A cyber risk conversation
What's the logic behind a potential cyber attack?
We've run a number of pieces lately exploring the implications of further federal action on cyber security and the logic behind federal-industry interaction. And we've pointed to what state regulators are doing as well as work by municipal and cooperative utilities.
Today I offer an essay on the logic behind the threat: the risk assessment.
Who would have an interest in disrupting electric service, either locally or on a mass scale? What would malefactors do and why? How would a perpetrator derive value from hacking or attacking? Are they looking to cause a blackout as a prelude to invasion, as Secretary of Defense Leon Panetta suggested Friday, or just monitor our systems until the right moment arrives?
While I have a few interviews pending on these subjects, a dialogue started in my head around the logic behind the cyber security threat. I've read enough recent reports in the news and by pertinent groups that the following exchange materialized.
Two utility executives walk into a bar, order drinks and start talking.
Executive One: If the cyber threat is real, why haven't there been any major attacks in the U.S.?
Executive Two: Well, we know that monitoring software of Chinese origin has been found on a number of systems, but we don't know whether that's the government spying or industrial espionage. Could be one and the same. Increasing numbers of system intrusions have been reported to the federal government's Computer Emergency Readiness Team. And we know that the Russians used cyber attacks against Georgia during hostilities in 2008. But you're right, no blackouts have resulted here. Still, I'm mighty concerned by what my IT and OT folks tell me. And the Secretary of Defense last week really put a fine point on it.
Executive One: Maybe what we've been doing in cyber security is working; we've been hardening our industrial control systems as well as corporate IT for years now. But you just mentioned nation-states, which wouldn't launch a cyber attack on the U.S. since we announced that would be considered an act of war. Surely our main rivals would only launch a cyber attack as part of all-out war that nobody wants, right? That'd be mutually assured destruction, which kept nuclear war from occurring during the Cold War. It still works. So what other threats do we face?
Executive Two: Let's go down the list. Terrorist groups would love to damage our grid, harm people or cause a massive blackout with major economic consequences. Terrorists don't care who gets hurt and they don't need to profit, they just want to cause harm. So I'd guess they'd love to sabotage critical infrastructure and we know that homegrown Al Qaeda sympathizers crop up occasionally. But are they sophisticated enough to mount a cyber attack or blow up a generating station?
Executive One: I'd say if we keep up our cyber security stance, combined with physical security, we can avoid that possibility. And I doubt terrorists have the sophistication to launch a damaging assault from afar, though Secretary Panetta makes it sound like they can. I'd be surprised if they weren't trying. I'm more worried about criminal elements, like the Russian mob, or hacktivists, like that Assange fellow. What would they be after? Notoriety or profit?
Executive Two: Foreign gangs are very sophisticated and we know they have a foothold in the U.S. Perhaps they're after customer information that could be triangulated with other data to enable identity theft on a mass scale. That'd mean we don't need to worry about economic damage from a blackout, but more the destruction of a company's brand and the exploitation of its customers for gain. That's a credible threat. What about the hacktivists?
Executive One: Those guys are nuts. They'd penetrate our systems to show how smart they are or make some misguided attempt to "expose corporate evil." Good luck with that. All we're doing is providing electricity and collecting a pittance in return. But you're right, shutting down part of the grid or exposing competitive secrets might wreak havoc, even if all they get is an ego-rush. I think we're back to terrorists causing a blackout with economic consequences, hacktivists on a Quixotic mission or gangs stealing identity-related information. Maybe nation-states stealing industrial secrets. I think blackmail over the threat of a shutdown or theft of key data is too Hollywood. How could anyone get away with profiting? You pay them, you nab them, right? Is that the whole list?
Executive Two: Unfortunately not. We haven't talked about disgruntled insiders, our own employees. More realistically, several of the biggest grid-related incidents of the past couple years turned out to be mistakes with unintended consequences, by our own people.
Executive One: You're right. At the last conference I attended, the cyber security speakers hammered on a "security culture," "access controls," "confidentiality, integrity and accessibility" and the intersection of "cybersec and physec" that would prevent any individual from causing harm, even unintentionally. So we've required vendors to bake in security with no back doors or loose ends, our IT architects are designing our smart grid to prevent, detect and resist an attack and we're impressing our people with the right practices. Did you know that "social engineering" tests have shown that a thumb drive picked up in the parking lot typically ends up getting plugged in at work within hours? That may be how Stuxnet got to the Iranian centrifuges! We can't afford that!
Executive Two: Calm down. If you provide your people with a sense of the risks and reward them for demonstrating sound security culture, plus put in those access controls and focus on detection, response and resiliency and maintain an aggressive stance, we'll stay one step ahead of bad actors or catastrophic mistakes.
Executive One: Yeah, but this stuff costs money. How do we balance risk with the cost of maintaining a security stance? And what will my state commission recognize as a prudent expense when it comes to cost recovery?
Executive Two: We've had discussions with our regulators and they're open to cooperation, but neither of us has a bead on the public's reaction to cyber security costs. And we can't really go public with what we're doing. All I know is that if my business is seriously disrupted, our brand value flies out the window, investors flee and customers will howl. Meanwhile, I'm busy spending time and money on complying with stuff the feds hand down, which is detracting from our real work on actual security.
Executive One: Me too. Let's have another round, a double. But first I gotta call Smithers in IT and see that he has what he needs this year. And check with HR on our security training. Or I won't be able to sleep tonight.
Intelligent Utility Daily