Imagine if during the recent polar vortex cold spell, when large sections of the nation’s power grid were already operating under severe duress, a cyberattack was launched that shut off power.
Today, many bad actors are plotting and capable of such destruction. And it will take a concerted push by utilities, utility regulators and the national security community to thwart these acts.
Dan Coats, director of national intelligence, was clear about these dangers in a Jan. 29 report and related testimony to the Senate Select Committee on Intelligence.
“China has the ability to launch cyber attacks that cause localized, temporary disruptive effects on critical infrastructure — such as disruption of a natural gas pipeline for days to weeks — in the United States,” he said.
Coats also said, “Russia has the ability to execute cyber attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure — such as disrupting an electrical distribution network for at least a few hours.”
In November, Energy Secretary Rick Perry was even more blunt about the pending dangers, saying, “The threat of cyberattacks is growing, it’s metastasizing. The warning lights are blinking, and they’re blinking red.”
Energy industry leaders agree with Perry and Coats. According to a KPMG Survey released in November, nearly half the chief executive officers of power and utility companies believe a cyberattack on their business is a question of “when” and not “if."
Much of the electric grid is now run via the internet. The vast number of electronic devices, switches and circuit breakers that regulate the grid and ensure that it operates reliably and efficiently also present a big challenge. Hackers are looking for the weakest links in the complex chain that is America’s electric grid.
Power outages are not merely inconveniences. They are public safety crises. The elderly and the sick are especially vulnerable, unable to find medicines in the dark or to sufficiently heat or cool their homes. A study by Johns Hopkins found that the Northeast blackout of 2003, where 50 million lost power, caused 87 deaths.
Cyberattacks will also be quite costly. A 2015 report from the University of Cambridge and Lloyd’s of London found that a targeted cyberattack would cost the economy between $243 billion and $1 trillion, resulting from “direct damage to assets and infrastructure, decline in sales revenue to electricity supply companies, loss of sales revenue to business and disruption to the supply chain.”
To address the multiple, complex and ever-changing cyberattack threats, government and industry must somehow work together seamlessly. There have been some encouraging developments in this regard recently.
- National Cyber Security Strategy: In September the White House released a National Cyber Strategy, the first of its kind in 15 years, to clarify the roles and responsibilities of federal agencies.
- Simulated exercises: In October and November, the Department of Energy conducted Liberty Eclipse, which looked at coping with a cyberattack after a severe blackout. This builds on widescale tests involving 450 organizations already being undertaken by the North American Electric Reliability Corporation.
- Expanded information sharing: It is imperative that utilities share information with one another so that all can be ready to thwart attacks. The Edison Electric Institute has consistently pushed for world-class cyber information sharing.
The challenges in protecting the grid will grow, particularly as more technology is implemented to control power remotely and manage other aspects of electricity generation and distribution. It will require vigilance by local utilities, information sharing, national cooperation and relentless monitoring of our enemies.
Perhaps most important, it will require policymakers and the public to demand thorough and excellent protection. Complacency, and a catastrophic cyberattack on the grid, must simply not happen.