By Talley Cross Philpy, InfraGardNCR VP-Communications
How is the U.S. government preparing for a cyberattack against the electric grid? What can be done to ameliorate the effects of a massive attack? On Friday, March 4, journalist Ted Koppel addressed these questions and many more to InfraGardNCR members gathered at Boeing’s Arlington, Va., auditorium. InfraGardNCR President Kristina Tanasichuk conducted the interview with Koppel, author of the best-selling book Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath.
There isn’t universal agreement on whether a cyberattack on the electric grid could have a massive impact, since the grid is somewhat decentralized, and there are redundancies. The grid is also designed with some compensatory mechanisms in place. According to Koppel, the disagreement over attack impact has made the issue less urgent to the U.S. government, which he contended is reactive rather than proactive, and focuses its efforts on fighting fires in the present. The media is similarly preoccupied with reporting unfolding dramas rather than potential ones, he said, as networks compete fiercely for viewers in the wake of the Internet and digital media explosion.
InfraGardNCR members who attended Koppel’s talk brought their own perspectives on the topic. Martin Kessler, Chief of Staff to the CIO at The AES Corporation (Fortune 200 global power company) and InfraGardNCR Energy Sector Chief, noted that grid security is critical since electricity powers our lives and the global economy: “The book underscores why the electric power industry exercises such vigilance regarding the protection of our critical infrastructure. We know that the threat is real and that the adversary is becoming increasingly sophisticated. The key for us as an industry is to remain agile and continuously evolve and strengthen our defenses and response capabilities.”
If a devastating cyberattack did cut power to millions of people for months, there is no U.S. government plan, said Koppel, for resettlement, food supply, alternative energy, etc. Koppel claimed that it would take three years to acquire the food, from the beginning of production to the end product, needed to feed 8 million people. However, according to his investigation, the U.S. government hasn’t even begun to plan for a disaster of this magnitude. He said that we have the means to prepare for such an attack — for example, by re-outfitting old, stand-alone nuclear power plants on U.S. military bases or accumulating and producing batteries and solar panels. While the money required to implement these measures would be significant, the real problem is time. Both options would take about 10 years to execute.
Koppel also commented that China and Russia have been mapping the U.S. electric grid for years, and he said that it’s only a matter of time until Iran and North Korea have that information, too. China and Russia, he suggested, are less likely to conduct an attack on the grid due to their interlocking economic interests with the United States, but smaller, less stable countries may not have the same reservations. Moreover, Koppel referenced George Cotter, former Chief Scientist at the NSA, as saying that ISIS/ISIL will likely acquire the capability to attack the U.S. electric grid, a capability they would almost certainly exploit. Even if no attacks actually took place, the threat of an attack on the grid could give other countries or groups the leverage to potentially influence U.S. policy.
While it could be difficult for the U.S. government to allocate resources toward a scenario that may not come to pass, Koppel made a good point that implementing any contingency plan — food production and storage, the development of alternate energy sources, or a backup nuclear power supply — could be helpful in heading off a wide variety of natural disasters and emergencies. But absent a tangible threat to the grid, the U.S. government may continue to forgo such mitigation efforts — particularly in the current fiscal environment — for more immediate concerns. The natural conclusion to this dilemma, and one that the Federal Emergency Management Agency (FEMA) has stressed, is that businesses and individuals can’t necessarily rely on the U.S. government to bail them out of extreme scenarios. If a devastating attack on the grid does occur, the burden of recovery may well be on the private sector, and businesses should prepare according to their risk profile.
Kessler says that the electric sector is already taking steps to address the risks by implementing mandatory, enforceable standards to protect the grid, including the implementation of cyber and physical security best practices and testing of incident response plans to minimize the impact of breaches. For example, in 2015, the North American Electric Reliability Corporation (NERC) conducted its third industry-wide drill called GridEx. This exercise involved more than 4,400 participants from over 350 organizations participating in a simulated crisis response to cyber and physical incidents compromising the electric grid.
The silver lining to Koppel’s exposé is that even as the attack tactics of U.S. adversaries continue to evolve, technology is also continuing to change and improve. The electric grid of the future, according to Kessler, will be by design more secure than the one we have now: “For our industry, the future is extremely exciting. The power sector is undergoing a historic transformation. The electric grid of the future is clean, smart, more decentralized due to technologies like rooftop solar and other forms of distributed generation, and more resilient by virtue of technologies like energy storage.”
The program with Ted Koppel was sponsored by InfraGardNCR, the Government Technology & Services Coalition (GTSC), and Women in Homeland Security (WHS). Special thanks to Martin Kessler for providing program comments.
Talley Cross Philpy works at Bank of Georgetown in Washington, D.C., where she conducts analysis of financial transactions in compliance with the U.S. Bank Secrecy Act (BSA). Prior to joining Bank of Georgetown in 2016, she was a Critical Infrastructure Intelligence Analyst at the Washington, D.C., Fusion Center, and she served three years as Security Systems Coordinator at Occidental Petroleum Corporation.