Two recent successful critical infrastructure attacks and one thwarted attack call into question whether the “voluntary” protection of the critical infrastructure by private industry is working – and whether the U.S. Government is fulfilling its obligation to protect the American people.
It is a question that the Center for Security-sponsored Secure The Grid Coalition (“STG”) has been asking for a long time.
In fact, STG has been actively working to protect the critical infrastructures and has found that our main “opposition” has been from the electric utility industry, aided and abetted (believe it or not) by the federal government. The “public-private partnership” fig leaf of infrastructure protection has fallen off, and now for all to see is a naked scam of a regulatory system. A clear failure of our government to protect us. More on that later.
Let’s quickly review three recent events.
SolarWinds Critical Infrastructure Attacks
In mid-December, there was a major supply chain cybersecurity breach that impacted both the federal government and private sector companies, including companies in the energy industry. E&E News reported:
“It was not immediately clear how the global intrusion campaign could affect the operational technology that keeps the lights on and oil and gas facilities online. But experts said some critical infrastructure operators rely on Orion and had been hacked.”
This hack, believed to have originated from Russia, potentially impacted companies in the electric grid. Unfortunately, it appears that the grid self-regulator did not even know two weeks after the hack was publicly reported what the impact was. According to this article, The North American Electric Reliability Corp. (NERC), did not even ask the companies it regulates until December 22, 2020. And this is just for the “bulk Power System” which is essentially the interstate transmission portion of the electric grid.
The electric grid consists of 1. generation; 2. transmission; and 3. distribution. (Click HERE for a primer.) So who is asking the other thousands of public and private companies that comprise the entire electric grid? Well, that would be up to an unorganized gaggle of federal, state and local agencies and Commissions that make up the Rube Goldberg patchwork of electric grid regulation in the U.S. There is no central or even coordinated effort to protect the electric grid.
Is this flaccid effort by NERC an outlier? Unfortunately no. And it shouldn’t be a surprise. Consider the following:
First, some in Congress have known for years that “the Russians are already in the grid.” Yet the electric utility industry and the government have continually failed and refused to protected the grid from supply chain cyber threats. Here is Senator Angus King (I-Maine) in February of 2019 grilling the regulators on another known (and similar) cyber threat. And yet, here we are in December of 2020 finding that the Russians are still residing comfortably in the grid.
Second, I filed a complaint with the Federal Energy Regulatory Commission (FERC), the federal agency that oversees the electric grid on May 11, 2020 about this exact issue – supply chain cybersecurity. On October 2, 2020 FERC dismissed the complaint. (173 FERC ¶ 61,010). A month and a half later, the SolarWinds hack came to light and the regulators – NERC and FERC – were apparently caught flat-footed.
Third, New Hampshire think-tank Foundation for Resilient Societies has been blowing the whistle on the lack of supply chain cybersecurity for years. In 2017, Resilient Societies petitioned FERC to require malware detection, mitigation and removal. (i.e., exactly what just happened with SolarWinds hack.) On December 28, 2017, FERC declined to require malware detection, mitigation and removal. After all, the electric utility industry argued vehemently against it.
And here we are three years later with Russian malware installed in our critical infrastructures. Obviously, something is not working.
Thwarted Critical Infrastructure Attacks
On December 21, 2020 news reports began to surface from a leaked search warrant, that a neo-Nazi group was plotting a coordinated physical attack against electric grid transformers in order to cause a large scale blackout. This is very concerning considering that the electric grid is physically attacked frequently. Often, the perpetrators are never found. Besides this neo-Nazi group, terrorists, criminals and state actors could target the critical infrastructures for a physical attack.
Historically, we have seen spectacular and sophisticated physical attacks against the electric grid such as:
- 2013 The Metcalf Sniper Attack. No arrests have ever been made in one of the most alarming physical attacks against the electric grid. The attack on the PG&E Metcalf substation raised Congressional concern which leads to the Commission directing the North American Electric Reliability Corporation (NERC) to develop a physical security standard. Unfortunately, the standard is fraught with loopholes and covers very few facilities. (More info HERE.)
- 2013 The Arkansas grid attacks.In a period of a few weeks, attacks occurred against a two transmission lines and a substation. The perpetrator was eventually arrested but the attacks demonstrate the extreme vulnerability of transmission lines and substations to physical attack. (More info HERE.)
