Category Archives: Energy

Is “Cash Strapped” The Right Analysis of American Critical Infrastructure?

If you’ve been a long-time reader of this blog you may recall seeing here before that in the early-2000s the US government left security of critical infrastructure up to the market investors in infrastructure (mainly banks) to figure out.

It was like a “trickle-down” theory of investment bankers showering the littlest critical infrastructure projects with the kind of money they would need to make things safe — at a market-designated level.

I have done critical infrastructure security audits, as well as security strategy consulting, before and after this time. What one might imagine on the outside is very different from what I found on the inside. That is to say, I think most people (even myself before I started going inside) expect management to be laser focused on safety of service delivery, and willing to invest even a little extra to protect people from harm (capacity and disaster planning).

Yet that hasn’t been my experience.

For example on one engagement I had a bank ask if they should put their investments towards building adjacent bitcoin mining operations in power stations to shove “excess” power into assets they would sell off to an unregulated market.

On another engagement, as I was on my way to hack into the generation and distribution networks (they were weak), management stopped me and said “wait a minute, we care not much if those go down and people are without service, as that’s routine for us; instead please focus attacks on our trading systems and financial operations around billing and pricing” (they were weak too).

To be fair they were saying they could handle dangerous life-threatening accidents because that’s what they have been planning for all along… yet when I probed deeper it was more like they knew that those accidents wouldn’t have an effect on their P&L. Really.

And these were giant, even “bulk”, organizations, not “small systems” that have less of a fighting chance to argue with banks that may make final decisions on risk management models:

There are over 145,000 active public water systems in the United States (including territories). Of these, 97% are considered small systems under the Safe Drinking Water Act, meaning they serve 10,000 or fewer people.

Alas, from an economics standpoint it’s easy to say “poor” American banks do not have the money to spend on public utilities. Yet a wider macro view is probably that American investors with loads of cash to invest made it a conscious market decision since at least 1998 (when I pwned 1,000s of infrastructure routers across five states using clear-text passwords) to not invest in service safety. They’re not cash strapped as much as they’re not regulated in a way that a whole history of relevant accidents and basic common sense would force a cash infusion into the areas we might expect.

Also sometimes I wonder things like why Microsoft’s billionaires even charged utilities to license software for water utilities in the first place… or why the utilities didn’t all shift to software that came without a license, avoiding built-in end-of-life (EOL) and support models wildly inconsistent with their operation plans.

Anyway, here’s the TL;DR on the most recent “news” in America that uses the headline of “cash strapped” Americans (who have been violating basically every basic principle of safe operations even as laid out by the US government for years):

  • All computers used by plant personnel had remote control
  • All computers connected to plant’s control system
  • All computers connected directly to Internet
  • Out of date OS (Win7 – EOL Jan 2020)
  • All users share the same password
  • No network protection (firewall)

Shocking. It doesn’t take much money to fix all of that, especially if you had done it a year ago.

And here’s a post I wrote about many of the prior warnings: Was Stuxnet the First?

And here’s a post I wrote (in 2011!) about this exact issue: Chicken LittleStux is Falling

Let me now suggest a different narrative. “Cash strapped” is a negotiation and planning phrase that the military uses despite having an enormous amount of money in its budget.

Cash-strapped US military to cut Persian Gulf fleet: USS Harry S Truman will not return to Middle East, leaving only one American carrier group near the strategic Strait of Hormuz

And now for something completely different, look at the hard lessons of 1991 when a missile downed an AC-130 gunship and how the US military responded.

America decided not one more AC-130 would be lost to attack. And 30 years later it’s still true. Was it cash infusion? No.

All 14 airmen aboard were killed, but one Air Force general wrote that their sacrifice helped usher in a new era of the AC-130, one where new technology and tactics helped ensure that no gunship has been lost in combat since.

“We owe much to those who sacrificed everything aboard Spirit 03, not only because ‘they gave the last full measure of devotion’ for us, but also because they bequeathed to us, at a critical point in history, the decisive motivation to reinvent the AC-130 for a new challenge and a new century,” wrote now-retired Maj. Gen. Mark Hicks, a career gunship pilot, in the summer 2014 issue of Air Commando Journal.

The lesson from the US military success with the AC-130, however, was not an expensive reinvention of technology and newly dedicated staff as much as what Deming called the statistical control process to improve existing practices — commitment to delivering quality and identifying exposure or risks earlier.

