Two years ago Iranian hackers infiltrated the control system of the Bowman Avenue Dam, a small structure used for flood control in Rye, N.Y., about 20 miles from New York City. The hackers never took control of the dam, and no damage was done, but U.S. officials say the incident highlighted the vulnerability of a sprawling U.S. infrastructure of dams, pipelines, drawbridges and electric transmission lines, according to the Wall Street Journal.
The timing of that story couldn’t be better for Ted Koppel, author of the newly published book, “Lights Out: a Cyberattack, a Nation Unprepared, and Surviving the Aftermath.”
Koppel’s terrifying thesis is simply stated in a series of propositions:
- Russia and China most likely have already infiltrated our electric grid, Iran is striving to do so, and terrorist organizations aspire to do so.
- While the electric power industry maintains that the electric grid is resilient enough to avoid catastrophic blackouts, a growing chorus of national security experts argue that the grid is vulnerable to cyber-sabotage. While parts of the system may be secure, no chain is stronger than its weakest link, and there are lots of weak links.
- Cyber-sabotage could lead to a system-wide blackout in any or all of North America’s three grids (eastern, western and Texas) that could take months to repair. Neither the federal nor state governments are remotely prepared to respond to a disaster of this magnitude.
- Contemporary American society is so totally dependent upon electricity that the country would face economic collapse, civil unrest and mass starvation. Think Mad Max. Mortality rates could run as high as 90%.
- The Mormons will inherit the earth — or at least North America. The Mormon Church appears to be the only organized entity in the country to have stockpiled sufficient supplies of food and survival tools to survive a year-long “lights out” scenario.
While Koppel quotes a host of experts in government and the private sector who worry about U.S. vulnerability to cyber-attack, it is worth bearing in mind that consultants and government officials thrive on alarm. The more agitated the public is about the cyber-security threat, the greater the funds that will be thrown their way. I take their warnings with a grain of salt.
Still, the revelation of the Bowman Avenue Dam incident drives home one of Koppel’s main points: that Iran has been actively probing our grid. Maybe his thesis isn’t so alarmist after all.
The United States made a strategic decision years ago to prioritize cyber-offense over cyber-defense. Supposedly, we have the best cyber warriors in the world, and we can take down the infrastructure of any advanced society. Russia and China might be able to knock out our electric grid, but we could knock out theirs. We’re locked in a Mutually Assured Destruction scenario. But Iran? Who can predict the actions of a country ruled by mullahs in the grip of an end-of-times eschatology? If the enemy thinks that the mahdi is coming with the power of god to purge the world of evil and presage the day of judgment, Mutually Assured Destruction may not be much of a deterrent.
Whether you think the odds are 50-50 that catastrophic blackouts could occur, or one in ten, or one in a hundred, the potential consequences are every bit as cataclysmic as those of runaway climate change. But the issue hasn’t gotten a sliver of the attention that climate change has. As the nation embarks upon a massive re-engineering of the electric grid under the Clean Power Plan to reduce carbon-dioxide emissions, will the grid be more secure or less secure from cyber-assault as a result? Is anyone even asking that question?
So, what are we doing here in Virginia?
AEP, parent company of Appalachian Power Company, details its cyber-security initiatives here. The company works within the framework established by the North American Electric Reliability Council (NERC) to protect grid reliability, including the Critical Infrastructure Protection cybersecurity standards to be rolled out in 2016, and it participates in a variety of industry-government groups that share information.
Last month, AEP participated in the GridEx III exercise, sponsored by NERC, which brought together more than 200 organizations across North America. GridEx, the company says, “is the largest, most comprehensive effort addressing security by the electricity industry to date and serves as an example of the commitment of stakeholders to continuously improve physical security and cybersecurity defenses.” Findings from the exercise, which simulated cyberattacks in coordination with physical attacks, combined with trucks and shootings to create enduring damage, will be released in January.
Dominion’s web page on cyber-security states that the company continually monitors and periodically audits its operations. “Dominion cyber security experts regularly communicate with government agencies, law enforcement and intelligence organizations and industry peers to assess threats and align the company’s security posture with regulatory requirements and evolving digital technologies.”
In April, Governor Terry McAuliffe announced that Virginia was the first state to set up an Information Sharing and Analysis Organization, or ISAO, “a collaboration that is designed to facilitate the collection and analysis of critical infrastructure information in order to help stakeholders better understand and combat security risks.”
However, Koppel quotes General Keith Alexander, retired director of the National Security Agency (NSA) and now CEO of IronNet Cybersecurity, as saying that the electric grid is more vulnerable than it used to be. New interconnections create new pathways for cyber attacks to travel.
“Your small and medium-sized companies cannot afford a world-class cyber threat team,” he told Koppel. Bringing down small companies in the right order could initiate a domino-like “cascade effect” which could compromise the systems of the larger companies, threatening the entire network.
(This article first ran in Bacon’s Rebellion on December 22, 2015)