I attended the (ISC)2 Security Congress in September, and one of the featured speakers was well known television journalist Ted Koppel. He gave a presentation about his new book Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath. You are probably wondering, as I was, what would make Ted Koppel an authority on this particular subject? The answer is that he engaged in about a year and a half of research before writing this book. What he told us was disturbing.
Basically, the sad case is that we are not prepared. Certainly not branch of the Federal government has a plan to deal with this very plausible threat. We saw this threat demonstrated on a limited scale last December by the Russians against the Ukrainian power grid. If a similar attack was launched against the US power grid, or even a part of it, the effects could be devastating.
Remember Hurricane Katrina? How it took five days for FEMA to get water to the Super Dome? How’s this? In the event of a sustained power outage, the Department of Defense has 20 million MREs (Meals Ready to Eat or K-Rations). That enough to feed the residents of New York City for 3 days.
There are 3200 power companies in the US, divided into 3 power grids. Texas, of course, has one of their own. Then there is the Eastern Interconnection and the Western Interconnection. The largest utility companies have been working to secure their networks from this sort of attack, but the little rural power cooperatives, city, and regional utilities are not at the same place from a security perspective. Hacking a smaller player could open the entire grid to a sustained and effective attack.
A sustained loss of electrical power would mean not just darkness, but of course no Internet, television, or radio. well some of those companies have diesel or natural gas power backup generators. But loss of electrical power would eventually mean that new supplies of fuel could not be delivered, because they could not be pumped out of underground storage tanks. The water supply would be available until all the water was drained from the water storage towers, but without electricity to pump new water into the tanks, eventually they would run dry. This means no more toilet flushing, for one thing, and human waste disposal woud become a big problem. No fuel means no trucks, and no deliveries of food, medical supplies, goods of any type. No electricity means no banking, no credit cards. How much cash do you have on hand? What if you couldn’t get more? What if your store quit accepting cash?
The bad news is that we have evidence that both the Russians and the Chinese have successfully penetrated the control systems of the electric grid already. The good news is that they have little incentive to launch a cyber-attack against us. There are too many interlocking economic interests to make this a good idea for either government. This is most like an extension of the policy of Mutual Assured Destruction (that’s right – MAD), since we have that capability against them as well.
The scary part comes when you play a scenario where an entity such as Al-Qaeda or Daesh where to develop, or purchase, this capability. They do not have even a small reason not to launch an attack against us.
This book was a interesting and terrifying read, and I recommend it to anyone who is interested in knowing just how bad a cyber attack can be. Usually I have some recommendations for prevention or avoidance, but not this time. It will just be bad, worse than you can imagine. Fill you bathtub with drinking water. Hope you got some food in the house. It is going to be remarkably dark at night, darkness like you only get deep in the wilderness now. Never been much of a “prepper,” but this might change my mind.
Ted Koppel said in his presentation that we are always “fighting the last war,” which is why we generally have trouble with the new one. Remember the French had the Maginot line, which was WWI trench warfare on steroids. In WWII, German paratroopers dropped in behind it, and that was all she wrote. The failure of the government and electric industry to treat this possibility seriously will pretty much be the end for us if it should happen.Share
About the Author:I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com