Fears of Devastating Cyber-Attacks on Electric Grid, Critical Infrastructure Grow
Many remember Aug. 14, 2003 as the day the lights went out. The Great Blackout, as it is often called, left millions in the Northeast and parts of Canada in the dark for up to two days. Traffic lights went out, commuters were stranded in stalled subway trains, and hundreds of people were trapped in elevators.
In this case, a power line in Ohio malfunctioned after touching an overgrown tree branch, crippling the local electrical system and creating a domino effect of outages.
That massive blackout was a work of Mother Nature, but officials fear similar damage that could be caused by a cyber-attack on the electrical grid.
In her farewell speech, exiting Department of Homeland Security Secretary Janet Napolitano warned that the United States faces “a major cyber-event that will have a serious effect on our lives, our economy and the everyday functioning of our society.” Many experts worry that this looming cyber-attack could target the nation’s power grid.
A massive cyber-attack on the nation’s grid has been a top concern among those working in the industry for years. Experts have said that a sophisticated assault targeting electrical lines or power plants could wreak havoc far and wide, and effectively shut down the government and economy.
The question isn’t if an attack will happen, but rather when, said Doug Myers, the chief information officer for Pepco Holdings Inc., an electrical company that serves parts of the Mid-Atlantic region.
“Utilities think about natural disasters as when, not if, and we think about the threat of a cyber-event in the same manner. However, there are several key differences between a hurricane, for example, and a cyber-event,” said Myers. “A hurricane comes with some degree of warning. Utilities typically begin their preparatory work days in advance … [but] cyber-attacks are not expected.”
While the electrical grid is vulnerable, industry has an opportunity to blaze trails in cybersecurity, said retired Air Force Gen. Michael Hayden, former director of both the CIA and National Security Agency.
The electric industry is one of the best places to test out new defenses, Hayden said in August at the Bipartisan Policy Center, a Washington, D.C.-based think tank.
“The electrical industry might actually be the trailbreakers here,” said Hayden.
Utilities may be able to establish a precedence in the cyberdomain that would not only help it better defend its networks, but open the doors for better relationships between the private sector and the government, Hayden said.
Electric companies do not deal with as much private information as the financial sector — another major hacker target, Hayden said. They can therefore be more aggressive in seeking threats and can more easily share information with other companies and the government without serious repercussions.
There is an ongoing debate about how much personal information the government can look at. From the Edward Snowden scandal to the snooping on private Gmail accounts, the country as a whole has not yet decided how much power it wants to give the government.
Until U.S. citizens embrace spying by the government — which is for the common good and safely collected — the United States will have one of the most unprotected networks in the world for the foreseeable future, he said.
“I’m willing to accept the proposition that the United States of America will forever have one of the least well-defended networks on this planet,” said Hayden. “We as a people have not yet created a consensus as to what it is we want our government to do … or what we’ll let our government do.”
While Congress and the American public wring their hands over government intrusions, the threat is growing.
The United States faces cyber-attacks from three types of “sinners,” Hayden said.
Countries such as Iran or China might launch attacks. In 2012, Iran allegedly destroyed 30,000 computers belonging to Saudi Aramco, the state-run Saudi Arabian oil and gasoline company. But, while intrusions could be sophisticated and damaging, governments can be held accountable, and in that way are less of a threat, Hayden said.
Criminal gang syndicates, while dangerous, usually are after money and can be bought off, if necessary, Hayden said.
The most worrisome actor is the hacktivist, Hayden said. Hacktivists can be unpredictable and their motivations are often unclear. Notorious hacker groups such as Anonymous or LulzSec fall into this category. They are also becoming more sophisticated, Hayden said.
“As time goes on, we’re going to see this group down here [hacktivists] — whose demands are actually hard to define, whose demands may be unsatisfiable — begin to acquire the capacities that we now associate with nation states,” said Hayden. “This is going to get worse before it gets better.”
