This weekend, CBS News' 60 Minutes show aired a segment, which stated that a series of blackouts in Brazil in 2005 and 2007 were caused by malicious hackers. While this can seem sensational to the public at large, the industry has been aware of the potential for these types of attacks, and these specific incidents, for a number of years.

It is all the more puzzling then, why someone would take this opportunity to single out two EnergySec directors for comments made in April 2008 near the time of the CIA's initial public disclosure that several cities outside of the U.S. were affected by intrusions through public networks.

In a post to the SCADASEC mailing list, Joe Weiss from Applied Control Systems attempted to take two of our directors to task for comments that were at best misunderstood, and at worst deliberately misrepresented. The issue at hand is whether Tom Donahue's statement in 2007/8 - that the CIA had knowledge of cyber attacks impacting power grids in other countries - was worth a public disclosure. The opinion of this organization continues to be that, due to the lack of any specific actionable details, it was not.

As it appears that several current and former government officials with knowledge of the specific events have elected to publicly disclose more information than was in Mr. Donahue's original statement, we offer the following explanation for this opinion.

Notwithstanding Mr. Weiss's statements to the contrary, there was no new information provided by Mr. Donahue at the 2008 SANS SCADA summit. The information he discussed (as described above) had already been disclosed to the electric utility community over a year before the public statements were made.

The issue at hand is not the accuracy of the information - as to which there is no question: the organization for which Mr. Donahue works is a leader in the gathering and assessment of such intelligence - but, rather, the actionability of the information provided. That is, to what extent could electric utility asset owners use the information to take specific additional actions to protect our infrastructure?

The short answer is that the information that was provided in the closed briefings and subsequently disclosed by Mr. Donahue wasn't actionable and was therefore of use only as another data point when examining other potential threats to the systems.

Here's what we were told prior to the public disclosure in 2007/8:

• That an unknown organization in a specific set of countries had succeeded in disrupting power in some metropolitan areas;
• That no motivation was known, but that extortion was suspected;
• That the method of the attack was not disclosed; and
• That specific indicators that would evidence this type of attack were classified or unknown.

To date, this is effectively still all that has been publicly acknowledged.

In the absence of key information (the last two bullets), there is nothing to do, and no action to take beyond what is already being done, to mitigate whatever unknown vulnerability allowed this attack. The net effect of Mr. Donahue's public statement was to provide interested media a platform to decry the state of security within the North American electric sector, while simultaneously denying those with a stated responsibility to protect this critical infrastructure any new information that would help us to do so. To the extent that the vague public disclosure and Mr. Weiss's continued insistence in using this as an example of the security failings within the electric sector divert resources of security professionals to defending their actions at the expense of continuing to improve the security of these critical systems, both statements are detrimental to the mission of securing the grid.

As with most industries and organizations, measures taken to address security concerns are often not public knowledge. Statements that imply a lack of action and diligence based on the absence of public knowledge serve to distract from legitimate issues that must be addressed. It is unfortunate that Mr. Weiss chose to malign two of our founding directors - people who have done as much to further the understanding of how to secure critical assets as any we know. Patrick Miller and Stacy Bresler were the driving forces behind organizing Energy Security Northwest, the information sharing group from which EnergySec grew. You can rest assured that they understand that securing the electric grid takes far more than just meeting regulatory compliance requirements.

The organization that Patrick and Stacy founded and fostered now has representative members from companies comprising over a third of the nameplate generation capacity in the U.S. and over half of the residential distribution customer base. Those members hail from all facets of the industry - physical security, control systems engineering, control systems operations, information security, and many other disciplines. They participate on an all-volunteer basis and recently helped us to achieve our most successful conference to date, with over 150 attendees - nearly two thirds of which were from electric utility asset owners with the rest hailing from DOE, DHS, FERC, NERC, and other industry partners. We know of no other private critical infrastructure that has an information sharing organization as robust as the one that exists within the energy sector.

This reality certainly contradicts any claim of the industry's "reprehensible job of securing the critical electric assets and hiding behind the NERC CIPS…." While the industry has made strides in securing this important critical infrastructure, we still have work to do. Security is, after all, a journey, not a destination, and the industry is working to achieve the goal of ensuring grid security and resiliency within the framework of regulatory compliance. Those who truly care about securing our critical infrastructure ought to support and encourage efforts that are succeeding in doing so.

We’re sharing actionable information every day within EnergySec.

We close with a quote that seems as appropriate today as it did when President Roosevelt uttered it in 1910:

"It is not the critic who counts, nor the man who points how the strong man stumbled or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena; whose face is marred by dust and sweat and blood; who strives valiantly...who knows the great enthusiasms, the great devotions, and spends himself in a worthy cause; who, at best, knows the triumph of high achievement; and who, at the worst, if he fails, at least fails while daring greatly, so that his place shall never be with those cold and timid souls who know neither victory nor defeat."