The Root Causes podcast explores the important issues behind today’s world of PKI, online trust, and digital certificates. In this episode hosts Jason Soroko (CTO of IoT, Sectigo) and Tim Callan (Senior Fellow, Sectigo) continue their earlier discussion of energy grids and cyber vulnerability, including disturbing trends in state-sponsored attacks against energy grids.
(Lightly edited for flow and brevity, this podcast originally appeared June 18, 2019.)
Tim: We just recently spoke about the Texas energy grid and new legislation. At the time, we felt like we were covering a recent news item. We didn’t realize that so much of this news was still in front of us. Therefore, we decided we had to return to this topic because there has been a whole lot going on with energy grids and protection.
Jason: What we talked about in that last podcast, just as a reminder to everybody, was two state bills that the state of Texas was in the process of passing. Both of those bills together looked like they were just trying to say “Hey, let’s get our act together and become better experts in information sharing around cyber security in the grid.” And there was some wording that looked to me like they were trying to put together a pot of money to help pay for that. As you know, Tim, the electrical generation industry is very low margin and they typically need a bit of help whenever it comes to raising some cash for extra projects like that.
Tim: Right, and it seemed like the two of those things were supposed to go together. For reasons that probably make sense, though they’re subtle to me, it was better to break it into those two bills than have them as one. But they both passed at the same time and they seemed to really be intended to hold hands and work on the problem as a pair of bills.
The other thing we talked about with the Texas legislation is, is this really showing the way for the nation? Because Texas is very forward thinking when it comes to energy policy. They’re one of the leading states in that space, and where Texas goes in the world of energy, often others follow.
Jason: That’s absolutely the case, and I remember living in Texas and if I’m not mistaken, they’re connected to the entire North American grid but they essentially have their own electrical generation grid. Just like the Province of Quebec in Canada, it’s fairly independent in terms of how they operate. I think the juicy tidbit out of the Texas news though, Tim, just to remind everybody, was a rumor, and that rumor was that some western state had lost visibility to its control systems with regards to electrical generation and that’s what was prompting this, which perhaps suggested that Texas was that victim and that Texas was trying to get its act together to move on to have a better security posture.
Tim: Yeah, what was obscurely described as an incident. Because incidents occur all the time. They had some kind of incident and then of course this made us wonder how does that incident connect to the security legislation and all the rest?
One of the things that we’ve seen happening subsequently, and this is June 12, is that now the U.S. House Appropriations Committee in particular is focused on initiatives that involve protecting the electric grid, and they will allocate $150 million to try to focus on this issue.
Jason: Yeah, that was June 10th when it passed committee, and apparently, it’s thirty million dollars higher than the 2019 levels of spending. So, something is prompting this. I’d be shocked if it wasn’t associated with the Texas situation. But, there is more news on this overall.
Tim: Yes, so that’s just the beginning of it. Part of this whole bubbling mess of things all happening at the same time we have some news about the TRISIS Group.
Jason: Dragos, who do a lot of reporting on these incidents, had reported on the Saudi Arabia petrochemical industry and the Triton malware that was found within it. It was very, very scary because it was built by people who really understood those industrial control systems well. In the latest report it looks like a lot of energy companies have been scanned. We’ll get into what that means later, but this roaming around for information and sniffing around of networking systems is being attributed to the same group who was responsible for that malware attack on the Saudi Arabian petrochemical industry. Or at the very least it was a group who has the same kinds of capabilities.
This is awfully scary. You don’t hear too much about the pokings and proddings of the North American grid cyber systems, but this is one of the first times where it is in the news, and it’s in the news in a bad way. Bad people are sticking their nose into those systems. It’s not a shock, but it’s happening.
Tim: I remember a headline on this same topic back from a few months ago. Another vulnerability was being attributed to TRISIS, once again in the energy sector. And so part of what’s interesting here is there’s a strong theme, a series of attacks that are focused on energy and utilities.
Jason: What a lot of the previous attacks looked like, Tim, to me, they look like dry runs. It looks like the bad guys are practicing.
Think about what happened in the Ukraine. The entire Crimean Peninsula power went out, and that was attributed to the Russian government playing games with the Ukraine. And because it’s the Ukraine, I hate to say it, but a lot of people in the West kind of just ignore it. Therefore it was a safe place for Russia to test its capabilities for turning out the lights.
They were successful, and now we’re hearing about these scans of North American systems. But I think Tim, it goes both ways.
There was a New York Times article, June 15th, David Sanger, Nicole Perlroth, describing the fact that there’s news getting out about U.S. cyber offensive capabilities being embedded in Russia. I’ll stop short of saying exactly what those capabilities are, you can read the article, but it looks like a bit of a tit for tat, especially when this news article came up literally 24 hours after the Dragos response to the TRISIS group.
Tim: Gosh what a constellation of occurrences. We’ve got credible evidence of U.S. energy and grid being attacked at the exact same time as we have credible evidence of a response to that, an equal response in terms of setting up the ability to hit back at others using the exact same methods, using their energy grid.
