Episode 162: Have We Missed Electric Grid Cyber Attacks for Years? Also: Breaking Bad Security Habits

In this episode of the podcast (#162): according to the nonprofit that oversees it, the first disruptive hack of the U.S. grid happened in March of this year. Our guest, Joe Weiss, said it really happened more than a decade ago and that hundreds more like it have been overlooked or misclassified. Also: Rachael Stockton of the firm LastPass* joins us to talk about changing users' troublesome password behavior to make companies more secure.

If you believe the headlines, the first known disruptive cyber attack against the U.S. grid happened on March 5, 2019, when an unidentified actor attacked firewalls at an undisclosed utility that was part of the power grid in California, Utah and Wyoming. The incident caused “brief” outages of internet-facing firewalls that controlled communications between the control center and multiple remote generation sites and between equipment on these sites, according to a report (PDF) released by NERC, the North American Electric Reliability Corporation.

That incident made news in April after the utility reported it to the U.S. Department of Energy and was called “unprecedented.” “A cyberattack is not known to have ever disrupted the flow of electricity anywhere in the United States,” E&E News, an electricity industry publication, noted.

But what if the first successful attack on the grid didn’t happen in March 2019, but 15 years ago, in 2004? And what if hundreds of similar cyber incidents, both malicious and inadvertent, had occurred since the turn of the millennium, but were never labeled as such?

Joe Weiss is a managing partner at Applied Control Solutions.

Our next guest, Joe Weiss of Applied Control Solutions, has been making the case that cyber attacks on North America’s expansive grid are neither new nor rare. According to Weiss, there have been hundreds of cyber incidents (he counts more than 300) going back decades.

So how come we haven’t heard about them? Weiss argues that much of the problem is due to how cyber incidents are classified by NERC, which oversees users, owners, and operators of the North American bulk power system, which serves more than 334 million people. Despite ample evidence of malicious and inadvertent “cyber” incidents that cause power disruptions, NERC and FERC, the federal regulators that oversee it, have a “see no evil” mentality.

Weiss worries that the unwillingness to confront cyber risk is allowing grid operators to ignore mounting evidence that our electric grid is highly vulnerable to cyber attack and manipulation. In our first segment, we welcome Joe back to our podcast to talk about how and why cyber incidents affecting grid operation and reliability are being overlooked. 

Patching Flaws at Layer 8

Security pros like to joke about compromises at “Layer 8” – a reference to the seven-layer OSI model. It’s a nerdy and amusing way to talk about the “users,” the homo sapiens who are increasingly the targets of malicious actors.

But what is the role of users in ensuring the security of modern organizations? And can even the best trained users be counted on to not become victims?

Rachael Stockton is the Senior Director of Product Marketing at LogMeIn.

In part two of our podcast, Rachael Stockton of the firm LastPass and LogMeIn joins us to talk about one of the biggest challenges facing organizations: changing insecure behavior by users.

The accepted wisdom in the information security industry is that technology needs to be easy to use and transparent in order for it to be accepted. But does the job of security really come down to product designers? What role do users have in improving security, especially in an era that sees increasing reliance on social engineering as the first stage in damaging cyber attacks?

In our second segment of the podcast, we sat down with Rachael Stockton of LastPass, a LogMeIn brand, to talk about the difficult task of changing user behavior to improve cyber security. 

(*) Disclosure: This podcast was sponsored by LastPass, a LogMeIn brand. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.

As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.