You’re Not Imagining It: Civilization is Flickering, Part 1

Posted by Michael Assante

Competing, contradictory voices vie for our attention and trust. On one hand, certain reputable experts tell us the sky is about to fall, the curtain is about to close on Western civilization, and we’d better stockpile water, food and fuel in caves a la Dr. Strangelove. The other, more sanguine side says that while there is ample cause for concern, the government and the large companies that shape our lives are “managing the risks” and we should largely go about our lives as usual. This two-part blog series will give you a few tools to better judge for yourself which of these voices is closer to the ground truth, so you can “manage” your actions and fears accordingly. Check back for Part 2, posting on Wednesday.

Every morning I experience relief when flicking the wall switch produces light, something which, like gravity, 99.99% of us take for granted. What it tells me is that there is no grid cyber security crisis where I live … at that moment. At the same time, I am unable to get the thought out of my head that the lack of a crisis in one moment does not mean we aren’t facing a looming one. As our reliance on connected digital systems becomes nearly total, and as computers’ susceptibility to manipulation by remote parties is now well established, all well-informed citizens have ample cause to be anxious about their lights … and much more.

In short bursts, anxiety and fear can mean the difference between life and death, but over extended periods of time they are not healthy emotions. With perpetual immersion in multiple streams of worrying news these days (and not just about cybersecurity), our biological responses keep us flipping between states of agitation and confusion. Confusion about how to know which risks require our greatest attention, and agitation because, even if we think we understand which are the most proximate threats to ourselves, our family and friends, our business, our nation and our civilization, it’s far from clear what, if anything, we can do. For many, the lack of practical and actionable individual responses leaves us balancing our worries with hope: hope that our concerns are overblown and that every tomorrow will be like today.

Perhaps a helpful thought experiment is to center on likely future states. Based on what we have seen so far, do we believe the escalating trend of power system cyber incidents, compromises and impacts will stabilize, diminish or continue to progress? Since it is reasonable to suggest that success breeds more knowledgeable and more capable cyber attackers, the reasonable man or woman will judge the more likely futures accordingly. Cyber adversaries, if motivated to target the electric grid and other critical infrastructures, will continue to improve their ability to gain access to and exert increasing control over the most fundamental of our civilizational support structures. In sum, we can expect future mornings illuminated by dimmed or dimming lights, with our confidence that our modern way of life will continue as it has shaken to the core.

Civilization Depends Upon the Illusion of Control 

In order to function, 21st-century civilization requires that we collectively embrace an illusion. We have grown to accept a temporary but useful “illusion of control” when it comes to complex and interconnected digital systems. The illusion has allowed us to confidently build out an amazing mesh of technical wizardry without having our creative impulses stifled by fear of what could go wrong. As long as it feels like the digital world is under our control, and as long as we don’t acknowledge our near-total dependence on it, we can continue to build autonomous systems and cooler, cloud-enabled IoT apps, knowing AI, blockchain, and maybe quantum encryption are coming to the cybersecurity rescue. Of course, hackers large and small will hasten to use all of the above for malign purposes.

Despite the pervasiveness of the illusion and the comfort in status quo behavior it affords us, I know, intellectually and deep down inside, that the illusion is just an illusion. There really is a looming problem with the reliability of our lights, the electric grid, and the rest of our digitally dominated world. And the illusion fades rapidly when you are the one who has responsibility for securing a critical system, or when you and your company simply cannot tolerate the loss of critical data or automation. I’ve been in that situation and the lessons and feelings have never left me. 

When the Illusion Wavers 

Once it happens to an individual, the illusion cannot be resuscitated. Even on larger scales, the strength of the illusion falters from time to time. This occurred on September 11th, 2001, as terrorists hijacked civilian airliners and turned them into missiles. The chaos and panic that attended the temporary and vivid disruption of the illusion of control (in this case: safe air travel and built infrastructures) was profound. In the months and years that followed, the federal government and the commercial aviation industry were able to enact plans that largely brought the illusion back. They demonstrated that higher levels of safety and security were achievable even in the face of a persistent and determined adversary.

If we were able to do it with air travel, could we do something comparable when similarly devastating cyber-attacks shake our faith in, say, the reliability of our electric grid? What do you think it would feel like the morning after the final day of the attack, once we knew it was over? Would the government form a team of experts and issue a report like it did with the 9/11 Commission? Would government critical infrastructure protection programs and industry leaders be accused of a collective failure to imagine the imaginable?

There is now plenty of evidence, from both commercial and government sources, that threat actors have repeatedly probed and in many cases compromised the networks and systems that support our energy infrastructure. The evidence does not tell us definitively whether the compromises are shallow and superficial or deeper and more dangerous, and not all experts agree on these matters. Some argue that the files and data that have been surveilled or exfiltrated have been operations-focused, which points to deeper penetration. Regardless, evidence is mounting that significant penetration has been achieved. Our collective belief in a US grid under the full control of trusted operators is illusory.

Everything’s Fine or We’re Doomed: The Great Debate 

The “Relax” Camp 

Many from industry (that is, grid owners and operators as well as equipment suppliers) immediately rebuke the doomsayers by pointing out that none of the known attacks -- for example, the Russian-perpetrated disablement of parts of the Ukrainian power system and the physical attack on the Metcalf substation near Silicon Valley -- have demonstrated an ability to keep US utilities from generating, transmitting and delivering power. Stout cyber defenses and engineering designs that stress diversity and redundancy have prevented outages even as cyber compromises of varying degrees of seriousness occur.

Mike’s Take on “Relax” 

I appreciate the strength of these defenses, but I have also experienced first-hand what it is like to look a power system operator in the face and see the fear and desperation that comes from losing their system to a cyber-attack. I am not nearly optimistic enough to suggest that the panic I’ve seen abroad could not one day be experienced by power system operators here at home. In fact, I have been involved in multiple efforts that have demonstrated how well-intended security designs break down, and have analyzed how attackers use legitimate credentials to gain what appears to be authorized access across what was once believed to be impenetrable security segmentation.

The “We’re Doomed” Camp 

The doomsayer camp likes to point to the intrusions that were discovered many months after the initial compromise and suggest that the sky may actually fall tomorrow. They interpret the evidence with an eye toward aggressive speculation. How bad can it be? Their answer: really bad. Many of these folks don’t fully appreciate some of the offsetting factors, but they do stress how easily control can be disrupted in the cyber dimension. There is merit in their argument, as many systems believed to be secure have been compromised. Even the White House was compromised despite a dedicated effort to secure its systems against targeted attacks.

Mike’s Take on “Doomed” 

Where their arguments show weakness is in their understanding of how the power system is organized. For example, there is no single grid in North America, but rather a series of interconnected larger and smaller sub-grids. There is also the diversity attackers must contend with. It’s not about the operators themselves, but rather the diversity of equipment, configurations and protocols, meaning attackers have a huge amount of research to accomplish if they intend to create large or very large effects. How bad it will be is likely a function of the attack resources brought to bear, combined with the goals of the attackers and the nature of the targets. Some targets have a lower potential for significant outage footprints, while others could cause more widespread outages. And then there’s the issue of disruption vs. destruction. Operators are quite well versed in restoring power after planned and unplanned outages. Responding to wide-scale destruction of important, long-lead-time-to-replace equipment like large transformers is another matter entirely. No matter though, I see little good coming from simply declaring that the end is nigh and seeking out the nearest cave. Although some may argue I’ve done just that by relocating my family to a small town in Wyoming!

Check back on Wednesday for Part 2 of this post!

Michael Assante

Director of Industrials and Infrastructure, Lead for the ICS Curriculum, SANS Institute

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.