Robert M. Lee @RobertMLee, 14 tweets, 3 min read
Thread: It’s easy to understand why people come to the conclusion that Russia and China have “implants” to cause blackouts buried throughout our grid. It’s not true though. A few thoughts...
First, if you read the articles and click through to the stories they cite, the claim is actually never supported. Specifically, this notion that there are hundreds of utilities with malware waiting to be activated to cause blackouts legitimately isn’t even sourced.
So the burden of proof is entirely on the authors. The rest of us don’t have to disprove anything - the claim isn’t supported. Unfortunately, hype spirals and spreads quickly. So let’s diagnose a few key points.
First, the articles cite various intelligence officials (anonymously) noting concern. And public DHS comments noting concern. This isn’t mapped to the claim but I’ll denote that their concern is real (they see threats) but uninformed (they aren’t operating in the utilities)
Or said more simply. USG folks get all the fear because they see national level threats all the time, but they don’t see the day-to-day work by infrastructure operators who defend and understand the resiliency. So the fear is unchecked and is often over hyped.
Second, it’s reasonable for people to be concerned because the number and aggressiveness of the threats is increasing. But “placing digital implants to activate to cause blackouts” isn’t how it actually works. The “implant” is the first stage, to then get access, to learn, etc.
We’ve seen this in every cyber intrusion against electric companies. Even in the attacks of 2015 and 2016 on Ukraine’s grid. It wasn’t wide-scale prolonged blackouts and it wasn’t some long-left implant. It was human operations enabled by malware. It was after lots of learning.
The ability to reliably scale attacks is very difficult. The US electric grids as an example are so complex and heterogeneous that the idea of having a single piece of malware or even a handful that could be reliably used to achieve the effect is out of touch with reality.
There would have to be a significant amount of tailoring done per site targeted. Not a trivial amount. And the adversary couldn’t be positive it’d even work at scale.
Third, the idea that malware is lying around to be activated for a blackout (as opposed to espionage, which does occur) is ridiculous. The risk to the adversary of any one site finding the malware risks their entire operation across everyone. So deploying too far in advance is risky.
Fourth, there are truly only a small handful of people that have done incident response and hunting at more than 1-2 infrastructure companies. So these insights are rare, which allows the hype to go unchecked.
As an example, and this isn’t meant as a pitch but as an explanation of size and scope, the @DragosInc team has the largest, most experienced ICS-specific incident response team in the US (could be more, but at least the US).
I.e., we have more ICS-specific incident responders than the US’ DHS. The people in the Intelligence Community aren’t doing response. So, speaking from experience, our insight at Dragos > USG’s on what happens from threats in the utilities themselves.
I say this only to then say that if the Dragos team is going “no, that’s not how these attacks work” and “no, we’ve never found this mythical implanted blackout malware in apparently hundreds of utilities that defies logic, operations, and physics in its use,” then the article is BS.