What happens if someone attacks the American power system and turns off the electricity for a city, or a region? What would it be like without power? At the Fusion Executive Summit on Cybersecurity this week, the Wisconsin Adjutant General, the state CIO, and the head of Madison Gas & Electric were discussing just that.
Thinking the unthinkable used to involve the Rand Corporation and the American military war-gaming nuclear attacks. Thinking about a hack of the power grid is almost enough to make people nostalgic for those days — at least you knew who the enemy was.
Ted Koppel’s new book, “Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath,” sparked the conversation. In well-researched detail, it explains what could happen if a cyber attack knocked out the nation’s power grid.
Major General Donald P. Dunbar, Wisconsin Homeland Security Advisor and Adjutant General in the state’s National Guard, said he was nearly finished reading Koppel’s book. Identity theft is inconvenient, but it doesn’t stop the economy, Dunbar said, and you can recover your identity.
“If there were a cyber attack that takes out the power grid, if something major happens and we lose electricity, we are going to lose the cyber network as well. We are so tied into cyber in our community, and most people don’t realize how much. A couple of months without that and you are talking a fundamental shift.”
Spotting Critical Infrastructure Vulnerabilities
David Cagigal, Wisconsin’s CIO, said the Department of Homeland Security has identified 16 critical infrastructures, such as water and gas pipelines, the chemical sector, dams, defense industries, energy, emergency services, financial services, and nuclear reactors. As speakers throughout the day noted, every other critical sector in the economy depends on electricity.
“The core is energy,” said Cagigal. “The other 15 don’t exist if something happens to the power grid.”
He collaborates with 32 other CIOs in Wisconsin state government. The state is aggregating data centers, which improves security, and using some applications, like Office 365, through the cloud.
The state has a backup data center in Milwaukee and is looking into a contract with IBM to augment its security operations center.
“The country has learned from 911,” said Cagigal, although the lessons about preparedness are trailing off, he added.
“I don’t want to wait for 911 in the cyber world to sell this proposition. I think we are smarter than that – we need to do this together.”
Moving Forward Cautiously
As Wisconsin extends its broadband network to cities and counties, it has to monitor security participants who have a mixed set of security skills.
“We are extending this to the cities and counties. Bad actors are looking for the weakest point, a school or city hall. I know there are strong ones and ones who are not so strong — it’s a function of money, priority and attitude.”
The state has a lot of data to protect, he added.
“Do you know how much data we have on you? No one has as much data on you as the state of Wisconsin, not your bank or retailers. We worry every second of the day about a data breach.”
The state is setting up emergency response teams in Milwaukee, Madison and in the Wausau area, he said, and will collaborate with the National Guard response team.
Government and Private Sector Teamwork Needed
Cagigal took issue with Koppel for laying responsibility for cybersecurity on the government. Most of the assets in need of protection are owned by the private sector, he said. The public service commissioners in all 50 states need to work with the energy sector. Michigan has been a leader in this, he added, and has a cyber disruption response strategy.
He wants the private sector to meet with state planners on cybersecurity, although he is worried that companies may try to steal his staff when they see how good the state employees are.
“I wish we were as well organized on the cyber side as the state is on the physical side, as shown by [emergency response] to the derailment in Watertown over the weekend. They have mature plans.”
Cagigal said the state will continue to protect against data breaches and establish governance and an authority structure for a cyber disruption response strategy.
“This is a fast moving target,” he added. “Whoever you have now, they don’t have enough skills. They need to get new credentials, and then new credentials after that.”