| |
One of the newest emerging threats to the United States is a cyber attack against our critical infrastructure. This is occasionally brought to the forefront of the news by stories like the Sony hacking attack by North Korea in 2014. What is surprising, though, is the lack of media attention on the likelihood of enemy nations taking down our entire electric grid and other critical infrastructure through cyber warfare. It is truly amazing when you research this, how our government is absolutely unprepared for, and I could say completely unable to stop, an attack against our electric grid and other critical infrastructure. Why are energy companies so vulnerable? One reason is that these industrial systems rely on 1970s-era electric grid technology and it's not getting upgraded, because doing so would interrupt service.
Do you want to stress yourself out and stay up late with nightmares? Go to CSPAN.org and watch some of the congressional testimony to the House Select Intelligence Committee by the experts on our vulnerability to Cyber Attacks. You will go crazy wondering how the government is doing virtually nothing to combat this threat when the consequences could mean 9-18 months without electricity.
To understand our vulnerability to cyber attack, I would first point you to an obscure and largely unreported test of our electric grid by the Department of Homeland Security, code-named the “Aurora Project”. In 2007, the DHS (Department of Homeland Security) connected a diesel backup generator to an electrical substation (which is common for substations to have) and then attacked one of its control systems and breakers via the internet with an “out of phase” condition. In response, the generator started shaking and smoking and eventually tore itself apart and blew up (watch the video on my website). In response to the test, the Federal Energy Regulatory Commission (FERC) instructed utility companies to update them periodically for preparedness in combating an Aurora-style attack on their substation infrastructure. In an audit a year later, 23 of the 30 utility companies had failed to follow up and comply with FERC’s directive. The Department of Defense has recently tried to offer shielding equipment to the utility companies for free to defend against an Aurora-type attack. The problem with this, according to industry expert Joe Weiss, is that “they couldn’t give them to any of the utilities because any facility they put them in would become a ‘critical facility’ and the facility would be open to NERC-CIP audits.” In other words, none of the utility companies want to open themselves up to federal oversight even if they could get the shielding equipment for free.
To make matters worse, in response to a FOIA request to the Department of Homeland Security in regards to the unrelated “Operation Aurora” cyber attack against Google, the DHS accidently responded with the wrong information and released to the public over 800 pages of highly classified data regarding the secret “Aurora Project” and their testing of the electric grid. The documents revealed names and locations of substations that are completely vulnerable to attack and could help any “interested parties” better understand where to strike to have maximum efficiency in taking down our electric grid.
The one big thing about the Aurora test is that it only tested A SINGLE control system in an electric grid composed of thousands of vulnerable, un-protected control systems and SCADA (Supervisory Control and Data Acquisition) systems. Even if every utility company protected itself against the Aurora threat, there are thousands of other unprotected control systems and ways an educated and informed hacker could shut down the electric grid in the US. To date, the utility companies feel uncompelled to address the problem, so they basically ignore it.
Joe Weiss is the managing Director of Applied Control Solutions and is the foremost expert in control systems engineering and vulnerabilities. He testified before Congress that, “The long-term ramifications of such an attack would be severe: If electrical equipment were destroyed, power could be lost for six to nine months because the replacement gear would take so long to manufacture.”
As recently as Nov 20, 2014 (two weeks before the Sony cyber attack), the House Select Intelligence Committee held hearings on cybersecurity threats. One of the interviews was with Admiral Michael Rogers who is the Commander of US Cyber Command. He testified to some absolutely startling information about the likelihood of the US losing the electric grid in the near future. Unsurprisingly, it was barely covered by the main stream media.
While discussing the vulnerability of our control systems (commonly referred to as SCADA), he was asked if there are any hackers or nation states that currently have the ability to “flip the switch” and turn off our electric grid. Here is his response:
“There shouldn’t be any doubt in our minds that there are nation states and groups out there that have the capability to do that. To enter our industrial control systems and to shut down and forestall our ability to operate our basic infrastructure: whether it’s generating power across this nation, whether it’s moving water or fuel... Once you’re into the system, it enables you to do things like, If I want to tell power turbine systems to go offline and stop generating power, you can do that. If you wanted to segment the transmission systems so that you couldn’t distribute the power that was coming out of power stations, this enables you to do that. It enables you to shut down very segmented, very tailored parts of our infrastructure that forestall the ability to provide those services to us as citizens... I think the industrial control systems and SCADA piece are big growth areas of vulnerability and action that we are going to see IN THE COMING TWELVE MONTHS and it’s among the things that concern me the most, cause this would be truly destructive.”