For what it’s worth, in the 1980s when “cash strapped” Ford hired Deming he improved safety and quality, and changed management practices in those areas. They called it Total Quality Management and focused on lack of cash; he turned risk around so much they soon outperformed GM and became the most profitable car company.

Had Ford stuck with Total Quality Management, it might have avoided many of the problems that have plagued it recently. Instead, as the years rolled by, the concept faded into the background at Ford as its champions retired and were replaced by executives who had other priorities. “U.S. automakers had so much confidence, they felt they had achieved quality and didn’t need to focus on it anymore”…

Perhaps read that insight as Ford no longer was “cash strapped” so their focus deteriorated and safety declined.

Cash infusions could have actually led to the wrong outcome. Again, it was focus on the wrong things that led to the AC-130 being shot down, and like Deming’s work at Ford maintaining focus on quality is what made a huge difference in safety. Spend as little as possible and no less.

Here’s the money quote from the story of how an AC-130 program now has run three decades without any attacker forcing one down.

“…improved fire control and better sensors really helped, but it was a commitment to be tactically sound that really made the difference,” Hicks wrote. Walter expressed a similar view. “The fundamental lesson learned is to always expect to be fired upon when firing.”

They don’t say the fundamental lesson is a cash infusion (in fact they brush that away as “really helped, but”). They certainly spent some money and also had some accidents — but it was focus on quality that mattered most.

Although losing a brand new, low density-high demand asset like an AC-130J is bad news, this is what testing is for. Better have a permanently grounded plane than one laying on the ground burning in the enemy’s backyard.

And I wonder if we should apply the same lessons domestically. Stop making safety in critical infrastructure about cash moving hands and instead make it about being tactically sound. I don’t mean NERC’s Critical Infrastructure Protection (CIP) either, as some of you may remember it was a very cynical game by utilities to avoid NIST 800-53 and pretend they needed their own set of rules so they could ignore them.

We’ve known that what happened in a water system in 2021 is what we talked about in 2000 after a water system was compromised, as I said above in my links to blog posts from a decade ago. There have been many, many studies in between then and now.

However, unlike the US military resolve to care deeply about stop loss, the market-driven critical infrastructure seems to have long taken the opposite approach and pushes the question of how many more catastrophes are allowed before they really, really have to care.

I say don’t make it about cash, because it’s always been that way. Take a look at America’s healthcare system for reference. Anyone who says government run health care would be more inefficient is willfully ignoring that the United States pays more per capita on health costs than any advanced country, yet is the only one without universal health care. Cutting out health insurance companies whose sole goal is to manage “cash strapped” issues by pushing huge amounts of money around using a market-based solution could save billions and still improve safety.

In fact, you might say the inflationary cost of security has made safety even less likely to happen because it gives bankers an easy out by claiming the risks are worth not spending on controls. So the less cash-strapped the less secure… could be a logical outcome.

Make it about quality, about tactical soundness, not about opening coffers or another form of congressional-military-industrial-complexity.


See also 2020: “What We’ve Learned from the December 1st Attack on an Israeli Water Reservoir?”

The reservoir’s HMI system was connected directly to the internet, without any security appliance defending it or limiting access to it. Furthermore, at the time of the publication, the system did not use any authentication method upon access. This gave the attackers easy access to the system and the ability to modify any value in the system, allowing them, for example, to tamper with the water pressure, change the temperature and more. All the adversaries needed was a connection to the world-wide-web, and a web browser.

The Future-Future of Aircraft Carriers

The impressively huge Aircraft Carrier was a decisive platform in past wars and still gets a lot of airtime (pun not intended).

…when word of a crisis breaks out in Washington, it’s no accident that the first question that comes to everyone’s lips is: ‘where’s the nearest carrier?’

However, I can’t help but think about it in terms of a commoditization line over history.

What I mean to say is that there is a line that goes from the 1960s drone war being conducted on a mainframe in a few high-security buildings, all the way to warfare today being done using mobile phones in everyone’s pocket.

Take the core concept of the “carrier”. In today’s commodity technology terms I believe you get an autonomous sea box of tiny drones ready to swarm.

Source: Louisiana-based shipbuilder Metal Shark, selected to develop and implement the Long Range Unmanned Surface Vessel (LRUSV) System for the United States Marine Corps

One of the lessons of the 1980 failed operation Eagle Claw, for example, was they came up one single aircraft short of a complete mission.

