Ten years ago, the Department of Homeland Security released a classified video by mistake.
In it a diesel generator gets destroyed by a cyberattack. The malicious computer program is used to rapidly open and close the circuit breakers out of phase from the rest of the grid until it explodes. Extreme vibrations caused by the attack tear the generator apart, with some pieces landing as far away as 80 feet from the generator.
This was the original “Operation Aurora”, before the 2009 China hacking of Google. The experiment involved controlled hacking into a replica of a power plant's control system, and drew public's and government's attention to the electric grid vulnerability from cyber-attacks.
We take electricity for granted. It is always there if you turn on the switch. It powers our life, our phones, cars, fridges, microwaves and gas station pumps. It heats our homes and makes our subway trains run.
But if you think about it, it is very fragile, and vulnerable to attacks by computer malware.
Every year, energy sector is among the top 3 most attacked critical infrastructure sectors in the U.S.
In 2015 Russian Sandworm group used BlackEnergy malware to create first-ever hacker-induced blackouts in Ukraine. A year later, the same group came back with an upgraded weapon — Industroyer malware attacked Ukrainian energy firm Ukrenergo and took down about a fifth of the electric capacity of Kyiv.
Ukrainian attacks should have been a warning to the US government and electric grid utilities.
Last week brought the news of hacking into a dozen of US power plants, including the Wolf Creek Nuclear Operating Corporation, which runs a generating station in Burlington, Kansas. The attack technique was sending fake resumes to senior industrial control engineers. Resumes were Microsoft Word documents with malicious template injection.
Control system networks were not breached in this case. Power plants usually protect from malware by an “air gap” — a separation between sensitive systems and internet-connected ones.
But the air gap can be jumped through tangentially connected devices or those with a peripheral in common.
Attackers could enter power utility systems through front-office computers and then steal employee identities to pivot into the control rooms. For example, Brutal Kangaroo is a set of tools from the CIA, that jump the air gap by using USB thumb drives. Other methods to bridge the air gap include remote access, mobile devices, firmware implants, vendors, and supply chains.
And the breach risk is increasing with the attack surface as the shift to a smart grid brings thousands of new connected devices: sensors, controllers, relays, meters.
In the US there are about 55,000 electric substations and 30 of them are deemed “critical.” If just nine transformers of those 30 were destroyed, it would be lights out for quite a while, for at least 18 months, probably longer.
That's because they are large, difficult to move, and often custom-built.
The total impact to the US economy from a major energy grid cyber incident could be between $243 billion and $1 trillion dollars, according to Lloyd's. This number is equivalent to the cost of 40–50 major hurricanes.
Without electricity we can't communicate, can't use ATMs or credit cards, won't have clean water or fresh food, and our most vulnerable people will die, as their ventilators, heart pumps and oxygen machines will fail.
So, what can we do about this?
Government involvement is crucial to the protection effort. It should impose mandatory, broadly applicable security standards on the industry.
Government should develop preparation and response capabilities to protect critical infrastructure in times of security emergency.
Cybersecurity businesses and private sector cybersecurity expert citizens should be involved in the preparation, planning and incident response process.
Government should increase the collection of data about breaches from utilities, acknowledge these breaches, and share information about them to properly guard the nation.
Utilities should deploy advanced malware and intrusion detection and network monitoring tools in place, and have regular cybersecurity drills.
Finally, we - the consumers - should be aware of the prolonged outage risk and have an emergency supply kit, same as the one for other type of disasters: water, food, radio, solar panel charging station, batteries, cash.