Why a power grid attack is a nightmare scenario

Stores are closed. Cell service is failing. Broadband Internet is gone.

Hospitals are operating on generators, but rapidly running out of fuel.

Garbage is rotting in the streets, and clean water is scarce as people boil water stored in bathtubs to stop the spread of bacteria.

And escape?

There is none, because planes can’t fly, trains can’t run, and gas stations can’t pump fuel.

This is the “nightmare scenario” that lawmakers have been warning you about.

The threat of an attack on the nation’s power grid is all too real for the network security professionals who labor every day to keep the country safe.

“In order to restore civilized society, the power has got to be back on,” said Scott Aaronson, who oversees the Electricity Subsector Coordinating Council (ESCC), an industry-government emergency response program.

While cybersecurity experts and industry executives describe such warnings as alarmist, intelligence officials say people underestimate how destructive a power outage can be.

The most damaging kind of attack, specialists say, would be carefully coordinated to strike multiple power stations.

If hackers were to knock out 100 strategically chosen generators in the Northeast, for example, the damaged power grid would quickly overload, causing a cascade of secondary outages across multiple states. While some areas could recover quickly, others might be without power for weeks.

The scenario isn’t completely hypothetical. Lawmakers and government officials got a preview in 2003, when a blackout spread from the coastal Northeast into the Midwest and Canada.

“If you think of how crippled our region is when we lose power for just a couple of days, the implications of a deliberate widespread attack on the power grid for the East Coast, say, would cause devastation,” said Sen. Susan Collins (R-Maine).

Researchers have run the numbers on an East Coast blackout, with sobering results.

A prolonged outage across 15 states and Washington, D.C., according to the University of Cambridge and insurer Lloyd’s of London, would leave 93 million people in darkness, cost the economy hundreds of millions of dollars and cause a surge in fatalities at hospitals.

The geopolitical fallout could be even worse.

“If [a major cyberattack] happens, that’s a major act of war, bombs are starting to fall,” said Cris Thomas, a well-known hacker who is now a strategist at security firm Tenable.

A former senior intelligence official who spoke to The Hill echoed that assessment.

The specter of a catastrophic attack on the electrical grid looms large for utilities and the federal government. They all agree that a “cyber Pearl Harbor” would be a deliberate attack, most likely from a foreign adversary.

“It’s an act of war, not an act of God,” Aaronson said.

One of the most fearful aspects of cyberattacks is that they can be difficult to spot, even when they are happening.

At first, power providers may only notice a cascade of overloaded transmission lines failing in rapid succession — something that happened during the 2003 blackout, which was caused by an ordinary software bug.

A major attack would trigger a series of actions laid out in an ESCC playbook, and even for regional blackouts, energy companies would begin communicating instantly.

After a recent blackout at Washington, D.C.’s biggest electricity provider, “Immediately, I called a guy at Pepco and just said, ‘Hey, what’s going on?’ ” recalled Tom Fanning, who heads the country’s fourth largest utility, Southern Company, during an industry conference in March.

One of the things the industry has done to prepare for attacks is to set aside “clean” replacement equipment, like transformers, that could be deployed in an emergency. Transformers can be the size of school buses, but industry officials say they can be moved quickly and easily.

The energy sector for years has also had a mutual assistance program that kicks in during major power disruptions. Providers in unaffected areas send crews to places that have been crippled by a big storm, accelerating the work to restore power.

The assistance program could prove difficult to carry out during a cyberattack, however.

“If I’m sitting in Columbus, Ohio, and I know there’s a storm in Maryland, I’m not worried about sending my resources to Maryland,” said Stan Partlow, chief security officer at American Electric Power. “We’re pretty confident when we let those crews go that we’re not in trouble. On the cyber side, if I’ve sent my resources somewhere else and I’m next on the list…”

If the power grid were attacked, government workers would be scrambling at a command center in Arlington, Va.

The National Cybersecurity and Communications Integration Center (NCCIC) is part of the Department of Homeland Security. In the last six years, it has emerged as a hub for all the cyber information the government collects and analyzes.

Inside the complex, government employees and representatives from critical infrastructure industries monitor cyber activity around the clock. The NCCIC floor is lined with wall-sized screens and filled with rows of computer monitors.

The electricity industry’s main nonprofit regulatory body, the North American Electric Reliability Corporation (NERC), has a representative on the NCCIC floor every day.

If large swaths of the power grid went down, the government would tap the NERC representative to serve as a go-between to the industry as it sought to identify malicious software as quickly as possible.

After identifying the software, the government could help develop tools to boot out the hackers and eradicate lingering security flaws.

The NCCIC can also deploy “fly away teams” to utilities during a cyberattack. Those units can collect samples of malware causing outages and help mitigate network damage.

Over at the FBI, agents have been trained to assist with cyber investigations. If an attack occurred, their job would be to figure out the culprit.

“That’s really where they make their bones in this space,” said Austin Berglas, a former head of the FBI’s New York Cyber Branch and a lead investigator into last fall’s data breach at JPMorgan Chase.

Given all the preparations, it would seem that the U.S. has a rapid response plan ready to go in the event of any power grid hack.

But according to numerous cybersecurity experts, companies are mostly basing their preparations on the few case studies they’ve seen, creating the potential for gaps.

“I’ve spoken to CEOs and utilities about this problem,” Homeland Security Secretary Jeh Johnson said at a congressional hearing in March. “There’s clearly more to do.”

Last December, electric companies got their first look at what a blackout caused by hackers might look like.

In a coordinated assault, suspected Russian hackers penetrated Ukraine’s power grid, knocking out electricity for 225,000 people. The hackers flooded the customer service center with calls, causing technical difficulties and slowing the response.

“That isn’t the last we’re going to see of that,” National Security Agency Director Adm. Michael Rogers said recently. “And that worries me.”

Hackers already target the energy sector more than any other part of U.S. critical infrastructure, according to the most recent government report. There are more reported cyber incidents in the energy industry than in healthcare, finance, transportation, water and communications combined — and those are just the intrusion attempts that get noticed and reported.

Probing the power grid for digital vulnerabilities — which China, Russia and Iran do routinely — is now considered a standard part of intelligence gathering.

But those countries are careful not to disrupt economic and diplomatic relations with the U.S. No such constraints exist for rogue nations like North Korea and terrorist groups like the Islamic State in Iraq and Syria (ISIS).

“I believe that right now in Raqqa they’re working hard on trying to orchestrate cyberattacks [on the power grid], just as they are working hard on trying to develop weapons to be used,” said Sen. John McCain (R-Ariz.), who chairs the Armed Services Committee, referring to the Syrian city ISIS has claimed as its home base.

The grid is like a single, sprawling machine made up of thousands of discrete operating units — a soft target, but a diffuse one, with redundancies built in. Turning the lights off would require the ability to strategically and simultaneously activate many pieces of malware in separate locations.

“Right now the people who could do it, won’t — nation-states — and the people who want to, can’t,” Aaronson said.

Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
