Grid Cybersecurity: The Critical Infrastructures Are Under Attack

Click Here for PDF Copy

COMMENTS OF MICHAEL MABEE
Submitted to FERC on March 25, 2018

Michael Mabee respectfully submits comments on FERC Docket No. RM17-13-000, Supply Chain Risk Management Reliability Standards.

Background:

I am a private citizen with expertise on emergency preparedness, specifically on community preparedness for a long-term power outage. My career includes experience as an urban emergency medical technician and paramedic, a suburban police officer, and in the federal civil service. In the U.S. Army, I served in two wartime deployments to Iraq and two humanitarian missions to Guatemala. I retired from the U.S. Army Reserve in 2006 at the rank of Command Sergeant Major (CSM). I was decorated by both the U.S. Army and the federal government for my actions on 9/11/2001 at the World Trade Center in New York City. In sum, I have a great deal of experience – both overseas and in the U.S. – working in worlds where things went wrong.

I have studied the vulnerabilities of the U.S. electric grid to a variety of threats. My research lead me to write two books about how communities can prepare for and survive a long term power outage.[1] I continue to write extensively on emergency preparedness for blackout.

The United States Critical Infrastructures Are Under Attack

On March 15, 2018, The U.S. Department of Homeland Security, US-CERT released an alert entitled “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors.”[2] At the same time, it was widely reported in the press that the Trump Administration accused Russia of hacking into the U.S. electric grid.[3] A copy of US-CERT Alert TA18-074A is appended hereto as Exhibit 1 in order to place it in the docket record.

Significantly, DHS reported that: “Since at least March 2016, government cyber actors—hereafter referred to as ‘threat actors’—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”

Further, DHS reported that: “This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as ‘staging targets’ throughout this alert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the ‘intended target’.”

This was hardly news. On July 6, 2017 Bloomberg reported: “Hackers working for a foreign government recently breached at least a dozen U.S. power plants, including the Wolf Creek nuclear facility in Kansas, according to current and former U.S. officials, sparking concerns the attackers were searching for vulnerabilities in the electrical grid.”[4]

Also, On March 23, 2018, The U.S. Department of Justice reported that the Iranian Revolutionary Guard hacked numerous institutions including the Federal Energy Regulatory Commission (FERC).[5] The press release is attached as Exhibit 2 in order to place it in the docket record. This state-sponsored cyber incident was widely reported in the press.[6] According to the Washington Examiner article:

Justice Department lawyers pointed out during a press conference that the Federal Energy Regulatory Commission “has the details of some of this country’s most sensitive infrastructure,” said U.S. Attorney Geoffrey Berman. “That is the agency that regulates the interstate transmission of electricity, natural gas and oil.”

In a comment to Bloomberg, FERC Commissioner Neil Chatterjee noted on March 23, 2018 that: “cyberattacks have the potential to cause significant, widespread impacts on energy infrastructure. Sophisticated hacking tools are becoming more widely available, and cyber threats are constantly evolving, making such attacks more versatile.”[7]

The industry through its proxy, NERC, here again is attempting to take a minimalistic approach to grid cybersecurity because to do more would be “burdensome” to NERC’s constituents.

FERC’s Mandate to Act in the Public Interest

16 U.S.C. § 824o(d)(2)  provides that: “The Commission may approve, by rule or order, a proposed reliability standard or modification to a reliability standard if it determines that the standard is just, reasonable, not unduly discriminatory or preferential, and in the public interest.” [Emphasis added.]

Thus FERC is charged with serving the public interest. Not the interests of NERC and/or the electric utility industry.  The public interest demands that the federal government insure that the critical infrastructures are adequately protected against known threats. In this case, the cybersecurity of the U.S. bulk power system is not a matter of industry avoiding “burden”; it is a matter of paramount importance for the federal government.

In order to serve the public interest, FERC should not rubber-stamp NERC’s proposed rules, but exercise due diligence and carefully consider the public comments, particularly those from outside the regulated industry.

The Bulk Power System cannot be trusted to regulate itself on cybersecurity

Despite years of active attacks on the bulk power system (and its federal regulator) by state sponsored actors, the North American Electric Reliability Corporation (NERC) states that the proposed Reliability Standards should apply only to medium and high impact BES Cyber Systems – essentially making most systems “exempt” from the rules and leaving most of the discretion to apply the rules to the industry.

