Category Archives: Energy

Is “Cash Strapped” The Right Analysis of American Critical Infrastructure?

If you’ve been a long-time reader of this blog you may recall seeing here before that in the early 2000s the US government left the security of critical infrastructure up to its market investors (mainly banks) to figure out.

It was like a “trickle-down” theory of investment bankers showering the littlest critical infrastructure projects with the kind of money they would need to make things safe — at a market-designated level.

I have done critical infrastructure security audits, as well as security strategy consulting, before and after this time. What one might imagine on the outside is very different from what I found on the inside. That is to say, I expect most people (even myself before I started going inside) expect management to be laser focused on safety of service delivery, and willing to invest even a little extra to protect people from harm (capacity and disaster planning).

Yet that hasn’t been my experience.

For example, on one engagement I had a bank ask if they should put their investments towards building adjacent bitcoin mining operations in power stations to shove “excess” power into assets they would sell off to an unregulated market.

On another engagement, as I was on my way to hack into the generation and distribution networks (they were weak), management stopped me and said “wait a minute, we care not much if those go down and people are without service, as that’s routine for us; instead please focus attacks on our trading systems and financial operations around billing and pricing” (they were weak too).

To be fair they were saying they could handle dangerous life-threatening accidents because that’s what they have been planning for all along… yet when I probed deeper it was more like they knew that those accidents wouldn’t have an effect on their P&L. Really.

And these were giant, even “bulk”, organizations, not the “small systems” that have less of a fighting chance to argue with banks that may make the final decisions on risk management models:

There are over 145,000 active public water systems in the United States (including territories). Of these, 97% are considered small systems under the Safe Drinking Water Act, meaning they serve 10,000 or fewer people.

Alas, from an economics standpoint it’s easy to say “poor” American banks do not have the money to spend on public utilities. Yet a wider macro view is probably that American investors with loads of cash to invest made a conscious market decision since at least 1998 (when I pwned thousands of infrastructure routers across five states using clear-text passwords) to not invest in service safety. They’re not cash strapped as much as they’re not regulated in a way that a whole history of relevant accidents and basic common sense would force a cash infusion into the areas we might expect.

Also sometimes I wonder things like why Microsoft’s billionaires even charged utilities to license software for water utilities in the first place… or why the utilities didn’t all shift to software that came without a license, avoiding built-in end-of-life (EOL) and support models wildly inconsistent with their operation plans.

Anyway, here’s the TL;DR on the most recent “news” in America that uses the headline of “cash strapped” Americans (who have been violating every basic principle of safe operations, even as laid out by the US government, for years):

  • All computers used by plant personnel had remote control
  • All computers connected to plant’s control system
  • All computers connected directly to Internet
  • Out of date OS (Win7 – EOL Jan 2020)
  • All users share the same password
  • No network protection (firewall)

Shocking. It doesn’t take much money to fix all of that, especially if you had done it a year ago.
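One way to turn that list into a repeatable check, as an added example that is not code from the original post or from any utility: the inventory, host names and `password_hash` field below are constructed, and the audit date is chosen to fall after the Windows 7 end of support.

```python
"""Audit plant workstations against the six findings listed above.

Added example, not code from the original post or any utility. The
inventory is constructed; each check encodes one of the bullets (remote
control, control-system and Internet connectivity, EOL OS, shared
password, no firewall) and the result is a list of findings per host.
"""
from collections import Counter
from datetime import date

# Vendor end-of-support dates; Windows 7 reached EOL on 14 Jan 2020.
OS_EOL = {"Windows 7": date(2020, 1, 14), "Windows 10": date(2025, 10, 14)}

# Constructed inventory. password_hash stands in for whatever credential
# identifier an inventory tool exports; equal values mean a shared password.
INVENTORY = [
    {"host": "hmi-ops-1", "os": "Windows 7", "remote_control": True,
     "control_network": True, "internet_direct": True, "firewall": False,
     "password_hash": "constructed-hash-A"},
    {"host": "hmi-ops-2", "os": "Windows 7", "remote_control": True,
     "control_network": True, "internet_direct": True, "firewall": False,
     "password_hash": "constructed-hash-A"},
    {"host": "eng-laptop", "os": "Windows 10", "remote_control": False,
     "control_network": True, "internet_direct": False, "firewall": True,
     "password_hash": "constructed-hash-B"},
]


def audit(inventory, today):
    """Return {host: [finding, ...]}; an empty list means the host passes."""
    hash_use = Counter(h["password_hash"] for h in inventory)
    report = {}
    for h in inventory:
        findings = []
        if h["remote_control"]:
            findings.append("remote-control software installed")
        if h["remote_control"] and h["control_network"]:
            findings.append("remote-control path into the control system")
        if h["internet_direct"]:
            findings.append("directly connected to the Internet (no segmentation)")
        eol = OS_EOL.get(h["os"])
        if eol is None:
            findings.append(f"unknown support lifecycle for {h['os']}")
        elif eol <= today:
            findings.append(f"{h['os']} out of support since {eol.isoformat()}")
        if hash_use[h["password_hash"]] > 1:
            findings.append("password shared with another account")
        if not h["firewall"]:
            findings.append("no host or network firewall")
        report[h["host"]] = findings
    return report


def run_audit():
    """Run the audit on the constructed inventory at a constructed date."""
    return audit(INVENTORY, date(2021, 2, 10))


if __name__ == "__main__":
    for host, findings in run_audit().items():
        print(host, "PASS" if not findings else f"{len(findings)} findings")
        for f in findings:
            print("  -", f)
```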

And here’s a post I wrote about many of the prior warnings: Was Stuxnet the First?

And here’s a post I wrote (in 2011!) about this exact issue: Chicken LittleStux is Falling

Let me now suggest a different narrative. “Cash strapped” is a phrase the US military uses in negotiation and planning despite having an enormous amount of money in its budget.

Cash-strapped US military to cut Persian Gulf fleet: USS Harry S Truman will not return to Middle East, leaving only one American carrier group near the strategic Strait of Hormuz

And now for something completely different, look at the hard lessons of 1991, when a missile downed an AC-130 gunship, and how the US military responded.

America decided not one more AC-130 would be lost to attack. And 30 years later it’s still true. Was it cash infusion? No.

All 14 airmen aboard were killed, but one Air Force general wrote that their sacrifice helped usher in a new era of the AC-130, one where new technology and tactics helped ensure that no gunship has been lost in combat since.

“We owe much to those who sacrificed everything aboard Spirit 03, not only because ‘they gave the last full measure of devotion’ for us, but also because they bequeathed to us, at a critical point in history, the decisive motivation to reinvent the AC-130 for a new challenge and a new century,” wrote now-retired Maj. Gen. Mark Hicks, a career gunship pilot, in the summer 2014 issue of Air Commando Journal.

The lesson from the US military success with the AC-130, however, was not an expensive reinvention of technology and newly dedicated staff as much as what Deming called statistical process control to improve existing practices — commitment to delivering quality and identifying exposure or risks earlier.

For what it’s worth, in the 1980s when “cash strapped” Ford hired Deming he improved safety and quality and changed management practices in those areas. They called it Total Quality Management, and the focus was on quality rather than on a lack of cash; he turned risk around so much that they soon outperformed GM and became the most profitable car company.

Had Ford stuck with Total Quality Management, it might have avoided many of the problems that have plagued it recently. Instead, as the years rolled by, the concept faded into the background at Ford as its champions retired and were replaced by executives who had other priorities. “U.S. automakers had so much confidence, they felt they had achieved quality and didn’t need to focus on it anymore”…

Perhaps read that insight as: Ford was no longer “cash strapped”, so its focus deteriorated and safety declined.

Cash infusions could have actually led to the wrong outcome. Again, it was focus on the wrong things that led to the AC-130 being shot down, and, like Deming’s work at Ford, maintaining focus on quality is what made a huge difference in safety. Spend as little as possible and no less.

Here’s the money quote from the story of how an AC-130 program now has run three decades without any attacker forcing one down.

…improved fire control and better sensors really helped, but it was a commitment to be tactically sound that really made the difference,” Hicks wrote. Walter expressed a similar view. “The fundamental lesson learned is to always expect to be fired upon when firing.”

They don’t say the fundamental lesson is a cash infusion (in fact they brush that away as “really helped, but”). They certainly spent some money and also had some accidents — but it was focus on quality that mattered most.

Although losing a brand new, low density-high demand asset like an AC-130J is bad news, this is what testing is for. Better have a permanently grounded plane than one laying on the ground burning in the enemy’s backyard.

And I wonder if we should apply the same lessons domestically. Stop making safety in critical infrastructure about cash moving hands and instead make it about being tactically sound. I don’t mean NERC’s Critical Infrastructure Protection (CIP) either, as some of you may remember it was a very cynical game by utilities to avoid NIST 800-53 and pretend they needed their own set of rules so they could ignore them.

We’ve known that what happened in a water system in 2021 is what we talked about in 2000, after a water system was compromised, as I said above in my links to blog posts from a decade ago. There have been many, many studies in between then and now.

However, unlike the US military resolve to care deeply about stopping losses, market-driven critical infrastructure seems to have long taken the opposite approach and pushed the question of how many more catastrophes are allowed before it really, really has to care.

I say don’t make it about cash, because it’s always been that way. Take a look at America’s healthcare system for reference. Anyone who says government run health care would be more inefficient is willfully ignoring that the United States pays more per capita on health costs than any advanced country, yet is the only one without universal health care. Cutting out health insurance companies whose sole goal is to manage “cash strapped” issues by pushing huge amounts of money around using a market-based solution could save billions and still improve safety.

In fact, you might say the inflationary cost of security has made safety even less likely to happen because it gives bankers an easy out by claiming the risks are worth not spending on controls. So the less cash-strapped, the less secure… could be a logical outcome.

Make it about quality, about tactical soundness, not about opening coffers or another form of congressional-military-industrial-complexity.


See also 2020: “What We’ve Learned from the December 1st Attack on an Israeli Water Reservoir?”

The reservoir’s HMI system was connected directly to the internet, without any security appliance defending it or limiting access to it. Furthermore, at the time of the publication, the system did not use any authentication method upon access. This gave the attackers easy access to the system and the ability to modify any value in the system, allowing them, for example, to tamper with the water pressure, change the temperature and more. All the adversaries needed was a connection to the world-wide-web, and a web browser.

The Future-Future of Aircraft Carriers

The impressively huge Aircraft Carrier was a decisive platform in past wars and still gets a lot of airtime (pun not intended).

…when word of a crisis breaks out in Washington, it’s no accident that the first question that comes to everyone’s lips is: ‘where’s the nearest carrier?’

However, I can’t help but think about it in terms of a commoditization line over history.

What I mean to say is that there is a line that goes from the 1960s drone war being conducted on a mainframe in a few high-security buildings, all the way to warfare today being done using mobile phones in everyone’s pocket.

Take the core concept of the “carrier”. In today’s commodity technology terms I believe you get an autonomous sea box of tiny drones ready to swarm.

Source: Louisiana-based shipbuilder Metal Shark, selected to develop and implement the Long Range Unmanned Surface Vessel (LRUSV) System for the United States Marine Corps

One of the lessons of the failed 1980 Operation Eagle Claw, for example, was that they came up one single aircraft short of a complete mission.

Imagine telling that story instead where the number of aircraft launched from sea is no hurdle at all — the opposite problem really, as you have a surplus of highly operational units.

The sea launch platform already was pioneered a while ago by submarines launching drones out of their missile tubes. And the Navy many years ago was manually launching swarms of 50 drones. Surely by now they’ve combined these two advances into tubes at sea having a magazine attached.

Now flatten the carrier to the waterline (e.g. into a Low Visibility Craft or LVC) to remove its target profile, and with a towline attach a submarine filled with sensors and tubes of hundreds or thousands of drones.

It would look like a fatter version of the 2016 Wave Glider submersible by Liquid Robotics.

Obviously this means surface vessels could easily reload by picking up another tow-line submersible, bringing resupply buoys (forward docking stations) into the picture on “long line” deployments.

Also I can’t help but mention this is very similar to what was being designed in the late 1800s and even demonstrated by Tesla himself, so we’re on a very late cycle of adoption (postponed by WWI emphasis on maintaining control over petroleum distribution).

The drones could launch undersea or on surface. Either way it’s a far more modern take on an old solution, for an even older problem in warfare.

Who Caused 2018 Power Outages in Russia?

In 2018 a very important and very large dry dock facility in Roslyakovo was in the news for a horrible tragedy.

There were about 60 people on the dock when it started to sink. Five of them did not manage to get to safety. One is reported dead and four injured, one in a serious condition.

This gave me a flashback to 1984, when Severomorsk, Russia hit the news for a horrible tragedy. A navy weapons depot caught fire and exploded, killing hundreds.

…the Central Intelligence Agency learned of the accident from travelers, then positioned satellites and electronic devices to assess the damage. Those sources said the death toll was estimated at between 200 and 300 people, many of them ordnance technicians sent into the fire caused by the explosion in a desperate but unsuccessful effort to defuse or disassemble the munitions before they exploded in a chain reaction over several hours. Officials at the State and Defense Departments, as well as diplomats and congressional officials all blamed the accident on Soviet “carelessness.”

There’s even a CIA file (with a copy of Jane’s Defense Weekly and details of a criminal trial for the Navy analyst who leaked the photos) for perspective:

…U.S. District Court Judge Joseph H. Young has already ruled that Morison’s motives were irrelevant, [Assistant U.S. Attorney] Schatzow voiced skepticism about the defense claims that Morison wanted to alert the American public through the medium of a British magazine where he was seeking a full-time job. “He didn’t send it to CBS,” Schatzow declared. “He didn’t send it to The Washington Post. He sent it to Jane’s.”

That Jane’s disclosure story from 1984 points out that an ammunition dump also exploded at the Bobruysk airfield (Belarus), that at the end of the prior year ammunition exploded at the Dolon (Kazakhstan) airfield, and that two more ammunition depots exploded after that… by June there was a huge explosion in Schwerin. So the CIA file in fact shows Murmansk was the fifth or sixth Soviet safety disaster in a row.

And that’s not to mention, or who can forget, the April 26, 1986 disaster at the Chernobyl nuclear power plant?

Way back in 1984 there would have been “travelers” to inform intelligence agents about a disaster. In 2018 terms there instead is monitoring of social media accounts to start the discussion about the tragic sinking of a massive dock.

And from that angle the 2018 news of disaster reads at first like it should get a footnote similar to the 1984 official commentary: Russia continues to be known for operations fraud, “carelessness” and decay.

Maybe there’s nothing more to this story than just people discussing a tragedy resulting from bad safety practices:

…the dry dock has itself had repeated problems with its aging technical equipment, including the electricity system…

Reports mentioned sub-par maintenance of a huge floating platform built by Sweden in 1980 and neglected since, with possible criminal charges for the private owners of the dock. Rosneft bought it in 2015 for its “oil operations”, which in terms of Russian oligarchical corruption means transfer of government funds to someone’s pockets by forcing major Navy repairs into private hands.

That makes the simplest explanation of the disaster very believable: the dock’s huge ballast tanks failed unsafe because of careless management, so when a power outage hit that floating dock it predictably filled up with water and sank.

The subsequent lawsuits probably say something like Rosneft cut safety corners to increase profits, as one expects from an unregulated/monopolized market — the only dock big enough for the Russian navy to do repairs on its fleet.

It’s an unbelievably unfortunate operations situation coupled with a design flaw someone must have known about for a long time, especially given a history of having unstable power sources in that region.

A very predictable disaster.

Yet such a vulnerability makes it too tempting not to float the idea that this was also fertile ground for someone hunting for easy cyber attack targets.

Again, the basic narrative since 1984 of Russian carelessness still makes sense. Yet early 2018 also saw a series of electricity “hacks” on America purported to originate from Russia.

For a little context from 2018, two years earlier the U.S. loudly warned that its “military hackers have penetrated Russia’s electric grid…for cyber attacks that could turn out the lights…”.

A month after these 2016 U.S. statements, the Russian city of Murmansk experienced a massive energy blackout. It was blamed on an intentional short circuit at the Kolenergo substation.

The acts were done near a city block in the street of Knipovich, Nikora said in an extraordinary meeting in the regional Staff of power security. It is not clear who was behind the acts, nor whether it is considered deliberate sabotage or the result of an accident.

That’s kind of important context, given how two years later rolling power outages hit the same region, sinking the largest dock in Russia and crippling their global navy operations. Even if not a cyber attack, you can’t say a fail-unsafe design makes any sense for the dock.

The most interesting run-up to the power outages in 2018 perhaps starts months earlier when the Wall Street Journal reported that Russia was trying to boast they had breached America’s power grid:

Hackers working for Russia claimed “hundreds of victims” last year in a giant and long-running campaign that put them inside the control rooms of U.S. electric utilities…

It was thus after aggressive hacking claims by Russia that it faced:

…several cases of power outage all over the [northwest] region, including in the cities of Severomorsk and Murmansk…

These power outage cases not only crippled Russia’s ability to manage its fleets by sinking their largest Naval dock, they also damaged Russia’s only aircraft carrier in the dock failure (Admiral Kuznetsov, which had been serving in Syria to infamously carry out air strikes, yet lost two aircraft during routine landings).

Again, it has to be emphasized Russia earned itself a reputation for carelessness and predictable self-inflicted disasters. There may have been no cyber attacks at all and disasters still could have happened from decay or “incredibly easy” physical attacks.

Just a year after the dock sank, that same one and only aircraft carrier caught fire during repairs, blamed on a short circuit.

The Admiral Kuznetsov, Russia’s only aircraft carrier, caught fire today during repairs in Murmansk. While officials of the shipyard said that no shipyard workers were injured, Russia’s TASS news service reports that at least 12 people (likely Kuznetsov sailors) were injured, some critically. In addition, three people, possibly including the third-rank captain in charge of the ship’s repairs, are unaccounted for.

The Kuznetsov has had a long string of bad luck, experiencing fires at sea, oil spills, and landing deck accidents…

It’s hard to prove a cyber attack hit a country causing a power outage when that country is so bad at operations, but that’s exactly the point. The Stuxnet attack targeted a facility that already was suffering under something like a 30% failure from rust and basic operations failures.

This is why timing of the 2018 power outages in Russia shortly after its boasts about hacking can make for interesting reading. Despite the lack of any real details or news from the cities in Russia affected, I’ll be surprised if historians don’t find out more here by poking around.

Perhaps US Admiral Stavridis put it best in October 2016 when he quoted a Russian proverb: “Probe with bayonets. When you hit mush, proceed.”