There was a brief panic in late December 2016, when we feared that Russians had hacked the nation’s electric grid through a Burlington, VT utility. Initial reports, as any soldier will tell you, are almost always wrong, and the Burlington story was no exception. Suspicious activity was indeed detected on one computer, but one that wasn’t connected to the grid controls.
That doesn’t mean Vladimir Putin’s minions aren’t trying, though. On January 11, the Wall Street Journal published a lengthy exposé on the latest attempts, and while it’s ringing alarms through the government, it hasn’t made much of an impact on the public.
The article takes a deep dive into Russian attempts to gain access to the U.S. electrical grid by hacking the emails and websites of small businesses associated peripherally with the electric industry. “Rather than strike the utilities head on,” the Journal reported, “the hackers went after the system’s unprotected underbelly—hundreds of contractors and sub-contractors… who had no reason to be on high alert against foreign agents.”
The attempt to compromise trusted vendors and websites like online journals read by electrical industry insiders is just the latest example of Russia’s longstanding attempts to find a way to hold our electricity supply hostage, or to turn it against us in the case of open hostilities. It’s time the public took notice.
It’s all about the juice
Living in modern America, most of us take electricity for granted. We just expect the lamp to turn on, the television to start, the computer to boot up, and our phones to charge when we plug them in. It’s only during severe storms that we worry about the supply, and we get irate if the power is out for more than a few hours.
After all, we have a mature, well-maintained grid that distributes power from the more than 8,600 power plants in the U.S., as well as power imported from Canada, to all of our homes and businesses. But just as more and more of our household appliances are attached to the internet, so too are the devices that control how that electricity is routed around the country. And anything attached to the net is vulnerable.
You don’t need to take my word for it. Just look at what Russia has done in Ukraine.
In two attacks a year apart, in December 2015 and December 2016, Russian hackers took down parts of the Ukrainian electric grid. In 2015, they were able to shut down the relays at substations that allowed the power to flow. At the same time, they installed code that made it impossible to turn those relays back on without physically visiting them and flipping switches manually.
The Russians learned valuable lessons from the Ukrainian response, honed their methods, and returned a year later. The 2016 attack is considered to be the first fully automatic cyberattack on an electrical grid, taking out around 20% of the generation capacity of the capital city of Kiev for several hours.
Can you imagine the chaos if 20% of Manhattan suddenly lost its power and authorities couldn’t figure out why, or how to restore it? Even worse, can you imagine the effect on a military installation during a tense international crisis?
There is no safe haven
We’ve grown used to our geographic isolation keeping us safe from having to fight our wars on American soil. A major invasion of the continental United States is virtually impossible. That doesn’t make us “safe,” though.
Russians aren’t just messing with your social media feeds, finding ways to make you angry with your neighbor, or question your interpretation of world events. They’re actively looking for ways to paralyze the nation without firing a shot.
The National Defense Strategy defines the threat clearly. “It is now undeniable that the homeland is no longer a sanctuary. America is a target, whether from terrorists seeking to attack our citizens; malicious cyber activity against personal, commercial, or government infrastructure; or political and information subversion.”
The Journal article makes it clear that as a nation, we must remain vigilant, and work diligently to develop solutions to keep the electric grid, and the rest of the nation’s critical infrastructure, safe from attacks, both physical and virtual. Aside from the inconveniences, the economic cost of losing power is great. As utility NRG said a year ago, “Power outages sap some $27 billion annually from eight key sectors, according to research firm E Source.”
Another study of the widespread blackout that affected as many as 50 million customers in the northeastern U.S. for several days in August 2003 put the economic losses at between $6.8 and $10.3 billion. Expand the reach and time, and you can see how the U.S. economy would take a major hit from an extended loss of electricity.
Cybersecurity by itself is an important issue. But the cybersecurity of the electric grid is critical. There’s a lot we’re already doing, but also a lot to be done.