"A massive and well-coordinated cyber attack on the electric grid could devastate the economy and cause a large-scale loss of life."
- Dr. Richard Andres, US National War College
Cyber Attack Against the Electric Grid
To understand our vulnerability to cyber attack, I would first point you to an obscure and largely unreported test of our electric grid by the Department of Homeland Security, code-named Aurora. In short, the DHS connected a diesel backup generator to an electrical substation (which is common for substations to have) and then attacked its control systems and breakers with an “out of phase” condition. In response, the generator started shaking and smoking and eventually tore itself apart (watch the video here or here). In response to the test the Federal Energy Regulatory Commission (FERC) instructed utility companies to update them periodically for preparedness in combating an Aurora-style attack on their substation infrastructure. In an audit a year later, 23 of the 30 utility companies had failed to follow up and comply with FERC’s directive. The Department of Defense has recently tried to offer shielding equipment to the utility companies for free to defend against an Aurora-type attack. The problem with this, according to industry expert Joe Weiss, is that “they couldn’t give them to any of the utilities because any facility they put them in would become a ‘critical facility’ and the facility would be open to NERC-CIP audits.” In other words, none of the utility companies want to open themselves up to federal oversight even if they could get the shielding equipment for free.
To make matters worse, in response to a FOIA request to the Department of Homeland Security in regards to an “Operation Aurora” cyber attack against Google, the DHS accidently responded with the wrong information and released to the public over 800 pages of data regarding the “Aurora Project” and their testing of the electric grid. The documents revealed names and locations of substations that are completely vulnerable to attack and could help any “interested parties” better understand where to strike to have maximum efficiency in taking down our electric grid.
The one big thing about the Aurora test is that it only tested A SINGLE control system in an electric grid composed of thousands of vulnerable, un-protected control systems and SCADA (Supervisory Control and Data Acquisition) systems. Even if every utility company protected itself against the Aurora threat, there are thousands of other unprotected control systems and ways an educated and informed hacker could shut down the electric grid in the US. To date, the utility companies feel uncompelled to address the problem, so they basically ignore it.
Joe Weiss is the managing Director of Applied Control Solutions and is the foremost expert in control systems engineering and vulnerabilities. He testified before Congress that, “The long-term ramifications of such an attack would be severe: If electrical equipment were destroyed, power could be lost for six to nine months because the replacement gear would take so long to manufacture.”
As recently as Nov 20, 2014 (two weeks before the Sony cyber attack), the House Select Intelligence Committee held hearings on Cybersecurity Threats. One of the interviews was with Admiral Michael Rogers who is the Commander of US Cyber Command. He said some absolutely startling things in the interview below about the likelihood of the US losing the electric grid in the near future. Yet it wasn't picked up by the press.
While discussing the vulnerability of our control systems (commonly referred to as SCADA), he was asked if there are any hackers or nation states that currently have the ability to “flip the switch” and turn off our electric grid. Here is his response:
“There shouldn’t be any doubt in our minds that there are nation states and groups out there that have the capability to do that. To enter our industrial control systems and to shut down and forestall our ability to operate our basic infrastructure: whether it’s generating power across this nation, whether it’s moving water or fuel… Once you’re into the system, it enables you to do things like, If I want to tell power turbine systems to go offline and stop generating power, you can do that. If you wanted to segment the transmission systems so that you couldn’t distribute the power that was coming out of power stations, this enables you to do that. It enables you to shut down very
segmented, very tailored parts of our infrastructure that forestall the ability to provide those services to us as citizens.
“I think the industrial control systems and SCADA piece are big growth areas of vulnerability and action that we are going to see IN THE COMING TWELVE MONTHS and it’s among the things that concern me the most, cause this would be truly destructive.”
Admiral Rogers was then asked by the ranking member of the Congressional Intelligence Committee, Rep. Dutch Ruppersberger about a recent report by technology experts that predicted a catastrophic cyber attack before 2025 that would cause significant loss of life and property. Rep Ruppersberger asked if he shared this view along with the industry experts, and without even a second of hesitation, Admiral Rogers responded, “I do.” He later said, “We see multiple nation states and in some cases, individuals and groups that have the capability to engage in this behavior… It is only the matter of when and not if we are going to see something traumatic."
One of the newest and emerging threats to the United States is a cyber attack against our critical infrastructure. This has been brought to the forefront of the news recently with the Sony hacking attack by North Korea. What is surprising, though, is the lack of media attention on the likelihood of enemy nations taking down our entire electric grid and other critical infrastructure through cyber warfare. It is truly amazing when you research this, how our government is absolutely unprepared for and I should say completely unable to stop an attack against our electric grid and other critical infrastructure. Why are energy companies so vulnerable? One reason is that these industrial systems rely on 1970s-era technology and it's not getting upgraded, because doing so would interrupt service.