In response to increasingly frequent and dangerous attacks, companies in the private sector have called on the government to implement federal cybersecurity measures.
One of the largest efforts was the Cyber Intelligence Sharing and Protection Act of 2011. Critics claimed that CISPA could erode civil liberties, while proponents said it could help identify cyber-attacks. CISPA cleared the House of Representatives, but failed to pass the Senate in 2012. The act was reintroduced in Congress in 2013 but has since stalled.
In February, President Barack Obama released an executive order that aims to improve cybersecurity within critical infrastructure. The measure puts a premium on information sharing, and encourages the private sector to reach out to the government and share details about attacks. It also seeks to create a set of best practices while at the same time balancing privacy.
The order stated that securing critical infrastructure — like the electrical grid — is imperative.
“The cyberthreat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the nation’s critical infrastructure in the face of such threats,” said Obama.
While Obama said he would veto CISPA in the spring, the administration is in full support of creating federal legislation to combat threats, said Andy Ozment, senior director for cybersecurity for the White House’s national security staff.
While passing anything this congressional session would be tough, the White House is optimistic that it can happen, he said.
Cybersecurity, and protecting critical infrastructure in particular, is one of the priorities of the administration, said Ozment.
Electric companies are on the front lines, he said. “The executive order is one very clear example of what we’re doing in that space, and you can see we’re focusing on the standards to be developed under the cybersecurity framework … and information sharing in particular.”
As cyber-attacks have increased, energy companies realize they are prime targets.
It is critical that electric companies treat cyber-attacks as seriously as they do natural disasters, said Chris Peters, vice president for critical infrastructure protection at Entergy, a utility that serves nearly 3 million customers in Texas, Arkansas, Louisiana and Mississippi.
“We have to treat cyberthreats with the same respect that we give to forces of nature that impact our grid — hurricanes, floods, ice [and] storms,” said Peters. “They impact our grid throughout the year, and we are organized, [we] deal with those threats, [we] are strategic about how we respond.”
Electric companies need to make the proper investments in cybersecurity, he said. CEOs and board members also need to practice a top-down approach when discussing the importance of cybersecurity.
“These cyberthreats are part of our risk profile, we have to fund it, we have to staff it and we have to be prepared to respond as necessary,” said Peters.
Paul Stockton, the managing director for Sonecon, a Washington, D.C.-based economic advisory and analysis firm, and former assistant secretary of defense for homeland defense and America’s security affairs, said that lessons need to be drawn from Hurricane Sandy, which pummeled parts of the East Coast last October with flooding and powerful winds. The storm caused billions of dollars in damage and left millions without power for weeks.
When the electrical grid goes down, it’s not just power that goes out. It creates a domino effect that shuts down other essential services such as hospitals and can have major ramifications for public health, he said.
Federal legislation is one way to help better secure the grid, said Myers.
He asserted that it would better to have just one federal entity regulating cybersecurity, opposed to 51 separate regulatory commissions. The actions, or inaction, of just one state could have a cascading effect on a number of different power grids, he said. He pointed to the blackout of 2003, where mistakes made by one Ohio company following a small power outage caused grids in the Northeast and parts of Canada to shut down.
Scott Saunders, information security officer for the Sacramento Municipal Utility District in California, said since the executive order came out in February, he has seen an increase in information sharing in the industry, which is critical to stopping the threat.
“We cannot underscore that electricity would be a significant target by those intent on disrupting our national security and American way of life. Electricity underpins the capability of everything we do and every other critical infrastructure,” said Saunders.
He said implementing universal best practice procedures would be useful and that electric company employees need to use better practices to help curb potential intrusions.
While federal regulation would be wise, he stressed it should not bog companies down with excessive red tape.
“One size does not fit all. We need to be mindful that overly burdensome regulatory regimes can threaten our ability to respond to emerging threats and create complexity where it’s not needed and where it does not add value,” said Saunders.