With apologies to Yogi Berra, “it’s déjà vu all over again.” As we saw from docket no. RM18-2-000 (Cyber Security Incident Reporting Reliability Standards), there is a “gap” between what the industry reports as a cybersecurity incident and what common sense would say is a cybersecurity incident. The evidence of the industry’s inability to regulate itself through “best practices” continues to mount.

For example, On May 30, 2016 cybersecurity expert Chris Vickery reported a massive data breach by Pacific Gas and Electric (PG&E).[8] According to Mr. Vickery:

“Among other things, it contained details for over 47,000 PG&E computers, virtual machines, servers, and other devices. All of it completely unprotected. No username or password required for viewing. We’re talking about IP addresses, operating systems, hostnames, locations, MAC addresses, and more. This would be a treasure trove for any hostile nation-state hacking group. That’s not to mention the 120 hashed employee passwords, or the plaintext NTLM, SOAP, and mail passwords.”

This breach sounds exceedingly bad. North Korea, Iran or Russia having access to PG&E’s systems is a national security concern. What would happen to neighboring parts of the bulk power system if PG&E was suddenly taken down by a cyberattack?

Then on February 28, 2018 NERC issued a “Notice of Penalty regarding Unidentified Registered Entity”[9] in which the NERC-anonymized entity apparently agreed to pay penalties of $2,700,000 for very serious cybersecurity violations. (FERC Docket No. NP18-7-000.) According to NERC, this data breech involved “30,000 asset records, including records associated with Critical Cyber Assets (CCAs). The records included information such as IP addresses and server host names.”

According to NERC

“These violations posed a serious or substantial risk to the reliability of the bulk power system (BPS). The CCAs associated with the data exposure include servers that store user data, systems that control access within URE’s control centers and substations, and a supervisory control and data acquisition (SCADA) system that stores critical CCA Information. The data was exposed publicly on the Internet for 70 days. The usernames of the database were also exposed, which included cryptographic information of those usernames and passwords.

Exposure of the username and cryptographic information could aid a malicious attacker in using this information to decode the passwords. This exposed information increases the risk of a malicious attacker gaining both physical and remote access to URE’s systems. A malicious attacker could use this information to breach the secure infrastructure and access the internal CCAs by jumping from host to host within the network. Once in the network, the attacker could attempt to login to CCAs, aided by the possession of username and password information.”

Notwithstanding NERC’s lack of transparency in hiding the identity of the “Unidentified Registered Entity,” such a cover-up is against the public interest and should not be allowed by FERC. The PG&E data breach in 2016 and NERC’s cover-up of the identity of the “Unidentified Registered Entity” — who by NERC’s own admission was involved in a dangerous data breach[10] — is ample proof that a watchful regulator is necessary to protect the bulk power system.

Millions of Americans placed at risk so the industry can avoid “administrative burden”

NERC argues in its petition that it would be “overly burdensome” to require protections to low impact BES Cyber Systems.[11] NERC is egged on by the industry through largely template comments, for example:

• “CHPD believes this requirement will place substantial additional administrative burden on entities with low impact assets.”[12]
• “PRPA believes this requirement will place substantial additional administrative burden on entities with low impact assets.”[13]
• “SRP believes this requirement will place substantial additional administrative burden on entities with low impact assets.”[14]
• “OUC believes this requirement will place substantial additional administrative burden on entities with low impact assets.”[15]
• “Santee Cooper believes this requirement will place substantial additional administrative burden on entities with low impact assets.”[16]
• “LCRA believes this requirement will place substantial additional administrative burden on entities with low impact assets.”[17]
• “XXX believes this requirement will place substantial additional administrative burden on entities with low impact assets.”[18] (Note: Apparently, Austin Energy did not carefully proofread the industry’s template response before submitting it.)

In fact, there are 172 instances of the word “burden” in industry comments on FERC Docket RM17-13-000. The industry may believe that cybersecurity is a burden, but it is FERC’s job to protect the public by protecting the nation’s critical infrastructure.

North Korea, Iran, Russia, China and perhaps others would appreciate the Commission concluding that cybersecurity protection of the bulk power system is too much of an “administrative burden.” These foreign powers might submit comments in support of NERC’s proposals if it were not for the already diligent efforts of the utility industry to avoid appropriate cybersecurity regulation.

