We’ve all heard the scare stories about how hackers will one day successfully launch a power grid attack in the US. You may have even tried to imagine it by comparing it to something you can recall from recent history, such as the infamous Northeast Blackout of 2003. A cascading series of calamitous events caused a large swath of the northeastern United States and portions of southeastern Ontario to lose electrical power. It created an evening commuter nightmare in New York City and forced many residents to abandon their stifling apartments and spend the night out on the street. Mercifully, power was restored to most parts of Manhattan by dawn the next morning.

Now imagine power being cut off for weeks or even months. It’s probably something you don’t even want to contemplate. We’ll come back to the full horror of such an extended power outage in a moment, but for now, let’s examine the feasibility of such a power grid attack. The blackout of 2003 was a cascade of blunders and system failures, beginning with a technical glitch that was then compounded by human error and subsequent software failures, leading to a major equipment meltdown affecting a large portion of the electrical grid in the Northeast. Based on these events, it’s not much of a leap to imagine hackers remotely triggering such a “glitch.”

You may be thinking that, aside from such technical glitches and the occasional overloaded grid, power grids are pretty solid and there’s not too much to be concerned about. The truth is that a successful hack of an electrical grid occurred in December of 2015 in Ukraine. Attackers used malware to successfully take sixty substations offline, cutting off electrical power to 230,000 residents. The malware allowed the attackers to gain remote access to the computer at one of the distribution centers and effectively wrest control from the operator on duty, ultimately changing his password and locking him out! Similar remote-access software technology has been around for a while. Examples are PCAnywhere, VNC, and Windows Remote Desktop. Subsequent forensic analysis revealed a highly sophisticated plot involving many actors and transpiring over many months. This wasn’t the work of a lone script kiddie by any stretch.

What should give those in charge of the US electrical grid pause is that the control systems in Ukraine are actually more secure than many systems in the US. In addition, the Ukrainian systems have manual backup capability, which many US systems don’t. The power only remained out for six hours in the Ukraine attack. Such an attack, if it had occurred in the US, could have resulted in a much longer outage. The culprits behind the attack have yet to be positively identified, but Ukrainian officials have pointed the finger at Russia, and probably with some justification given the ongoing tensions between the two nations.

The Ukraine power grid attack highlights the complexity of pulling off such an attack and the high degree of sophistication it required. It also probably involved many participants, both from the cyber criminal underworld and from the ranks of nation-state cyber warfare professionals, something not within the capabilities of a lone wolf hacker – no matter how talented.

The alarm about the potential for such a power grid attack occurring on US soil is being sounded by an unlikely source: veteran journalist Ted Koppel of Nightline fame. His recent book, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath, paints a grim picture of the vulnerabilities of the US power grid and the horrifying aftermath of an attack on it. Unlike the 2003 blackout of the northeast US, Koppel contends, a contemporary attack would most likely last for months, wreaking incredible havoc, devastation, and death upon its victims. The same infrastructure and services that were crippled back in 2003 would be impacted again, but with greatly amplified effects.

Transportation, communications such as cellular networks and the internet, industry, the water supply, and the very foundation of the US economy in the form of banking and financial systems, along with the major stock markets, would all be stalled. No one would be untouched, not even the so-called “Preppers” who meticulously prep and plan for just such an event. Surviving without electrical power is really not an option in the modern world.

Koppel’s book has received its share of criticism from several quarters, most notably private utilities responsible for securing the power grid and their counterparts within the US government. They contend that Koppel either was not aware of the advances in power grid security or chose to ignore them. It does make for a more frightening and gripping story if readers are led to believe those in charge of protecting the power grid from attack are asleep at the switch.

A counterargument can be made that the US government is notorious for being reactive rather than proactive. A case in point is the complete lack of preparation for Hurricane Katrina and the scramble to better prepare for a similar weather catastrophe in its aftermath. To paraphrase Dirty Harry, “Are you feeling lucky?”

Given the assumption that no system is 100% secure and that a motivated adversary in possession of the necessary resources could pull off a successful power grid attack on US soil, it would be nothing short of gross misconduct for those in charge of the power grid not to be constantly anticipating a power grid attack.

The common weak link across all previous power outages – both accidental and intentional – has been the human element. Establishing cybersecurity awareness within organizations as well as society at large remains an ongoing challenge within the cybersecurity community. This is exactly why it’s the focus of many of the cybersecurity courses offered on Cybrary.it.