Grid Security Now!


Michael Mabee – Author of The Civil Defense Book


Critical Infrastructure Attacks Expose Regulatory Failures

Posted on December 27, 2020 (updated December 29, 2020) by Michael Mabee

Critical Infrastructure Attacks Expose Our Vulnerability – And Need For Change

Two recent successful critical infrastructure attacks and one thwarted attack call into question whether the “voluntary” protection of the critical infrastructure by private industry is working – and whether the U.S. Government is fulfilling its obligation to protect the American people.

It is a question we at the Secure The Grid Coalition (“STG”) have been asking for a long time.

In fact, STG has been actively working to protect the critical infrastructures and has found that our main “opposition” has been from the electric utility industry, aided and abetted (believe it or not) by the federal government. The “public-private partnership” fig leaf of infrastructure protection has fallen off, and now for all to see is a naked scam of a regulatory system. A clear failure of our government to protect us. More on that later.

Let’s quickly review three recent events.

SolarWinds Critical Infrastructure Attacks

In mid-December, we became aware of a major supply chain cybersecurity breach that impacted both the federal government and private sector companies, including companies in the energy industry. E&E News reported:

“It was not immediately clear how the global intrusion campaign could affect the operational technology that keeps the lights on and oil and gas facilities online. But experts said some critical infrastructure operators rely on Orion and had been hacked.”

This hack, believed to have originated from Russia, potentially impacted companies in the electric grid. Unfortunately, it appears that two weeks after the hack was publicly reported, the grid self-regulator still did not know what the impact was. According to this article, the North American Electric Reliability Corp. (NERC) did not even ask the companies it regulates until December 22, 2020. And this is just for the “bulk power system,” which is essentially the interstate transmission portion of the electric grid.

The electric grid consists of 1. generation; 2. transmission; and 3. distribution. (Click HERE for a primer.) So who is asking the other thousands of public and private companies that comprise the entire electric grid? Well, that would be up to an unorganized gaggle of federal, state and local agencies and Commissions that make up the Rube Goldberg patchwork of electric grid regulation in the U.S. There is no central or even coordinated effort to protect the electric grid.

Is this flaccid effort by NERC an outlier? Unfortunately no. And it shouldn’t be a surprise. Consider the following three events.

First, some in Congress have known for years that “the Russians are already in the grid.” Yet the electric utility industry and the government have continually failed and refused to protect the grid from supply chain cyber threats. Here is Senator Angus King (I-Maine) in February of 2019 grilling the regulators on another known (and similar) cyber threat.

And yet, here we are in December of 2020 finding that the Russians are still residing comfortably in the grid.

Second, I filed a complaint with the Federal Energy Regulatory Commission (FERC), the federal agency that oversees the electric grid, on May 11, 2020 about this exact issue – supply chain cybersecurity. On October 2, 2020 FERC dismissed the complaint (173 FERC ¶ 61,010). A month and a half later, the SolarWinds hack came to light and the regulators – NERC and FERC – were apparently caught flat-footed.

Third, New Hampshire think-tank Foundation for Resilient Societies has been blowing the whistle on the lack of supply chain cybersecurity for years. In 2017, Resilient Societies petitioned FERC to require malware detection, mitigation and removal (i.e., exactly what just happened with the SolarWinds hack). On December 28, 2017, FERC declined to require malware detection, mitigation and removal. After all, the electric utility industry argued vehemently against it.

And here we are three years later with Russian malware installed in our critical infrastructures. Obviously, something is not working.

Thwarted Neo-Nazi Critical Infrastructure Attacks

On December 21, 2020, news reports drawn from a leaked search warrant began to surface, saying that a neo-Nazi group was plotting a coordinated physical attack against electric grid transformers in order to cause a large-scale blackout. This is very concerning considering that the electric grid is physically attacked frequently. Often, the perpetrators are never found. Besides this neo-Nazi group, terrorists, criminals and state actors could target the critical infrastructures for a physical attack.

Historically, we have seen spectacular and sophisticated physical attacks against the electric grid, such as:

  • 2013 The Metcalf Sniper Attack. No arrests have ever been made in one of the most alarming physical attacks against the electric grid. The attack on the PG&E Metcalf substation raised Congressional concern, which led to the Commission directing the North American Electric Reliability Corporation (NERC) to develop a physical security standard. Unfortunately, the standard is fraught with loopholes and covers very few facilities. (More info HERE.)
  • 2013 The Arkansas grid attacks. In a period of a few weeks, attacks occurred against two transmission lines and a substation. The perpetrator was eventually arrested, but the attacks demonstrate the extreme vulnerability of transmission lines and substations to physical attack. (More info HERE.)
  • 2014 The Nogales IED attack. An improvised explosive device (IED) was used in an attempt to blow up a 50,000-gallon diesel fuel tank at a critical transformer substation. The bomb failed to ignite the fuel, but called into larger question the physical security of the grid. (More info HERE.)
  • 2014 The Hydro-Québec attack by airplane. While the details of the attack are under court seal, the attacker used an airplane to short out two major transmission lines, cutting off power to over 180,000 customers. This incident demonstrated the vulnerability of the grid to an attack by air. (More info HERE.)

