A cyber risk conversation

What's the logic behind a potential cyber attack?

Phil Carson | Oct 15, 2012


We've run a number of pieces lately exploring the implications of further federal action on cyber security and the logic behind federal-industry interaction. And we've pointed to what state regulators are doing as well as work by municipal and cooperative utilities.

Today I provide an essay on the logic around the threat, the risk assessment. 

Who would have an interest in disrupting electric service, either locally or on a mass scale? What would malefactors do and why? How would a perpetrator derive value from hacking or attacking? Are they looking to cause a blackout as a prelude to invasion, as Secretary of Defense Leon Panetta suggested Friday, or just monitor our systems until the right moment arrives? 

While I have a few interviews pending on these subjects, a dialogue started in my head around the logic behind the cyber security threat. I've read enough recent reports in the news and by pertinent groups that the following exchange materialized.

Two utility executives walk into a bar, order drinks and start talking. 

Executive One: If the cyber threat is real, why haven't there been any major attacks in the U.S.? 

Executive Two: Well, we know that monitoring software of Chinese origin has been found on a number of systems, but we don't know whether that's the government spying or industrial espionage. Could be one and the same. Increasing numbers of system intrusions have been reported to the federal government's Computer Emergency Readiness Team. And we know that the Russians used cyber attacks against Georgia during hostilities in 2008. But you're right, no blackouts have resulted here. Still, I'm mighty concerned by what my IT and OT folks tell me. And the Secretary of Defense last week really put a fine point on it. 

Executive One: Maybe what we've been doing in cyber security is working; we've been hardening our industrial control systems as well as corporate IT for years now. But you just mentioned nation-states, which wouldn't launch a cyber attack on the U.S. since we announced that would be considered an act of war. Surely our main rivals would only launch a cyber attack as part of all-out war that nobody wants, right? That'd be mutually assured destruction, which kept nuclear war from occurring during the Cold War. It still works. So what other threats do we face? 

Executive Two: Let's go down the list. Terrorist groups would love to damage our grid, harm people or cause a massive blackout with major economic consequences. Terrorists don't care who gets hurt and they don't need to profit, they just want to cause harm. So I'd guess they'd love to sabotage critical infrastructure and we know that homegrown Al Qaeda sympathizers crop up occasionally. But are they sophisticated enough to mount a cyber attack or blow up a generating station?

Executive One: I'd say if we keep up our cyber security stance, combined with physical security, we can avoid that possibility. And I doubt terrorists have the sophistication to launch a damaging assault from afar, though Secretary Panetta makes it sound like they can. I'd be surprised if they weren't trying. I'm more worried about criminal elements, like the Russian mob, or hacktivists, like that Assange fellow. What would they be after? Notoriety or profit? 

Executive Two: Foreign gangs are very sophisticated and we know they have a foothold in the U.S. Perhaps they're after customer information that could be triangulated with other data to enable identity theft on a mass scale. That'd mean we don't need to worry about economic damage from a blackout, but more the destruction of a company's brand and the exploitation of its customers for gain. That's a credible threat. What about the hacktivists? 

Executive One: Those guys are nuts. They'd penetrate our systems to show how smart they are or make some misguided attempt to "expose corporate evil." Good luck with that. All we're doing is providing electricity and collecting a pittance in return. But you're right, shutting down part of the grid or exposing competitive secrets might wreak havoc, even if all they get is an ego-rush. I think we're back to terrorists causing a blackout with economic consequences, hacktivists on a Quixotic mission or gangs stealing identity-related information. Maybe nation-states stealing industrial secrets. I think blackmail over the threat of a shutdown or theft of key data is too Hollywood. How could anyone get away with profiting? You pay them, you nab them, right? Is that the whole list? 

Executive Two: Unfortunately not. We haven't talked about disgruntled insiders, our own employees. More realistically, several of the biggest grid-related incidents of the past couple years turned out to be mistakes with unintended consequences, by our own people. 

Executive One: You're right. At the last conference I attended, the cyber security speakers hammered on a "security culture," "access controls," "confidentiality, integrity and accessibility" and the intersection of "cybersec and physec" that would prevent any individual from causing harm, even unintentionally. So we've required vendors to bake-in security with no back doors or loose ends, our IT architects are designing our smart grid to prevent, detect and resist an attack and we're impressing our people with the right practices. Did you know that "social engineering" tests have shown that a thumb drive picked up in the parking lot typically ends up getting plugged in at work within hours? That may be how Stuxnet got to the Iranian centrifuges! We can't afford that!

Executive Two: Calm down. If you provide your people with a sense of the risks and reward them for demonstrating sound security culture, plus put in those access controls and focus on detection, response and resiliency and maintain an aggressive stance, we'll stay one step ahead of bad actors or catastrophic mistakes. 

Executive One: Yeah, but this stuff costs money. How do we balance risk with the cost of maintaining a security stance? And what will my state commission recognize as a prudent expense when it comes to cost recovery? 

Executive Two: We've had discussions with our regulators and they're open to cooperation, but neither of us have a bead on the public's reaction to cyber security costs. And we can't really go public with what we're doing. All I know is that if my business is seriously disrupted, our brand value flies out the window, investors flee and customers will howl. Meanwhile, I'm busy spending time and money on complying with stuff the feds hand down, which is detracting from our real work on actual security. 

