Cyberterrorists vs. the Power Grid: Who Will Win?
September 30, 2015 • Blog Post • By Atlantic Re:think
IN THIS ARTICLE
- Reports estimate that a cyber attack on the North American power grid happens once every four days
- Key utilities industry players are amplifying their security programs to prevent attacks from causing major power outages
- Despite resilience, redundancy and serious vigilance, the threat of security breaches is growing along with utilities' digital infrastructure
It is the 21st century doomsday scenario: the ultimate hack, capable of dismantling critical North American infrastructure and sending us into complete Stone Age chaos. But even beyond such "Die Hard 4" paranoia, at the heart of every zombie apocalypse storyline, and every "Day After Tomorrow" superstorm system, lies the fear that we may have to live without electricity, running water or emergency services, and that everything else will crumble soon thereafter.
In short, the modern apocalypse is one in which life must, often due to an accident, go on without the complicated electrical grid that has shaped our lives. Would it be possible for cyberterrorists to disrupt the grid on purpose?
More than 55,000 substations serve the North American power grid - 45,000 of them in the United States and all of them behind extensive security systems that aim to protect the grid from all manner of threats. Today, the major external causes of service interruptions are severe weather events, followed by physical attacks on substations themselves, then cyber attacks. But experts say the cyber threat is growing more serious all the time.
An Attack Every Four Days
The Department of Energy's recent quarterly review noted that "the number and sophistication of threats are increasing, and information technology systems are becoming more integrated with energy infrastructure." A recent report in USA Today estimated that a physical attack or cyber attack on the North American power grid happens once every four days.
Scott Aaronson, managing director for national security policy at Edison Electrical Institute, explains that energy companies and providers take a layered approach to developing protection measures against physical and cyber attacks. The base level is a government-imposed regulatory standard, which every provider already exceeds.
"Standards by their very nature are static", Aaronson says. "You put them in place so the entities that make up the electric grid abide by the same rules, but to think that standards in and of themselves are sufficient is dangerous. You need to go beyond the mandatory standards and evolve and respond to threats."
Experts like Aaronson know that security measures must grow and develop according to the threats they face, and right now the fastest-growing threat is from cyberspace. "The problem", says Sean Curran, director at West Monroe Partners' Technology Infrastructure and Operations practice, "is that the average workstation is far more connected to the infrastructure of a company than ever before". That makes each workstation a possible point of entry.
Attackers have also become increasingly deft at throwing investigators off their scent. A Russian malware bug called BlackEnergy, which targeted NATO, as well as energy firms in the United States, went undetected for months.
Bad News and Worse News
Beyond its potential for blackouts, disrupted routines and other practical effects, a targeted attack on the North American power grid could inflict significant financial damage. When a power-related accident in Ohio caused blackouts to cascade through the Northeast in 2003, millions of citizens were left without power for days. The estimated cost of the blackout ranged between $4 billion and $10 billion. According to the Department of Energy, severe weather alone costs the economy "between $18 [billion] and $33 billion every year in lost output and wages, spoiled inventory, delayed production and damage to grid infrastructure".
A report by insurance company Lloyd's and the University of Cambridge estimates that in a scenario where a particularly efficient malware strain targeting the power grid takes out 50 generators, the resulting damage to the economy would be at least $243 billion.
The ultimate effect of an undetected malware attack is almost incalculable. The computer worm Stuxnet, discovered in 2010, a year after its launch, targeted Iranian centrifuges and may have delayed the Iranian nuclear program by years.
"It all depends on the severity, on how long the power is out", says Martin Libicki, senior management scientist at RAND Corporation. "If it's out only five minutes, then people will only need to reset their alarm clocks. If you have significant disruption on a very, very hot day when people are shut in and don't have access to air conditioning, then people could die".
...And Some Good News
Libicki believes that a power outage as extensive as the 2003 Northeast blackout is very unlikely, thanks to measures that electrical companies and regulatory agencies have taken to make sure outages remain on the "resetting the alarm clock" side of the spectrum.
"We make sure any attack does not cascade", says Aaronson, "that it is quickly quarantined, mitigated, addressed and power is restored. We look at planning for attacks as part of our security".
Beyond the active security measures that experts have taken in order to protect our infrastructure, the grid has built-in fail-safes. The grid is operated by thousands of providers across thousands of stations and transformers, and therefore, has a degree of natural resilience and redundancy.
"The grid is made up of thousands of owners, users and operators who grew their networks and controls of their systems over decades", Aaronson says. "This engineers a level of biodiversity into the system. There aren't single components, single points of failure that are uniform across the entire sector. As in nature, the biodiversity of the grid is a defense mechanism."
The energy sector also works with a large network of agencies - including the Department of Energy, the Department of Homeland Security and the Department of Defense - in order to share information and to maintain the security of the grid.
Still, cyber security experts know that just as security teams work around the clock to keep the grid secure, so do the cyber attackers bent on taking it down. In 2013, attacks on a natural gas operator in the Midwest, though ultimately unsuccessful, continued for two weeks. "Attackers today have more money to spend on this", Curran says. "They have more time available. They're not trying this once and going away. They're probing and looking for the weakness and they'll carry on until they've found it."