Shutting Down the Power Grid Is Way Easier Than You Think

Look, I’m as willing to shun the grid the next privileged apocalyptic goofball, but the truth is that I’m still quite fond of having access to public electricity, even if it is produced and delivered by a state-sanctioned private utility monopoly. For starters, as a renter I’m pretty much bound to it but there’s also that whole business of society at large depending on it to maintain stability, quality of life, and often just for its members to live through the day. We should all actually be a bit more concerned about that grid, not just in terms of rates and who runs the thing, but about its very integrity.

You should know at least know something about the smart-grid by now, about how the grid is increasingly controlled by automated software from remote locations. It’s a good thing mostly, allowing the vast network of networks to respond quickly to changes in supply, demand, and equipment failures with the result being less vulnerability to blackouts and brownouts and allowing the grid to react to fluctuations caused by more variable renewable energy sources like wind and solar power. But, with our energy networks also becoming information networks, there is the risk of hacking and sabotage.

We probably shouldn’t be finding out about smart-grid vulnerabilities on accident and in public, but that’s what happened a couple of months ago, according to The New York Times’ Bits blog. An engineer named Adam Crain was testing a new piece of software designed to look for vulnerabilities in the communications protocol used by electric and water companies, DNP3. Testing it out after finding nothing wrong with his open-source DNP3 program, Crain ran the new software against code belonging to a third-party vendor of S.C.A.D.A systems, which allow utility control centers to communicate with distant power stations. His software broke the system, belonging to Triangle MicroWorks, “instantly.”

Triangle probably shouldn’t feel too bad about that because Crain and an electrical engineer named Chris Sistrunk then went and tried the software on 16 different third-party S.C.A.D.A. systems. Every single one of them broke. The Times notes that it took the Department of Homeland Security a full four months to issue a warning about the Triangle vulnerability.

What it means:

“We haven’t found anything we haven’t broken yet,” Mr. Crain said in an interview. At minimum, the two discovered that they could freeze, or crash, the software that monitors a substation, thereby blinding control center operators from the power grid. Mr. Crain likened that capability to “a bank robber being in a bank vault with the camera frozen.”

In the case of one vendor, Mr. Crain found that he could actually infiltrate a power station’s control center from afar. An attacker could use that capability to insert malware to take over the system, and like Stuxnet, the computer worm that took out 20 percent of Iran’s centrifuges, inflict actual physical harm.

That's some apocalyptic level hacking and perhaps the sort of thing we all imagined would be possible in theory. But the notion that it was just all hanging out there in the open is not the most comforting thought.