This is the “nightmare scenario” that lawmakers have been warning you about. Stores are closed. Cell service is failing. Broadband Internet is gone. Hospitals are operating on generators, but rapidly running out of fuel. Garbage is rotting in the streets, and clean water is scarce as people boil water stored in bathtubs to stop the spread of bacteria. And escape? There is none, because planes can’t fly, trains can’t run, and gas stations can’t pump fuel.
The threat of an attack on the nation’s power grid is all too real for the network security professionals who labor every day to keep the country safe. “In order to restore civilized society, the power has got to be back on,” said Scott Aaronson, who oversees the Electricity Subsector Coordinating Council (ESCC), an industry-government emergency response program.
While cybersecurity experts and industry executives describe such warnings as alarmist, intelligence officials say people underestimate how destructive a power outage can be. The most damaging kind of attack, specialists say, would be carefully coordinated to strike multiple power stations. If hackers were to knock out 100 strategically chosen generators in the Northeast, for example, the damaged power grid would quickly overload, causing a cascade of secondary outages across multiple states. While some areas could recover quickly, others might be without power for weeks.
The scenario isn’t completely hypothetical. Lawmakers and government officials got a preview in 2003, when a blackout spread from the coastal Northeast into the Midwest and Canada. “If you think of how crippled our region is when we lose power for just a couple of days, the implications of a deliberate widespread attack on the power grid for the East Coast, say, would cause devastation,” said Sen. Susan Collins (R-Maine). Researchers have run the numbers on an East Coast blackout, with sobering results. A prolonged outage across 15 states and Washington, D.C., according to the University of Cambridge and insurer Lloyd’s of London, would leave 93 million people in darkness, cost the economy hundreds of millions of dollars and cause a surge in fatalities at hospitals.
The geopolitical fallout could be even worse. “If [a major cyberattack] happens, that’s a major act of war, bombs are starting to fall,” said Cris Thomas, a well-known hacker who is now a strategist at security firm Tenable. A former senior intelligence official who spoke to The Hill echoed that assessment. The specter of a catastrophic attack on the electrical grid looms large for utilities and the federal government. They all agree that a “cyber Pearl Harbor” would be a deliberate attack, most likely from a foreign adversary. “It’s an act of war, not an act of God,” Aaronson said.
One of the most fearful aspects of a cyberattack is that they can be difficult to spot, even when they are happening.
At first, power providers may only notice a cascade of overloaded transmission lines failing in rapid succession — something that happened during the 2003 blackout, which was caused by an ordinary software bug. A major attack would trigger a series of actions laid out in an ESCC playbook, and even for regional blackouts, energy companies would begin communicating instantly.
Given all the preparations, it would seem that the U.S. has a rapid response plan ready to go in the event of any power grid hack. But according to numerous cybersecurity experts, companies are mostly basing their preparations on the few case studies they’ve seen, creating the potential for gaps. “I’ve spoken to CEOs and utilities about this problem,” Homeland Security Secretary Jeh Johnson said at a congressional hearing in March. “There’s clearly more to do.”
Last December, electric companies got their first look at what a blackout caused by hackers might look like.
In a coordinated assault, suspected Russian hackers penetrated Ukraine’s power grid, knocking out electricity for 225,000 people. The hackers flooded the customer service center with calls, causing technical difficulties and slowing the response.
“That isn’t the last we’re going to see of that,” National Security Agency Director Adm. Michael Rogers said recently. “And that worries me.”
Hackers already target the energy sector more than any other part of U.S. critical infrastructure, according to the most recent government report. There are more reported cyber incidents in the energy industry than in healthcare, finance, transportation, water and communications combined — and those are just the intrusion attempts that get noticed and reported. Probing the power grid for digital vulnerabilities — which China, Russia and Iran do routinely — is now considered a standard part of intelligence gathering. But those countries are careful not to disrupt economic and diplomatic relations with the U.S. No such constraints exist for rogue nations like North Korea and terrorist groups like the Islamic State in Iraq and Syria (ISIS).
Source: By Katie Bo Williams and Cory Bennett, The Hill website