Energy Insecurities: The Downside of Being Too Smart

By John Bumgarner
No one can say we weren’t warned about energy insecurities. In 1998, President Clinton signed a Presidential Directive that established a national program for critical infrastructure protection.  This directive stated that the energy sector of the United States was potentially vulnerable to cyberattack and that the United States would take all necessary measures to swiftly eliminate any significant cyber vulnerabilities within this sector. Five years later President Bush’s administration published the “National Strategy to Secure Cyberspace.” This document again called for the government to secure computerized systems within the electric grid from possible cyberattack.  In May 2009, President Obama stated in a speech on securing our nation’s cyber infrastructure: "It's now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation," Obama said, adding, "We're not as prepared as we should be, as a government or as a country." His remarks also make clear that the United States is highly dependent on computerized systems to provide energy, but he said, “Cyber intruders have probed our electrical grid and that in other countries cyber attacks have plunged entire cities into darkness.”
It has been over a decade since President Clinton stated that cyberthreats against our energy infrastructure were a national security threat.  In the preceding period the cyberthreats against our energy infrastructure have only increased. The reason for these increases is because of technological advances within the energy sector that has exposed the industry to unforeseen cybervulnerabilities. The alarming thing is that more unforeseen vulnerabilities are being unintentionally engineered into the energy sector as newer technology is being introduced in an effort to improve efficiency and increase resiliency within the industry.  
A Host of Insecurities
The frequency of warning about these underlying vulnerabilities has been increasing.  In January 2008, a senior analyst working for the Central Intelligence Agency stated publicly that cyberattacks had already been used to disrupt electrical power in multiple cities outside the United States. In March 2009, CNN reported that the high-tech electricity infrastructure known as the “smart grid” could be vulnerable to a devastating attack by computer hackers. The following month the Wall Street Journal reported that Chinese and Russian spies had penetrated computers that control the North American electric grid. Four months later, security experts speaking at Black Hat USA offered insights on hacking smart grid technology (.pdf). Their discussion included a graphical demonstration of how a computer worm could infect thousands of smart meters in a major metropolitan area. 
These alarming reports nonetheless fail to describe the extent to which a complex system such as the national electric grid could be vulnerable to cyberattacks, a growing concern among experts in national security. Demonstrations of cyberattacks—such as a remote attack launched against control systems that regulate an electric generator in Idaho—further justify this concern. In this demonstration, under the code name “Aurora,” the Department of Energy Idaho National Laboratory manipulated the generator’s controls to exploit system weaknesses that caused the generator to fail. In particular, the attack caused extreme vibrations, which in turn physically destroyed internal components and ultimately caused the generator to catch fire. 
This kind of cyberattack—which the demonstration showed to be feasible—is likely to be even more effective in much larger generators, such as those in big dams and many coal-fired power plants. Potentially catastrophic consequences could occur if a significant number of critical generators were simultaneously damaged by a cyberattack. Research conducted by the U.S. Cyber Consequences Unit has shown that shutting down all electric power over a sizable region will cause at least 70 percent of all economic activity, as measured by GDP, to shut down after 8 to 10 days. This means that if a cyberattacker could shut down electrical power generation across a third of the United States for four months, the dead loss would exceed 1.6 trillion dollars.




The Magazine — Past Issues


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.