Stores are closed. Cell service is failing. Broadband Internet is gone.
Hospitals are operating on generators, but rapidly running out of fuel.
Garbage is rotting in the streets, and clean water is scarce as people boil water stored in bathtubs to stop the spread of bacteria.
And escape? There is none, because planes can’t fly, trains can’t run, and gas stations can’t pump fuel.
This is the “nightmare scenario” that lawmakers have been warning you about.
The threat of an attack on the nation’s power grid is all too real for the network security professionals who labor every day to keep the country safe.
“In order to restore civilized society, the power has got to be back on,” said Scott Aaronson, who oversees the Electricity Subsector Coordinating Council (ESCC), an industry-government emergency response program.
While cybersecurity experts and industry executives describe such warnings as alarmist, intelligence officials say people underestimate how destructive a power outage can be.
The most damaging kind of attack, specialists say, would be carefully coordinated to strike multiple power stations.
If hackers were to knock out 100 strategically chosen generators in the Northeast, for example, the damaged power grid would quickly overload, causing a cascade of secondary outages across multiple states. While some areas could recover quickly, others might be without power for weeks.
The scenario isn’t completely hypothetical. Lawmakers and government officials got a preview in 2003, when a blackout spread from the coastal Northeast into the Midwest and Canada.
“If you think of how crippled our region is when we lose power for just a couple of days, the implications of a deliberate widespread attack on the power grid for the East Coast, say, would cause devastation,” said Sen. Susan Collins (R-Maine).
Researchers have run the numbers on an East Coast blackout, with sobering results.
A prolonged outage across 15 states and Washington, D.C., according to the University of Cambridge and insurer Lloyd’s of London, would leave 93 million people in darkness, cost the economy hundreds of millions of dollars and cause a surge in fatalities at hospitals.
The geopolitical fallout could be even worse.
“If [a major cyberattack] happens, that’s a major act of war, bombs are starting to fall,” said Cris Thomas, a well-known hacker who is now a strategist at security firm Tenable.
A former senior intelligence official who spoke to The Hill echoed that assessment.
The specter of a catastrophic attack on the electrical grid looms large for utilities and the federal government. They all agree that a “cyber Pearl Harbor” would be a deliberate attack, most likely from a foreign adversary.
“It’s an act of war, not an act of God,” Aaronson said.
One of the most frightening aspects of cyberattacks is that they can be difficult to spot, even while they are happening.
At first, power providers may only notice a cascade of overloaded transmission lines failing in rapid succession — something that happened during the 2003 blackout, which was caused by an ordinary software bug.
A major attack would trigger a series of actions laid out in an ESCC playbook, and even for regional blackouts, energy companies would begin communicating instantly.
After a recent blackout at Washington, D.C.’s biggest electricity provider, “Immediately, I called a guy at Pepco and just said, ‘Hey, what’s going on?’” recalled Tom Fanning, who heads the country’s fourth largest utility, Southern Company, during an industry conference in March.
One of the things the industry has done to prepare for attacks is to set aside “clean” replacement equipment, like transformers, that could be deployed in an emergency. Transformers can be the size of school buses, but industry officials say they can be moved quickly and easily.
The energy sector for years has also had a mutual assistance program that kicks in during major power disruptions. Providers in unaffected areas send crews to places that have been crippled by a big storm, accelerating the work to restore power.
The assistance program could prove difficult to carry out during a cyberattack, however.
“If I’m sitting in Columbus, Ohio, and I know there’s a storm in Maryland, I’m not worried about sending my resources to Maryland,” said Stan Partlow, chief security officer at American Electric Power. “We’re pretty confident when we let those crews go that we’re not in trouble. On the cyber side, if I’ve sent my resources somewhere else and I’m next on the list…”
If the power grid were attacked, government workers would be scrambling at a command center in Arlington, Va.
The National Cybersecurity and Communications Integration Center (NCCIC) is part of the Department of Homeland Security. In the last six years, it has emerged as a hub for all the cyber information the government collects and analyzes.
Inside the complex, government employees and representatives from critical infrastructure industries monitor cyber activity around the clock. The NCCIC floor is lined with wall-sized screens and filled with rows of computer monitors.
The electricity industry’s main nonprofit regulatory body, the North American Electric Reliability Corporation (NERC), has a representative on the NCCIC floor every day.
If large swaths of the power grid went down, the government would tap the NERC representative to serve as a go-between to the industry as it sought to identify malicious software as quickly as possible.
After identifying the software, the government could help develop tools to boot out the hackers and eradicate lingering security flaws.
The NCCIC can also deploy “fly away teams” to utilities during a cyberattack. Those units can collect samples of malware causing outages and help mitigate network damage.
Over at the FBI, agents have been trained to assist with cyber investigations. If an attack occurred, their job would be to figure out the culprit.
“That’s really where they make their bones in this space,” said Austin Berglas, a former head of the FBI’s New York Cyber Branch and a lead investigator into last fall’s data breach at JPMorgan Chase.
Given all the preparations, it would seem that the U.S. has a rapid response plan ready to go in the event of any power grid hack.
But according to numerous cybersecurity experts, companies are mostly basing their preparations on the few case studies they’ve seen, creating the potential for gaps.
“I’ve spoken to CEOs and utilities about this problem,” Homeland Security Secretary Jeh Johnson said at a congressional hearing in March. “There’s clearly more to do.”
Last December, electric companies got their first look at what a blackout caused by hackers might look like.
In a coordinated assault, suspected Russian hackers penetrated Ukraine’s power grid, knocking out electricity for 225,000 people. The hackers flooded the customer service center with calls, causing technical difficulties and slowing the response.
“That isn’t the last we’re going to see of that,” National Security Agency Director Adm. Michael Rogers said recently. “And that worries me.”
Hackers already target the energy sector more than any other part of U.S. critical infrastructure, according to the most recent government report. There are more reported cyber incidents in the energy industry than in healthcare, finance, transportation, water and communications combined — and those are just the intrusion attempts that get noticed and reported.
Probing the power grid for digital vulnerabilities — which China, Russia and Iran do routinely — is now considered a standard part of intelligence gathering.
But those countries are careful not to disrupt economic and diplomatic relations with the U.S. No such constraints exist for rogue nations like North Korea and terrorist groups like the Islamic State in Iraq and Syria (ISIS).
“I believe that right now in Raqqa they’re working hard on trying to orchestrate cyberattacks [on the power grid], just as they are working hard on trying to develop weapons to be used,” said Sen. John McCain (R-Ariz.), who chairs the Armed Services Committee, referring to the Syrian city ISIS has claimed as its home base.
The grid is like a single, sprawling machine made up of thousands of discrete operating units — a soft target, but a diffuse one, with redundancies built in. Turning the lights off would require the ability to strategically and simultaneously activate many pieces of malware in separate locations.
“Right now the people who could do it, won’t — nation-states — and the people who want to, can’t,” Aaronson said.