On the 8th anniversary week of 9/11, the US remains vulnerable to a devastating cyber attack directed at its critical infrastructure. Despite all the warning signs of this threat, policy makers continue to prepare for the last war, ignoring the major lesson of both 9/11 and Pearl Harbor–not to be prepared, but to understand the changing nature of warfare. US policy makers need to adopt a new security paradigm to defend its critical assets in cyberspace, especially energy infrastructure, from a devastating cyber strike.
Critical US energy infrastructure continues to be penetrated and probed by a host of malicious actors operating in cyberspace, from organized criminal gangs to spies. It was recently reported that cyper-spies from China and Russia installed malware tools on the US electrical grid. Several years ago the California Independent System Operator reported that: “For at least 17 days at the height of the energy crisis, hackers mounted an attack on a computer system that is integral to the movement of electricity throughout California.” According to a more recent public report by a CIA analyst this is a global problem: criminals have launched cyber attacks against foreign power utilities with the goal of extorting money.
Yet, action was not taken until the release of a CNN video showing a software attack that quickly destroyed an industrial power generator. A Similar attack on key electric facilities could take out power to major geographic areas. If a third of the country lost power for three months, the economic price tag would be about $700 billion, according to Scott Borg, Chief Economist at US Cyber Consequences Unit, a private non-profit think tank. That is “equivalent to 40 to 50 large hurricanes striking all at once,” Borg told CNN. “It’s greater economic damage than any modern economy ever suffered. … It’s greater then the Great Depression. It’s greater than the damage we did with strategic bombing on Germany in World War II.”
Soon after the controversial tape aired, the Federal Energy Regulatory Commission (FERC) and the Electric Reliability Corporation (NERC) approved new standards designed to improve cyber security of critical energy infrastructure. A positive step albeit trivial in terms of mitigating risk. The power grid remains vulnerable as regulations require further refinement, focus and effective enforcement.
In absence of improvements, the threat of a devastating attack looms. It might be useful to look back at other grim prophecies that, had they been heeded could have prevented catastrophes. It has happened before; Brigadier General Billy Mitchell warned in April 1926 that there would be “a surprise aerial attack on Pearl Harbor;” just as Richard Clarke, Good Harbor Consulting Executive, former top US counterterrorism official and “Cyber Czar” warned top White House officials of the threat of al Qaeda prior to 9-11.
Obama administration’s prioritization of energy security is a good start. Energy and telecom are the two primary critical infrastructures upon which all others are dependent. Citizens of modern infrastructures—banking, hospitals, water, energy, telecom, defense, etc—depend on these interrelated and symbiotic infrastructures for their survival and “the power grid is the foundation of it all,” noted cyberwar expert Winn Schwartau.
Practicing what they preach, the government has allocated $4.1 billion of stimulus funds to invest in the power grid or “Smart Grid.” Major investments are needed to make up for years of neglect in electric grid investments and related R&D, which has declined since 1975. This decline has been accompanied by an increasing frequency in large blackouts like we saw in 2003 that cost an estimated $6 to 10 billion dollars in losses. Until improvements are made the current electrical grid will continue to operate at abysmal state of disrepair and remain fraught with operational inefficiencies, physical and cyber vulnerabilities that could potentially cripple our current grid and our economy along with it.
Enter the “Smart Grid.”
“Smart” implies a move away from centralized generation and control to two-way communications between the utility and end users, tying in decentralized renewable sources of energy, such as wind and photovoltaic along with other distributed generation sources. This will help realize Obama’s goals of developing alternative energy sources, diversifying fuel supplies, and curbing carbon emissions. However, unless security is part of the design criteria, the smart grid will not live up to its name; increased communications will be accompanied by increase cyber vulnerabilities.
Another one of the challenges is the private sector owns and operates the majority of the country’s critical energy infrastructure. A leading advocate of building a private-public-partnership, Richard Clarke, commented: “The owners and operators of electric power grids, banks and railroads; they’re the ones who have to defend our infrastructure. The government doesn’t own it, the government doesn’t operate it, [and] the government can’t defend it. …..the military can’t save us.”
What can be done to fortify the electric infrastructure and build societal resiliency?
First and foremost, a new paradigm must include security into the design and operational criteria as something more than merely an afterthought. Building resiliency into the grid requires conservation and load management, distributed resources, adaptive grid deployment and some transmission upgrades.
More specifically, adaptive islanding or physically dispersing the location of small, modular generators allows for some continued operation if the overall transmission system has been disrupted either physically or by cyberattack. Locating the distributed sources closer to the place of use minimize the vulnerability of transmission lines. By diversifying the mix of fuels and technologies used by the distributed units there is safety from disruption of any one fuel source. Due to the increasing reliance on gas, incapacitating a pipeline compressor at a critical location could disrupt the flow of gas to large areas and for this reason even some new gas storage technologies need to be considered. It’s important for form to match function. Indeed, for decentralization to work there must be a distributed framework.
Too Little to Late
Until these improvements are made the current electrical grid will continue to operate at an abysmal state of disrepair fraught with operational inefficiencies; physical and cyber vulnerabilities that could potentially cripple our current grid and our economy along with it. Current economic inefficiencies cost billions of dollars in losses, primarily in electricity generation, but also in transmission, distribution, and end use. These loses present a major challenge as increases in the world’s energy demand will require supply to triple by 2050.
Eight years after 9/11, the nature of warfare has changed. New threats are quickly emerging from cyberspace that target our energy infrastructure. To mitigate this risk, we must quickly adapt our defenses to an increasingly virtual battlefield. This requires a public-private partnership that engages entrepreneurs to incorporate comprehensive security into any future “smart grid” design in a way that minimizes loses in operational efficiency. Building partnerships between policy makers, customers, and utilities will facilitate these efforts. Moreover, building a stronger and smarter electrical energy infrastructure will transform the country, mitigate risk, create jobs, and slow our reckless destruction of the environment. Indeed, a challenge worth undertaking.