Conclusion:

According to the NOPR, “[t]he NERC Compliance Registry, as of December 2017, identifies approximately 1,250 unique U.S. entities that are subject to mandatory compliance with Reliability Standards.”[19] This is a large number of targets that, if they fail to secure their systems, can provide access to the nation’s critical electric infrastructure.

I urge FERC to require NERC to apply cybersecurity standards to all BES cyber systems – including allegedly “low impact” systems. The industry must not have the discretion to determine which cyber systems are easy (and inexpensive) to protect and which are “burdensome” to protect.

FERC’s duty here is clear. The Commission must protect electric reliability and by doing so, protect life. The threats to the electric grid constitute a national security issue. This is not a matter of a benevolent government being friendly to businesses. This is a matter of national security and the very real threat to millions of Americans’ lives.

Respectfully submitted by:

Michael Mabee

End Notes:

[1] Mabee, Michael. The Civil Defense Book: Emergency Preparedness for a Rural or Suburban Community. ISBN-13: 978-1974320943, first edition published July 4, 2013, second edition published October 17, 2017.

[2] Alert (TA18-074A) https://www.us-cert.gov/ncas/alerts/TA18-074A (accessed March 15, 2018).

[3] See for example, Gizmodo: “FBI and DHS Warn That Russia Has Been Poking at Our Energy Grid.” https://apple.news/AHv5RwYqbSf-EI-yIa355Jw (accessed March 15, 2018); Washington Free Beacon: “Russia Implicated in Ongoing Hack on U.S. Grid.” https://apple.news/AGs6ieh6wSP-1tQkUFttREA (accessed March 15, 2018); Slate: “What Does It Mean to Hack an Electrical Grid?” https://apple.news/Au5gy7bTlTDSovpvzg5j79w (accessed March 15, 2018); BuzzFeed News: “The Trump Administration Is Accusing Russia Of Trying To Hack The US Power Grid.” https://apple.news/AP5elUw2CQWmAZXgQBXLFKA (accessed March 15, 2018).

[4] Bloomberg. “Russians Are Suspects in Nuclear Site Hackings, Sources Say.” July 6, 2017. https://www.bloomberg.com/news/articles/2017-07-07/russians-are-said-to-be-suspects-in-hacks-involving-nuclear-site (accessed March 17, 2018).

[5] U.S. Department of Justice. “Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps.” March 23, 2018. https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary (accessed March 23, 2018).

[6] Washington Examiner: “Iranian hackers targeted power grid watchdog, Justice Department says.” March 23, 2018. https://www.washingtonexaminer.com/policy/energy/iranian-hackers-targeted-power-grid-watchdog-justice-department-says (accessed March 23, 2018).

[7] Bloomberg. “Threat from Cyber Hackers is Growing, U.S. Grid Regulator Says” https://www.bloomberg.com/news/articles/2018-03-23/threat-from-cyber-hackers-is-growing-u-s-grid-regulator-says (accessed March 24, 2018).

[8] Vickery, Chris. “Pacific Gas and Electric Database Exposed.” https://mackeeper.com/blog/post/231-pacific-gas-and-electric-database-exposed (accessed March 23, 2018).

[9] NERC “Full Notice of Penalty regarding Unidentified Registered Entity FERC Docket No. NP18-_-000.”  February 28, 2018. http://www.nerc.com/pa/comp/CE/Enforcement%20Actions%20DL/Public_CIP_NOC-2569%20Full%20NOP.pdf (accessed march 23, 2018).

[10] FERC Docket No. NP18-7-000.

[11] Petition Of The North American Electric Reliability Corporation for Approval of Proposed Reliability Standards  CIP-013-1, CIP-005-6, and CIP-010-3 Addressing Supply Chain Cybersecurity Risk Management. September 26, 2017. Page 17.

[12] Id. At pg. 499.

[13] Id. At pg. 500.

[14] Id. At pg. 507.

[15] Id. At pg. 531.

[16] Id. At pg. 538.

[17] Id. At pg. 539.

[18] Id. At pg. 501.

[19] FERC NOPR Docket No. RM17-13-000 at pg. 28.

Exhibit 1 US-CERT Alert TA18-074A Russian Government Cyber Activity

Exhibit 2 US-DOJ Iranians Charged With Massive Cyber Theft