Do you want to stress yourself out and stay up late with nightmares? Go to CSPAN.org and watch some of the congressional testimony to the House Select Intelligence Committee by the experts on our vulnerability to Cyber Attacks. You will go crazy wondering how the government is doing virtually nothing to combat this threat when the consequences could mean 9-18 months without electricity.
Again, remember that this man is the COMMANDER of US Cyber Command and not just some conspiracy theorist. You are literally hearing it from the horse's mouth. To sum up this section on the threat of a cyber attack on our electric grid, I challenge you to do your own homework and watch the hour-long testimony yourself. If you don’t want to, I can sum up Admiral Roger’s testimony in a few short sentences. America’s critical infrastructure (including the electric grid) is completely vulnerable to attack by multiple enemy nations and groups who currently have the knowledge and the ability to literally “flip the switch” on our electric grid at any time. It is his biggest fear as the Commander of US Cyber Command and he fears a traumatic attack in the near future which will result in massive loss of life and property…. Woohoo! Bring it on!
If you don't want to believe Admiral Rodgers, than how about Summer Fowler. Fowler, 37, is deputy technical director for cybersecurity solutions at CERT, the nation's first computer emergency response team, at Carnegie Mellon University's Software Engineering Institute. She is the front lines of defense against a cyber attack and works hand in hand with the Defense Department, Pentagon Cybersecurity soldiers, Intelligence Directors, and huge corporations to act as a first response team to combat a cyber attack. When asked about a devastating computer attack that unplugs the power grid, empties bank accounts and results in massive loss of life, "Ultimately, it absolutely could happen,” Fowler said. “Yeah, that thought keeps me up at night, in terms of what portion of our critical infrastructure could be really brought to its knees."
According to an article from CNN Money there were 79 significant Cyber hacking incidents against energy companies investigated by CERT in fiscal year 2014, alone. Between April 2013 and 2014, hackers managed to break into 37% of energy companies, according to a survey by ThreatTrack Security. Cybersecurity firm FireEye (FEYE) identified nearly 50 types of malware that specifically target energy companies in 2013 alone, according to its annual report. In March, TrustedSec discovered spy malware in the software that a major U.S. energy provider uses to operate dozens of turbines, controllers and other industrial machinery. It had been there for a year -- all because one employee clicked on a bad link in an email.
Watch this video from USA Today on the vulnerability of our critical infrastructure.
Or you could listen to the advice of the former Director of Counterintelligence for the CIA, Barry Royden, who spent 40 years in the CIA and believes that cyber terrorism is the next big threat to America. He says, "The trouble is, it’s extremely difficult, in fact, it’s impossible — everyone is connected to everyone, and as long as you’re connected you’re vulnerable. And there are firewalls, but every firewall is potentially defeatable, so it’s a nightmare in my mind. You have to think that other governments have the capability to bring down the main computer systems in this country, power grids, hospitals, or banking systems — things that could cause great economic upheaval and paralyze the country."
Also, even if you don't want to believe these experts and think they are just fear mongering, than why did the Defense Department recently announce nearly 1 billion dollars in upgrades they are working on at the previouisly decomissioned Cheyenne Mountain, specifically to to protect communications against an EMP attack or a attack on our electric grid which would take down communications for the rest of the civilian populations. Also please download and read the Congressional report to Congress "Cybersecurity Issues for the Bulk Power System" which was just released June 10, 2015. Again, don't read this report unless you want your ostrich head firmly pulled out of the sand where it is now. There is no disputing the absolute threat of losing our electric grid from a Cyber Attack in the near future.
Fox News Report on Cheyenne Mountain Upgrades...
If you want to see a pretty accurate portrayal of the aftermath of a cyber attack on our electric grid, I would highly recommend you watch National Geographic’s recent movie/documentary called American Blackout which shows the aftermath of a cyber attack on our electric grid. While I personally feel this movie is a very accurate depiction of how fast society would fall apart, I do strongly disagree with the ending. First off, most experts agree that a cyber attack could take down the grid for 6-18 months. Although it is definitely possible, I have yet to see a report showing less than 6 months. This movie depicts the power being restored after only ten days. Secondly, when the power has finally been restored, it paints a picture that things may get back to normal fairly quickly. I disagree. I believe that once society goes over the edge of American killing fellow American over a can of peaches, it doesn’t instantly recover from that. It could take weeks or months to get an out-of-control populace functioning like normal again. But again, it is a pretty good movie and would be a great "ice-breaker" for someone to watch who has never considered what life would be like without the electric grid.
National Geographic FULL MOVIE "AMERICAN BLACKOUT"
Additional links dealing with the threat to our electric grid from Cyber Attacks: