15 Mar Prepare for a cyberattack on the power grid, Wisconsin officials say
A cyberattack taking down the nation’s power grid could leave Americans scrambling to survive without electricity, potable water or working sewage systems, the commander of the Wisconsin National Guard warned, unless “gaps and seams” are filled in to mitigate the risk of catastrophe.
Maj. Gen. Donald Dunbar, who leads the state’s emergency management efforts, addressed IT and business leaders at the Fusion 2016 CEO-CIO Symposium on Thursday. It was a sobering end to a gathering that highlighted the importance of strengthening bonds with customers through technology, but the message couldn’t be more important, he said.
“Our entire society runs on power,” Dunbar said. A prolonged outage due to a cyberattack on the power grid would have profound consequences. “I don’t think I can truly measure in my head the impact.”
Also the state’s adviser on cybersecurity matters, Dunbar works with the CIO for the state of Wisconsin, David Cagigal, on emergency response efforts in the event of a cyberattack on the utility infrastructure in Wisconsin. One thing both men stressed: The government can’t handle response efforts of such a scale alone. It needs to rely on a partnership with private-sector companies, such as telecoms and utility companies, to ensure people have access to basic services, Cagigal said. A big reason? The state doesn’t own the lines that provide power to its citizens.
“We have a right to use the service and to pay the bills,” Cagigal said. “But we can’t control the resilience or the performance of those lines. We have to partner with them on a public-private basis.”
In the dark
Dunbar referred to the 2015 book Lights Out by Ted Koppel. In it, the former anchor of ABC news program Nightline examined what could happen during a blackout lasting for weeks or months. He painted a nightmarish picture of unprepared authorities and a panicked populace without access to the electronic networks and devices they have come to rely on.
The book has its critics, including those in cybersecurity circles, who said the risks aren’t nearly as severe as Koppel made them out to be. But Dunbar isn’t taking any chances. In his view, we’re ill-equipped as a society to roll back the clock and do things the way our ancestors did them, without smartphones, without the Internet, without electricity even.
“It would be a very complicated thing if it all failed,” he said.
Sure, companies have generators, Dunbar said, but what happens when the diesel they run on runs out? Sure, they have contracts with suppliers, but those suppliers don’t likely have enough trucks to keep up with the sheer number of orders for backup fuel — to say nothing of the difficulty of getting fleets of diesel-bearing trucks on the road without functioning computers and dispatch capabilities. And then there are the thousands or even millions of people in cars fleeing unbearable conditions at home, clogging the roads and getting stranded without fuel.
The prospect of such an attack is real, Dunbar said. A December malware attack on Ukraine’s power grid, which the U.S. Department of Energy blamed on Russia, caused widespread power outages in the country.
“That’s a preview of a coming attraction,” Cagigal said. “There’s no reason that couldn’t happen here.”
On Thursday, the Justice Department blamed Iran for a 2013 cyberattack on a dam in the New York suburbs. Hackers got into the computer system that runs the dam, which is used for flood control, but no damage was done.
Preparing for the worst
In the event of a larger, coordinated cyberattack on the power grid, Cagigal said good communications and partnerships between federal, state and local governments and private companies are crucial to an effective response. Coordination with the transportation industry, for example, is needed so that trucks carrying supplies aren’t stopped on the road by authorities after emergency laws kick in.
Ultimately, Cagigal said, the government and private sectors need to start thinking about a “plan C” — though what that might look like is not yet known. Microgeneration, or the production of small-scale electric power using solar or wind energy, is a possible alternative to relying solely on the power grid, Cagigal said. Another is battery storage, a method of stowing away electrical energy that is drawing attention and investment in the U.S.
Cagigal has coordinated exercises between teams of cybersecurity professionals in Wisconsin, with roles of cyberattacker and defender. Another exercise — this one involving five utility companies, plus AT&T and IBM — is coming up. In the event of a blackout, real or simulated, getting the power back on is task No. 1. That’s a job for the utilities.
“But once the power’s back on, what do you need? The network. And what do you need after that? The computer. So you have two industries that are going to be critical to our response capabilities,” Cagigal said.
But those two giants of telecommunications and technology have not revealed their plans for being ready for their customers ahead of the exercise. “I’m anxiously looking forward to that,” he said.