Last week, US Secretary of Defense Leon Panetta gave a stern speech warning of an incoming “cyber Pearl Harbor.” The gloomy song and dance, which we’ve heard played out so many times now, made a chorus of hackers’ alleged ability to disrupt transit lines and shut down the power grid. As Motherboard’s Mr. Estes pointed out, the faux-somber debacle seemed designed to scare folks into supporting the Obama administration’s drive for internet security legislation.
And it might work. After all, we’re innately terrified of a world without electricity at this point; so much so that we’ve created an entire subgenre of fiction, the unplugged dystopia, to imagine its terrors. There’s been a steady drumbeat of forceful warnings that cyber attacks could “cripple” the US grid: from Obama himself, from the NSA general who said over the summer that the “probability of a crisis is mounting”, and from the military, which says that Anonymous, the hacker group, would soon be capable of shutting down the entire U.S. electrical grid.
With the specter of hacker-spawned darkness so roundly raised, the question is this: need we legitimately fear it?
Back in 2007, researchers successfully hacked into a power generator in Idaho, causing it to “self-destruct.” The Department of Homeland Security released footage of that event, which was aired on news networks everywhere:
[If you’re asking yourself why the DHS, a bureau known for its lack of transparency, would voluntarily release footage of a successful cyber attack crippling US energy infrastructure, well, I am too.]
Furthermore, as MIT Technology Review points out, many power plant operators are using control software that’s hopelessly outdated — as in, installed in the 90s and barely upgraded. That software could be a cakewalk to breach for hackers.
Chris Blask, the CEO of ICS Cybersecurity, told MIT that “Power and water systems have had an entirely different mindset [than] the IT industry. Stability and reliability are more important than anything—you have to keep the lights on.” As such, they haven’t been overly concerned about protecting security, and have left their software woefully unpatched. Meanwhile, they have upgraded to remote systems, allowing engineers to perform utility functions from home; and potentially offering hackers a way into vulnerable power systems through basic internet.
Thus, it may be plausible that a hacker group could replicate the scenario above; find a way to access a power plant’s control software and force it to malfunction. But it is so, so unlikely. Mostly because it would require an incredible host of resources to bring it down with any accuracy. Writing for Wired in 2010, the former supervisory intelligence officer Michael Tanji pointed out that hackers hoping to disrupt even a single power plant would have to have all sorts of intelligence beyond how the software works. To be able to coordinate a successful cyber attack on a power plant, he writes, the hackers are going to need the following:
- HUMINT (human intelligence, aka spies) to collect both open and private (though not necessarily classified) material about plant construction and operation. In the United States, we’re pretty good at announcing who won a contract to do what. In less open societies, it is going to take time to identify who is most likely to have the information you need and then more time to try and figure out the best way to get them to provide that information to you (if they’ll do it at all).
- IMINT (imagery intelligence, aka satellite or aerial pictures) to help analysts and engineers determine what sort of plant it is, give some idea as to where its various components may be located, the number of people it takes to run it, etc.
- SIGINT (signals intelligence, aka intercepted communications) to pick up key words, terms and conversations by those who built or are building the plant, who are working at the plant, who provide supplies and transport workers to the plant, to hear what local media and officials are saying about plant operations, reliability, etc.
- MASINT (measurement and signature intelligence) to gauge from afar things like temperature, magnetic fields, vibrations, exhaust and other meaningful emanations. These can be used to help determine what is likely to be happening behind walls that a human source might not be able to reach (or understand), and to help confirm (or dispute) what other intelligence sources report.
Furthermore, he notes, most utility operating software is not connected to the traditional internet — though some, as mentioned above, is.
The researchers who ran the 2007 attack broadcast by the DHS already had access to all of that information; there’s no way that even the world’s biggest and best-known hacker collectives could muster the kind of resources to do such a thing routinely, if at all. In other words, Anonymous is not going to plunge your city into darkness. Also, Anonymous never even hinted at any intent to do anything of the sort; it was just a convenient boogeyman for the NSA and its bout of fear-mongering.
More than anything, the facts and opinions outlined above give lawmakers and online security interests an opportunity to exploit hacker mythology — those shadowy “cyber” forces that anyone who owns a computer is now at the mercy of; they could leave us all in the dark! Just look at those Guy Fawkes masks and their (until recently) allegiance with an “enemy of the state” like Wikileaks! They’re scary, unknown, and they steal identities and shut down banks’ websites. And in the movies, they’re always seedy anarchist-types who don’t care for mainstream America. Just imagine what the foreign, un-American hackers might do!
Now, if there was a well-funded terrorist cell or a hostile regime with an active intelligence agency, it might be able to perpetrate such a cyber-speared attack on the grid. You know, the sort of thing that Fox News likes to rile its viewers up over:
It’s a scenario in league with perpetually feared nuclear reactor strikes and other attacks on sensitive infrastructure that never ever actually happen. In this case, it would be a terrorist cell hellbent on using a massive amount of time and resources to … cause a temporary blackout?
As for hostile nations exploiting those cyber-security weaknesses — in the Fox segment above, the “analyst” ominously points out that some Russian military hackers shut down Georgia’s internet before it attacked — that would be an act of war, as the federal government has starkly declared. Does the US intelligence community think war is nigh? Are we under threat of attack? In that case, if the CIA or NSA is concerned about a nation openly engaging in an act of war on US soil, perhaps they should be directing their resources towards ameliorating that threat — diplomatically, I trust, as is their legacy! — or at least alerting us peaceable American citizens to this nebulous threat.
But there will be no wars on our energy infrastructure. And if there were, I might add, in one last aside, might it just be easier for our foes to knock down some of our power lines? After all, a single storm left four million people in the dark last year; our transmission infrastructure is aging and fragile from the outside, too — and more plainly accessible. But it’s much less fun to imagine such a dull 20th century sort of electrical horror story.
Okay okay, enough talk of wars and terrorist plots and holes in the national security of the richest, most militarized nation on the planet. What our grid needs most is modernization; upgrades to make electrical transmission more efficient. And certainly, there should be IT upgrades in our nation’s aged power systems, patches on outdated software.
Yet our military-industrial complex feeds itself with paranoia, which is as good as capital for DoD budgets and politicians “strong on foreign policy” alike. We all know this, right? These internet security threats to our power grid are overstated for a reason, though that reason may even elude the war chiefs articulating them. They come, after all, in a deluge of more threats, more advanced threats, more cyber threats, so, more gadgets and staff and weapons and secret NSA directives and Perfect Citizens to combat those threats. Eisenhower, you dog, if you could only see us now! Your greatest fear just thrives online, where its tentacles’ reach is unfettered and its engine runs on the fears of the dark.
Hackers will not likely put out our lights anytime soon, nor Al Qaeda, nor Russia. Yet, ‘beware the spiky-haired anarchists and unwashed terrorists and steely foreigners that seek to pull the plug,’ the subtext rings out. And so the myth of hacker cells intent on disrupting our power grid has taken shape, goaded into being by political speeches and ominous punditry. But it seems pretty clear that other forces now afoot are more likely to leave us fumbling for the switch.