Imagine telling that story instead where the numbers of aircraft launched from sea are no hurdle at all — opposite problem really, as you have a surplus of highly operational units.

The sea launch platform already was pioneered a while ago by submarines launching drones out of their missile tubes. And the Navy many years ago was manually launching swarms of 50 drones. Surely by now they’ve combined these two advances into tubes at sea having a magazine attached.

Now flatten the carrier to waterline (e.g. into a Low Visibility Craft or LVC) to remove its target profile, and with a towline attach a submarine filled with sensors and tubes of hundreds or thousands of drones.

It would look like a fatter version of the 2016 Wave Glider submersible by Liquid Robotics.

Obviously this means surface vessels could easily reload by picking up another tow-line submersible, bringing resupply buoys (forward docking stations) into the picture on “long line” deployments.

Also I can’t help but mention this is very similar to what was being designed in the late 1800s and even demonstrated by Tesla himself, so we’re on a very late cycle of adoption (postponed by WWI emphasis on maintaining control over petroleum distribution).

The drones could launch undersea or on surface. Either way it’s a far more modern take on an old solution, for an even older problem in warfare.

Who Caused 2018 Power Outages in Russia?

In 2018 a very important and very large dry dock facility in Roslyakovo was in the news for a horrible tragedy.

There were about 60 people on the dock when it started to sink. Five of them did not manage to get in safety. One is reported dead and four injured, one with a serious condition.

This gave me a flash back to 1984 when Severomorsk, Russia hit the news for a horrible tragedy. A navy weapons depot caught fire and exploded, killing hundreds.

…the Central Intelligence Agency learned of the accident from travelers, then positioned satellites and electronic devices to assess the damage. Those sources said the death toll was estimated at between 200 and 300 people, many of them ordnance technicians sent into the fire caused by the explosion in a desperate but unsuccessful effort to defuse or disassemble the munitions before they exploded in a chain reaction over several hours. Officials at the State and Defense Departments, as well as diplomats and congressional officials all blamed the accident on Soviet “carelessness.”

There’s even a CIA file (with a copy of Jane’s Defense Weekly and details of a criminal trial for the Navy analyst who leaked the photos) for perspective:

…U.S. District Court Judge Joseph H. Young has already ruled that Morison’s motives were irrelevant, [Assistant U.S. Attorney] Schatzow voiced skepticism about the defense claims that Morison wanted to alert the American public through the medium of a British magazine where he was seeking a full-time job. “He didn’t send it to CBS,” Schatzow declared. “He didn’t send it to The Washington Post. He sent it to Jane’s.”

That Jane’s disclosure story from 1984 points out an ammunition dump also exploded in the Bobruysk airfield (Belarus), and at the end of the prior year ammunition exploded in the Dolon (Kazakhstan) airfield and two more ammunition depots exploded after that… by June there was a huge explosion in Schwerin. So the CIA file in fact shows Murmansk was the fifth or sixth Soviet safety disaster in a row.

And that’s not to mention, or who can forget, the April 26, 1986 disaster at the Chernobyl nuclear power plant?

Way back in 1984 there would have been “travelers” to inform intelligence agents about a disaster. In 2018 terms there instead is monitoring of social media accounts to start the discussion about the tragic sinking of a massive dock.

And from that angle the 2018 news of disaster reads at first like it should get a footnote similar to the 1984 official commentary: Russia continues to be known for operations fraud, “carelessness” and decay.

Maybe there’s nothing more to this story than just people discussing a tragedy resulting from bad safety practices:

…the dry dock has itself had repeated problems with its aging technical equipment, including the electricity system…

Reports mentioned sub-par maintenance of a huge floating platform built by Sweden in 1980, neglected since, with possible criminal charges for the private owners of the dock. Rosneft bought it in 2015 for its “oil operations”, which in terms of Russian oligarchical corruption means transfer of government funds to someone’s pockets by forcing major Navy repairs into private hands.

That makes the most simple explanation of disaster very believable: when a power outage hit the dock’s huge ballast tanks they failed-unsafe because of careless management. When a power outage hit that floating dock it predictably filled up with water and sank.

The subsequent lawsuits probably say something like Rosneft cut safety corners to increase profits, as one expects from an unregulated/monopolized market — the only dock big enough for the Russian navy to do repairs on its fleet.

It’s an unbelievably unfortunate operations situation coupled with a design flaw someone must have known about for a long time, especially given a history of having unstable power sources in that region.

