Last week a Bloomberg article covered the Biden Administration's plan for a 100-day sprint to secure the power grid. I'll comment on the three focus areas the article lays out, and more broadly on 100-day efforts.
Monitoring The Grid And Sending Data To The USG
the Biden administration’s so-called “action plan” will incentivize power utilities to install sophisticated new monitoring equipment to more quickly detect hackers, and to share that information widely with the U.S. government.
This is the most aggressive of the three areas discussed in the article. The history of voluntary public / private partnerships in ICS is riddled with failures. In most cases the private utilities do not see the benefit of providing information to the government. In theory this would lead to information and services flowing back from the government, but that has not been realized in most cases. Many, if not most, utilities need to see the benefits before sharing anything that carries a risk of disclosure. That disclosure concern only grows with statements such as "to share that information widely with the US government".
Even if the government is able to get utilities to deploy the monitoring equipment and send the data to the government, there remains the monumental challenge of analyzing that data and pulling actionable intelligence out of it, as EINSTEIN has demonstrated. My gut feeling is that private industry, your Dragos or FireEye, is well ahead of the government in being able to do this for ICS, both in terms of systems and talent.
Even if the US government's capabilities exceed my estimate, bringing in monitored data from five to ten of the largest utilities is a significant expansion. One approach would be to limit what is sent to the government and keep the bulk of the data locally for investigations, but that would not be the approach that maximizes the government's monitoring capability.
This focus area could theoretically make a difference, if the utilities could be persuaded to cooperate and if DHS could demonstrate capabilities that have not been evident before. This isn't something that can be accomplished in 100 days. What could happen in a 100-day timeframe is announcing the program along with some utilities publicly agreeing to play along.
Identify Critical Sites
It will ask utilities to identify critical sites which, if attacked, could have an outsized impact across the grid.
For over a decade, DHS has periodically highlighted the need to identify critical sites in power and other sectors. And my response is: don't you already have that? Wouldn't it be a huge failure if this didn't exist? It has been done. It does exist.
Perhaps asking the power utilities to contribute to this is new, although they already go through a criticality assessment as part of NERC CIP. Maybe the 100-day sprint will be to update an existing prioritized critical site list, which should be done periodically anyway. This sprint should be simple to complete in 100 days.
Identifying Security Flaws
it will expand a partially classified Energy Department program to identify flaws in grid components that could be exploited by the country’s cyber-adversaries
Much like "Identify Critical Sites", the Department of Energy has been doing this activity for almost 20 years now. From 2003 to 2010 DoE had an active program at INL where they brought in the control systems most important to the power grid and assessed them. Perhaps the biggest payoff from this work was its contribution to Stuxnet and other offensive operations #reckless_speculation.
Identifying flaws in grid components is almost worthless until there is a commitment to adding authentication to the controllers and PLCs, and a push to replace or upgrade these insecure-by-design devices at the critical sites. One area that might be worthwhile is software that could affect many sites, such as ICCP protocol stacks, or the software and devices that would connect power utilities to a centralized collection system in the US Government.
100 Days
There is not much that can be done in 100 days except raising attention and kicking off initiatives. While the bulk power sector is the most critical, since it undergirds all of the other sectors, it is also the sector that has had an active, consistent, regulated security effort the longest. It has also received the most attention.
A 100-day sprint on the water sector and critical manufacturing might have better results, because some of these entities do not even have ICS Security 101 in place. My advice is to create a simple, 10-question checklist and see where these, and perhaps other, sectors stand, using the government's sector-specific agencies to collect the data. Have the entities fill out the checklist and get an executive management signature on the response. This would give the government metrics to track and also put executive management on notice of where they stand compared to their peers and to what the government recommends.
Once this is done, the government could follow up by addressing one item every quarter with awareness and guidance. Metrics could be tracked annually, and if there is a lack of progress the specter of regulation would loom.