Twitter Facebook Google RSS
Homeland Security News 

Report Ponders What Follows a Cyber Attack on Electric Grid 


By Stew Magnuson 

Experts are convinced that a cyber attack on a U.S. electric grid that could cut off power to millions is a near certainty.

The question is, what comes next?

A report by the Bipartisan Policy Center, “Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an Evolving Threat,” devoted a chapter to what authorities may need to do in the event that a terrorist group, nation state or insider successfully switches off electricity in a major U.S. city.

“In the early phases [of the attack], it may not be possible to identify either the origins of an attack or its implications for the broader system,” said the report.

The example experts cite most often had nothing to do with terrorism. The 2003 multiday blackout in the Northeast that affected some 55 million customers in the United States and Canada was caused by a software bug in an Ohio control room and some unpruned trees. But it took almost a year for investigators to find out exactly what happened.

“Ten years ago we would have this conversation and say, ‘What if?’ Today … I think the question is, ‘When?’” Curt Hebert, former chair of the Federal Energy Regulatory Commission, and co-chair of the committee that wrote the report, said of a cyber attack on a grid.

More recently, Hurricane Sandy in 2012 pointed out further shortcomings in power delivery recovery efforts. Since then, utilities and other companies with grid assets have been working to strengthen their recovery plans, the report said.

“That said, the disruptions associated with a large-scale cyber attack are likely to challenge utilities’ operational abilities,” the report said.

There are two frameworks in place that are intended to guide federal agencies in such an event. One is the National Response Framework, developed by the Department of Homeland Security and the other is the 2010 Interim National Cyber Incident Response Plan.

“It is incumbent on policymakers to clarify how these two response systems can operate in a mutually supportive manner and to resolve ambiguities that may exist under the two frameworks with respect to roles, responsibilities and authorities for federal agencies,” the report said.

In the aftermath of an attack, a hacker could further manipulate monitoring tools and data, and cause more disruptions on command-and-control centers and to communications systems, the report said.

Actions to safeguard utilities from such an attack are needed, said retired Air Force general and former CIA director Michael Hayden, because agents have already infiltrated computer systems that control the nation’s power grids.

The supervisory control and data acquisition computer programs that run power plants do not contain trade secrets or information of interest to a cyber spy. Infiltration could only be for two purposes: a recreational hacker in there just for the challenge; or some agent who wants to conduct what the military calls IPB — intelligence preparation of the battlespace.

Photo Credit: Thinkstock
Reader Comments

Re: Report Ponders What Follows a Cyber Attack on Electric Grid

it is clear that we need to consider both physical and cyber attacks and responses to them, especially since physical control systems are so few, complex and vulnerable e.g., the silicon valley attack

clancy mcquigg on 04/08/2014 at 00:14

Re: Report Ponders What Follows a Cyber Attack on Electric Grid

There exists no disagreement that electrical energy in the U.S. is considered a major operating essential to industrial operation, commercial, and residential. Thus given this assessment, it is no wonder that the protection of this energy source should be considered very high on the U.S. critical infrastructure list.

As a result of the importance of electrical energy in the U.S., insuring that the control systems operating this sector should be one of the U.S. Government’s high priority targets for cyber security protections (Johnson, 2012).

A 2007 report from the GAO (2007) suggested that control systems present serious vulnerabilities to U.S. CIP. Control systems are “ systems that monitor and control sensitive processes – perform vital functions in many of our nation’s critical infrastructures such as electric power generation, transmission, and distribution; oil and gas refining; and water treatment and distribution...” (p. 1).

There is a direct relationship between the effective operation of U.S. industries and (other users of electrical energy) the cyber security of the marketed energy available for the U.S. consumers of electrical energy (LaCommore & Eto, 2004; Newton-Evans, 2007; DOE, 2009). The effective operation and security of the control systems operating the electrical grids have paramount impacts on the industry.

Cyber security breaches, therefore in the grids’ infrastructures via control systems, thus resulting in electrical disturbances on the grid could potentially cause power plant failures, transmission congestion, system stresses, and distribution failures (DOE, 2009). In essence, such an occurrence could be rather costly.

Research data obtained from a 2004 Lawrence Berkeley National Laboratory (Berkeley Lab) study on costs associated with U.S. electric power outages and blackout suggested that electric power outages and blackouts cost an estimated $80 billion annually (LaCommore & Eto, 2004; Chen, 2005). Included in this figure, according to the authors, $20 billion was realized by the industrial sector while $57 billion in losses were realized by the commercial sector (includes both small and large businesses). The authors maintained that the U.S. industrial customers’ base alone consists of 1.6 million customers (LaCommore & Eto, 2004). The U.S. commercial customers’ base consists of 14.9 million customers (LaCommore & Eto, 2004).

In the event of a Denial of Service (DoS) due to a cyber-attack on a major electricity grid, one could infer that there will be such factors as inconveniences and a hassle also of residential electricity customers not having power for periods of time due to outages and power interruptions.

Coupled with the costs associated with the industry sector and commercial sector loses, adding the costs associated with such a DoS in the residential sector could be staggering.

The 2004 LaCommore & Eto study placed the cost at $1.5 billion for residential losses. The researchers admitted, however that there “...are uncertainties in the available data on power interruptions, and these gaps could mean that the true costs of interruptions could be higher or lower by tens of billions of dollars...” (p. 1).

In order for the U.S. to obtain a clearer picture of overall costs associated with electric power outages and blackouts, DHS needs to spearhead the effort of obtaining more reliable information (Johnson, 2012).

An earlier study conducted by Primen (2001) revealed that U.S. annual power interruptions and power quality estimates range from $119 billion to $188 billion annually.

To further illustrate this point, the report went further to suggest that in a one hour power lost in year 2000, to the Chicago Board of Trade, trades totaling about $20 trillion could not be executed. Further during this same power disruption in Chicago, according to the report, the Field Museum realized loss of powers to their refrigeration systems that put DNA samples at risks of being destroyed.

Where the exact figures depicting costs associated with electricity interruptions may differ slightly, the fact remains, however that a breach or disruption of control systems located in just the U.S. electrical grids alone could have not only a “...significant impact on public health and safety...” (GAO, 2007, p. 1), but also could prove to be extremely costly.

The data as it stands is striking. With data of this sort it makes “...securing control systems, a national priority...” (p. 1).

Chen, C.L. (2005). Cyber-vulnerability of power grid monitoring and control systems. Retrieved May 18, 2010 from
Johnson, R.L. (2012). An analysis of IT governance practices in the Federal Government: Protecting U.S. critical infrastructure from cyber terrorist attacks. Retrieved 20 March 2014 from,
LaCommore, K.H. & Eto, J.H. (2004). Understanding the cost of power interruptions to U.S. electricity consumers. U.S. Department of Energy. Berkeley, CA: Ernest Orlando Lawrence Berkeley National Laboratory.
Newton-Evans (2007, August 21). Newton-Evans research company provides worldwide SCADA market assessment and outlook. Retrieved May 18, 2010 from,
Primen. (2001). The cost of power disturbances to industrial and digital economy companies. Primen. TR-1006274 (Available through EPRI). Madison WI: EPRI.
U.S. Department of Energy. (2009). International Energy Outlook 2009. Retrieved May 18, 2010 from,

Dr. R. LeWayne Johnson on 03/20/2014 at 15:43

Submit Your Reader's Comment Below
The content of this field is kept private and will not be shown publicly.
Please enter the text displayed in the image.
The picture contains 6 characters.
*Legal Notice

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.

  Bookmark and Share