Small Companies, Russia, and Energy

I talk a lot about security in the procurement and contracting processes. I think using capitalism as a means of achieving an outcome is a better model than regulation. Read previous posts to get up to speed on those thoughts.

The abstraction of that idea is that suppliers are a risk, and exercising control over those suppliers — using the power of the purse in the preceding example — is one key to moving the cybersecurity needle. This post addresses the application of that idea in the local energy sector (our PUDs and dams, mainly).

If you follow the Daily New Blast, it’s become obvious through a proliferation of stories that small product and service providers, which have some degree of trusted electronic access to their customers, are the entry point for infiltration of the true targets. Click here for a good summary of the issue.

Think about the energy grid. There are small suppliers of energy (“generation,” in the parlance of the sector) all over the place. We have dams. In Weatherford, Okla., wind turbines stand as far as you can see. Each of these contributes a tiny fraction of energy to the grid, but they do supply the grid. Again, small suppliers are a big target for disruption. NERC and DHS are working with these organizations, but there’s another exposure that’s under the federal regulatory radar that, for now, can only be addressed through that market force.

There are small businesses that frack, drill, fabricate, weld, and perform a host of other services for the companies that extract, transport and refine a lot of the raw fossil fuels used for generation and export. This Bloomberg article talks about a cyber-attack against an oil pipeline in 2008 that resulted in an explosion, which preceded Russia’s action in the country of Georgia.

So it seems to me that with oil below $60/barrel and continuing to fall, and with Russia hurting from sanctions over Ukraine and now its only real export being devalued, there is a strategic reason for Putin to consider an action that spikes energy prices. What’s the soft target — the one most likely to facilitate an action that doesn’t leave fingerprints? It’s a driller, welder, or fabrication service with access to those pipelines. They don’t invest in logical controls, and they certainly don’t log the events that would facilitate forensic recovery of the root cause. It will look like incompetence by a small company, but energy prices will still head north with alacrity.

So until big companies start requiring small company suppliers to meet cybersecurity standards, and while geopolitics are so tied to fossil fuels, some real volatility is to be expected as we march into the new world of bytes as a weapon.