Here’s how somebody could really impact the US grid

As I write this, US hospitals are being hit with an unprecedented ransomware attack by Russian-speaking criminals; patient care is already being affected. There’s no evidence that this is anything more than criminal activity at this point, and if anything the hospitals are just catching up with other sectors in terms of being targeted for ransomware – sectors like local government and school districts have already been hit very hard.

It seems the criminals have come to realize that a hospital faces much more pressure to return to normal operations quickly after a ransomware attack than, for example, an insurance company does, and thus may be more likely to pay the ransom rather than wipe its systems and restore from backup. Part of the pressure may stem from a death following a ransomware attack on a hospital in Germany, which may have been the first documented death due to a cyberattack.

However, I think the current attacks on hospitals are different and provide a warning signal for the operators of the US electric grid. What catches my attention is that these attacks are clearly coordinated. Sure, they’re probably coordinated by criminals, who aren’t likely to see much advantage in targeting the grid. But there’s nothing to prevent them from being coordinated by the Russian state instead. And there’s no doubt that the Russians want to have the power to cause big outages on the US grid, even if they don’t want to exercise it currently.

As you know, ransomware attacks aren’t addressed at all by the NERC CIP standards, and – given the current mostly prescriptive nature of those standards – I don’t think they should be now, either. But I do think there should be a NERC effort to make sure that electric utilities are taking the necessary steps to protect against ransomware, including both technical and non-technical steps (with anti-phishing training and testing being no. 1 on my list).

Some people will want to point out that ransomware affects IT networks, not OT ones. I’ll agree that’s true in the case of substations, where the most important programmable grid control devices – electronic relays and remote terminal units (RTUs) – are almost entirely impervious to most ransomware. But this isn’t the case with Control Centers, where the devices almost all run Windows or Linux. They’re much more like IT than “true” OT networks, and some utilities consider them part of IT, not OT. However, the fact is they play a crucial role in monitoring and controlling the grid, which is why they play such a prominent role in the CIP standards.

And now someone might point out to me that, since Control Centers are well-protected by NERC CIP, it would be virtually impossible for ransomware to spread to them. I used to think that was the case, until I heard about this event in 2018. Anybody who thinks that Control Centers are immune to the effects of ransomware is living in a fool’s paradise. They would be a great vector for a serious ransomware attack aimed at disrupting the grid itself.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

Discussions

Richard Brooks on Oct 30, 2020

Good point Tom. This is precisely why I recommend that entities perform a comprehensive software supply chain risk assessment before any attempt to install a software package.
