Communication avalanche: What utilities need to think about before a nation-state cyberattack happens to them
Utilities are preparing for the technical side of a cyberattack generated by the Russia-Ukraine conflict. But there is another aspect to these attacks that can cause chaos if you’re not ready. We’ll explore that here.
Let’s say a power company gets attacked, causing an outage. A big one, in an important area of the country, and it affects the company’s entire footprint. What happens next?
In the US, there hasn’t been a successful attack on the power system. Other attacks have happened in other sectors, but most of those were ransomware and not direct acts from a foreign adversary during a time of conflict (war). This scenario would be unprecedented, and we don’t have a playbook for it.
After an attack, the utility is required by law to contact the E-ISAC (CIP-008), DHS CISA (also CIP-008) and the DOE (OE-417). The FBI has also requested an email. At the same time, operational processes within the utility interconnections will need to be invoked, which means contacting all the “neighbors” in the power grid to let them know why you caused a disturbance (outage). The Reliability Coordinator (grid oversight for their geographic area) will need to know. There are more notification points, such as the board, shareholder, and internal corporate communications that will also be necessary, but this gives you an idea of the array of utility-specific things that will need to happen. A communication avalanche follows as everyone tries to get updates throughout the duration of the event and even after.
At the same time, the media and various watchdog groups will be banging down the door to find out what’s going on. They probably won’t stop with the PIO (Public Information Officer). They’ll be looking for any cracks in the media wall to get any information they can by pestering the utility staff both physically and online. This isn’t a bad thing. Everyone in the country will be concerned, asking the same questions, and they are just trying to get answers. Transparent and regular communications have proven to have the greatest success in the past, but with this being a possible act of war, all bets are off in terms of what the utility will be able (allowed) to do/say, further complicating the media relationship.
And then there is the federal response.
Historically, the federal agencies have essentially said “we want to know about it, but as for defense and response, you’re on your own.” This has changed somewhat over time, with various cyber forces expanding their capabilities within the DOD, DHS CISA, NSA, FBI, and others. Increased attention from the POTUS through Executive Orders and the National Security Memorandum signals even more interest in the critical infrastructures and their cyber posture. It’s clear the federal entities want more visibility into critical infrastructure security, but what isn’t clear is what they will (or are able to) do if an event actually happens.
It’s likely that one or more of these federal agencies, departments, and bureaus will want (and possibly assert a legal or national security directive/mandate) to help the utility. Currently, for the private sector, there isn’t a “one federal entity in charge” for this kind of assistance. Each federal entity may state that their agency is the one in charge and act accordingly. These federal groups have talented people and a sound mission, but they may not have deep experience in your infrastructure, or they may be stretched thin due to the obvious situation. This assistance, especially if from multiple federal entities, has a high potential to add complication and confusion to the already exigent situation.
At this point, the utility will be pulled in all directions. They must respond to the defense/federal/state/regulatory requests, respond to the media requests, respond to their utility peers, and respond to the internal, board, and shareholder requests. All this while trying to get a nation-state level adversary out of their network and get the lights back on.
There are competing priorities in a situation of this magnitude. For the utility, their priority is getting operations running - safely and reliably - again. This may conflict with the perspectives of defense or intelligence agencies. Be prepared to make uncomfortable decisions here. Be prepared to go far outside of your risk register. Be prepared to go well beyond your budget.
This sounds like a frustrating and chaotic situation. And it will be, if we don’t look ahead and talk about these issues with an eye toward solutions. Read the notices from ISACs, federal entities, and trade organizations and have constructive conversations about how we can keep this chaos from happening.
Information sharing is far more difficult and complex than most understand. In my discussions with super smart industry and government people, the most common hope is that we get the federal entities to decide on how to interface with the critical infrastructure organization(s) through a single point of contact on the federal side. The critical infrastructure organizations have their part as well – and many are underprepared for a situation of this scale.
