What are the CMMC Levels?


I talk a lot about security in the procurement and contracting processes. I think using capitalism as a means of achieving an outcome is a better model than regulation. Read previous posts to get up to speed on those thoughts.

The abstraction of that idea is that suppliers are a risk, and exercising control over those suppliers -- using the power of the purse in the preceding example -- is one key to moving the cybersecurity needle. This post addresses the application of that idea in the local energy sector (our PUDs and dams, mainly).

If you follow the Daily New Blast, it's become obvious through a proliferation of stories that small product and service providers, which have some degree of trusted electronic access to their customers, are the entry point for infiltration of the true targets. Click here for a good summary of the issue.

Think about the energy grid. There are small suppliers of energy ("generation," in the parlance of the sector) all over the place. We have dams. In Weatherford, OK, wind turbines stand as far as you can see. Each of these contributes a tiny fraction of energy to the grid, but they do supply the grid. Again, small suppliers are a big target for disruption. NERC and DHS are working with these organizations, but there's another exposure that's under the federal regulatory radar that, for now, can only be addressed through that market force.

There are small businesses that frack, drill, fabricate, weld, and perform a host of other services for the companies that extract, transport and refine a lot of the raw fossil fuels used for generation and export. This Bloomberg article talks about a cyber-attack against an oil pipeline in 2008 that resulted in an explosion, which preceded Russia's action in the country of Georgia.

So it seems to me that with oil below $60/barrel and continuing to fall, and with Russia hurting from sanctions over Ukraine and now its only real export being devalued, there is a strategic reason for Putin to consider an action that spikes energy prices. What's the soft target, the one most likely to facilitate an action that doesn't leave fingerprints? It's a driller, welder, or fabrication service with access to those pipelines. They don't invest in logical controls, and they certainly don't log the events that would facilitate forensic recovery of the root cause. It will look like incompetence by a small company, but energy prices will still head north with alacrity.

So until big companies start requiring small company suppliers to meet cybersecurity standards, and while geopolitics are so tied to fossil fuels, some real volatility is to be expected as we march into the new world of bytes as a weapon.