Michael Mabee

Author of The Civil Defense Book

Menu
  • Home
  • Library
    • Grid Security Library
      • Government Documents on Grid Security
      • State Level Grid Security Efforts
      • Grid Protection Posts
      • Video (EMP and Grid Security)
      • What is the Electric Grid and How is it Regulated?
    • Civil Defense Library
      • Civil Defense Posts
      • Video (Preparedness)
      • Civil Defense Checklists
    • CIP Violation Database
  • Fund The Fight!
  • Take Action!
  • About Me
    • About Michael
    • My Book
    • Michael in the Press
    • Subscribe to Mike’s Blog
    • Interviews
    • My Friends
    • Contact Me
Menu
Electric Grid Cyber Security

The Fight for Electric Grid Cyber Security

Posted on March 3, 2018March 4, 2018 by Michael Mabee
Share the knowledge...Tweet about this on Twitter
Twitter
Share on Facebook
Facebook
Share on LinkedIn
Linkedin
Pin on Pinterest
Pinterest
Share on Reddit
Reddit
Email this to someone
email
Print this page
Print

 

 

“Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.” – Justice Louis D. Brandeis

Recently I wrote about our campaign to fight for electric grid cyber security. The battle played out last week before an obscure federal agency that most people have never heard of – the Federal Energy Regulatory Commission (FERC). Because, as Justice Brandeis pointed out, there is nothing better than the light of day to hold the government accountable, this fight needs to be made public.

Petition for electric grid cyber security

electric grid cyber securityUnder a law called the Administrative Procedure Act (APA), “each agency shall give an interested person the right to petition for the issuance, amendment, or repeal of a rule.” This means that the public can file a petition with an agency to add, delete or change a regulation. This is how the Foundation for Resilient Societies picked this fight on January 13, 2017. In a petition for rulemaking to FERC, Resilient Societies forced the federal government to finally face the fact that electric grid cyber security is lacking.

But just who is the Foundation for Resilient Societies? They are a non-profit organization “engaged in scientific research and education with the goal of protecting technologically-advanced societies from infrequently occurring natural and man-made disasters.” In other words, they are trying to protect us from catastrophic disasters such as a loss of the electric grid from a cyber attack, geomagnetic disturbance (GMD), electromagnetic pulse (EMP) and other threats.

Resilient Societies has been active in petitioning the government to make regulations to protect the electric grid and nuclear power plants from catastrophic events for years. It is clear that for over two decades, the federal government has known about the existential threats to United States posed by the vulnerability of our critical infrastructures – including the lack of electric grid cyber security, and the government has failed to act. The Foundation for Resilient Societies is one of the members of the Secure The Grid Coalition working to hold the government accountable to protect us.

So, with their petition for rulemaking last year, Resilient Societies forced FERC (the government) to consider instituting stronger electric grid cyber security regulations. But this wasn’t going to happen without a fight. You see, as I explained in a previous article, the electric grid regulates itself. The federal government can’t easily tell the industry what to do. There is a mind-numbingly complex process involved.

The electric industry says that protecting your family’s lives is “unduly burdensome” and “unnecessary”

Not surprisingly, the industry, through it’s proxy the North American Electric Reliability Corporation (NERC), fought the effort for better electric grid cyber security. After all, the thousands of companies that comprise the electric grid are trying to make a profit. All of this regulation about cyber security and EMP and GMD are just a nuisance when you are worried about the bottom line. The industry attempted to harpoon the effort to increase electric grid cyber security by arguing to FERC that such rules are “unduly burdensome” and “unnecessary.”

Remember that people: The electric industry says that protecting your family’s lives is “unduly burdensome” and “unnecessary.”

The other side of the story is that lives are at stake. Millions of lives. In fact, on March 28, 2017 the Senate Committee on Homeland Security and Governmental Affairs reported this about the critical infrastructure:

“The United States depends on its critical infrastructure, particularly the electric power grid, as all critical infrastructure sectors are to some degree dependent on electricity to operate. A successful nuclear electromagnetic pulse (EMP) attack against the United States could cause the death of approximately 90 percent of the American population. Similarly, a geomagnetic disturbance (GMD) could have equally devastating effects on the power grid.” (Page 6.)

The threats to the electric grid are real. They are proven. They exist. Protecting America should not be “unduly burdensome” and “unnecessary.”

Is the regulator asleep at the switch?

