
GlobalSecurity.org In the News




The Asbury Park Press February 01, 2012

An apocalyptic fantasy or an actual threat? How crippling would a cyberattack on the nation's power grid be?

By Ken Serrano

Power generators at a plant in New Jersey spin wildly out of control, then grind to a halt.

Other utilities step in to carry the extra load, but they, too, suffer internal malfunctions. Soon, cascading outages take out the power grid in the eastern half of the country – all carefully timed to happen in the dead of winter. Gas utilities are next.

But this isn’t like the week without power in parts of Central Jersey caused by downed limbs and trees felled by the freak October snowstorm. Power is out for much longer because the heavily damaged equipment is difficult to replace.

No heat, no running water, no toilets, no phones. Small generators die when fuel quickly runs dry. Hospitals, transportation, the banking system, the telecommunications grid – all down.

An apocalyptic fantasy or an actual threat? The prospect is something political and military leaders and security analysts have been raising alarms about for several years.

Former chairman of the Joint Chiefs of Staff Adm. Michael Mullen, who retired in September, said during his tenure that cyberattacks pose an “existential threat” to the United States.

While spies, cyberthieves and garden-variety hackers have caused untold economic loss to governmental agencies, companies and individuals by stealing information, the threat of a downed power grid and damage to other critical infrastructure presents a far greater risk, security analysts say.

Measures are under way to bolster security, but some analysts say they offer too little.

Yet not every expert buys the grim scenario of a downed electrical grid.

Safeguarding New Jersey

Responding to an FBI suggestion, the New Jersey Board of Public Utilities recently took steps to safeguard utilities in the state. It issued an order that took effect Jan. 13 in which the BPU directed New Jersey utilities under its authority – electric, gas and water – to outline what equipment and safety measures they have in place to monitor against cyberintrusions and to report any incidents.

“Generally this is very new and not many states are requiring this reporting,” said Greg Reinert, spokesman for the BPU.

Fines for failing to comply run only $100 a day, but Reinert said the BPU has broad authority “to require that utilities take specific actions to ensure reliability and security.”

The order is a small effort in an industry that experts say is fragmented in terms of regulation and faces little oversight when it comes to cybersecurity.

Municipal utilities in New Jersey, for instance, do not fall under the purview of the BPU, with the exception of some water utilities. In terms of cybersecurity, they are on their own.

PSEG, the only power producer with generators in New Jersey, is not under the BPU’s authority, either. It is regulated by the Federal Energy Regulatory Commission and the North American Electric Reliability Corp., an organization of U.S. electrical grid operators.

PSEG declined to go into any depth about its cybersecurity defenses, citing the need to keep those details from hackers.

A bill recently introduced in the Assembly, A4369, proposes a Cyber Security Bureau for the state Office of Homeland Security and Preparedness to identify vulnerabilities and deal with them.

An attack few can launch

Penetrating the power grid is not something the average high school hacker can pull off. It takes the resources of nation-states like China, already suspected of performing extensive reconnaissance on the critical infrastructure of the United States and other countries. The Chinese have complained that they are victims of the same. Messages sent to the Chinese Embassy in Washington in an attempt to reach a spokesman were not returned.

Security analysts warning about the danger of cyberattacks say the deterrent of military power or retaliatory cyberattacks holds our opponents at bay.

Still, modern civilization has entrusted itself to an invention - the Internet - that has been in wide public use for only 20 years. As the Internet continues to grow haphazardly, our exposure to its risks has skyrocketed.

“No one expected the Internet to become a critical global infrastructure, least of all the people who designed and built it,” James Lewis, senior fellow at the Center for Strategic and International Studies – a bipartisan, foreign policy think tank – told lawmakers in May. “The Internet is incredibly valuable, but it’s easy to attack.”

The grid – from power generators to regional organizations that transmit electricity to utilities that distribute it like JCP&L and GPU – has grown increasingly reliant on the Internet to communicate.

Hacking and warfare

There are three types of hackers:

    • Hobbyists who are like high-tech vandals.

    • Criminals who usually operate in organized crime groups and concentrate on scams and operations to pillage individuals and institutions.

    • Spies working on behalf of nation-states.

Along with espionage – the theft of classified documents, trade secrets and internal memos on planned negotiations – spies also commit acts of cyberwarfare, which are rare.

Terrorists do not currently have the capability to launch cyberattacks, meaning those that wreak large-scale havoc, said Lewis.

According to Lewis, there have been three cyberattacks in history:

    • The 2009 attack by the Stuxnet computer worm that destroyed Iranian centrifuges used to enrich uranium.