Executive One: Me too. Let's have another round, a double. But first I gotta call Smithers in IT and see that he has what he needs this year. And check with HR on our security training. Or I won't be able to sleep tonight. 

Phil Carson
Intelligent Utility Daily










Punctuation and credibility

Hmmm... while the actual nugget of alarm over a high altitude electro-magnetic pulse may have some validity, I typically find that the use (or lack) of punctuation is a leading clue to credibility. 

Yes, a HEMP is a potential danger. Your TV-inspired notion of an Iranian-Al Qaeda alliance, however, is not. Nor are utility executives in a position to deal with any of the what ifs contained in your hyperbolic post. 

But the underlying assertion that a HEMP could be a danger to the grid has some merit. Why not make a more cogent argument?

Regards, Phil Carson

So you DO suffer from Normalcy Bias...


Instead of being a grammar Nazi - why not take the message at face value?

You don't think Iran is building a nuke?

You don't think Iran supports terrorism?

You don't think if they had a nuke they couldn't produce a single missile that could reach 300KM?

You don't think Al Qaeda would pilot a freighter off our coast and launch it if it was prepared to do that?

Have you forgotten 9/11 and the twin towers?  (I believe Al Qaeda was responsible for that)

I don't really care if Utilities can prepare for this - it is a real threat... and for a cogent argument - why don't you just read this official report and get back to me...

(So, did I butcher the English language so much you missed the point of this response?)

http://www.empcommission.org/docs/A2473-EMP_Commission-7MB.pdf  2008 report

http://www.empcommission.org/docs/empc_exec_rpt.pdf    2004 report

http://www.empactamerica.org/featuredreports.php  organization promoting education about  the threat of HEMP.

And, this is my personal observation - There was an English version Jihad online-magazine called "Inspire" dedicated to the defeat of America.  There were about 8 or 9 issues published.  I downloaded one and on the cover was a title of an article:  "EMP, the Ultimate Weapon".


The entire article was praising the idea of Jihadist acquiring a nuke to detonate above the US.  Would it be difficult?  Sure.  Is it unlikely?  Sure.  But so was the thought of 9/11 too.  But it happened.  Don't think for an instant if a terrorist could get their hands on an ability to launch a missile with a nuke warhead they wouldn't do it.  Yeah, it would be bad.  Laugh or scoff and solidify your Normalcy Bias - Bias...

Step away from the ledge

The simplest response is: utility executives aren't in the business of nuclear deterrence. 

But thanks for warning us. 

Regards, Phil Carson 

Do You Suffer From NORMALCY BIAS?

Or, can a "Black Swan" event deliver a fatal blow to our entire grid?

All it takes is a unilateral well-placed strike and we'd be living like NBC's new show, Revolution, where the world loses all power and it never comes back on...

Don't think it can happen?

High Altitude Electromagnetic Pulse is all it would take (for the US anyway).

Let's say Iran was hell-bent on "killing" the Great Satan.  What would you do?

First, you need to be able to build one functioning high-capacity bomb.  Check.  They're working on that.

Second, they need a way to deliver the nuke to the right place.  So, you need a missile - not an intercontinental ballistic.. no, just one like they have been testing that keeps blowing up before it goes into orbit... Yay we say!  Their missile blew up!  Fail!


It is the perfect "profile" for a HEMP event.  Once they have a bomb and they have their 350KM altitude Shahab missile ready they put it on an old freighter... hardened to avoid the tell-tale radioactive signature and therefore we don't suspect a thing...

Then Iran (or NoKo if you prefer - they could do the same thing... or Russia) delivers the freighter to Al Qaeda.  They take a leisurely cruise and when they are about 200 miles off the coast of the US (in international waters) they launch...  it speeds to the correct best-practice height to deliver a Gamma-packed high altitude Electromagnetic Pulse that takes out the ENTIRE US GRID, most of Canada's and most of Mexico's...




We are in dark-city.

And with all the king's horses and all the king's men no one will be able to replace the 2,000 some-odd high voltage back-bone required transformers (which have been turned to complete molten heaps of metal fried by the E3 component of the HEMP) and only Germany is in the business of manufacturing them at a very very very slow rate.

Of course, this does not count all the thousands and thousands of lower street-variety voltage transformers too.  And, since there is no communication, no gas pumps and most vehicles are fried.  How will anyone anywhere know or have ability to travel and work on the grid?

In fact, anything with an IC chip on a circuit board will fry from the E1 & E2 component.  All cell phones, computers, ECU units in your car... every SCADA system (think of all the grid controlled systems, plus gas pipelines etc) go up in a puff of a millisecond.

The Federal Gov't estimates it could take years to get some semblance of a grid back working... and in the meantime they also estimate between 75% to 90% of our population would die in the first year due to starvation and disease.

That means around 30 Million people may survive.   Hmmm, if I were an enemy, I'd sit back for a year and let the worst play out and then mosey on in to take over the balance...

Guess you execs drank a bit too much cuz they didn't mention this hypothetical... just wonder how hypothetical it is?