The nightmare is easy enough to imagine. Nefarious baddies sit in a dark room, illuminated by the green glow of a computer screen. Meanwhile, technicians watch in horror from somewhere in the Midwest as they lose control of their electrical systems. And, suddenly, hundreds of thousands, even millions of Americans are plunged into darkness.
That scene was evoked in recent weeks as federal security experts at the Department of Homeland Security warned that state-sponsored hackers have targeted more than American elections — they’re after the electric grid, too. They’ve gotten “to the point where they could have thrown switches,” a DHS official told The Wall Street Journal. Both DHS and the FBI have linked these attacks to Russia — which was already pinned as the culprit in two attacks that shut down power to hundreds of thousands of people in Ukraine two Decembers in a row, in 2015 and 2016. It’s all very urgent — a high-risk crisis that must be solved immediately.
But, surprisingly, some electrical system experts are thinking about it in a different way. Cyberattacks on the grid are a real risk, they told me. But the worst-case scenarios we’re imagining aren’t that likely. Nor is this a short-term crisis, with risks that can be permanently solved. Bringing down the grid is a lot harder than just flicking a switch, but the danger is real — and it may never go away.
Representatives from two nonprofit organizations — both of which play large roles in how the electric grid is regulated and maintained — said it is easier to imagine disaster scenarios than create one. “There’ve been some very sensational books out there about the grid going dark because someone’s got their finger ready over a mouse and everything is going to turn off at the same time,” said Bill Lawrence, vice president and chief security officer at the North American Electric Reliability Corporation, the regulatory authority that sets and enforces technological standards for utility companies across the continent. “The grid does not work that way.” Our electric infrastructure is chock-full of both redundancies and regional variations — two things that impede widespread sabotage.
That’s not to say that the grid isn’t under attack. Lawrence acknowledged that there is interest in “trying to hurt us from a distance.” But he emphasized there have not yet been any successful attacks — meaning hackers haven’t caused any blackouts.
They’ve been poking at our critical infrastructure for a long while. Incident reports published by the Industrial Control Systems Cyber Emergency Response Team — a division of Homeland Security that does training and responds to cyberattacks on critical infrastructure — suggest that electricity, oil and natural gas infrastructure have been routinely targeted for years. There are dozens of these attacks reported to ICS-CERT annually.
However, it would be difficult for these attacks to lead to wide-scale blackouts, according to Lawrence and Candace Suh-Lee, who leads a cybersecurity research team at the Electric Power Research Institute, a nonprofit research and development lab. And that’s true even if hackers do eventually succeed in taking control of some electric systems.
It helps that the North American electric grid is both diverse in its engineering and redundant in its design. For instance, the Ukrainian attacks are often cited as evidence that hundreds of thousands of Americans could suddenly find themselves in the dark because of hackers. But Lawrence considers the Ukrainian grid a lot easier to infiltrate than the North American one. That’s because Ukraine’s infrastructure is more homogeneous, the result of electrification happening under the standardizing eye of the former Soviet Union, he told me. The North American grid, in contrast, began as a patchwork of unconnected electric islands, each designed and built by companies that weren’t coordinating with one another. Even today, he said, the enforceable standards set by NERC don’t tell you exactly what to buy or how to build. “So taking down one utility and going right next door and doing the same thing to that neighboring utility would be an extremely difficult challenge,” he said.
Meanwhile, the electric grid already contains a lot of redundancies that are built in to prevent blackouts caused by common problems like broken tree limbs or heat waves — and those redundancies would also help to prevent a successful cyberattack from affecting a large number of people. Suh-Lee pointed to an August 2003 blackout that turned the lights off on 50 million people on the east coast of the U.S. and Canada. “When we analyzed it, there was about 17 different things lined up that went wrong. Then it happened,” she said. Hackers wouldn’t necessarily have control over all the things that would have to go wrong to create a blackout like that.
In contrast, Suh-Lee said, scenarios that sound like they should lead to major blackouts … haven’t. Take the 2013 Metcalf incident, where snipers physically attacked 17 electric transformers in Silicon Valley. Surrounding neighborhoods temporarily lost power, but despite huge energy demand in the region, “the big users weren’t even aware Metcalf had happened,” she said.
Difficult isn’t the same as impossible, Suh-Lee told me. Depending on where an attack happened and how people responded, you could get the stuff of our nightmares. Lawrence repeatedly invoked the phrase “knock on wood” as he talked about the possibility of infiltrations of electric infrastructure turning into real-world blackouts. That’s why there’s a lot of effort going into research, monitoring and preparation for cyberattacks. Lawrence’s team, for instance, is gearing up for an event that’s held every other year and is sort of like war games for the electric grid. And the Department of Energy is planning a similar event, focused on figuring out what it takes to reboot after a hacker-caused blackout.
But that preparation doesn’t mean we’ll eventually solve this problem, either, Suh-Lee said. If the chances of a cinematic disaster are low, the chances of a theatrical hero on a white horse riding in to save the day are even lower. Making the grid stronger and more resilient also means making it more digital — the work that’s being done to improve the infrastructure has also created new opportunities for hackers to break in. And the risk of attack is here to stay. Security improvements are “never going to completely eliminate the risk,” she said. “The risk is out there and people will find a new way to attack.” We’ll be living with cyber threats to the grid for the rest of our lives.
It’s not clear whether energy is the most attacked critical infrastructure, though, because, according to a 2016 report by the Idaho National Laboratory, reports of attacks are voluntary, and ICS-CERT has long had closer ties to energy than other industries. The result is that the energy industry probably reports more of its attacks than other critical infrastructure industries do.