    • A blackout in Brazil – it is hotly contested whether a cyberattack was responsible.

    • Israel’s interference with Syrian air defenses during a raid on a nuclear facility there in September 2007.

He narrows the field of those probably able to inflict massive damage to critical infrastructure in cyberattacks to five or six nations.

But Lewis adds an important caveat.

“There’s another 30 nations nibbling around, wondering how they get that capability,” he said in a telephone interview. “And the scary thing is it takes five to 10 years to trickle down to the black market. In a few years, unstable groups could get this. The clock is ticking.”

In May 2009, President Barack Obama spoke about the risk of cyberattacks.

“We count on computer networks to deliver our oil and gas, our power and our water. We rely on them for public transportation and air traffic control,” the president said. “Yet we know that cyberintruders have probed our electrical grid and that in other countries cyberattacks have plunged entire cities into darkness.”

Proven vulnerabilities

Just how much damage sophisticated hackers can wreak on important elements of the grid was confirmed in March 2007 by the Idaho National Laboratory, an applied-engineering lab that supports the U.S. Department of Energy in national defense research and other projects.

In a project called Aurora, a milestone in cybersecurity because of the actual damage caused, government staff hacked into the software controlling a power generator, causing it to accelerate and destroy itself.

Another watershed came two years later when the Stuxnet worm infiltrated the Industrial Control System running Iran’s uranium-enrichment project, supposedly causing an untold number of centrifuges to spin out of control and damage themselves. The worm at the same time sent signals to the system monitoring the centrifuges indicating they were operating normally.

“Stuxnet demonstrated how all industries can be at risk,” said Joe Weiss, a blogger on cybersecurity and consultant to companies using Industrial Control Systems.

Opposing view

Some security experts like George Smith, a senior fellow with globalsecurity.org, consider the talk of threats to the grid and a “cyber-Armageddon” overblown.

“If you make extraordinary claims, you need to produce extraordinary proof,” said Smith, who has been writing about national security and technology issues for more than a decade.

As for a blackout in Brazil in 2007 being caused by a cyberattack, he said, “It’s been debunked. They’ve never produced any extraordinary proof.”

Smith pointed to widespread concern over a technical issue that bordered on hysteria, leading to vast amounts of money being spent, he said.

“Y2K was supposed to be a calamity of Biblical proportions,” Smith said. “It turned out to be pretty much of a snooze.”

Lewis stands by his sources on the Brazilian blackout, adding that it involved an insider and software manipulation.

But hackers do not have the ability to attack the number of generators necessary to bring the grid down for an extended period of time, he said. PJM Interconnection, for instance, a regional transmission organization that coordinates and directs the flow of electricity for 60 million people in the eastern section of the country, oversees more than 1,300 generators, according to its website.

Spotty outages that might last for a week are his worst fear regarding cyberattacks against electrical utilities.

Little oversight

The private sector owns 85 percent of the critical infrastructure in the United States. The government has so far relied on information sharing between companies and governmental agencies – voluntary efforts – to bolster security.

It’s gone on for more than 12 years. And Lewis says it hasn’t worked.

Information sharing should be limited to 20 to 30 companies that deal with telecommunications, anti-virus programs and Internet service and two or three governmental agencies, he said.

More importantly, he said, regulation of critical infrastructure and Internet service providers should happen now while more complex efforts to fortify cyberdefenses evolve.

The authors of a Massachusetts Institute of Technology report released in December, “The Future of the Electric Grid,” called for centralization of grid oversight.

“No organization currently has responsibility for overseeing grid cybersecurity across all aspects of grid operations,” the report reads. “To cope more effectively with cybersecurity threats, a single federal agency should be given responsibility for cybersecurity preparedness, response, and recovery across the entire electric power sector.”

Roughly 70 percent of electrical utilities are currently excluded from cybersecurity regulations, Weiss said.

“It’s a joke. It’s self-regulated,” he said. “If you are less than 1,500 megawatts, you’re not regulated.”

Electric and other utilities have shown little enthusiasm for cybersecurity, said Jennifer Bayuk, program director of the Systems Security Engineering program at Stevens Institute of Technology in Hoboken.

“Nobody’s trying to make it their No. 1 priority,” she said.

Lewis fears that it will take a catastrophe for changes to occur.

“Cybersecurity is another of those situations in American history, ranging from Pearl Harbor to 9/11, where we knew there was risk and that we were unprepared, but assumed it would never happen because America is too powerful or too big to attack,” Lewis told lawmakers. “Nothing has yet punctured this misplaced sense of invulnerability.”


© Copyright 2012, The Asbury Park Press, A Gannett Company