As I noted in my previous post about a recent 60 Minutes segment, we often rely on rumor and innuendo as the basis for journalism in critical infrastructure. If a current or former high-ranking public official says he heard something, then it must be true. Unfortunately, Project Grey Goose, whose stated objective was “to answer the question of whether there has been any successful hacker attacks against the power grid, both domestically and internationally,” falls victim to much of the same fear, uncertainty, and doubt. As in all media reports, there are factual bases for findings that exaggerated the true state of the electric grid. For example, their statement that “90% of the U.S. Department of Defense's (DOD) most critical assets are entirely dependent on the bulk power grid” is presumably taken from a Government Accountability Office (GAO) report noting that 85 percent of critical DoD assets rely on commercial electric power. However, the “entirely dependent” statement ignores the wide variety of backup generators that support these assets, and while not adequate, are nonetheless a significant contribution to the reliability of critical DoD assets. So rather than sounding the alarm that military bases, for the most part, do not have their own power plants, a better response would have been to suggest that the military expand the use of backup generators and micro-grid technology to augment commercial power as the GAO report does. Of course, that would not grab as many headlines.
Similarly, the Grey Goose Report note that “[m]ost Grid asset owners and operators have been historically resistant to report cyber attacks against their networks as well as make the necessary investments to upgrade and secure their networks.” While it may be true that incidents are underreported, the implication that the electricity industry is deficient compared to other industrial sectors is misleading or even wrong. Most companies do not report security incidents unless legally required to or to mitigate the harm to their customers, and even then the evidence of an intrusion and theft of data had better be definitive. Lost laptops and backup tapes are one thing. You cannot say they are within your control if they go missing. However, organizations in general have a horrible record of even detecting when a successful attack has occurred let alone what was taken. Like many industries, the electricity industry has struggled to pinpoint the source of many disruptions associated with their network infrastructure. More often than not, the problems were inadvertent and not malicious. We can certainly do better, and with technologies like Smart Grid, we have to. However, calling out the electricity industry for failures that we’ve all been subjected to is not very productive.
The other statements made about the vulnerabilities in the electricity sector are misleading. While North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) still does not apply to many aspects of the electrical grid for a variety of jurisdictional reasons, where it does apply, it is not voluntary, as the many utilities subjected to rigorous and painful audits can attest. The process may not be perfect, but utilities are being subjected to scrutiny. Moreover, anyone receiving stimulus grants under the Department of Energy’s Smart Grid grant program has to demonstrate a very rigorous approach to cyber security through the entire implementation life cycle.
Finally, the report cites a litany of vulnerabilities discovered in various Smart Grid devices such as meters and perpetuates speculation about the potential impact on the grid without considering compensating security controls. Nowhere does the report cite names of vulnerable vendors nor does it provide any information about whether these vulnerable products have actually been implemented. It’s like saying that tests on personal computers showed that they were vulnerable to attack without identifying the operating system or the applications running on the device.