Incredibly, FERC let the industry plow them over and issued an order on December 28, 2017 denying part of the petition for rulemaking. Specifically,

FERC Grid Cyber Security“The Foundation for Resilient Societies filed a petition asking the Commission to require additional measures for malware detection, mitigation, removal and reporting. We decline to propose additional Reliability Standard measures at this time for malware detection, mitigation and removal, based on the scope of existing Reliability Standards, Commission directed improvements already being developed and other ongoing efforts.”

What does that even mean?

What it means, is that the industry (through NERC) bullied FERC – or woke them up just long enough to have them sign this order. The industry told FERC that malware detection, mitigation and removal would be “unduly burdensome” and “unnecessary.”

Okay. Here is what we know.

  • On November 20, 2014, Admiral Michael Rogers, Commander, U.S. Cyber Command and Director, National Security Agency testified before the U.S. House Select Intelligence Committee that “foreign cyber actors are probing America’s critical infrastructure networks and in some cases have gained access to those control systems.”
  • On December 2, 2014, cyber security vendor Cylance published its “Operation Cleaver” report, demonstrating that Iran-based hackers had compromised at least one U.S. electric generation company.
  • On December 23, 2015, a cyberattack struck the Ukrainian grid causing 225,000 customers to lose power, using malware called “Black Energy.”
  • On December 17 and 18 2016 the Ukaranian power grid was again attacked, causing another blackout. This time with malware called “Crash Override.”
  • In December of 2016, the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) publicly reported on a Russian developed malware tool, called “BlackEnergy.” BlackEnergy was previously identified by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the Department of Homeland Security (DHS) as being present in America’s energy sector.
  • “Crash Override” and “Black Energy” – the malware that took down the Ukrainian electric grid are a threat to the U.S. electric grid.

Recap: Malware is known to have taken down the electric grid in the Ukraine. Malware has been shown to be present in the U.S. critical infrastructures and hackers have gained access to the U.S. electric grid. Check.

Amazingly and disturbingly, FERC bought the industry’s argument that detecting malware on the electric grid would be “unduly burdensome” and “unnecessary.” So FERC “declined to propose” that the industry do anything about malware!

Did the U.S. government (FERC) really just say that protecting your family’s lives is “unduly burdensome” and “unnecessary”? Is the regulator asleep at the switch – or just too chummy with the regulated? Hmmm.

The fight for electric grid cyber security continues

electric Grid Cyber SecurityThe Secure The Grid Coalition and the Foundation for Resilient Societies are continuing the fight and we are taking the fight to the streets. Although FERC declined to do anything about malware, they did agree with one aspect of the petition:

“However, we propose to direct broader reporting requirements. Currently, incidents must be reported only if they have ‘‘compromised or disrupted one or more reliability tasks,’’ and we propose to require reporting of certain incidents even before they have caused such harm or if they did not themselves cause any harm.”

This reporting issue is almost too ridiculous to believe.

“The grid” reported only 3 cyber related incidents in 2014 and none (zero) in 2015 and 2016. Meanwhile, on April 14, 2016, the U.S. House of Representatives held a hearing and the Committee noted that:

“The DHS reports that the energy sector is the target of more than 40 percent of all reported cyberattacks. In 2014, the National Security Agency (NSA) reported that the agency had tracked intrusions into industrial control systems by entities with the technical capability ‘to take down control systems that operate U.S. power grids, water systems and other critical infrastructure’.” (Page vii. Internal citations omitted.)

Obviously there is a huge disconnect. The DHS and the NSA say that 40% of all cyber attacks are directed at the energy sector and the grid has been penetrated by entities that could take down the critical infrastructure.

But “the grid” reports few or no cyber related incidents during the same periods.

Electric Grid Cyber Security Comments
[Click to enlarge chart]
We do not trust NERC and the electric power industry with the safety and security of your family, our communities and America. We believe that your family’s safety and security is NOT “unduly burdensome” and “unnecessary.”

So we did something about it. Many members of the coalition submitted comments to FERC in the rulemaking process urging FERC to order NERC to improve electric grid cyber security reporting standards.

Not surprisingly, the usual suspects from the industry replied that this would all be “unduly burdensome” and “unnecessary.”

In order to bring this fight to the streets, we are publishing all the comments on this electric grid cyber security issue  below. (Be patient – it is a large PDF file). In the chart to the right, you can see in green are the comments in favor of better cyber security reporting standards. The comments in red are against better cyber security reporting standards. Many of the green comments are from members of the Secure The Grid Coalition.

Look for yourself. Decide for yourself. Is your family’s safety and security is “unduly burdensome” and “unnecessary”?

If you believe that the electric grid needs to be protected, write to your state or federal legislator. Send them a copy of this article. Tell them that the first job of the government is the protection of it’s citizens. They need to protect us by protecting the critical infrastructures.


