power producers. So it was very misleading that DHS’ statements all referred to “utilities” being penetrated.”
  • “If a small generating plant was penetrated and it was owned by a utility, even if the control room of the plant was penetrated by the attackers, this is very far from saying that the control center of the utility itself was penetrated.”
  • “There is strict separation between the IT and OT networks, and it would be very difficult, although not impossible, for an attacker who had penetrated the IT network to then pivot to penetrate the OT network.”
  • 200 or more organizations were known to have been targeted but only about 3 to 4 were [publicly] noted to have been actually compromised.

In the first two points put forth that the DHS claims were deliberately misleading and/or exaggerated because “most generation assets aren’t owned by utilities”, and “the ones that tend to be small municipalities or co-ops”. Therefore, the author posits that an attacker would most likely not be able to compromise an actual control center or one that would have a significant impact on an entire grid. The language used by DHS and/or the reporting is a bit convoluted, maybe even contradictory depending on what articles and cross-references you are reading, but welcome to the wonderful world of the media and news reporting. Outside of that, the author bases his claim on a presumption, saying, “It is very unlikely that the wind farm was owned by a utility. It is possible that the combustion turbine (presumably a small one, not subject to NERC CIP – which explains the ease with which the attackers obtained the screenshot) was owned by a small municipal or cooperative utility”.  

According to the U.S. Energy Information Administration, 1577 teraWatt hours of the 1641 total teraWatt hours generated in 2018 year to date is from utility owned and/or controlled power sources. That’s 96%. Of that, 908 teraWatt hours (55%) was from direct regulated generation that is owned and operated by an electric utility. Keep in mind that these numbers do not reflect the total generation capacity owned by electric utilities, but it does show that, currently, 96% of the electricity being used is electric utility owned.

(NOTE: The 1577 was all power from utilities and utility-controlled sources. Example: a wind farm that is owned by Siemens AG but operated by an IOU (investor-owned utility) would be included in that number. This is significant because those kinds of installations usually have direct connections with the control centers. the 908 was from direct utility owned and operated, no third-party involvement.)

Does this mean NERC CIP regulated control networks are even less likely to be compromised due to the strict separation of IT and OT networks? According to Dragos in 2017, 85% of control system compromises were found to have been most likely from adjacent networks. 64% of control systems vulnerabilities were due to “insecure by design”, where patches could not remediate the vulnerability. That means that as recent as 2017, most control systems were vulnerable and the overwhelming majority were compromised from adjacent networks. These reports don’t specify which verticals these findings were from, but one can look at the ICS-CERT advisories and ascertain that many of these vulnerable control systems devices and applications are in fact used in the electric utility. And at 85%, it’s also unreasonable to assume none of the adjacent network compromises were found in a NERC CIP regulated control network. Beyond referenceable data, I can speak from approximately two decades of experience in industrial security (to include more than 50 penetration testing projects and several regulated electric utilities), that the IT and OT networks are not always separated as they should be, and even when they are, pivoting from an adjacent IT network to an industrial control network is rarely difficult.

IT/OT network segmentation, as it turns out, is not what really keeps the bad guys from causing a major incident on our grids. What actually slows them down is the uniqueness and complexity of the systems. In order to black out a power grid or cause an explosion is not as simple as just gaining control of a PLC (programmable logic controller) or even an HMI (human machine interface) or engineering workstation. In most cases, the attackers must have a pretty solid understanding of how the process works and its interdependencies to understand what sequence of events to cause, and how to cause them. This point was articulated in the June 27 blog post.

(It should also be noted that our nation’s “power grid” is not a single grid. It’s actually several regional grids interconnected. Without going into detail, it would be difficult to achieve an entire nation-wide blackout. But there are more events to consider than just a complete blackout, which I will discuss.)

Could this added layer of complexity be the reason why we haven’t seen more incidents and why, to the author’s point, only about a handful of known compromises resulted from around targets? Possibly but not necessarily. Those who have been part of any ISAC, worked in the intelligence community, or as an asset owner/operator knows that not everything that happens gets reported to the public. Obviously, a catastrophic event would be noticed by the public and that’s not what I’m referring to. Joining your local Infragard chapter if you are in the U.S. or an ISAC for your industry vertical can help to better understand the threats that are targeting your industry. The E-ISAC, in particular, serves the electric power and utility industry.

“Why hasn’t it happened yet?” First, Cyber warfare is new, very new. Second, the significant damage, disruption, or even catastrophic event that malicious groups are seeking through industrial systems would in most cases be considered an act of war. Is it more likely that a nation-state adversary would launch a destructive cyber-weapon the moment they have the capability to do so, and potentially start a war? Or will they more likely seek to position themselves, gaining persistence and capability within their adversaries’ industrial network, and strike at the most opportune time? That might sound a bit like tin foil hat wearing territory, but I’ll leave the question with you. Another perspective to consider is that something like a national blackout might not be the intended goal. One could assume there is also strategic value in causing regional blackouts in important locations like the pipelines in the northeastern corridor that serve as the primary source of baseload power generation for very important utilities. Targeting these regions could cause cascading impacts to major ports, rail, water, hospitals, local distribution grids, and state level sub transmission areas.

A significant disruption, including blackout, due to a cyber attack may not be imminent for a variety of reasons. An attack of this nature isn’t trivial to pull off, either but we shouldn’t be so quick to dismiss the fact that it is possible and there are bad actors with the capability actively exploring ways to make it happen. It is wise and informed to acknowledge this fact and take necessary and adequate precautions. There are no silver bullet defenses and saying it won’t happen because it hasn’t happened is naïve and unwise. A false sense of security and complacency are the most dangerous assets we can give those wishing to do harm. Don’t give it to them. Stay diligent.