As the U.S. enters the final stretch of what seems like an interminable presidential campaign, I’ve been thinking about the motto “e pluribus unum” (out of many, one). That motto also applies to the power industry.
The U.S. is composed of many states, individuals with family origins in virtually every part of the world, and people holding a multitude of different opinions. Similarly, power grids operate as unified entities while connecting diverse resources that include generating units using every possible source of fuel and ranging in size from kilowatt to gigawatt. As those resources become even more connected to each other and to digital networks, concerns about cyberattacks that could threaten grid “unity” are being raised.
Cyberthreat Fear Factor
We’ve all heard about high-profile hacks of consumer, corporate, government, and political data systems. Target, Sony Pictures, the U.S. Office of Personnel Management, and the Democratic National Committee are among the most notable recent examples. But it’s cyberattacks on the power grid that seem to stir the imagination most. That’s probably because a power outage affects everyone, but also because so few people fully understand cyberthreats and their potential consequences.
As the title of a July 29 motherboard.com post by Robert M. Lee—CEO and founder of Dragos Security and a former U.S. Air Force cyber warfare operations officer—put it: “What Are the Risks of Hacking Infrastructure? Nobody Really Knows”. Here’s perhaps the most problematic consequence of that unknown: “Gaps in Knowledge Will Be Filled with Hype,” as one of Lee’s subheads explains.
One example is Ted Koppel’s 2015 book, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath, whose title doubles as the CliffsNotes. Though I haven’t read the book, I have scanned and skimmed parts of it. I noticed a couple of factual errors but was more disappointed by the amount of attention paid to various types of survivalist/prepper approaches—as if that is the best response to the problem. I understand the desire to publish this sort of book. The threat is real. But the threat is also hyped in sometimes unhelpful ways—to sell books, prompt website clicks, or sell you “protection” you may not understand. Even Koppel acknowledges this when he notes that portraying the vulnerability “too graphically, without having developed practical solutions runs the obvious risk of simply provoking public hysteria.”
Sometimes it helps to put threats in perspective. When Foreign Policy invited @cybersquirrel1 (a satirical Twitter account that highlights animal damage to the grid) to talk about their mission, @cybersquirrel1 wrote “The Threat to America’s Electrical Grid Is Much Bigger Than You Can Possibly Imagine”. Assuming the persona of a squirrel, the op-ed explains, “As of July of this year we squirrels (and our fellow animal operatives) have conducted over 1,400 unclassified operations that have resulted in [an] aggregate of more than 67 days without power, affecting over 3.6 million people.”
In contrast, only one power outage has been confirmed as being caused by a cyberattack—the Ukraine episode that POWER covered online and in the May issue: “Why Power Generators Can’t Ignore the Ukraine Cyberattack.” (There have, however, been hundreds of reported cybersecurity “incidents” affecting U.S. industrial control systems [ICS] each year since 2011.) Yet even while @cybersquirrel1 pokes fun at the disproportionate responses to the cybersecurity threat, he acknowledges that the threat is real: “The cybersecurity of the U.S. electrical grid is absolutely pitiful. It wouldn’t take a team of geniuses to cut off the power to any large city. However, simply causing an electricity outage and keeping the power offline are two different things.”
Fighting Fear with Facts
Separating fact from fiction on this topic can be challenging, especially for the nonspecialist. At the infrastructure level, Lee calls for more ICS cybersecurity practitioners: “We need to focus on training personnel instead of being overly focused on products. The right people will choose the right tools, but untrained people will use tools incorrectly even when they are the right ones.” (He also offers advice for ICS vendors and the security community.)
Lee concludes, “There are unseen hacks in the ICS community. We are going to begin seeing more of them come to light. These case-studies need [to be] leveraged properly to advocate for more visibility community wide while avoiding the hype that can take us all down the wrong path.”
What We Can Do
On July 26, President Obama approved a Presidential Policy Directive on U.S. Cyber Incident Coordination that codifies “the policy that governs the Federal government’s response to cyber incidents”. It’s good that the administration takes cybersecurity seriously, but executive action is not enough. As the directive’s first “guiding principle” notes, there is “Shared Responsibility. Individuals, the private sector, and government agencies have a shared vital interest and complementary roles and responsibilities in protecting the Nation from malicious cyber activity and managing cyber incidents and their consequences.”
POWER does its part by publishing print and online articles about new standards, threat vectors, tools, and best practices. But just reading what we have room and time to publish is not enough. You can:
■ Ask your security staff or industry groups for recommended information sources appropriate for your job function.
■ Volunteer to be part of an interdepartmental cyber and physical security group at your company.
■ If you see something suspicious, say something to someone qualified to make a sound judgment (and that may not be your immediate manager).
No one—not even a president—can make good on a promise to guarantee cybersecurity. It takes a nation (that e pluribus unum) to ensure that this new threat is met with informed and appropriate action. It’s one way we all can display our patriotism and serve our country. ■
—Gail Reitenbach, PhD is POWER’s editor.
[9/1/16 change made to @cybersquirrel1 handle for consistency]