CYBEREYE

Securing the grid is crucial, but Chicken Little claims don’t help

The electric power grid is among the most important of the nation’s critical infrastructure, and billions of dollars are being invested to create an interoperable Smart Grid with two-way communications and power flow that could increase both its resilience and its vulnerability.

Securing this evolving infrastructure is important, and to do it  we need to think realistically about its vulnerabilities and not rely on hyperbole about threats.

Anyone who suffered recently in triple-digit temperatures without electricity knows just how important power is and how vulnerable the system can be. But despite these weaknesses, the grid is also surprisingly resilient. As government struggles to define its role in protecting the nation’s critical infrastructure, it is increasingly important to understand just what are the grid's real strengths and weaknesses.


Related coverage:

NIST fills some gaps in smart-grid standards


In a commentary written in April, Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine), Jay Rockefeller (D-W.Va.) and Dianne Feinstein (D-Calif.) sounded a traditional warning.

“In the digital era, a few computer keystrokes from anywhere in the world could devastate the operations of our critical infrastructure — electric grids, water delivery systems and transportation, finance and communications networks,” they wrote. “An attack like that could cause widespread chaos, even death, and could be a preface to a wider assault on our national security.”

Systems already are being infiltrated in preparation for attacks, they wrote, and “national defense leaders . . . agree that the cyber networks of the nation’s critical infrastructure are sitting ducks for the pernicious acts of criminals, hostile foreign powers, hackers and terrorists.”

Well, not exactly. Although the threats and the need to protect against them are real, it would take more than a few keystrokes from a hacker’s laptop to do serious damage. According to the U.S. Cyber Consequences Unit, an independent research institute that studies the realities of threats, the problems that are most likely to cause widespread outages are often the ones that can be most quickly fixed. Serious damage to the core infrastructure is much more difficult to pull off.

“The sorts of cyber attacks that are easy to do would simply trigger breakers, causing only brief outages,” said Scott Borg, director of the Cyber Consequences Unit. “These would be less destructive than many storm outages.”

Borg said utilities respond well to power outages caused by weather. They have plenty of experience, they cooperate with each other, and the components being repaired and replaced are relatively easy to work with.

Attacks against physical components at the core of the grid — the generators, large transformers and cross-country transmission lines — would be much more destructive but also more difficult to carry out.

“Highly sophisticated cyberattacks, prepared by considerable numbers of highly skilled experts, could cause damage that would make the worst storm damage seem trivial,” Borg said. “This is because such attacks could physically destroy large quantities of large, hard-to-replace equipment. The consequences of this could be almost unbelievably bad.”

Those are the threats officials need to worry about and defend against at the national level. Because of their complexity (think Stuxnet: A multi-national, multi-year, multi-million dollar effort to take out key pieces of hardware in a single plant), traditional human intelligence operations will be just as important in detecting and blocking these efforts as advanced cyber monitoring.

At the same time, industry will have to be responsible for monitoring its own networks to identify and respond to threats big and small. The balance of responsibilities and authorities should be worked out with a serious eye on the real threat landscape, not hyperbole.

Reader Comments

Fri, Aug 3, 2012

If utilities were paid only for what they delivered and fined for when they could not, then there would be a market caused increase in resilence. Public utility commissions shield the company from punishing market forces. See for example, PEPCO.

Fri, Aug 3, 2012 J. Smith

The respected members of Congress and Senate sound a bit like the red scare mongers of the 50's and 60's. They hyperbolize to the point of silliness. Their apparent ignorance is almost willful, and seeks votes, not support for real infrastructure security. Our infrastructure is vulnerable, but as recently proven by a single-minded woman, sometimes all that's needed are some wire cutters. What's more of a threat, a power grid based on self-serving risk analyses and higher profit margins with physical protection provided by minimum wage mall cops, or imaginary zombie programmers? Maybe the latter is real, but we seem to shoot ourselves in the foot more often than anyone taking intentional aim.

Fri, Aug 3, 2012

It seems to me that a much more real risk would be that of a coordinated physical attack on the tens of thousands of miles of high voltage transmission lines.

Fri, Aug 3, 2012 Kristina NoVA

Can you comment on the risk of an Electro Magnetic Pulse attack on our grid.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above