A very predictable disaster.

Yet such a vulnerability makes it too tempting to not float the idea that this also was fertile ground for someone hunting for easy cyber attack targets.

Again, the basic narrative since 1984 of Russian carelessness still makes sense. Yet early 2018 also saw a series of electricity “hacks” on America purported to originate from Russia.

For a little context from 2018, two years earlier the U.S. loudly warned that its “military hackers have penetrated Russia’s electric grid…for cyber attacks that could turn out the lights…”.

A month after these 2016 U.S. statements, the Russian city of Murmansk experienced a massive energy blackout. It was blamed on an intentional short circuit at the Kolenergo substation.

The acts were done near a city block in the street of Knipovich, Nikora said in an extraordinary meeting in the regional Staff of power security. It is not clear who was behind the acts, nor whether it is considered as deliberate sabotage or result of an accident.

That’s kind of important context, given how two years later rolling power outages hit the same region, sinking the largest dock in Russia and crippling their global navy operations. Even if not a cyber attack, you can’t say a fail-unsafe design makes any sense for the dock.

The most interesting run-up to the power outages in 2018 perhaps starts months earlier when the Wall Street Journal reported that Russia was trying to boast they had breached America’s power grid:

Hackers working for Russia claimed “hundreds of victims” last year in a giant and long-running campaign that put them inside the control rooms of U.S. electric utilities…

It was thus after aggressive hacking claims by Russia that it faced:

…several cases of power outage all over the [northwest] region, including in the cities of Severomorsk and Murmansk…

These power outage cases not only crippled Russia’s ability to manage its fleets by sinking their largest Naval dock, they also damaged Russia’s only aircraft carrier in the dock failure (Admiral Kuznetsov, which had been serving in Syria to infamously carry out air strikes yet losing two aircraft during routine landings).

Again, it has to be emphasized Russia earned itself a reputation for carelessness and predictable self-inflicted disasters. There may have been no cyber attacks at all and disasters still could have happened from decay or “incredibly easy” physical attacks.

Just a year after the dock sank, that same one and only aircraft carrier caught fire during repairs, blamed on a short circuit.

The Admiral Kuznetsov, Russia’s only aircraft carrier, caught fire today during repairs in Murmansk. While officials of the shipyard said that no shipyard workers were injured, Russia’s TASS news service reports that at least 12 people (likely Kuznetsov sailors) were injured, some critically. In addition, three people, possibly including the third-rank captain in charge of the ship’s repairs, are unaccounted for.

The Kuznetsov has had a long string of bad luck, experiencing fires at sea, oil spills, and landing deck accidents…

It’s hard to prove a cyber attack hit a country causing a power outage when that country is so bad at operations, but that’s exactly the point. The Stuxnet attack targeted a facility that already was suffering under something like a 30% failure from rust and basic operations failures.

This is why timing of the 2018 power outages in Russia shortly after its boasts about hacking can make for interesting reading. Despite the lack of any real details or news from the cities in Russia affected, I’ll be surprised if historians don’t find out more here by poking around.

Perhaps US Admiral Stavridis put it best in October 2016 when he quoted a Russian proverb: “Probe with bayonets. When you hit mush, proceed.”

This Day in History: 1945 US Dropped Atomic Bomb on Hiroshima, Japan

Japanese cities destroyed by strategic bombing in World War II. Source: “Tokyo vs. Hiroshima,” Alex Wellerstein, September 22, 2014

The usual story told in American history classes is that dropping two atomic bombs on Japan saved American lives. This is mostly false.

Studies now show nearly as many Americans died from nuclear radiation and fallout during creation of these bombs, as died in Japan from the bombs being dropped.

Source: “Some Unintended Fallout from Defense Policy: Measuring the Effect of Atmospheric Nuclear Testing on American Mortality Patterns,” Keith Meyers, University of Arizona

One might still say American soldier lives were saved at the time these two bombs were dropped (instead of invasion), even if so many Americans were killed at shockingly high rates for decades afterwards.

The problem with this theory is the atomic bombs didn’t force surrender either.

Nonetheless a story told in American policy circles has been that dropping two bombs on Japan proved such a level of superiority in warfare (“assured destruction”), it somehow suddenly compelled the Japanese to immediately give up… not to mention a story also told that atomic bombs held the Soviets at bay afterwards. All this unfortunately is false history (see “Hidden Hot Battle Lessons of Cold War”, for additional perspective).