And then in the light of all of this, all of a sudden, what happens in South America?
Jason: I think the news release was on June 16. Maybe 24 hours, 48 hours, 72 hours after all of what we just heard about, the grid in South America goes down. In fact, Argentina and Uruguay are still struggling to bring back power. We’re not saying that this is a cyber-attack. It could have been, who knows, maybe a bird in a wire. It could be anything. We definitely don’t have any news that this is cyber.
But the coincidence of it happening literally within hours is really too difficult to ignore.
Tim: You gotta wonder, at a bare minimum. I’m certain that people are asking that question, as they should be.
Jason: There’s so little of what we would call cyber security within those operational systems for the electrical system. And it’s not because the people who run those substations and generation stations don’t know what they’re doing. These are tremendous people who know exactly what they’re doing for uptime and reliability. I’m sitting in a room right now where the lights are on, Tim, and it’s because those people do a really great job.
Tim: Same here.
Jason: Security is hard, and there’s only a few of us in the world who really dive into it as hard as we do.
Tim: Jay, in a way, don’t these people have a kind of a unique and difficult cyber security mandate, for a few reasons?
First, there’s this large physical attack surface that is part and parcel of what they need to defend.
Second, they need to split their attention. Not only are they thinking about cyber security, but ultimately, they’re thinking about other flavors of security, things like car bombs.
Third, these systems have a deep, deep legacy. They’re working with infrastructure with roots that go back a hundred years. Your enterprise IT department has nothing that’s been around for anything close to that.
So all three of these things give them a more difficult and a highly unusual set of security challenges.
Jason: I remember as a child visiting one of the local hydro stations back where I live in Canada. One of the things that the engineering manager was very proud to tell us was that the big Westinghouse generating machines were personally signed off by Nikola Tesla himself back in the day. These things were built to last, Tim, and it really is a testament to the level of engineering that goes into electrical systems.
Tim: With all of this going on what are the things that you think we need to be keeping our eyes on? And keeping our radar up for in the weeks to come?
Jason: Well I’m going to go buy a generator, for one. But, number two, I think in the weeks to come, to me it sounds like an interesting tit for tat in the media, which is “Yeah, I’ve got you by the neck, and you’ve got me by the neck. So, this is kind of like mutually assured destruction of the power grid.”
One of the reasons we probably have not seen more electrical grids go down is simply because the parties at play realize this is a high stakes game. Once you start turning out people’s lights and people start getting hurt, that’s grounds for bad, bad things.
Turning out the lights in Crimea, meh, you know, the West couldn’t care less about Crimea. Europe just gets scared by it and they don’t really talk about it too much. They’re tired of war themselves.
So, all the groundwork has been laid. All the dry runs that probably need to have happened, have happened. Maybe even South America is just another dry run or it’s another way of saying “Hey, the North American grid, we can turn that out. Watch this: Here goes South America.” I don’t know; that’s speculation at this point.
I think it would be realistic to assume that you know the East and the West both have the capability of turning out each other’s lights. That’s a scary prospect, but I believe it’s the truth.
Tim: One of the things that we shouldn’t lose sight of is that in the world of cyber security, these things have this tendency to get away from us. I always wind up referencing Stuxnet, but that’s what Stuxnet was. It was supposed to be controlled, and it became uncontrolled. Or another example: just in Root Causes Episode 22 we talked about the EternalBlue cyber weapon, which once again was intended to be controlled, and then it became uncontrolled. So once people start deploying these mechanisms and putting their malware on these networks, you never know when these things will fire their payloads even if they’re not supposed to.
Jason: I’ll always remember something Charlie Miller said at a Black Hat talk when he was first talking about the Jeep/Chrysler attack. He was standing next to Chris Valasek, who was working with him, and he said the hardest part of that attack was to keep it contained to just the one vehicle that they were showing to the journalist.
It would have been a heck of a lot easier to just pwn all the cars on the road that were vulnerable. And a very large chunk of his work had to do with containing it. So it’s exactly what you just said, Tim.
Tim: So, that’s another thing to worry about. Once people lace the world with their little landmines you’ve got to worry about those landmines going off. First of all, because someone decides to press the button. But, second of all, those landmines deciding to go off on their own. And we’ve seen that happen.
Then the other thing I think about is, you know there will be moments where one group might feel that they have more to gain than to lose if everybody has a blackout on this particular day. For example, the first Tuesday in November next year will be a very high stakes day for whether or not the electricity is running in the United States.
Jason: If you want to interfere with an election, turning out all the lights might be a way of doing it.
Tim: Turning out all the lights would do that, and so my head starts to go in that direction as well. Hopefully there is nothing there, but that is certainly something that occurs to me.
Jason: The news is coming fast, and some of it is speculation, so we’re going to be keeping a close eye on it, Tim.
Tim: You bet we will.