Admiral Rogers was then asked by the ranking member of the Congressional Intelligence Committee, Rep. Dutch Ruppersberger, about a recent report by technology experts that predicted a catastrophic cyber attack before 2025 that would cause significant loss of life and property. Rep. Ruppersberger asked if he shared this view along with the industry experts, and without even a second of hesitation, Admiral Rogers responded, “I do.” He later said, “We see multiple nation states and in some cases, individuals and groups that have the capability to engage in this behavior.... It is only the matter of when and not if we are going to see something traumatic." (The full interview is on my website).
Again, remember that this man is the COMMANDER of US Cyber Command and not just some conspiracy theorist. You are literally hearing it from the horse's mouth. I challenge you to do your own homework and watch the hour-long testimony yourself. If you don’t want to, I can sum up Admiral Roger’s testimony in a few short sentences. America’s critical infrastructure (including the electric grid) is completely vulnerable to attack by multiple enemy nations and groups who currently have the knowledge and ability to literally “flip the switch” on our electric grid at any time. It is his biggest fear as the Commander of US Cyber Command and he fears a traumatic attack in the near future which will result in massive loss of life and property. Woohoo! Bring it on!
If you don't want to believe Admiral Rodgers or someone from inside the government, then how about Summer Fowler? Fowler, who is Deputy Technical Director for Cybersecurity Solutions at CERT, the nation's first Computer Emergency Response Team at Carnegie Mellon University's Software Engineering Institute. She is the front lines of defense against a cyber attack and works hand in hand with the Defense Department, Pentagon Cybersecurity soldiers, Intelligence Directors, and huge corporations to act as a first response team to combat a cyber attack. When asked about a devastating computer attack that unplugs the power grid, empties bank accounts and results in massive loss of life, her response to me is unsettling. "Ultimately, it absolutely could happen,” Fowler said. “Yeah, that thought keeps me up at night, in terms of what portion of our critical infrastructure could be really brought to its knees."
According to an article from CNN Money, there were 79 significant cyber hacking incidents against energy companies investigated by CERT in fiscal year 2014, alone. Between April 2013 and 2014, hackers managed to break into 37% of energy companies, according to a survey by ThreatTrack Security. Cybersecurity firm FireEye (FEYE) identified nearly 50 types of malware that specifically targeted energy companies in 2013 alone, according to its annual report. In March, TrustedSec discovered spy malware in the software that a major U.S. energy provider uses to operate dozens of turbines, controllers and other industrial machinery. It had been there for a year, all because one employee clicked on a bad link in an email. Be sure to watch the video from USA Today on the vulnerability of our critical infrastructure.
Or you could listen to the advice of the former Director of Counterintelligence for the CIA, Barry Royden, who spent 40 years in the CIA and believes that cyber terrorism is the next big threat to America. He says, "The trouble is, it’s extremely difficult, in fact, it’s impossible — everyone is connected to everyone, and as long as you’re connected you’re vulnerable. And there are firewalls, but every firewall is potentially defeatable, so it’s a nightmare in my mind. You have to think that other governments have the capability to bring down the main computer systems in this country, power grids, hospitals, or banking systems — things that could cause great economic upheaval and paralyze the country."
Also, even if you don't want to believe these experts and think they are just fear mongering, then why did the Defense Department recently announce nearly 1 billion dollars in upgrades they are working on at the previously decommissioned Cheyenne Mountain? Reports show that they are specifically trying to protect communications against an EMP attack or an attack on our electric grid which would take down communications for the rest of the civilian populations. Also please download and read the Congressional report to Congress "Cybersecurity Issues for the Bulk Power System" which was released on June 10, 2015. Don't read this report if you have your head in the sand and don’t want it firmly pulled out. There is no disputing the absolute threat of losing our electric grid from a cyber attack in the near future. Please watch the news report video on Cheyenne Mountain Upgrades.
If you want to see a pretty accurate portrayal of the aftermath of a cyber attack on our electric grid, I would highly recommend you watch National Geographic’s recent movie/documentary called “American Blackout”. While I personally feel this movie is a very accurate depiction of how fast society would fall apart, I do strongly disagree with the ending. First off, most experts agree that a cyber attack could take down the grid for 6-18 months. Although it is probably possible, I have yet to see a report showing less than 6 months. This movie depicts the power being restored after only ten days. Secondly, when the power has finally been restored, it paints a picture that things may get back to normal fairly quickly. I strongly disagree. Once society goes over the edge of American killing fellow American over a can of peaches, it doesn’t recover from that very quickly. It could take weeks or months to get an out-of-control populace functioning like normal again. But again, it is a pretty good movie and would be a great "ice-breaker" for someone to watch who has never considered what life would be like without the electric grid.
"Destroy nine interconnection substations and a transformer manufacturer and the entire United States grid would be down for at least 18 months, probably longer."
- Internal memo, Federal Energy Regulatory Commission