President declares National Emergency for cyber threats to grid—time to take action

Author | David Drescher, CEO

On Friday, the President of the U.S. declared a national emergency as foreign adversaries threaten the electric grid with cyber attacks. The Presidential Executive Order on securing the bulk-power system essentially prohibits power producers and distributors from purchasing and deploying equipment made by companies under the control of foreign adversaries.

The Presidential Order goes on to say:

"...the bulk-power system is a target of those seeking to commit malicious acts against the United States and its people, including malicious cyber activities, because a successful attack on our bulk power system would present significant risks to our economy, human health and safety and would render the United States less capable of acting in defense of itself and its allies."

This comes at a time of allegations that COVID-19 began at a "foreign adversary's" state-run bio lab in Wuhan. The U.S. intelligence community and Department of Homeland Security also reported they believe China made an attempt to cover up the extent of the outbreak in January in an effort to hoard medical supplies and equipment from the rest of the world needed for response and recovery.

Fast forward to May and the U.S. economy essentially has been shut down the past two months, 30 million people lost their jobs, economists believe we entered the largest recession since the Great Depression, and leading epidemiologists warn this is just the third inning.

For the past six years, I have been the co-founder and CEO of a cybersecurity company, Mission Secure, focused on detecting and protecting critical assets from industrial control system cyber-attacks. We work with domestic and global energy companies, the U.S. military and a variety of industrial and maritime clients trying to prevent precisely the type of cyber-attack that requires the President of the United States to declare a national emergency and form a special committee made up of the Secretaries of Defense, Homeland Security, and Energy—these are not lightweights. Prior to Mission Secure, I was co-founder and CEO of a small, clean energy company that bought and automated small hydroelectric power plants. What I can say from my personal experiences looking at a variety of industrial operations—including power generation and distribution as well as the supply chain of oil and gas to run the plants—is that we are not prepared for a sophisticated cyber-attack that could have a long-lasting impact on the supply of power to the businesses, military, and citizens of the United States.

What makes the Presidential directive particularly interesting is the focus on preventing "equipment" from being sold and deployed in our grid. This move attempts to thwart what cyber experts call a "supply chain interdiction." This method of attack has been around for many years. In fact, the core researchers and co-founders at Mission Secure were studying these types of embedded attacks at the University of Virginia for the Pentagon nearly ten years ago with a focus on supply chain attacks embedded into GPS receivers. We have seen control system software installed at a client's location with malware that essentially "wakes up" on a certain date.

Many may recall the story from a few years ago about how a "foreign adversary" embedded a tiny microchip into motherboards in servers. The servers were part of sensitive equipment found in the military and more than 30 major companies. 

Unfortunately, the current state of cyber defense we often hear from companies is "we are air-gapped, and nothing can reach us from the outside," or "we have firewalls." Set aside the fact that industrial firewalls are rarely proactively monitored and managed, that many are end of life and unpatched, and the misconception of "air-gapped" networks that don't really exist (remember Stuxnet, a host of studies on bridging air gaps, and the work at Mission Secure that always reveals a way in). If the embedded cyber attack is in the equipment installed BEHIND the firewall or air gap, and virtually no defense mechanisms exist to (i) discover it or, worse, (ii) stop it, the consequences can be severe. What we generally find in industrial environments are flat networks built for high reliability and safety. They are not IT networks designed for cyber resiliency. In fact, they usually have little if any cybersecurity within the network. To be sure, the U.S. power sector has come a long way in the past few years by implementing improved cybersecurity standards and making efforts to comply with them. However, those standards as implemented today would not prevent a level 1 and level 0 attack that takes place at the equipment level and controls a critical process (i.e., opening protective relays, as Russia did in Ukraine in 2015, taking fifty-plus substations off the grid and shutting down power, with resulting issues that lasted for months).

The U.S. is simply unprepared for this type of cyber-attack. We were unprepared for COVID-19. As of today, 68,465 people have died from COVID-19 in the U.S., and counting, which is more than 20X the nearly 3,000 people who died in the attacks on September 11, 2001. If you add a prolonged, sustained power outage on top of the continuing COVID-19 attack, we can expect life in the United States, and the U.S. as we have known and cherished it for many years, to drastically change. In the first few days of COVID shut-ins, we flocked to the stores, waited in lines, and stuffed our pantries with as many beans and dry goods as we could find. Freezers were full; toilet paper, if you could find it, was stockpiled. Then we went home and waited to see if we would catch COVID-19. After a few weeks, we realized we were not going to starve to death, the grocery stores were fairly well stocked, the internet worked, we could all use ZOOM to collaborate, Amazon delivered, and in a few more weeks we would be back to normal.

Now imagine a second lockdown, but this time the power goes out. It stays out for several weeks, maybe months. Pipelines delivering critical gas as fuel for the plants are taken offline. Gas stations quickly run out of gas. Coal mines and railroads are also targeted. Grocery stores won't be re-stocked. Water will be scarce. Zoom won't work, as home internet requires power for those routers, and the cell towers only have about 48-72 hours of backup fuel. Amazon won't be shipping, and UPS won't be delivering. The government can only do so much to save us.

I write this article as someone who spent the past twenty years building and running companies to help protect and save lives, and as someone who has intimate knowledge of how vulnerable our systems, not just power, are to cyber-attacks. It is time for America and our friends and allies to wake up to this fact and begin taking proactive measures. The costs to understand the cyber risks and implement protective measures are vastly outweighed by the potential risks. If we can spend a few trillion dollars to prop the economy up for a few months, we can invest a little to protect our nation. If we don't do it for ourselves, we owe it to our children and grandchildren.

 

This article was originally posted on LinkedIn by David Drescher on May 4, 2020.