Is this type of cyber attack inevitable? Are we prepared?
Veteran newsman, Ted Koppel, is gaining a lot of attention for his new book, “Lights Out: A Cyberattack, a Nation Unprepared, Surviving the Aftermath.” In it, Koppel convincingly argues that a cyber attack against our nation’s computer- and Internet-dependent power grid by declared enemies of the U.S. poses an unprecedented and grave danger. It would shut off our lifeblood of electrical power over wide swaths of the country for very long periods of time.
Backup generators keeping vital infrastructure running would soon run dry. Clean water, food and sanitation would become unavailable; no heating fuel; no pumpable gasoline; pervasive breakdowns in security; millions of deaths. And, writes Koppel, the Federal Emergency Management Agency (FEMA) has not planned adequately to meet this threat.
Sadly, this nightmarish scenario is by no means farfetched. “Multiple sources in the intelligence community and the military,” writes Koppel in a recent opinion piece in the Washington Post, “tell me that Russia and China have already embedded cyber-capabilities within our electrical systems that would enable them to take down all or large parts of a grid.” He goes on to say that Iran and North Korea are rapidly accumulating the know-how necessary to do likewise, and it’s a sure bet that ISIL will be following their lead.
For the past several years, the President and others, from both sides of the political spectrum, have been warning about the strong possibility, and in some cases, probability of such an attack, yet very little has been done.
Many power executives do acknowledge that action needs to be taken. As Tom Gjelten of NPR reported back in 2013 after attending a power industry conference, the consensus among the power executives was “that such attacks are probably inevitable.”
Nonetheless, the industry as a whole has been resistant to taking action. Gjelden cited a survey of electric utilities taken in 2013, directed by then Rep. Edward Markey (now a U.S. senator) and former Rep. Henry Waxman. What they found, wrote Gjelden, was that “…most of the companies had failed to implement voluntary cybersecurity standards recommended by the North American Electric Reliability Corp., an industry organization.”
“Some companies might calculate,” wrote Gjelden, “that the necessary investments to guarantee grid security might not be justified, given their assumptions that a major attack is still unlikely.”
Fast-forward two years later, and not much has been done. USA TODAY’s investigative reporter, Steve Reilly, reported on the issue last March after extensively researching the dangers of cyber attacks as well as physical attacks on the grid by “drawing on thousands of pages of government records, federal energy data and a survey of more than 50 electric utilities.” He wrote that the industry, through its lobbyists, has successfully staved off government moves, such as the proposed Grid Reliability and Infrastructure Defense Act, or GRID Act, aimed at eliminating the industry’s current state of self regulation. “Congressional lobbying disclosure records show industry-funded groups spent millions lobbying about the GRID Act since 2010,” Reilly reported.
Obviously much more needs to be done to defend our power grid against cyber attacks. As for emergency planning if such an attack were to occur, Koppel says that the Federal Emergency Management Agency (FEMA), and the other groups responsible for protecting us, aren’t doing their jobs. He charges that the agencies continue to see a cyber attack on our grid as a relatively short-term affair, as if a cyber-induced blackout would be similar in duration to the blackouts caused by a natural disaster or a malfunction. According to Koppel, plans simply do not exist for what would be a much longer-term blackout.
Koppel writes, “When I asked former secretary of homeland security Janet Napolitano what the chances are that an aggressor could knock out one of our power grids with a cyberattack, she replied, ‘Very high — 80 percent, 90 percent.’ Yet she acknowledged that there is no specific plan to respond to a disaster of that magnitude.”
At the end of Koppel’s op-ed, he wrote, “It is surely time that the vulnerability of our power grids to cyberattacks and the absence of a national plan to deal with the consequences become a part of our national conversation.”
After being so persuasive about the enormity of the danger, merely having a “national conversation” seems too weak a response. If in fact these issues are national security threats of the highest order, we should be acting accordingly.
Related: PreparedEx Podcast Episode 10 – An Insight into Cyber Security with Leo Taddeo
About David Kalson
David Kalson is an expert in issues and crisis management. He has more than 25 years experience providing strategic communications counsel, on-the-ground assistance and highly targeted media relations and “new media” programs to manage issues and crises as well as reputation enhancement for both profit and not-for-profit organizations. Business sectors he has counseled include energy, food and beverage, financial services, healthcare, consumer products and technology. He has designed and implemented communication / media relations programs, often emphasizing Web-based strategies, to address issues including data security breaches, environmental accidents, product recalls, financial problems, high-profile lawsuits, corporate governance issues, criminal behavior, attacks by opposition groups, government/regulatory challenges, competitive challenges and labor disputes. Companies he has counseled in relation to crisis drills, plans and crisis management include Cargill, Dunkin’ Brands, Cadbury Schweppes, Staples, Entergy, Eli Lilly, Canaport LNG and the American Automobile Association (AAA)
This article was written in 2016. What has changed in the three years since? Is the grid system more vulnerable? Do organizations have any plans for manual recovery and back-up? There are a lot of questions raised that we should be considering. The shift to electric vehicles, although minimal in terms of the load on the grid, presents another touchpoint of vulnerability should a cyber attack or a natural disaster (i.e., California wildfires) create a situation where the confluence of events causes a cascading failure.