There have been a total of 706 reported physical attacks against the electric grid since 2010. The physical security standards – which were written by the electric utility industry – are weak and do not cover the majority of the facilities. There is no requirement that companies in the electric grid consider the impacts of coordinated attacks.

On January 20, 2020 I filed a complaint with the Federal Energy Regulatory Commission (FERC) about this exact issue – inadequate physical security of the electric grid. I was joined by security experts, elected and appointed public officials as well as a former CIA Director. All believed that the grid physical security requirements needed to be improved.

However, the electric utility industry vehemently opposed strengthening the grid physical security standard. FERC, of course, drank the industry’s Kool-Aid and dismissed the complaint on June 9, 2020.

But as we can see from this latest thwarted attack by an unsophisticated neo-Nazi group, a physical attack on the electric grid is on the agenda of terrorists.

And the threat of a resulting outage is real.

Nashville AT&T Critical Infrastructure Bombing

[Photo: AT&T building before the 12/25/2020 bombing.]

Early in the morning on Christmas day this year, a vehicle-borne improvised explosive device (IED) went off in front of 166 Second Avenue North, Nashville, TN. This is the address of an AT&T facility which appears to be the target. The damage caused a loss of cell service and internet service in Tennessee and Kentucky. More disturbingly, AT&T has contracts with the U.S. government for critical national security and homeland security functions. This was not just an attack on AT&T – it was an attack on our critical communications infrastructure.

As we have observed with our critical transformers, the security of this critical facility was lacking. In this case, the inadequacy of the physical security is proven by the fact that somebody parked a bomb next to it, detonated it and caused a wide-scale communications outage. The physical security of this facility was clearly not adequate.

The same is true of our critical electric grid transformers.

What are the Critical Infrastructures?

Presidential Policy Directive 21 (PPD-21) “Critical Infrastructure Security and Resilience” (February 12, 2013) identifies 16 critical infrastructure sectors vital to the national security of the United States. These 16 critical infrastructure sectors are:

  1. Chemical Sector
  2. Commercial Facilities Sector
  3. Communications Sector
  4. Critical Manufacturing Sector
  5. Dams Sector
  6. Defense Industrial Base Sector
  7. Emergency Services Sector
  8. Energy Sector
  9. Financial Services Sector
  10. Food and Agriculture Sector
  11. Government Facilities Sector
  12. Healthcare and Public Health
  13. Information Technology Sector
  14. Nuclear Reactors, Materials, and Waste Sector
  15. Transportation Systems Sector
  16. Water and Wastewater Systems Sector

PPD-21 identifies the energy sector as uniquely critical due to the enabling functions it provides across all 16 critical infrastructure sectors. The bulk power system is the lynchpin: All 16 critical infrastructures – including the rest of the energy sector – depend on the bulk power system. Therefore, any threat to the bulk power system is a threat to U.S. national security.

Also, you may notice that the vast majority of the critical infrastructure sectors are comprised largely of private sector entities. Perhaps some industries do better than others, but the electric utility industry has fought efforts to strengthen supply-chain cyber security and physical security. In fact, this year they have spent over $107 million in lobbying and political contributions to avoid regulation. (It’s sure hard for a Congressman to vote against the “advice” of an industry that is generously donating tens of thousands of dollars to them.)

Every person in the United States is dependent on thousands of companies voluntarily doing the right thing. This is not working.

How the Electric Utility Industry (and FERC) Avoids Accountability for Their Failures.

The electric utility industry has devised a cover-up to avoid accountability for its security failures. Put simply, they have devised a system to keep the names of companies who violate critical infrastructure protection standards away from the public and Congress. The federal government (FERC) has allowed this to go on for a decade despite the mounting evidence of the industry’s (and FERC’s) failure to protect the critical electric infrastructure. And the cover-up continues despite the protests of citizens, Congress, Public Utility Commissions and security experts. (Details HERE.) I have filed a lawsuit against the federal government to end this cover-up and bring some modicum of accountability to the system.

Fixing this broken regulatory system and preventing critical infrastructure attacks must start with strong standards and accountability. Presently, we have neither.

 

[Top photo credit – Nashville Police Department]




 
