Cyber Warfare: Bad Actors and Our Electrical Grid
Stores are closed. Cell service is failing. Broadband Internet is gone. Hospitals are operating on generators, but rapidly running out of fuel. Garbage is rotting in the streets, and clean water is scarce as people boil water stored in bathtubs to stop the spread of bacteria. And escape? There is none, because planes can’t fly, trains can’t run, and gas stations can’t pump fuel.
That is the potential scenario if the U.S. undergoes a major cyber attack against our electrical grid. We know it’s likely that the Russians have hacked several U.S. companies, both in the public and private sectors. We don’t know, however, how deeply they have penetrated our systems overall.
We’ve been warned for years that our electrical grid is vulnerable to attackers who damage critical substations. Although some steps have been taken to mitigate the problem, the threat is still serious. Now we have the added danger of a cyber attack, the kind of attack launched against the Ukrainian power structure last December 23. Admiral Mike Rogers says the Russian government hackers likely were responsible; they even studied the way the Ukrainians responded in order to slow down their recovery of electrical power. He is very concerned about the implications of that action for this country.
In contrast, the Department of Homeland Security issued a report that downplays the seriousness of these attacks against energy companies, calling them “low level cybercrime that is likely opportunistic in nature rather than specifically aimed at the sector, [and] is financially or ideologically motivated, and not meant to be destructive.” I’m not reassured.
The fact is that not only Russia is working on cyber attacks, but other rogue players such as North Korea and Iran are probably in our systems. Specialists warn that the most damaging kind of attack would be a coordinated strike against multiple power stations. If they knocked out 100 stations in the Northeast, “the damaged power grid would quickly overload, causing a cascade of secondary outages across multiple states. While some areas could recover quickly, others might be without power for weeks.”
In 2003 there was a blackout that spread from the coastal Northeast into the Midwest and Canada. Senator Susan Collins (R-Maine) has said, “If you think of how crippled our region is when we lose power for just a couple of days, the implications of a deliberate widespread attack on the power grid for the East Coast, say, would cause devastation.” Researchers have run the numbers on an East Coast blackout with these results:
A prolonged outage across 15 states and Washington, D.C., according to the University of Cambridge and insurer Lloyd’s of London, would leave 93 million people in darkness, cost the economy hundreds of millions of dollars and cause a surge in fatalities at hospitals.
Another alarming aspect of a cyber attack is that the utility might not even realize what is happening:
At first, power providers may only notice a cascade of overloaded transmission lines failing in rapid succession—something that happened during the 2003 blackout, which was caused by an ordinary software bug. A major attack would trigger a series of actions laid out in the Electricity Subsector Coordinating Council playbook, and even for regional blackouts, energy companies would begin communicating instantly.
But the assistance program may also run into difficulties with a cyber attack:
“If I’m sitting in Columbus, Ohio, and I know there’s a storm in Maryland, I’m not worried about sending my resources to Maryland,” said Stan Partlow, chief security officer at American Electric Power. “We’re pretty confident when we let those crews go that we’re not in trouble. On the cyber side, if I’ve sent my resources somewhere else and I’m next on the list…”
Although there are government agencies that are trained and equipped to deal with these kinds of attacks, they have few plans on how to prepare, since there have been so few major attacks on which to create response scenarios.
So I refer you to the opening paragraph in this OP. What happens when there is a devastating cyber attack and people run out of the basic necessities? What will we do when we are isolated, frightened and hungry? Or do you think these fears are exaggerated, as DHS suggests?
Published in General
The question I’ve always had is when precisely did the power grid become susceptible to an internet attack? At some point in the past…twenty years ago perhaps? Twenty five?…. it would have been physically impossible to attack the power grid in this way, simply because the grid wasn’t connected to the internet. The power grid existed before the Internet. This seems like such a failure on so many levels. The grid worked when it was physically impossible to hack it. A conscious decision was made at some point which made it hackable, and a whole lot of people could die as a result.
My gas stove still worked during the 2003 blackout. It was so hot, though, I had no desire to use it. Don’t know how long other facilities might work during a more long and drawn out disaster, of course.
I always prep when I’ve got some warning – before Hurricane Sandy, for instance, though I was luckily about 10 blocks above where the worst of the power outages were. I’d likely be caught flat-footed during an unexpected loss of power, though, as limited supplies are kept on hand in a cubicle-sized NY apartment.
I can only hope I’ll be visiting home if and when something like that happens. I still remember the great meals my Dad whipped up on an old camp stove when ice storms suddenly turned us into the Ingalls family for a few days. He was in his element.
I don’t see it. Last time people flew planes into buildings in NYC the US laid a good portion of two countries waste, destabilizing a few others along the way. Cui Bono from that?
Even the US is wary of the level of chaos it is willing to encourage in places like Iran. Because chaos is…chaotic. It’s hard to predict how it’ll play out for your agenda.
Even more devastating would be an electro-magnetic pulse attack over the central US. It would take about everything electronic for a huge share of the country.
Go out into the street, extend my arms to Heaven and sing ….
Maranatha, Lord Messiah!
Keep in mind that the grid could be physically damaged, and has been, at key places. You can’t do it easily if there is security, but it can be done. Hacking is in some ways much easier, since we can’t see the villains. Thanks for your comment, Bob.
Texas has its own power grid. Plus, folks down here are prepared for hurricanes. Bring down the power grid for a week? Uncomfortable, but not deadly. Did it after Alicia and Ike. I even have a coffeepot I can use on my gas grill. Many of us have auxiliary generators, too. Those will keep the freezer, fridge, and anti-personnel defenses alarm systems powered up.