- 2014 The Nogales IED attack.An improvised explosive device (IED) was used in an attempt to blow up a 50,000-gallon diesel fuel tank at a critical transformer substation. The bomb failed to ignite the fuel, but called into larger question the physical security of the grid. (More info HERE.)
- 2014 The Hydro-Québec attack by airplane.While the details of the attack are under court seal, the attacker used an airplane to short out two major transmission lines, cutting off power to over 180,000 customers. This incident demonstrated the vulnerability of the grid to an attack by air. (More info HERE.)
There have been a total of 706 reported physical attacks against the electric grid since 2010. The physical security standards – which were written by the electric utility industry – are weak and do not cover the majority of the facilities. There is no requirement that companies in the electric grid consider the impacts of coordinated attacks.
On January 20, 2020 I filed a complaint with the Federal Energy Regulatory Commission (FERC) about this exact issue – inadequate physical security of the electric grid. I was joined by security experts, elected and appointed public officials as well as a former CIA Director. All believed that the grid physical security requirements needed to be improved.
However, the electric utility industry vehemently opposed strengthening the grid physical security standard. FERC, of course, drank the industry’s Kool-Aid and dismissed the complaint on June 9, 2020.
But the most recent plot from this unsophisticated neo-Nazi group demonstrates that a physical attack on the electric grid is squarely on the agenda of terrorists.
And the threat of a resulting outage is real.
Early in the morning on Christmas day 2020, a vehicle-borne improvised explosive device (IED) went off in front of 166 Second Avenue North, Nashville, TN. This is the address of an AT&T facility which appears to be the target. The damaged caused a loss of cell service and internet service in Tennessee and Kentucky. More disturbingly, AT&T has contracts with the U.S. government for critical national security and homeland security functions. This was not just an attack on AT&T – it was an attack on our critical communications infrastructure.
As we have observed with our critical transformers, the security of this critical facility was lacking. In this case, the inadequacy of the physical security is proven by the fact that somebody parked a bomb next to it, detonated it and caused wide-scale communications outage. The physical security of this facility was clearly not adequate.
The same is true of our critical electric grid transformers.
What are the Critical Infrastructures?
Presidential Policy Directive 21 (PPD-21) “Critical Infrastructure Security and Resilience” (February 12, 2013) identifies 16 critical infrastructure sectors vital to the national security of the United States. these 16 critical infrastructure sectors are:
- Chemical Sector
- Commercial Facilities Sector
- Communications Sector
- Critical Manufacturing Sector
- Dams Sector
- Defense Industrial Base Sector
- Emergency Services Sector
- Energy Sector
- Financial Services Sector
- Food and Agriculture Sector
- Government Facilities Sector
- Healthcare and Public Health
- Information Technology Sector
- Nuclear Reactors, Materials, and Waste Sector
- Transportation Systems Sector
- Water and Wastewater Systems Sector
PPD-21 identifies the energy sector as uniquely critical due to the enabling functions it provides across all 16 critical infrastructure sectors. The bulk power system is the lynchpin: All 16 critical infrastructures – including the rest of the energy sector – depend on the bulk power system. Therefore, any threat to the bulk power system is a threat to U.S. national security.
Also, you may notice that the vast majority of the critical infrastructure sectors are comprised largely of private sector entities. Perhaps some industries do better than others, but the electric utility industry has fought efforts to strengthen supply-chain cyber security and physical security. In fact, this year they have spent over $107 million dollars in lobbying and political contributions to avoid regulation. (It’s sure hard for a Congressman to vote against the “advice” of an industry that is generously donating tens of thousand of dollars to them).
Every person in the United States is dependent on thousand of companies voluntarily doing the right thing. This is not working.
How the Electric Utility Industry (and FERC) Avoids Accountability for Their Failures
The electric utility industry has devised a cover-up to avoid accountability for its security failures. Put simply, they have devised a system to keep the names of companies who violate critical infrastructure protection standards away from the public and Congress. The federal government (FERC) has allowed this to go on for a decade despite the mounting evidence of the industry’s (and FERC’s) failure to protect the critical electric infrastructure. And the cover-up continues despite the protects of citizens, Congress, Public Utility Commissions and security experts. (Details HERE.) I have filed a lawsuit against the federal government to end this cover-up and bring some modicum of accountability to the system.
Fixing this broken regulatory system and preventing critical infrastructure attacks must start with strong standards and accountability. Presently, we have neither.