Monday, August 15, 2016

A look at the power grid threat....

I have a love-hate relationship with Foreign Policy Magazine. Much of it is leftist drivel, but often they hit it out of the park. An interesting look at cyberterrorism against our power grid.
The Threat to America’s Electrical Grid Is Much Bigger Than You Can Possibly Imagine

Greetings from the front. The cyberwar continues. Our operatives continue to hit infrastructure targets around the globe. In June alone we conducted 44 ops, hitting targets in 26 U.S. states and six countries total. Each operation impacted as many as 15,000 people and lasted for up to four and a half hours. Of course that’s just our unclassified operations; the actual number of power outages our operatives have caused is 10 times that number.

As we continue to wreak havoc on your electric infrastructure, your policymakers and cyberwar hawks are rattling sabers, worried about online attacks from nation-states, completely ignoring the threats that successfully target your power grid every day. The Washington Post, Forbes, USA Today, and even the esteemed Ted Koppel talk about “cybergeddon,” trillion-dollar risks, and when — not if — a massive cyberattack on the U.S. electric power grid will occur. Even President Obama is worried. In the meantime, we quietly go about our work, disrupting power generation and transmission across the globe.

To date there has been exactly one, just one, power outage that can be attributed to some sort of cyberattack by a nation-state. Last December, someone (many people say directed by the Russian government, but there really isn’t enough evidence to support that accusation) hit up to six different power companies in Ukraine with a coordinated malware and DDoS attack. This definitely wasn’t a random lone hacker in a basement; this took months of planning and coordinated effort. It sounds scary but the outages only lasted a few hours and affected around 80,000 residences. We have caused far bigger and longer outages all by ourselves.

We are everywhere, and yet almost impossible to find. There are other events that have impacted critical infrastructure: a water pump failure in Illinois, power outages in Brazil, a pipeline explosion in Turkey, a cyberattack on a dam in New York; even a blast furnace in a German steel plant was supposedly put into an uncontrolled shutdown from a cyberattack. In each case, the initial cause for the failure was blamed on cyberattacks — but in each case, once the evidence was actually examined, hackers were nowhere to be found. Still, that lack of evidence hasn’t stopped the cyberwar hawks from pointing to these analog events as examples of the coming digital doom.

When that doesn’t work, the threatmongers and profiteers point to previous widespread blackouts, known as “black swan” events because of their rarity, such as the Northeast blackout of 2003 or the Southwest blackout of 2011. In both cases, a string of unlikely events occurred, including human error, before the lights went out. In both cases, most of the power was restored in just a few hours. There were no riots, no financial meltdowns, and democracy continued unabated.

Then there’s what we affectionately call the “nine substation problem.” After a bunch of armed assailants opened fire on a substation outside of Metcalf, California, in 2013, the Federal Energy Regulatory Commission (FERC) conducted a study of the national power grid and found that if just nine substations were attacked in a similar manner as the one in Metcalf, the entire United States would be without power for over 18 months. Are you freaked out yet?

Good. But the problem is: This scenario is extremely unlikely. First, that FERC study only looked at physical damage to the transformers, which are usually custom-built for each location, and are only manufactured by a few companies — meaning a substation could take months to replace. Second, the study only looked at physical damage, which in the event of a cyberattack is extremely unlikely. But still, the prophets of doom ask, what if hackers had guns? Didn’t you see Skyfall?!

No, we didn’t. We’re squirrels.

Look, even for our billion-strong army of small rodents — in the United States alone — the “attack surface” for the U.S. electric grid is absolutely huge. There are over 7,000 power plants in the United States run by over 3,000 companies. There are over 55,000 substations and over 450,000 miles of high-voltage transmission lines. We squirrels have a hard enough time trying to take out small sections of it, let alone nine substations at once. Anyone attempting to conduct a major coordinated effort to turn out power over a large region for a long period of time is going to find it a rather difficult task.

Not that we’re not trying. As of July of this year we squirrels (and our fellow animal operatives) have conducted over 1,400 unclassified operations that have resulted in an aggregate of more than 67 days without power, affecting over 3.6 million people. That works out to the entire population of the state of Connecticut losing electricity for more than two months. And remember: Our unclassified ops are just a fraction of the total. On average, we cause dozens of outages every day impacting about 5,000 people each for around two hours. Compare that with the number of outages caused by cyberattack, which in the United States is exactly zero...

I will not dismiss this threat out of hand, like the author seems to here. A paper I did in my master's program covered how many control programs for electrical generation, dam operation and other heavy industry systems were standardized to a Windows or Linux base in the early 1990s. While this makes the systems more functional and user-friendly, they are now Internet connected and our enemies have more ways to infect them.

In one source, the Department of Energy used 30 lines of code uploaded to the control program of an industrial diesel generator. Within three minutes, the generator was destroyed. The programs cut off the lubrication of the engine and the rest is history.

An interesting read, all in all.