Further, I live in the most heavily armed city in Texas. I figure if the grid goes down, it will be the blue state types who will not make it – not my good ole boy neighbors (who come in black, brown, yellow, and red as well as white around here). They will get by.
Seawriter
But after all that has happened since, Zafar, Obama is clearly reluctant to get involved, and Clinton and Trump are inconsistent about what they’d be willing to do militarily. I hope you’re right.
Where did you say you lived, Seawriter? ;-)
League City, TX. It has the highest per-capita rate of carry permits of any community in Texas. (Or did two years ago. Have not checked recently, but I figure it has not changed much.)
Seawriter
When did his boss give the testimony Trink?
Knock down parts of the grid, sure. Keep it down. Doubtful.
In case of an attack the IT guys would just yank the gateways and go to manual or internal intranet control. Any compromised machines / systems would be frozen and snap restored back to before the event. In the event our data centers lost power we drop back to batteries then backup generators most having a week or more worth of fuel. Most IT departments train and game these scenarios within virtual bottles several times a year. Sure the IT guys and others would be scrambling and there would be a financial hit but the grid would be back up and most processing / operations would never go down.
If someone has a Letter of Marque they are not a pirate. They are a privateer.
One thought. Comparing cyber attack damages to the Ukraine or other such nation is not really applicable. First world, virtualization, back and restore technologies are about a decade ahead of such countries and allow for recovery from malware events to be minimized.
We live in earthquake country, so we’re pretty prepared. Have water, plenty of food, propane, etc.
My three sons have been preparing and planning for a zombie apocalypse for years so we’re heavily armed. Please, if it happens let it be on a Sunday when I have Marines on hand and husband is home. He works four freeways and 45 miles from home. In Los Angeles. Multiply the 45 by 7 for those not stupid enough to live here.
But thanks to me he has provisions and running shoes in his trunk and he may have to hoof it along the San Gabriel river to get home.
Not intending to make light, but being prepared helps me sleep at night.
Oh, it was almost inept enough. A lot of bad code was either rewritten or replaced. There were a few failures here and there. My credit card got rejected at one store because the expiration date came out “19100.” A few elevators headed for the basement and sat because they hadn’t been serviced in 100 years. For the most part the big stuff got fixed first and the smaller stuff followed.
Boy I hope you’re right!
With good reason, I think.
Obama has dealt with the aftermath reasonably okay – except on the cheerleading front – and where he did get involved (Libya) it was in its own way as bad as Iraq.
Letters of Marque are my husband’s vision for the future of combat, but then he’s a true-believin’, sci-fi readin’, free-market Constitutional Libertarian. Just another reason I adore him.
I like the Letters of Marque approach – though I don’t think we should have to pay – just tell them they can keep their loot, tax free. If you pay them, then you’ve got scammers looking to collect $100,000 to sit on the couch and play Pokémon, which leads to the government deciding to regulate the whole process and pretty soon you have a Cabinet Level Department of Hacking.
I also like “blackout our grid and we’ll destroy yours,” though I don’t like nukes.
Pirates should be hung. Or shot. Every U.S. Navy Captain should be authorized to levy capital punishment on any pirates he captures. Worked in the 19th century. Trial and jail? Considering the hellholes these poor bastards live in that’s like a win-win – if I succeed, the freighter owner pays me millions, if I get caught I get a warm bunk and three meals a day for an extended period. If I’m living in Haradhere, that seems like a pretty good bet.
Yeah. The power industry found a lot of bad code – stuff like pollution monitors that could have tripped plants because there were no authorized emissions for January 1, 2000. But they spent a gazillion dollars scrubbing through everything they could – as you said, starting with the big stuff.
I think this is right. After 2004/2005, every utility in the South spent a bunch of time and money thinking through resiliency and how to restore faster. I know for a fact that at least some of them did think through cyber warfare implications, and suspect FJ/JG is right that they all have and continue to do so. If one of them isn’t able to recover in a timely manner and their neighbors do, they would fear having the PUC whack their returns. Money motivates.
In 2004 in Florida some parts of the grid were rebuilt, almost from scratch. It wasn’t pleasant, but not the nightmare scenario described above. This smells like government fear mongering to me.
Make sure they are well done. Probably diseased.
I am open to all of that. But I do think there has to be a way for them to prove what they did. Not a lot of loot in taking out power. It seems to me a clever hacker could leave a public message.
Don’t need Nukes for a lot of things, but never take ’em off the table. Then again, I’d resume testing as President.
That is a good point, John. I’m sure Ukraine was ill-prepared for an attack.
Sorry, Bryan. Sloppy and too-fast reading on my part. A very intriguing approach that might be handy!
I so hope you and John are correct, Isaac. I guess when I read that the DHS is saying that fears are exaggerated, I assume the opposite is true. I guess time will tell. Thanks for all your comments.
I see the vulnerabilities being at the little REMC level. Those guys may not be investing in their IT infrastructure for cost savings reasons. So they are more susceptible to attack and may have a harder road to recovery. On the other hand they are smaller entities less likely to be targeted and if disrupted would have a smaller impact. The other side of the coin is that since they do not invest in technology they can fall back to manual or may even be using manual methods more so the risk assessment may be a wash in their case. Their small footprint, uneven technology and sheer number of REMC entities would make a large scale malware targeted attack very problematic to coordinate and execute.
I listened to Ted Koppel’s book on this very topic and had to shut it off half way through. Horrifying prospect.