FERC Docket RM18-2-000 and AD17-9-000 comments:

Click Here for Comments to FERC on Electric Grid Cyber Security.

The PDF file is 240 pages – be patient. Once the PDF opens in a separate window, click on the bookmarks icon (circled in red below) to navigate.

Electric Grid Cyber Security

 

Fun facts:

  • The word “burden” appears 56 times in these 240 pages.
  • The phrase “unduly burden” appears 6 times in these 240 pages.
  • Best (bureaucratically ridiculous) use of the word “unnecessary: “Such process adds significant additional administrative burden for all involved entities, which is inefficient and unnecessary…” (Page 83.)

 

Share the knowledge...Tweet about this on Twitter
Twitter
Share on Facebook
Facebook
Share on LinkedIn
Linkedin
Pin on Pinterest
Pinterest
Share on Reddit
Reddit
Email this to someone
email
Print this page
Print

News

  • COVERUP UPDATE: CIP Violation Database and FOIAs
  • Multiple States to FERC: “The public has a right to know”
  • Lawsuit filed to end electric grid coverup
  • Frank Gaffney interviews Michael Mabee on the electric grid
  • Money Talks, Grid Security Walks
  • The cavalry is not coming
  • The Role of Transparency in Preventing Regulatory Failures
  • FERC White Paper: We Need YOU In This Fight!
  • Kat McGhee: New Hampshire Rep. Steps Up On Grid Security
  • Tommy Waller Breaks Down Grid Security – And What You Can Do!
  • Duke Redux – A Repeat Cybersecurity Violator Exposed!
  • Duke Energy Notice of Penalty Docket Shut Down!
  • EDTF Discredits False EPRI EMP Report
  • CIP Coverup: The Proverbial Cat is Out of the Bag
  • Prepper Chicks After Dark – Annie and Mike on the electric grid!
  • Electric Disturbance Events: What is the public allowed to know?
  • Jonathan Hollerman – EMP Attack Against Venezuela’s Grid?
  • Cybersecurity Hearing: The Grid is a Primary Target
  • FOIA with DHS Reveals Congressional Frustration on EMP / GMD
  • Free Aquaponics Book
  • State-Sponsored Cyber War: What You Need to Know
  • Electric Grid Cybersecurity: A Victory for the Secure the Grid Coalition
  • Pinehurst Texas: What Resilience Looks Like
  • Civil Defense Radio: Mike and Preston on EEI and China
  • FEMA’s Response To My Letter: A Blow Off
  • Is Edison Electric Institute Helping China Lobby For Less Grid Security?
  • Civil Defense Radio: Mike and Preston on Building a Culture of Preparedness
  • Annie Berdel and Michael Mabee Discuss the Grid
  • Regulatory Mutiny: The Grid Just Threatened FERC
  • EPRI EMP Study: Frank Gaffney and Michael Mabee Break It Down

Fund The Fight!


Subjects

Search Website

Subscribe for Updates!

Follow me on Twitter

Tweets by CivilDefenseBK

Click To Get Prepared!

The Civil Defense Book: Emergency Preparedness for a Rural or Suburban Community
The Civil Defense Book Get it now!

Subscribe for updates

Follow Me On Facebook

The Civil Defense Book

10 hours ago

The Civil Defense Book

U.S. grounds Saudi pilots, halts military training after base shooting

apple.news/ABfr4XHYwScyzEtpoBUyIjw
...

Over 300 Saudi military aviation students grounded in U.S. after base shooting — Reuters

apple.news

The Pentagon announced on Tuesday it was halting operational training of all Saudi Arabian military personnel in the United States until further notice after a Saudi Air Force lieutenant shot and killed three people last week at a base in Florida.
View on Facebook
·Share

Share on FacebookShare on TwitterShare on Linked InShare by Email

The Civil Defense Book

21 hours ago

The Civil Defense Book

Afghanistan war metrics were manipulated to highlight battlefield success, according to bombshell WaPo report

www.militarytimes.com/flashpoints/2019/12/09/afghanistan-war-metrics-were-manipulated-to-highligh...
...

Afghanistan war metrics were manipulated to highlight battlefield success, according to bombshell WaPo report

www.militarytimes.com

Sopko told the Washington Post that the documents it obtained showed “the American people have constantly been lied to” about the state and progress of the conflict.
View on Facebook
·Share

Share on FacebookShare on TwitterShare on Linked InShare by Email

Fund The fight!


©2019 Michael Mabee | Theme by SuperbThemes