

I hate to be a pest, but…

Tom Alrich, Tom Alrich LLC

Jan 28, 2022


On Friday the 28th, I’ll be Chris Blask’s guest on his interview show at 2PM EST. Chris is quite an interesting guy, while I’m a relentless scold (see below). So it should be interesting. I don’t know what we’ll talk about, but I think it might have something to do with SBOMs. But knowing Chris, it might have something to do with boats. Or maybe both. If you can’t make it on the 28th, it will be available on YouTube next week; I’ll publish the link when I get it.

Perhaps you’ve read something about how Vladimir Putin, my favorite dictator/kleptocrat/cybercriminal, is now threatening the Ukraine with invasion – although it seems he forgot to bring more than half of the army he will need to conduct a successful invasion. On the other hand, maybe he’s emulating George W Bush, who forced Army Chief of Staff Erik Shinseki to retire in 2003, after he predicted that “several hundred thousand troops” would be needed to pacify Iraq if we invaded. Bush invaded with about half that number.

That move didn’t work out very well, so for that reason I think the Ukrainians can sleep fairly peacefully in their beds, knowing that Putin doesn’t intend to invade with the 100,000 troops he’s arrayed now. From the ruthless giant that I (and everyone else in the US, it seems) believed Russia to be up until the Soviet Union fell, Russia has now become The Mouse that Roared. Plus, he’s made it clear that he won’t miss the opening of the Winter Olympics in Beijing in two weeks – hardly a sign that the tanks will be rolling anytime soon.

But just because he won’t invade doesn’t mean that Putin won’t cause a lot of trouble for Europe and the US, using his favorite “hybrid warfare” tactic: hard-hitting cyberattacks, with the power grid being the favorite target. So it might be expected that he’ll turn his attention back to the grid he loves to attack over all others – yes, even over Ukraine’s: that’s the US grid.

Fortunately for Uncle Vlad, he’s been diligently seeding the US grid with the malware he knows will come in handy on a rainy day – and that day may well be coming very soon. How do I know he’s planted this malware? Consider the people who have been saying that:

  1. The directors of the FBI and CIA, in their Worldwide Threat Assessment in January 2019.
  2. Vikram Thakur of Symantec, in the Wall Street Journal in January 2019.
  3. The former deputy director of the NSA, in May 2019.
  4. The WSJ in November 2019.

With all these people waving a red flag, what has been done to investigate these reports of the Russians planting malware in our grid (and likely in control centers, since they were said to be in a position to cause outages)? After all, when the Russians attacked Ukraine’s grid in 2015 and 2016, US investigators were as thick as flies over there – and they came back and gave a whole series of classified and unclassified briefings in cities across the US. Wouldn’t you expect that there would have been a similar investigation here, along with briefings for utilities, to tell them how to remove the malware? After all, isn’t the US grid much more important to us than Ukraine’s?

One would think so. But nothing ever happened. No briefings, classified or unclassified. No high level reports. No red alerts to the industry. No Facebook posts. Nothing.

So I have to assume either that all of the above people are bald-faced liars, or the Russian malware is still sitting in those control centers, waiting for the Dark Lord in his Dark Tower in Moscow to raise his hand…

Have a good night! And make sure your flashlight has batteries.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they necessarily shared by CISA’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at


Matt Chester on Jan 28, 2022

It's alarming how present these stories are without it rising to a top story in media or in pressure being put on leaders. I suspect if (when?) the first instance occurs, the tune will change moving forward; unfortunately people need it to affect them first before it becomes real to them.

Tom Alrich on Feb 1, 2022

One has to assume so. However, the leaders shouldn't need pressure. Shouldn't they investigate this on their own?

Bob Meinetz on Jan 28, 2022

"But nothing ever happened. No briefings, classified or unclassified. No high level reports. No red alerts to the industry. No Facebook posts. Nothing."

Tom, your sources are 2-3 years old. Are you cleared to review classified documents? I would tend to believe the Department of Homeland Security is on this one.

A personal friend, with a brilliant career in civil, mechanical, and electrical engineering, is a contract employee for DHS. Though for obvious reasons I don't know the details of his work, I'm led to believe there is an extremely competent group of analysts at the top who are evaluating any and all threats to the U.S., and assigning them appropriate weight and resources. 24/7/365.

I don't know for sure because I'm not supposed to know. But I can assure you of one thing: the last place you'll learn about any response to this threat is Facebook.

Tom Alrich on Feb 1, 2022

That's a reasonable assumption, Bob, but it's wrong in this case. After the Ukraine attacks, DHS held classified and unclassified briefings in a number of cities, put out classified and unclassified documents, etc. I know a number of utility cyber people with classifications, and none of them has heard one word about this, classified or not. 

The point is that, when there's a report of malware in SCADA systems (especially from the FBI and CIA), it's imperative that the potential victims be informed of how to get rid of it if it's there, or simply be reassured there's nothing to the stories, if that's the case. Not saying anything at all isn't an acceptable answer.