Here is Truman’s famous June 1st, 1945 speech calling on Japan to surrender, just to set the context of what the public was hearing at the time:

Take note that the warning was after massive bombing campaigns like March 9-10, 1945 where some 330 B-29 bombers burned 40 square miles of wood-built Tokyo to the ground killing over 100,000 civilians.

Source: “A Forgotten Horror: The Great Tokyo Air Raid,” Time, March 27, 2012

However Japan didn’t fear civilian casualty loads and couldn’t have really understood at the time why this new bomb mattered in August after a long summer of entire cities being destroyed. In a chillingly ironic manner US military leaders also didn’t fear civilian casualties.

Source: “Dar-win or Lose: the Anthropology of Security Evolution,” RSA Conference 2016

Japanese leaders instead greatly feared Soviet declaration of war on them. They thought Stalin’s shift to formal enemy would very negatively alter the terms of surrender (Soviets no longer would mediate a surrender that Japan had been asking about for weeks before the bombs were dropped).

I don’t write these things to be provocative, rather to help us better educate people about the past and also to plan for the future. Perpetuating a false narrative doesn’t do America any favors. And most of what I’m writing here is old news.

In 2013 for example Foreign Policy published “The Bomb Didn’t Beat Japan … Stalin Did”

Japanese historians contended it was the USSR declaring war against Japan that convinced their Emperor and government that surrender was the only option.

In fact American propaganda dropped into Japan at that time (translated here to English) emphasized the Red Army invading, a “ring of steel” approaching with no mention of bombs at all.

Source: “Paper Bullets: a Brief Story of Psychological Warfare in World War II” Leo J. Margolin, 1946

Japan referred to atomic bombs like a “single drop of rain in the midst of a hurricane”, given that they already had seen months-long fire-bomb raids of Tokyo that left it over 50% destroyed with 300,000 burned alive and 750,000 injured.

The reason Tokyo wasn’t targeted with atomic bombs was it was too destroyed already — atomic effect wouldn’t have been measurable (125,000 were killed in atomic attacks on Hiroshima and Nagasaki, which would mean it was similar in effect or even less than a single night of the fire bomb raids hitting Tokyo for months).

Two years before the Foreign Policy piece, a 2011 article in Boston papers offered the following insightful analysis in “Why did Japan surrender?”

“Hasegawa has changed my mind,” says Richard Rhodes, the Pulitzer Prize-winning author of “The Making of the Atomic Bomb.” “The Japanese decision to surrender was not driven by the two bombings.” […] “The bomb – horrific as it was – was not as special as Americans have always imagined. …more than 60 of Japan’s cities had been substantially destroyed by the time of the Hiroshima attack, according to a 2007 International Security article by Wilson, who is a senior fellow at the Center for Nonproliferation Studies at the Monterey Institute of International Studies. In the three weeks before Hiroshima, Wilson writes, 25 cities were heavily bombed. To us, then, Hiroshima was unique, and the move to atomic weaponry was a great leap, military and moral. But Hasegawa argues the change was incremental. “Once we had accepted strategic bombing as an acceptable weapon of war, the atomic bomb was a very small step,” he says. To Japan’s leaders, Hiroshima was yet another population center leveled, albeit in a novel way. If they didn’t surrender after Tokyo, they weren’t going to after Hiroshima.

It’s very hard to argue with these common sense points. Massive civilian casualties were mounting and having little effect. Did novelty of a bomb that was a secret suddenly change minds? Even common sense would say no, and the historical record increasingly confirms this.

Or as DW puts it in their documentary, why did America drop a second bomb on Nagasaki if that Hiroshima one supposedly could send a message to surrender?

Video F18ODD8YyuE deleted from YouTube

Or here’s the BBC “accounts of American justification” for dropping a second bomb.

Civilian suffering had never coerced Tokyo to change tactics, and these bombs also failed in that sense. Hiroshima was the 69th city in Japan destroyed by bombing and Nagasaki wasn’t even the primary target (chosen after primary target had unfavorable weather) so it was destroyed just for the sake of bombing someplace at all.

In the end, America dropped these bombs most probably to see what the effects of dropping atomic bombs would be (expressed in the now deleted DW video above as “…my mother fell apart like dry sand when I touched her foot…”) and then the US Air Force created a supporting narrative to justify continuing the program.

Historians have been trying to explain the false stories away ever since.