All the Lights Will Not Go Out in a Cyber Attack

Tuesday, April 17, 2012

Dan Dieterle


Doing some research for an upcoming magazine article on cyber warfare, something dawned on me.

One of the biggest threats that you hear is that hackers could take out the power grid and all the power would be shut off. America would be thrown back to the power stone age in the flick of a switch (or a series of SCADA exploits).

But is this true? The answer is no.

Even if hackers (hacktivists or foreign Nation States) did infiltrate every power plant and somehow successfully shut down the entire power grid, many buildings and organizations would not be affected.

Key government, military and even some commercial buildings would be unaffected.

At most what they would experience would be a very brief power outage, and then the power would be right back on.

You see, while several utility companies seem to have ignored the warnings of cyber attack, others have not. When I worked in the energy sector several years ago, the move was already on to provide alternative power to key US organizations.

Even communication backup systems were created so that federal, state and local government agencies would be able to communicate in the event of a blackout.

These power systems are completely offline, impervious to electronic attack and can run for an extended amount of time. So even if “Cybergeddon” does occur, our nation will not be completely “in the dark”.

Cross-posted from Cyber Arms

Chris Blask

I do not want to denigrate the hard work of folks who have worked to create redundancy in our infrastructure; lots of folks have done a lot of work and we owe them a debt of gratitude for that.

However, we should rigorously avoid getting complacent for at least three reasons:

- Most civil infrastructure - like grocery stores - cannot survive several days without power. The vast majority of that infrastructure does not, and is unlikely to, implement one or two (or more) weeks of redundant power.

- "completely offline, impervious to electronic attack" is a dangerous bet. Think "Natanz" and the network used to control our drones...

- The type of scenario likely to lead to complete grid shutdown is warfare. In this environment it is unlikely that only cyber methods are used - kinetic military methods are reliable and effective - or that the scenario involves a single instance followed by a period of peace and quiet where our restoration processes are allowed to follow our predetermined plans.

Dan Dieterle

Absolutely Chris, an extended wide area power outage would be bad news, especially as we rely on power more and more every day.

The systems I saw were KISS simple with minimal if any electronics. And could function for a very long time. Think many months, not hours.

Even so, having certain entities up and running will help with maintaining order, but I completely agree - commercial entities would be affected and it would do very little to ease human suffering.

Michael Johnson

A couple of observations from past experience with small production systems:
* Redundancy is usually built into the system, as the engineers are expecting each part to fail at some point.
* I've never seen a Programmable Logic Controller, which does the actual switching, have a network interface. Their programming was changed by plugging another device (USB drive, laptop, control panel) into a serial port.
* Almost all the problems are caused by hardware failures, and in almost all cases they fail-safe.
* We've all experienced outages before, and we know from that experience it doesn't cause the disintegration of society, the apocalypse, the second coming of Christ, etc. The most obvious effects would be economic.

I know the above are bold generalisations, but the point is it's useless considering this in blanket 'cyber war' terms. A rational threat assessment must be done for individual systems before we know the true state of our 'critical infrastructure'.

Finally, I'd like to throw out a question: How probable is it that two or more slightly different PLCs/controllers in a large industrial system (e.g. power plant) would be hacked simultaneously?

Brad Blask

I agree with Dan's assertions that "All of the power" would (probably) not go out in a concerted cyber attack.

However, is it necessary for All of the power to go out in order to have a profound effect on the country as a whole for an extended period of time?

Of the tens of thousands of independent power generation facilities and distribution networks (and subsequent interdependent water facilities and, as Chris mentioned, potential food supply chains as well) what percentage of diminished operability, and for how long, is the threshold for critical short/medium/long term national economic stability and human safety acceptability? 10%? 20%? 4%?

And, although likely that "Key government, military and even some commercial buildings would be unaffected," is that enough? Will it matter that "communication backup systems were created so that federal, state and local government agencies would be able to communicate in the event of a blackout" in the public's perception on the morning of the third day of a water outage?

The year(s) long national economic impact of the destruction of two buildings in New York City (not to downplay the tragedy of that event) illustrated how perception of events alone, both domestically and internationally, can adversely affect our country for disproportionately long periods of time in an asymmetric attack.

Sage wisdom was the Hitch Hiker's Guide to the Galaxy's admonition: "Don't Panic." Panic leads to paralysis and worse, but it's not the same as "don't be concerned."

Also, to Michael's final point, at what level of probability is it important to consider a committed threat actor's attention span to those types of details when nation states are now involved in this kind of activity?

Dan Dieterle

Oh, no doubt the psychological effects would be huge. Some reports that I have seen concerning Russia's cyber attack on Estonia claimed that the effect of taking down banking really caused a lot of hardships.

Supposedly they rely on electronic banking more than the US. And how many people carry significant amounts of cash nowadays?

Supposedly the US & UK had saturated Iraq command and control systems with viruses during Desert Storm, but the infected machines were destroyed by kinetic attacks before they could really do anything.

http://www.isssource.com/stuxnet-loaded-by-iran-double-agents/

Heck, the US took out Iraq's power grid during the early part of conflict, but it wasn't cyber attacks. They just dropped bombs full of conductive carbon wire on the power plants. Simple, yet very effective.

http://cyberarms.wordpress.com/2010/04/28/the-weapon-that-disabled-iraqs-power-grid/

Personally, I think that "cyber weapons" are just an extension of electronic warfare and psyops.

Could a nation state perform a coordinated attack against the power grid? I guess they could, but could they burn out all the generators / turn off motors at the same time and at enough locations to have a nationwide impact? Don't know, I think that would be pretty tough.

In full blown war though, kinetic weapons most likely would be used to attack power stations, just as they have been in the past. They are just too effective and reliable.