A partnership between a public utility and the National Guard in Washington state is being held up as a model for how the military can help to defend the U.S. power grid from cyberattack, despite the fact that it took two years to bring to fruition.
The Snohomish County Public Utility District invited the 262nd Network Warfare Squadron, based out of Joint Base Lewis-McChord, to penetration test its network, the utility’s CIO Ben Beberness told a recent Capitol Hill briefing organized by the Lexington Institute. Like almost every utility company, the PUD uses supervisory control and data acquisition, or SCADA, systems to remotely control its power generation and distribution equipment.
“They ended up getting into our SCADA systems,” said Beberness of the military hackers — although only into a special testbed the company runs for testing out new SCADA software. The penetration test last year was set up “in a way that’s not going to impact us … not interfere with your day-to-day operations, cause generation sites to go down and so forth,” he explained.
“What the National Guard brought to this was the mindset of a hacker,” Beberness said, noting that in general, IT personnel “think like engineers.”
He said the guard used techniques similar to those employed by suspected Russian hackers in a cyberattack on the Ukrainian power grid just before Christmas, which cut power to more than 200,000 customers for six or seven hours.
The guard personnel, specially trained in SCADA and industrial control system software, “demonstrated to my team that things they thought were impossible were in fact possible,” Beberness explained, adding that, what the guard got out of it was, “they learned what a utility [‘s computer network] looks like … it gave them a cyber range” to test their hacking skills.
But, even though the PUD is a municipally owned public utility, and the guard personnel in question were in “state active duty” status, it still took two years of talks before the test could take place, Brig. Gen John Tuohy, the assistant adjutant-general of Washington state’s Air National Guard, told the briefing.
“It took almost two years to put this together, with a plethora of [state government and corporate] attorneys wrangling over what’s legal, what’s not, all the rule of engagement, etcetera,” Tuohy said.
“The process was well coordinated and executed by a comprehensive memorandum of agreement, inclusive non-disclosure agreements, and explicit rules of engagement with stringent controls in place,” he added, “to ensure all applicable rules, regulations, policies and laws were conformed to.”
Tuohy said the exercise “only highlighted areas for review and in no way fixed anything. The guard’s mandate is to assess, not correct. The fixing is left for the customer to do.”
That’s important he added, because it means “we’re not in competition with the private sector. In fact, you could argue … our assessments create opportunities for the [private] sector” to come in and fix the problems they find.
Tuohy said the Washington National Guard was “uniquely blessed” in personnel, “because of our physical location near to some of the big cyber giants out there such as Microsoft and others.”
He said these service members, “are at the center of excellence and on the cutting edge of technology, techniques, tactics, training and innovations.”
Watch a video of Touhy’s presentation here. Beberness’ talk is below: