Abstract: Since the first-ever blackout caused by cyberattack, in Ukraine on December 23, 2015, followed by the second-ever blackout caused by cyberattack, also in Ukraine on December 17-18, 2016, the world has witnessed a dramatic escalation in the use of cyber weapons as a tool of coercion. Further, the targeting of critical infrastructure demonstrates a willingness to accept collateral damage to non-combatants and violates generally accepted international norms, including the Law of Armed Conflict.
Given these dramatic escalations in cyberspace, many have been asking if the United States is ready for such an attack on the power grid. There are many factors that need to be considered to answer this question. It is a complex problem with many stakeholders who are each looking at the problem from their own point of view. To help make sense of this complex problem, and get a unified view of the problem across stakeholders, I have created a simple Grid Threat Calculator.
The calculator collates vulnerabilities and threats across stakeholders and empowers us to classify and quantify these vulnerabilities and threats. By understanding the factors that contribute to the overall threat level of cyber-attacks against the power grid, we can better understand our level of readiness to face the threat.
Are We Ready? Examining United States Readiness for Cyberattacks on the Power Grid
By Jan Dyment
The Department of Energy (DOE) recently released a report stating that the United States power grid is in imminent danger from cyberattack. A Federal Energy Regulatory Commission (FERC) report determined that a small-scale coordinated cyberattack on only 9 out of the 55,000 substations that make up the U.S. electric power grid could cause a nationwide blackout. The American Society of Civil Engineers (ASCE) 2017 Infrastructure Report Card recently gave U.S. energy infrastructure a D+. EMP Commission Staff Director Dr. Peter Vincent Pry warns that a long-term outage (LTO) lasting over a year “could kill up to 9 of 10 Americans through starvation, disease, and societal collapse” due to our dependence on the power grid. Taken together, there is growing anticipation of a major cyberattack against U.S. critical infrastructure that would have catastrophic effects.
With the threat of imminent danger from cyberattacks that could cause nationwide blackouts looming over an aging and overstressed electric grid that was never built to withstand these rapidly rising threats, are we ready? Some experts are sounding the alarm while others say the threat is overblown. Without consensus on the actual nature and level of the threat of cyberattacks against the U.S. power grid, resilience and remediation efforts have been stymied in a regulatory and legislative quagmire. The goal of this inquiry is to make sense of the threat of cyberattacks on the grid to help us understand if we are prepared for this threat.
Cyber Threats are Growing
Not a day goes by without media coverage of a major cyberattack. Some experts believe that cyber warfare will play a central role in the conflicts of the 21st century. In an address at the New America Foundation, Admiral Michael Rogers, who serves as the Director of the National Security Agency (NSA), Commander of U.S. Cyber Command (USCYBERCOM) and Chief of the Central Security Service (CSS), discussed the rising trend. “Clearly, I would argue that history has shown us to date that you can name any crisis, you can name almost any confrontation we’ve seen over the last several years, and there’s a cyber dimension to it. Whether it’s what we saw in Georgia, whether what we saw in Ukraine, Iraq, the challenges associated with ISIL. This is not something isolated.” Ralph Langner, the German Industrial Control Systems engineer who was the first to decode Stuxnet, also sees cyber as a likely feature of future conflicts. “I cannot imagine any future war that would not have a cyber component.”
- In April 2007, Estonia was hit with a massive Distributed Denial of Service (DDoS) campaign that took down the online services of Estonian banks, media, and government. The attack was believed to be in response to the Estonian government moving an important Russian monument out of the center of Tallinn, the capital. While Estonian officials have blamed the Kremlin, attribution is elusive. The botnet that caused the takedown was made up mostly of hijacked U.S. devices.
- In August 2008, Russia allegedly coordinated a military invasion with a cyberattack on Georgia’s internet and communications in response to Georgia’s advances on a Russian-backed republic. This is thought to be the first time in history a military attack was coordinated with a cyberattack. Researchers said that the servers that launched the attack were based in the U.S.
- In 2010, the Stuxnet virus caused physical damage for the first time in history, destroying over 1,000 uranium-enrichment centrifuges at the Natanz nuclear plant in Iran. The U.S. has admitted involvement with Israel in Operation Olympic Games intended to forestall Iran’s development of nuclear capabilities.
- In March 2014, Russia allegedly again coordinated a military invasion with cyberattack, launching a DDoS to support separatists invading Crimea. This DDoS was 32 times larger than the DDoS used against Georgia in 2008. A separate, but some say connected, DDoS attack hit NATO and a NATO-affiliated cyber security center in Estonia.
- In December 2014, a cyberattack on a German steel mill caused physical damage for only the second time in history.
- In December 2015, the first-ever successful cyberattack on a power grid hit Ukraine, resulting in a power outage for 225,000 customers across Ukraine. Russia is suspected of the attack.
- In December 2016, the second-ever successful cyberattack on a power grid hit Ukraine again, resulting in a power outage for 230,000 customers. Russia is suspected of this attack as well.
The escalation of hostilities in cyberspace, resulting in the use of blackouts as tools of coercion, is a grave cause for concern. The terrifying statistic mentioned previously, that 90 percent of the U.S. population could die from an LTO, stems from our dependency on, and the vulnerability of, the Industrial Control Systems (ICS) that underpin our critical infrastructure. These ICS are at the heart of all critical infrastructures.
There are 16 critical infrastructure sectors “whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
These sectors are Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.
All sectors depend on the power grid. When the power goes out, all other critical infrastructures go down. Once the batteries and backup generators run out, a society without power and gas starts to unravel. The efficiencies we enjoy from a just-in-time economy will test the resilience of a society confronted with catastrophic failure caused by cyberattack.
Could a cyberattack cause an LTO?
FERC has confirmed that a targeted and coordinated cyberattack could cause a nationwide blackout. But how likely is an attack of that magnitude? And if an attack did cause a blackout, what would be the impact and how long could it last? To make sense of the challenge, I created a simple grid threat calculator.
Grid Threat Calculator
In order to better organize the problem and aid in quantifying the threat, the calculator addresses four dimensions of the problem:
- Potential Impacts (PI)
- Prime Vulnerability Factors (PVF)
- Prime Threat Factors (PTF)
- Prime Mitigation Factors (PMF)
PI × PVF × PTF − PMF = NET GRID THREAT
Potential impacts will help us understand what is at stake and establish why we should care; prime vulnerability factors will help us understand the primary vulnerabilities of the grid to cyberattack; prime threat factors will help us understand the primary threats to the grid; mitigation factors will help us understand the mitigation factors in place to counteract the vulnerabilities and threats; and, the net grid threat will help us understand if mitigation factors adequately counteract the vulnerabilities and threats given the potential impacts.
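As an added worked example (not code from the article), the calculator's arithmetic in Python, using the article's nine prime vulnerability factors and nine prime threat factors as inputs. The article gives no scoring scale, so the 0-to-1 factor scores, the mean aggregation of each dimension, and the PI and PMF values are constructed assumptions; the leverage function shows why the three multiplied dimensions behave differently from the subtracted mitigation term.

```python
"""Worked example of the Grid Threat Calculator:

    NET GRID THREAT = PI x PVF x PTF - PMF

The article gives the formula and the factor lists but no scoring scale.
Everything numeric below is a constructed assumption: each factor is scored
from 0.0 (absent) to 1.0 (worst case), a dimension (PVF, PTF) is the mean of
its factors, and PI and PMF are scored on the same 0-to-1 scale.
"""
from statistics import mean

# Factor names follow the article's two lists; the scores are constructed.
PRIME_VULNERABILITY_FACTORS = {
    "Rising dependence on grid": 0.9,
    "Grid depends on ICS vulnerable to cyberattack": 0.8,
    "Expanding ICS attack surface from Smart Grid": 0.7,
    "Grid past life expectancy on legacy IT": 0.8,
    "Just-in-time energy supply with no storage": 0.9,
    "Lack of LPT/EHV transformer redundancy": 0.9,
    "Interdependence and cascading failure": 0.8,
    "Command and control gridlock": 0.6,
    "Cybersecurity skills shortage": 0.5,
}

PRIME_THREAT_FACTORS = {
    "Grid is a strategic target": 0.9,
    "Loose cyber weapons targeting ICS": 0.7,
    "Rising grid attacks and exploits": 0.6,
    "IoT crisis and threat pollution": 0.5,
    "Maturing cyber-crime market": 0.5,
    "Cyberspace relations escalations": 0.7,
    "Terrorism and cyber WMD": 0.3,
    "Cyberspace deterrence challenges": 0.6,
    "High ROI of cyber weapons": 0.7,
}


def dimension_score(factors):
    """Aggregate one dimension (PVF or PTF) as the mean of its factor scores.

    Scores outside [0, 1] are rejected so a typo cannot silently inflate the
    product; an empty dimension contributes nothing.
    """
    if not factors:
        return 0.0
    for name, score in factors.items():
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"score for {name!r} must lie in [0, 1]")
    return mean(factors.values())


def net_grid_threat(pi, vulnerabilities, threats, pmf):
    """Evaluate PI x PVF x PTF - PMF.

    The result is floored at zero: mitigation can cancel the residual threat
    but cannot turn it into a negative quantity.
    """
    pvf = dimension_score(vulnerabilities)
    ptf = dimension_score(threats)
    return max(0.0, pi * pvf * ptf - pmf)


def leverage(pi, pvf, ptf):
    """Partial derivatives of the net threat with respect to each term.

    Because PI, PVF and PTF are multiplied, reducing one of them pays off in
    proportion to the product of the other two, while PMF is subtracted and
    always counts one-for-one. This is the arithmetic behind the article's
    point that the factors, taken together, multiply the overall threat level.
    """
    return {
        "PI": pvf * ptf,
        "PVF": pi * ptf,
        "PTF": pi * pvf,
        "PMF": -1.0,
    }


def assess(pi, vulnerabilities, threats, pmf):
    """Return the dimension scores, net threat and leverage for one scenario."""
    pvf = dimension_score(vulnerabilities)
    ptf = dimension_score(threats)
    return {
        "PVF": pvf,
        "PTF": ptf,
        "net": net_grid_threat(pi, vulnerabilities, threats, pmf),
        "leverage": leverage(pi, pvf, ptf),
    }


if __name__ == "__main__":
    # Constructed scenario: a severe potential impact (PI) with only modest
    # mitigation (PMF) in place.
    report = assess(0.9, PRIME_VULNERABILITY_FACTORS, PRIME_THREAT_FACTORS, 0.2)
    print(f"PVF={report['PVF']:.2f} PTF={report['PTF']:.2f} "
          f"net grid threat={report['net']:.2f}")
    for term, value in report["leverage"].items():
        print(f"  d(net)/d({term}) = {value:+.2f}")
```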
For the purposes of this initial inquiry, the calculator serves only as a theoretical framework to organize a highly complex problem and help us better understand what needs to be factored in to our calculations of the threat of cyberattack against the U.S. power grid.
Part II will examine mitigation factors more closely. The calculator is designed to undergo continued synthesis and integration of old and new data. This is useful due to the need for a highly responsive real-time analysis of a rapidly evolving threat.
“We’ve got a two-week veneer of civilization. If we can’t get the power restored by then, it’ll take us years to get it back.”
It is critical to understand the potential impacts of a cyberattack on the power grid to establish why we should care about the problem in the first place. It is no longer simply a theoretical possibility that cyberattacks can cause blackouts. But what does this mean? The examples below are commonly used as a baseline for understanding the potential impacts of a blackout. Note in the National Geographic model how each day of an extended outage has catastrophic consequences.
2003 Northeast Blackout
So far, the largest blackout on record in the United States was the 2003 Northeast Blackout. On August 14, 2003, a blackout disrupted power to some 50 million people in the states of Ohio, Michigan, Pennsylvania, New York, Vermont, Massachusetts, Connecticut, New Jersey and the Canadian province of Ontario, lasting for up to 4 days in some areas, with an economic impact between $4 billion and $10 billion (U.S. Dollars).
Lloyd’s of London
Lloyd’s of London provides an excellent model of potential impacts from a successful cyberattack on the grid. The scenario is a malware-based attack that burns up 50 generators and results in a blackout affecting 15 U.S. states and Washington, D.C., leaving 93 million people without power. Power is restored within 24 hours in some areas, but others take weeks. Lloyd’s determined the total financial impact to be $243 billion at the low end, and up to $1 trillion at the high end. In addition, there would be an increase in deaths resulting from failures of critical infrastructure. Interestingly, this model was released only months before the first-ever successful cyberattack on a power grid in Ukraine.
On their website, Survive the Blackout, the National Geographic Channel calculates a real-time progression of the impacts of an extended outage, and by day 10 the calculator estimates that there would be a nearly $1.3 billion financial impact and 339,013 fatalities.
Prime Vulnerabilities and Threats
Now that we have a basic understanding of the potential impacts of a cyberattack on the power grid, we can examine the factors that are contributing to the possibility and probability of a blackout caused by cyberattack.
The U.S. power grid is facing a historic convergence of rising vulnerabilities in tandem with a historic convergence of rising threats from cyberattack. Each individual vulnerability or threat that increases the likelihood or severity of a successful grid cyberattack is a cause for concern. However, when factored together, the overall threat level is multiplied.
The complexity of the grid results in a multitude of stakeholders, each with their own interest and stake in the grid, viewing the problem from their own domain. Thus, vulnerabilities and threats are viewed from the vantage point of a single domain, or limited set of domains. A key advantage of the calculator is that it provides a platform for a unified view of vulnerabilities and threats across domains and stakeholders.
For example, some stakeholders are raising concerns about the lack of availability and redundancy of critical Extra High Voltage (EHV) transformers that can be damaged as the result of a cyberattack (vulnerability factor 6), while other stakeholders are raising concerns about the expanded attack surface caused by Smart Grid initiatives (vulnerability factor 3), and yet other stakeholders are warning of the dangers of new malware variants and zero-days that are targeting critical infrastructure (threat factor 3). Still others are concerned that substantial portions of our military networks and command and control capabilities are dependent on a mostly privately owned grid (vulnerability factor 7). And anyone familiar with the subject matter is concerned about the unclear public and private roles and responsibilities, chain of command, and accountability for the grid (vulnerability factor 8).
The goal of this inquiry is to collect, organize and centralize these primary threat and vulnerability factors across sectors and industries to better understand their combined effects on the overall threat level. Based on the results of this initial inquiry I have isolated 9 prime vulnerability factors and 9 prime threat factors converging to multiply the impact and probability of a successful cyberattack on the U.S. power grid:
Prime Vulnerability Factors
- Rising dependence on grid
- Grid depends on ICS that are vulnerable to cyberattack
- Rapidly expanding ICS attack surface from Smart Grid initiatives
- Grid past life expectancy operating at max capacity on legacy IT
- Just-in-time energy supply with no energy storage
- Lack of availability and redundancy of Large Power Transformers (LPTs) and Extra-High Voltage (EHV) transformers
- Interdependence, dependencies, and cascading failure
- Command and control gridlock
- Cybersecurity skills shortage
Prime Threat Factors
- Grid is a strategic target
- Loose cyber weapons designed to seek-and-destroy ICS
- Rising grid attacks and exploits
- IoT crisis and massive rise in threat pollution
- Rapidly maturing cyber-crime market and global network
- Cyberspace relations escalations
- Terrorism and cyber WMD
- Cyberspace deterrence challenges
- The high ROI of cyber weapons
Prime Vulnerability Factors
Vulnerability is the state of being exposed to a threat. There are myriad vulnerabilities in the vast and complex electric grid system, but for the purposes of this initial inquiry, the following prime vulnerability factors were estimated to cause the highest degree of exposure to the threats of cyberattack.
1. Rising dependence on the grid.
With rising dependence on technology has come rising dependence on the electric grid to power that technology. Although we have greatly benefited from the efficiency and productivity gains of technology, we have also acquired the risks of dependency.
The advent of the grid begins with the so-called War of Currents between alternating current (AC), championed by Nikola Tesla, and direct current (DC), championed by Thomas Edison. “At stake was the basis for the entire nation’s electrical system.” Many had been working on various electric lamps and bulbs, but Edison not only invented the incandescent lightbulb, he also overcame the design challenges of providing a safe and reliable energy source for the bulb. In December of 1880 he established the Edison Electric Illuminating Company of New York, and in September of 1882 he engineered and built the first “permanent central power station for electric lighting” at the Pearl Street Station in New York City.
The Pearl Street Station was based on Edison’s DC technology and delivery system; however, AC eventually won out because its voltages could be transformed easily and it could be transmitted over long distances. The ability to carry electricity long distances from where it was generated transformed the electric grid and the power market, allowing for economies of scale and enabling centralized generation of electricity that could be transmitted and distributed to customers across the grid. From 1920 to 1980, market and regulatory forces resulted in utility monopolies with centralized control over generation, transmission, and distribution.
Throughout this period, more interconnections were made to improve efficiency and reliability, and more dependencies formed. In the early 20th century, before these forces had taken hold to consolidate power and control of grid assets, more than 4,000 utilities operated independently as isolated systems. Now, in the early 21st century, there are only 3 connected grids that make up the entire U.S. electric power grid: the Eastern Interconnection, the Western Interconnection and the Electric Reliability Council of Texas. This high level of interconnection and dependency on a grid that is vulnerable to cyberattack is a major factor in the threat calculation.
2. Grid depends on ICS that are vulnerable to cyberattack.
The facilities that make up the grid, including generation, transmission, and distribution facilities, are operated by ICS. These systems include Supervisory Control and Data Acquisition Systems (SCADA) and Energy Management Systems (EMS) that control data acquisition over large areas, Distributed Control Systems (DCS) that control, monitor and manage industrial processes that are dispersed, as well as various additional types of systems that aid in the control and management of large industrial processes including Programmable Logic Controllers (PLCs) and Human Machine Interfaces (HMI) to name a few.
In 2007, the Department of Homeland Security conducted the Aurora Generator Test to determine if cyberattacks could cause physical damage by compromising ICS. Their fears were confirmed when they were able to remotely destroy a diesel generator by exploiting a known vulnerability in the ICS that the generator was connected to. When the results of the test were first released to the public, suggestions that the vulnerability could cause a blackout were considered hype by some. There have now been two successful blackout attacks on the grid, with the most recent integrating the lessons learned from the first, and increasing in sophistication.
2.1 OT/IT connections increase attack surface.
With the rise of the Smart Grid, ICS are more connected and more exposed than ever. Before the rise in ICS automation and Smart Grid, Operational Technology (OT) that managed ICS was traditionally separated from Information Technology (IT) that managed the business and administrative operations. This prevented ICS from being exposed to vulnerable IT systems that required internet connections. Now, these systems are being connected more than ever before to improve operating and delivery capabilities, as well as to improve efficiency and reduce costs. This increases the exposure of critical systems to risk.
A 2016 Kaspersky threat report addresses the challenges of dependency on OT automation tools that are exposed to Internet-connected IT environments.
“An air gap between the industrial network and other networks was an easy-to-implement requirement 10 or 15 years ago. However, the ever-growing reliance of modern finance, supply and planning processes on connectivity and business analytics renders air-gaps impracticable, with very little chance of that simple solution being used in the future.”
Attacks can also originate from a malicious insider with access who introduces an ICS cyberweapon directly into the network via USB, or from a trusted third party who is unknowingly compromised and delivers the payload into the network by accident when connecting to the protected network for system support or maintenance. Although an internet connection is not required to launch a cyberattack on an industrial control system, an OT/IT connected environment expands the attack surface and increases the vulnerabilities that can be exploited by a malicious actor.
2.2 Many U.S. power systems lack backup manual control of ICS.
The dependence on control system automation tools, and the revolution in productivity, efficiency, and reliability for critical infrastructure owners, happened in a time before the threats and consequences of cyberattacks were fully considered or understood. Many experts have noted that the impacts of the Ukraine attack were mitigated due to manual controls that helped prevent further failures and enabled a more rapid recovery. However, they also note that many power systems in the U.S. lack this manual backup functionality. This could multiply the potential impact of a cyberattack on a facility that does not have these backup manual controls.
2.3 ICS vendor product vulnerabilities.
Hardware and software environments are filled with unpatched and legacy products with known vulnerabilities that can be exploited by a malicious attacker to gain entry into the control system network.
In addition to unpatched products with known vulnerabilities, “zero-day” vulnerabilities allow attackers to take advantage of flaws in products that are as yet unknown to the vendor. Stuxnet took advantage of four zero-day vulnerabilities to execute the successful attack on the Natanz nuclear facility. Further, the CIA and NSA had been stockpiling such vulnerabilities for use against adversaries, and with their recent release by WikiLeaks and the Shadow Brokers respectively, many are now in the wild and available to malicious actors. This is a gaping vulnerability in grid security.
2.4 ICS supply chain vulnerabilities.
In addition, vulnerabilities can be introduced at any point in the supply chain.
“At each phase in the extended supply chain — from product design, manufacturing quality, secure transportation, warehousing, maintenance and repair through secure end-of-life disposal — there are risks that counterfeit products or compromised components could be inserted into the smart grid.”
The multitude of vulnerable entry points that can be exploited by malicious actors to access and control critical ICS increases the probability of a successful attack.
3. Rapidly expanding ICS attack surface from Smart Grid initiatives.
Smart Grid technology is further increasing dependencies and introducing new vulnerabilities to the grid. The Smart Grid effort was born out of the American Recovery and Reinvestment Act of 2009, which allocated $4.5 billion for grid modernization. According to the DOE Office of Electricity Delivery and Energy Reliability (OE), the Smart Grid is a “developing network of communications, controls, computers, automation and new technology and tools working together to make the grid more efficient, more reliable, more secure and greener.” However, the sensors and internet connections that the Smart Grid relies on increase the attack surface of the grid by introducing new attack vectors, and make the grid more vulnerable to potential cyberattack. Further, these initiatives are being widely deployed without a focus on security, compounding the impact.
4. Grid past life-expectancy running at max capacity on legacy IT.
The U.S. grid earned the D+ ASCE rating on the infrastructure scorecard mentioned previously because much of the transmission and distribution lines were built in the 1950s and 1960s and are past their 50-year life expectancy. In addition, high voltage transmission lines are at max capacity in 48 states.
In addition to the aging and maxed out infrastructure, much of the grid is being run by legacy IT systems. In many cases, these systems were custom built for a plant and put in place before cybersecurity was a concern. In addition, these legacy systems can’t be easily switched out.
“As a recent example of this challenge, take a look at Microsoft’s conclusion of support for the XP Operating System. Many ICS systems have been relying on XP for the past decade and with the long life-cycle for these systems – i.e., they are not changed out for years at a time – and an approach to patching and maintenance that has minimized maintenance and operational impacts on these devices. However, with XP now out of support, there are increased security concerns for these machines/devices and their security exposure – but, changing out these systems is not as easy as replacing a laptop or server due to the critical need for ICS system availability to run factories, generation plants, etc.”
The combined impact of an aging and overstressed grid being operated by legacy equipment vulnerable to cyberattack dramatically increases grid exposure to cyber threats.
5. Just-in-time energy system with no energy storage.
Energy delivery across the grid requires that the flow of energy supply be balanced precisely with energy demand at all times. In addition to this fragile supply and demand balance, which depends on the reliability of interconnected systems, there is currently no way to store energy, and thus no backup if things go wrong.
The impacts of outages and the associated cascading failures across the grid and additional critical infrastructure have been exhaustively studied. An outage of only weeks can cause catastrophic consequences. The dependence on a just-in-time system with no reserves that is vulnerable to cyberattack dramatically increases the threat level and potential impacts.
6. Lack of availability and redundancy of Large Power Transformers (LPTs) and Extra High Voltage (EHV) transformers.
This is the Achilles’ heel that causes the nightmare scenarios that no one wants to talk about. But our enemies are talking about it as we speak. The lack of availability and redundancy of Large Power Transformers is a widely known vulnerability within the industry, and it is a well-understood problem.
“LPTs are custom-designed equipment that entails a significant capital expenditure and a long lead time due to an intricate procurement and manufacturing process. Although prices vary by manufacturer and by size, an LPT can cost millions of dollars and weigh between approximately 100 and 400 tons (or between 200,000 and 800,000 pounds). The procurement and manufacturing of LPTs is a complex process that includes prequalification of manufacturers, a competitive bidding process, the purchase of raw materials, and special modes of transportation due to its size and weight. The result is the possibility of an extended lead time that could stretch beyond 20 months if the manufacturer has difficulty obtaining certain key parts or materials. Two raw materials—copper and electrical steel—account for more than half of the total cost of an LPT. Special grade electrical steel is used for the core of a power transformer and is critical to the efficiency and performance of the equipment; copper is used for the windings. In recent years, the price volatility of these two commodities in the global market has affected the manufacturing condition and procurement strategy for LPTs.”
But the larger problem is the extremely important and rare Extra High Voltage Transformers that are subject to the same supply chain and logistics challenges, with the added challenges of the relative obscurity of their rare components. “The at-risk populations are made up of auto and non-auto transformer types with a variety of primary and secondary voltage ratings and MVA capacity ratings that were designed specific to their grid location purposes. This diversity underscores the problems of providing spare equipment for such large-scale infrastructure failures.” Annual global output of EHVs is roughly 200.
LPTs and EHVs can be destroyed as a result of a cyberattack. Widespread failure of these components can dramatically extend the length of an outage, and thus drastically increase the potential impact of an outage. The GRID Act included provisions that would give FERC authority to direct the Electric Reliability Organization (ERO) to develop standards for the sufficient availability of large transformers, but the bill died in the 113th Congress.
7. Dependencies, interconnectedness, and threat of cascading events.
A NERC report following the Northeast Blackout of 2003 directly correlates large-scale blackouts with the increase in grid interconnectedness and the resulting cascading impacts. “Because the transmission networks in the U.S. are tightly interconnected, the concern also becomes failure modes that can cascade a failure or collapse from one region into neighboring interconnected and unaffected regions as well.”
In addition to cascading effects across the power grid itself, there is the risk of cascading failures across all critical infrastructures that depend on the electric grid. Because critical infrastructures are dependent on power, threats to the power sector pose the threat of cascading events across dependent critical infrastructures. Cascading failures across critical infrastructures that result from an initial outage can dramatically increase the impact of a cyberattack.
7.1 DOD dependent on grid.
In 2008, the Defense Science Board Task Force on DOD strategy warned of the vulnerability of DOD to the dangers of a privately owned and fragile grid.
“DoD’s key problem with electricity is that critical missions, such as national strategic awareness and national command authorities, are almost entirely dependent on the national transmission grid. About 85% of the energy infrastructure upon which DoD depends is commercially owned, and 99% of the electrical energy DoD installations consume originates outside the fence. As noted below, however, the grid is fragile, vulnerable, near its capacity limit, and outside of DoD control. In most cases, neither the grid nor on-base backup power provides sufficient reliability to ensure continuity of critical national priority functions and oversight of strategic missions in the face of a long term (several months) outage.”
In fact, the Task Force determined that this was one of only two primary energy challenges facing the DOD.
“Almost complete dependence of military installations on a fragile and vulnerable commercial power grid and other critical national infrastructure places critical military and Homeland defense missions at an unacceptably high risk of extended disruption.”
Disruption to DOD command and control is a major vulnerability factor that could further compound the impact of a cyberattack on the grid, and the United States’ ability to respond and recover.
8. Command and control gridlock.
“There is, quite simply, an unavoidable tension between industry’s insistence that it be allowed to operate within a free enterprise system and government’s responsibility to develop high standards of safety and security for what may be the nation’s single most critical piece of infrastructure. This tension has resulted, in the electric power industry, in a high-stakes duel between corporations and government regulators, the consequences of which are cybersecurity regulations so patchwork and inadequate as to be one of the chief sources of the grid’s vulnerability.”
The issues associated with this vulnerability factor have caused dangerous delays in deploying critical threat mitigations to widely known and understood vulnerabilities and threats to the grid.
Who’s in Charge?
The power grid is owned and run by a complex network of private stakeholders charged with the reliable generation, transmission and distribution of electricity, as well as public stakeholders charged with legislation, regulation, and enforcement of security and reliability standards.
Private stakeholders include the Northeast Electric Reliability Corporation (NERC) the Electricity Subsector Coordinating Council (ESCC), electric companies that generate, transmit, and distribute electricity, Independent System Operators (ISO) and Regional Trade Organizations (RTO) that facilitate open access to electricity transmission among competing generators, trade associations and various industry organizations.
NERC was formed following the Northeast Blackout of 1965 that occurred on November 9, 1965 and prompted industry and government to rethink the criticality of grid reliability. Following the Northeast Blackout of 2003, it was determined that violated NERC standards were a major cause of the blackout. In response, the Energy Policy Act of 2005 authorized the establishment of NERC as the North American Electric Reliability Organization (ERO) making compliance “mandatory and enforceable”. NERC is subject to FERC oversight.
NERC delegates authority to eight Regional Entities, the Florida Reliability Coordinating Council (FRCC), the Midwest Reliability Organization (MRO), the Northeast Power Coordinating Council (NPCC), ReliabilityFirst (RF), SERC Reliability Corporation (SERC), Southwest Power Pool Regional Entity (SPP RE), Texas Reliability Entity (Texas RE), and the Western Electricity Coordinating Council (WECC), that are responsible for monitoring and enforcing reliability compliance for over 1,400 Registered Entities, which are required by law to comply with NERC reliability standards.
Registered Entities are asset owners of facilities that make up the Bulk Electric System (BES) as defined by NERC as “all Transmission Elements operated at 100 kV or higher and Real Power and Reactive Power resources connected at 100 kV or higher. This does not include facilities used in the local distribution of electric energy.”
Registered Entities include Balancing Authorities who make sure power supply and demand are “finely balanced”, Distribution Providers who own the wires that distribute electricity from the transmission system to the customer, Generator Operators who operate power generation facilities, Generator Owners who own power-generating facilities, Interchange Coordinators or Interchange Authorities who authorize the implementation of Interchange Schedules between Balancing Authorities, Reliability Coordinators, with the highest authority, who have a Wide Area view of the grid that individual operators don’t have, Transmission Operators who are responsible for the reliability of the transmission system within their Transmission Operator Area, and Transmission Owners who own the transmission facilities.
These entities are subject to the mandatory and enforceable NERC standards. However, local distribution facilities, including the distribution substations that are vulnerable to cyberattack and whose loss can have widespread cascading impacts, are not subject to the mandatory standards. Distribution substations generally fall below the NERC “bright line” threshold of 100 kV, as they typically operate at 2.4 kV to 34.5 kV. The first Ukraine grid attack was conducted against distribution facilities.
The Federal Energy Regulatory Commission (FERC) evolved out of the Federal Power Commission, which was created by the Federal Water Power Act of 1920 to address navigation and hydroelectric power generation. FERC is made up of five members appointed by the President and confirmed by the Senate.
FERC has responsibility and authority for the interstate transmission of electricity including the rates charged for it, and the reliability of the high-voltage transmission system that transports it. In general, FERC does not have authority over the reliability of generation or distribution facilities. Again, the critical distribution facilities are left out of mandatory oversight. Although it is clear mandatory regulations alone are not necessarily sufficient, enforceable standards were put in place to help prevent the type of cascading failures that occurred in 2003 resulting from the violation of these basic standards.
8.1 Legislative gridlock.
A report issued by the Center for the Study of the Presidency and Congress, chaired by Thomas Ridge, who was Assistant to the President for Homeland Security and the first United States Secretary of Homeland Security under President George W. Bush and is now chairman of Ridge Global, a cybersecurity consulting firm, recognizes the command and control challenges of securing the grid. “The leadership in Congress must act to resolve the deadlock that has stymied legislation aimed at addressing cybersecurity information sharing and critical infrastructure protection.” This deadlock means that the deployment of critical recommendations from experts is delayed, increasing our vulnerability and hindering our ability to address known gaps.
In addition to gridlock, legislators and policymakers with the power to make change do not fully understand the issues. Peter Singer, noted American scholar, political scientist, and specialist on 21st century warfare, discusses the challenge in his book Cybersecurity and Cyberwar: What Everyone Needs to Know (co-authored with Allan Friedman): “Someone who doesn’t “seem to know jack BLEEP about computers or the Internet … is just the guy in charge of regulating it” is a near-perfect illustration of how disconnected Washington policymakers can be from technological reality.” This disconnect is another vulnerability in the command and control apparatus we depend on to respond adequately to the threat.
8.2 Unclear roles, responsibilities, and accountability.
The Department of Homeland Security National Infrastructure Advisory Council (DHS NIAC) also recognizes the challenges of command and control issues related to cybersecurity of the U.S. power grid. “There is no clear national strategy or accountability that indicates who is responsible to defend the collective entities in the Nation against cyberattacks.” In addition, a 2016 GAO report cited a lack of clear roles and responsibilities for DOD in the instance of a cyberattack. The lack of clear chain of command and accountability further compounds the challenges in adequately responding to the threat.
8.3 Lack of unified jurisdiction, authority, and command over cybersecurity of grid.
As mentioned previously, the electric power grid is an interconnected system that extends across state lines and allows for the generation, transmission, and distribution of electricity. FERC jurisdiction and authority is limited to the transmission component of the grid because transmission systems facilitate interstate commerce. States generally have jurisdiction and authority over the generation and distribution component of the grid through Public Utility Commissions.
In an article covering the well-planned and executed sniper attack on the Metcalf power station in San Jose, CA, Jon Wellinghoff, former head of the Federal Energy Regulatory Commission, issued a warning “that no single authority can order utilities to beef up security at their facilities.”
“Wellinghoff also says that his former agency, which regulates the interstate transmission of electricity, natural gas, and oil, does not have the authority to tell utilities to take specific actions to boost security at their facilities. “Some agency,” he says, has to be put in charge of putting such a plan together and making sure utilities follow through.” 
The lack of clear roles, responsibilities, and accountability prevents the critical coordination between stakeholders required to face this dramatically rising threat.
8.4 Competing public and private interests.
90 percent of the U.S. grid is privately owned. This leads to many conflicting interests and agendas including who has the authority, jurisdiction, responsibility, and budget to solve the problems related to the grid. The fact that the grid is privately owned, but that the safety, peace, and prosperity of the nation depend on it, poses a unique command and control challenge of balancing the mechanisms of the free market with the requirements of public safety.
In a letter to the Subcommittee on Economic Development, Public Buildings, and Emergency Management of the Committee on Transportation and Infrastructure in the U.S. House of Representatives, the Foundation for Resilient Societies, a research and education organization focused on critical infrastructure protection, highlights the regulatory tension between the public interest and the private industry bottom line.
“Dysfunction of the Current FERC/NERC Regulatory System
The North American Electric Reliability Corporation (NERC), the designated Electric Reliability Organization (ERO) under Section 215 of the Federal Power Act, is an organization dominated and effectively controlled by electric utility interests. Seventy percent of NERC members are electric utilities. NERC members regularly vote to place representatives from large investor owned utilities in key committee positions. While the NERC Board of Trustees is nominally independent, their election is also controlled by NERC members. With this membership and governance structure it should be no surprise that NERC acts principally to further the goals of for-profit electric utilities.”
8.5 Disincentivization of breach reporting.
As pointed out in a policy recommendation by the Bipartisan Policy Center, co-chaired by General (Ret.) Michael Hayden, FERC’s mission and incentives are misaligned: it encourages information sharing between industry and government on one hand, yet imposes fines and penalties for breaches on the other. The result is a disincentive to report breaches, so fewer breaches are reported, and there is less awareness and understanding of the actual threat.
8.6 NERC/FERC rulemaking slow.
NERC and FERC bear the greatest responsibility for the reliability of our grid, but the rulemaking process critical for carrying out this mission is lengthy and delays implementation and adoption of critical standards. The grid is facing a cyber-threat landscape where threats are multiplying and morphing daily. The rulemaking process is intended to ensure due process and stakeholder participation; however, this has had the unintended consequence of delaying mitigation efforts and leaving open critical windows of vulnerability that are only multiplying.
8.7 Standards are inadequate or do not cover critical entities.
Although the industry is highly regulated, many of the standards related to the security of the grid are inadequate. Additionally, as mentioned previously, critical distribution facilities that are on the front lines of cyberattacks against the grid are not covered by the standards.
These have been key issues in the debate as industry doesn’t want government interference, and needs to be responsible to shareholders, while government needs to be able to assure the public safety and national security that depend on a reliable grid. This topic will be covered in depth in Part II covering mitigation factors.
8.8 Electric utility deregulation increasing command and control complexities.
Decentralization because of deregulation is good for competition that drives innovation and reduces costs, but bad for security as it creates greater complexities that are more difficult to secure. Prior to deregulation, governance was verticalized with central command and control across generation, transmission, and distribution. Now different stakeholders run each separate process, and in addition, governance is also distributed across these processes and causes potential vulnerabilities.
“Restructuring is also raising concerns over the reliability of the nation’s electricity grid, as evolution to a competitive market structure has created substantial new operating and planning challenges for reliability. In this environment, operators are faced with large volumes of transactions, larger areas to control, new players, changing operational responsibilities, movement of power over long distances in response to market signals, shrinking and changing definitions for reserve margins, unpredictable system behavior, and finally, an environment of having to manage systems with operational tools that were designed for a centrally planned and controlled electric grid.”
9. Cybersecurity skills shortage and resulting shortage of battlespace defenders.
The rapid increase in cyber threats has resulted in an increased demand for cybersecurity skills that are not being met. This shortage of cybersecurity professionals results in a vulnerability in the human network responsible for protecting the grid in both the public and private sector.
In July 2016, the White House released the Federal Cybersecurity Workforce Strategy based on the challenges caused by the shortage. “Federal agencies’ lack of cybersecurity and IT talent is a major resource constraint that impacts their ability to protect information and assets.” In addition to all of the other factors the grid is facing, the shortage of battlespace defenders directly affects the U.S. ability to respond to all other threat factors and therefore is a major factor in the overall threat-level the U.S. faces.
Prime Threat Factors
In the same way that prime vulnerabilities were selected for how much they exposed the grid to threats, the prime threats were selected for their ability to increase the probability of attack, increase the impact of an attack, or both.
1. Grid is a high-value strategic target.
If no one wanted to attack the grid I would not be writing this paper. The vulnerabilities would not matter because there would be no threats. The reason that attacks and threats are multiplying is because the grid is a high-value strategic target.
Critical infrastructure is a key strategic target for any adversary. The targeting of critical infrastructure began with the advent of strategic bombing campaigns designed to disable “the most vital, most vulnerable, and least protected points of the enemy’s territory” and bring an end to enemies’ war efforts. The advent of ICS cyber weapons now gives actors the capabilities of a strategic bombing squadron without the expenses or risks.
In November of 2010 a McAfee Report In the Dark: Crucial Industries Confront Cyberattacks warned that electric grids were constantly being probed, and more than likely by state actors.
“Our survey data lend support to anecdotal reporting that militaries in several countries have done reconnaissance and planning for cyberattacks on other nations’ power grids, mapping the underlying network infrastructure and locating vulnerabilities for future attack.”
2. Loose state-level cyberweapons designed to seek-and-destroy ICS.
As termed by Perry Pederson, former Director of Control System Security for the Department of Homeland Security who served as the lead for the Aurora Generator Test, and now Senior Control Systems Security Program Manager at Pacific Northwest National Laboratory, a cyberweapon is “a software artifact designed to cause physical harm to objects, people, or the environment.”
2.1 First time ICS cyberweapon causes physical damage – Stuxnet malware.
As mentioned previously, Stuxnet, discovered in June 2010, destroyed roughly 1,000 uranium-enrichment centrifuges at the Natanz facility in Iran by manipulating the Siemens programmable logic controllers (PLCs) that drove them. This was the first publicly known case of a cyberattack causing direct physical damage. Cyber was now a kinetic weapon.
An analysis by cybersecurity firm Symantec determined that everything needed to gain control of the control system of the nuclear plant and disrupt the system was in the malware.
“Thus, all the functionality required to sabotage a system was embedded directly in the Stuxnet executable. Updates to this executable would be propagated throughout the facility through a peer-to-peer method established by Stuxnet.”
“Should we shut this thing down?”
One of the biggest consequences of the attack was that Stuxnet, the first-of-its-kind cyberweapon trained to seek and destroy ICS, is now in the wild to be examined, analyzed, reverse engineered, and copied by malicious actors. It also opened a new era where governments could use malicious code to achieve physical effects for political purposes.
“While their choice of using self-replication methods may have been necessary to ensure they’d find a suitable Field PG, they also caused noticeable collateral damage by infecting machines outside the target organization.”
When it was discovered that the malware had accidentally been released into the wild, President Obama considered the options. According to members of the national security team present, Obama asked, “Should we shut this thing down?” But they continued with the mission.
In a July 2011 interview, over 4 years before the Ukraine power grid hacks, Stuxnet decoder and ICS engineer Ralph Langner issued an ominous warning. When asked what was the most dangerous development since Stuxnet, Langner said the greatest danger was that nobody cares.
“The most dangerous development is that DHS and asset owners completely failed to identify and address the threat of copycat attacks…. With every day [that] cyber weapon technology proliferates; the understanding of how Stuxnet works spreads more and more. All the vulnerabilities exploited on the [industrial control system] level and [programmable logic controller] level are still there. Nobody cares.”
2.2 First time ICS cyber weapon causes blackout – BlackEnergy malware.
Then, on December 23, 2015, an ICS cyberattack in Ukraine caused a blackout for over 225,000 customers. This was the first time in history that a cyberattack had caused a blackout. The attack was highly coordinated and took at least 27 substations, and probably more, offline across three different distribution companies.
As in the Natanz attack, where Stuxnet was the means of reaching the ICS, malware was also used to reach the ICS in Ukraine. BlackEnergy 3 was delivered into the business network by a spear-phishing campaign whose emails carried Microsoft Word and Excel documents with malicious macros. Once a user opened the attachment and enabled the macro, the attackers had a foothold on the business network. From there they harvested credentials, used those credentials to reach the ICS network over the utilities’ own remote-access (VPN) connections, and then operated the HMI and remote-access tools to open the breakers that triggered the blackout.
A telephone denial-of-service attack also flooded the utilities’ customer call centers with calls and prevented customers from reporting outages. As of a February 25, 2016, ICS-CERT report, more than two months after the attack, none of the three affected regional electric power distribution companies was fully operational.
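The first link in the chain described above, a weaponized Office document whose macro launches a command interpreter or script host, is one of the more reliably detectable steps, because Word and Excel almost never have a legitimate reason to spawn cmd.exe or wscript.exe. The following detector is an added example written for this page, not code from the paper or from any of the reports it cites. It parses process-creation events in a constructed Sysmon-style JSON format (the field names ParentImage, Image, CommandLine, Computer and User are an assumption for the example, not a specific product’s schema) and flags any Office parent that spawns a known staging binary. The sample log lines are constructed, not real telemetry.

```python
"""Flag Office applications spawning command interpreters or script hosts.

Added example (not from the paper). It models the initial-access step of the
Ukraine intrusion: a user opens a macro-laden Word/Excel document and the macro
launches a shell or script host to stage the next payload. Event format and
field names are assumed for the example; adapt them to your own log schema.
"""
import json
import ntpath

# Office applications whose child processes deserve scrutiny.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Interpreters and living-off-the-land binaries a macro typically uses.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def is_office_spawn(event):
    """True when an Office process launches a suspicious child process."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN


def scan(lines):
    """Parse one JSON event per line; return a list of alert dicts."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than stop the pipeline
        if is_office_spawn(event):
            alerts.append({
                "host": event.get("Computer"),
                "user": event.get("User"),
                "parent": basename(event["ParentImage"]),
                "child": basename(event["Image"]),
                "cmdline": event.get("CommandLine", ""),
            })
    return alerts


# Constructed sample events (assumed schema, not real logs).
SAMPLE_LOG = r'''
{"Computer":"ws-ops-07","User":"CORP\\jdoe","ParentImage":"C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c powershell -w hidden -enc SQBFAFgA"}
{"Computer":"ws-ops-07","User":"CORP\\jdoe","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE","CommandLine":"WINWORD.EXE invoice.doc"}
{"Computer":"ws-fin-02","User":"CORP\\asmith","ParentImage":"C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE","Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript.exe C:\\Users\\asmith\\AppData\\Local\\Temp\\upd.vbs"}
{"Computer":"ws-fin-02","User":"CORP\\asmith","ParentImage":"C:\\Windows\\System32\\services.exe","Image":"C:\\Windows\\System32\\svchost.exe","CommandLine":"svchost.exe -k netsvcs"}
'''

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"[ALERT] {a['host']} {a['user']}: "
              f"{a['parent']} -> {a['child']}  {a['cmdline']}")
```

Run against the sample, the detector raises two alerts (WINWORD.EXE launching cmd.exe with an encoded PowerShell command, and EXCEL.EXE launching wscript.exe on a script in a temp directory) and ignores the benign lines. The later pivot in the Ukraine chain, stolen credentials used over the corporate VPN into the ICS network, is better caught at the VPN concentrator and the IT/OT boundary (logins from unexpected sources or hours, sessions to HMI hosts from accounts that normally never touch them) than on the endpoint, so this block deliberately covers only the initial-access step.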
2.3 Second time ICS cyber weapon causes blackout – BlackEnergy malware.
Nearly a year later, on December 17, 2016, there was another cyberattack on the Ukrainian grid. Some experts believe it was the same actors, who had learned from the previous attack. “The attacks in 2016 and 2015 were not much different – the only distinction was that the attacks of 2016 became more complex and were much better organised.”
This time the power outage lasted only one hour and fifteen minutes, but ICS expert Michael Assante says that it was much more significant. The attack of December 23, 2015, targeted distribution systems and therefore had localized impacts. The attack of December 17, 2016, targeted a transmission substation, which could increase the size and impact of an attack. “Impacting the electric transmission system has the potential to impact a wider geographic area causing cascading outages with the potential to damage extremely expensive and difficult to replace electric system components.” This is further validation of the potential far-reaching impacts of cyberattacks on key components of the grid.
Could it happen in the U.S.?
In addition to the FERC report that a coordinated attack on a handful of substations could cause a nationwide blackout, Marina Krotofil, a Ukrainian-born researcher with the Honeywell Industrial Cybersecurity Lab who assisted in the investigation of the most recent Ukraine attack, has said that Ukraine is being used as a testbed and that these attacks could succeed anywhere.
“Ukraine uses equipment and security protections of the same vendors as everybody else around the world,” says Krotofil. “If the attackers learn how to go around those tools and appliances in Ukrainian infrastructures, they can then directly go to the West.”
2.4 Grid already infected with malware.
As early as 2009, U.S. officials have warned that spies are probing our grid and leaving behind software artifacts that could be used to cause damage in the future.
“The spies came from China, Russia, and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.”
In addition, the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (DHS ICS-CERT) has issued an alert regarding the BlackEnergy malware and its variants used to take down the Ukraine grid twice, indicating that the campaign has targeted critical infrastructure and been active since 2011.
3. Rising ICS attacks and exploits.
Federal Energy Regulatory Commissioner Cheryl LaFleur confirmed in an interview that the power grid is the most attacked critical infrastructure. “The most attacked is the high-voltage electric grid, which has people trying to get in literally every day, be they individual hackers, nation states or other adverse players out there.”
In early 2016 Marty Edwards, Director of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) for the Department of Homeland Security (DHS) warned that attacks against ICS have increased. “We see more and more that are gaining access to that control system layer.”
The Institute of Electrical and Electronics Engineers (IEEE) also reported this trend. “There is an increasing amount of evidence showing that attackers are now focusing on control systems, operating with varying motivations and intentions.”
A 2015 Dell report, which gathers information from more than 1 million sensors in 200 countries, from Dell threat centers, and from shared intelligence from over 50 industry groups and threat research organizations worldwide, found that attacks on SCADA systems doubled from 2013 to 2014. It can be challenging to comprehend a 100% increase in a single year’s time. This metric needs to be considered in the threat-level calculation.
A RecordedFuture threat intelligence report confirms that not only are attacks against ICS rising, but also the number of exploits that can be used against ICS.
“Capabilities for attacks on ICS/SCADA systems (collectively referred to as ICS below) are growing. The number of publicly disclosed vulnerabilities and off-the-shelf exploits targeting ICS systems continues to grow over time and well into 2015, even as awareness of dangers for critical infrastructure is improving.”
4. The IoT crisis.
The IoT crisis creates both vulnerabilities and threats that factor in to the net grid threat level. The combined impacts of the vulnerabilities and threats from the IoT crisis result in an overall threat to the grid, and so this is classified in total as a threat factor for now.
4.1 Rapid proliferation of insecure IoT and smart technology.
The rapid proliferation of insecure Internet of Things (IoT) devices has resulted in a rapid rise in threats. These devices use internet-enabled “smart” technology and extend well beyond our cell phones and laptops to toys, toasters, and refrigerators. Smart technology is a revolution transforming the technological landscape with greater functionality and capabilities as well as improved efficiencies and reduced costs.
However, these products are being mass produced and mass consumed with security as an afterthought, if thought of at all. “Gartner, Inc. forecasts that 8.4 billion connected things will be in use worldwide in 2017, up 31 percent from 2016, and will reach 20.4 billion by 2020. Total spending on endpoints and services will reach almost $2 trillion in 2017.” This massive influx of insecure devices connecting to the internet sets the stage for disaster in the digital world.
4.2 Rapid increase in cyberattack surface from IoT.
Every insecure device that connects to the internet becomes a new potential attack vector and entry point for a malicious actor. Every insecure device gives a malicious actor a chance to gain a foothold into a network, or to use the device as a zombie in service of a botnet that can take down Internet-dependent services. The more insecure things that connect to the internet, the more entry points available for malicious actors, or more zombies for a zombie army that can wreak havoc on internet-connected services.
4.3 Rapid increase in cyberattack magnitude from IoT
The rapid proliferation of insecure things connecting to the internet, and rapid expansion of the internet attack surface from the insecure things, has resulted in a rapid rise in attack magnitude. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attackers commandeer insecure IoT devices to form large botnets that can cause internet traffic jams and cause service disruptions for companies who depend on the internet to provide their services.
In July of 2016, Arbor Networks reported that the peak size of a DDoS attack had risen 73% to 579Gbps over 2015. However, in September 2016 a new record was set by a DDoS attack on the website of security blogger Krebs on Security that clocked in at roughly 620Gbps. In October, another large attack hit internet provider Dyn, commandeering over 100,000 vulnerable devices.
4.4 Rapid increase in threats and threat pollution.
The explosion of attack surface has resulted in an explosion of opportunity for malicious actors, who are creating more exploits to meet growing demand. In addition, in April 2017, the Shadow Brokers released what was allegedly part of the toolkit of the National Security Agency’s Equation Group. Although some experts noted that the exploits were older, they could still be used against targets running older and unpatched operating systems and software. This was a dramatic release of threat pollution.
Update: the biggest ransomware attack in history is hitting 150 countries. The attackers used the leaked NSA exploits described above.
5. Rapidly maturing cyber-crime market and global network.
Contrary to theories that there is no honor among thieves, cybercriminals have established a very stable and mature market for selling not only the products of cyber-crime such as personally identifiable information, health records and credit cards, but also for selling state-level tools, cyberweapons and hacking services, putting cyberweapons in the hands of anyone with the means and motive.
6. Escalating cyberspace relations.
Cyberspace relations with state actors have been steadily escalating. This factor further increases the probability of a cyberattack on the power grid.
6.1 U.S.-Russia Cyberspace Relations
The election hacking scandal hit the U.S. presidential election in June 2016 amid revelations that the Democratic National Committee had been hacked. While many experts have blamed Russia, once again the attribution dilemma strikes, with the attendant dangers of misattribution. Sam Biddle, a journalist for The Intercept, asks a very important question: “Do we want to make major foreign policy decisions with a belligerent nuclear power based on suggestions alone, no matter how strong?”
In response to the suspected hacking, President Obama issued sanctions against nine Russian entities and individuals, including the GRU, the FSB, four GRU officers, and three companies that supported the activities of these entities. In addition, 35 Russian diplomats from the Russian Embassy in Washington, D.C. and the Russian Consulate in San Francisco were declared persona non grata and expelled.
6.2 U.S.-North Korea Cyberspace Relations
A tit-for-tat has already begun with North Korea, starting with the hacking of Sony by the North Korean regime over its unfavorable portrayal in a Sony-backed film, followed by a North Korean internet blackout widely suspected to be U.S. retaliation. In January 2015, also as a direct response to the Sony hack, President Obama signed an executive order imposing additional economic sanctions on the North Korean regime. More recently, U.S. officials have alluded to intervention in the recent missile launch failures in North Korea.
6.3 U.S.-Iran Cyberspace Relations
A tit-for-tat has also begun with Iran. Operation Olympic Games began under President George W. Bush in 2006 and was escalated under President Barack Obama, culminating in the cyberattack on Iran’s Natanz nuclear facility and the release of the most powerful cyberweapon in the world into the wild. In March 2016, seven Iranians were indicted for cybercrimes including DDoS attacks on over 50 financial institutions between 2011 and 2013, costing tens of millions of dollars, as well as an intrusion into the control system of a small dam in New York.
6.4 U.S.-China Cyberspace Relations
China allegedly hacked the FDIC between 2010 and 2013. In May 2014 the U.S. Justice Department indicted five Chinese military hackers on criminal charges, the first time criminal charges had been filed against known state actors for hacking. In July 2015, China was suspected of being behind the historic hack of the Office of Personnel Management, which exposed some 21.5 million records, but officials were under orders not to name China.
7. Terrorism and cyber WMD.
Threat actors that we face today have changed dramatically from the threat actors that we faced yesterday. We are no longer facing conventional armies that uniform their combatants and abide by the Laws of Armed Conflict. We are no longer dealing only with rational nation-states, but also irrational non-state actors, including ISIS, who are increasingly targeting the grid.
The basic tenets of traditional deterrence generally do not apply to terrorists, who lack the self-interest in survival necessary to be deterred by the threat of retaliation. In fact, terrorists have the opposite: a self-interest in martyrdom. Cyber weapons are an ideal weapon for terrorists looking to inflict the most damage for a high-impact martyrdom.
Cyberattacks on the power grid can cause catastrophic consequences. With resources, patience, coordination and planning, a cyberattack on our grid could be a weapon of mass destruction. Traditional deterrence and international norms have thus far been effective against the proliferation of other forms of WMD. However, cyber suffers from deterrence challenges and can’t be relied on.
8. Cyberspace deterrence challenges.
Given that the most serious threats to the United States are other state actors such as Russia, China, Iran, and North Korea, traditional thinking is focused on deterrence. Yet, there are significant challenges for deterrence in cyberspace.
8.1 Attribution dilemma.
Deterrence depends on knowing which adversary is responsible for an incursion and then imposing costs or denying gains. Because of the architecture of the internet and the ease of obfuscating the source of an attack, it is very difficult to attribute attacks with a high degree of certainty. This results in the attribution dilemma, whereby the need to impose the costs necessary for deterrence is set against the potential costs of misattribution.
8.2 Dangers of misattribution.
Many are concerned about the dangers of misattribution in cyber warfare and the escalation it could cause. The current deterrence paradigm of Mutually Assured Disruption (Cyber MAD) carries a high risk of tit-for-tat escalation resulting from the blowback of a false accusation.
8.3 Danger of false flags.
False flag operations have historically been used by adversaries to make an operation look as though it was perpetrated by someone else. Because of the attribution dilemma, false flags are much easier to execute in cyberspace, where attribution is already uncertain. False flags in cyberspace leverage this existing uncertainty and compound the doubt by casting suspicion on other actors, again raising the danger of imposing costs on the wrong actor.
Additionally, with the recent Wikileaks release of Vault 7 that alleges the CIA developed tools specifically for this purpose, further shadows of doubt will be cast on the attribution of any major cyberattack.
8.4 Plausible deniability.
Because of the attribution dilemma, cyber actors have the added benefit of plausible deniability, further reducing the risks and costs of cyber actions. The ability to impose costs is another critical dimension of deterrence, and if you can’t be certain who is responsible, you can’t impose costs without the danger of imposing them on the wrong actor.
9. The high ROI of cyberweapons.
Another major driving force behind these rising threats is economics. Although it is evident that an attack on the power grid would require a great deal of expertise and coordination, compared with conventional weapons it offers a low barrier to entry and a low-cost, low-risk, high-reward payoff calculus. This high ROI makes cyberweapons attractive to malicious actors large and small.
9.1 Low barrier to entry.
Unlike conventional weapons, cyber weapons can be acquired with very few monetary or organizational resources. While nuclear weapons, for example, are only the purview of nation states, cyberweapons can be leveraged by individuals and small groups. For instance, a British teenager hacked CIA Director John Brennan’s email account with nothing more than an internet connection and social engineering techniques. This dramatically expands the set of actors who can leverage cyberattacks on the grid.
9.2 Low-risk, high reward.
Because of the attribution dilemma mentioned previously, there is a low risk of getting caught. With a low risk of being caught and very little overhead in executing an attack from a keyboard, the payout is virtually all profit. The ROI is hard to beat when compared with any conventional weapon or tactic.
9.3 Asymmetrical weapon.
In addition, because of the potential damage that can be done with very few resources, cyberweapons are asymmetrical weapons that act as force multipliers for actors large and small, state and non-state, with or without money. For smaller actors, cyberweapons level the playing field.
9.4 Easy access to state-level tools.
Although this is discussed in prime threat factor 2, it bears repeating here in the context of the easy access to cyber weapons that malicious actors can add to their arsenals to execute an attack. The release of the most powerful cyberweapons in the world into the wild, together with hacking-as-a-service, now puts state-level tools in the hands of almost anyone with enough motivation or money.
Changing the Payoff Calculus: Assured Survival through Resilience
The peace, security, and prosperity of the U.S., and by proxy, the world, rests on the U.S. power grid. It is the single-most important strategic asset upon which all other strategic assets depend. The U.S. grid ensures national continuity. The ability to prevent cyberattacks, but more importantly, the ability to survive a cyberattack intended to take down the U.S. grid, will be critical in the conflicts of the future.
The best defense we have against malicious actors in cyberspace is to change the payoff calculus and fortify our grid to dramatically increase the costs of an attack and dramatically reduce the probability of success. Assured Survival through Resilience is the only viable and dependable deterrent in cyberspace. This will require a paradigm shift in our national security mindset to mobilize the resources necessary to implement such a deterrent.
Author’s Note: On Hubris and the Pre-Cyber-Blackout Period
As I undertook this inquiry, it was fascinating to travel through time in the literature before the era of the cyber-blackout. Consistently, experts underestimated the threat and overestimated our capabilities to deal with it. Thus, in addition to the aforementioned threats and vulnerabilities, there is one more vulnerability that can have catastrophic consequences through the delayed mobilization of the resources required to close perhaps the largest window of vulnerability to U.S. national security: American hubris that can’t conceive of such an engineering marvel as the grid being susceptible to a little computer virus.
Like the Titanic engineers who never conceived of the hull breach, we may be suffering from the same hubris that our grid is impenetrable. We need to conceive of the hull breach and be sure that each engine room is properly isolated, so that the failure of one engine room will not cascade into the others. Currently, the engine rooms are not isolated. Also, we need to heed those up on the deck who have first sight of the iceberg and are sounding the alarms.
 U.S. Department of Energy Quadrennial Energy Review. “Transforming the Nation’s Electricity System: The Second Installment of the QER,” pg. 32. January 2017. Accessed March 29, 2017.
 Rebecca Smith. “U.S. Risks National Blackout from Small-Scale Attack,” The Wall Street Journal March 12, 2014. Accessed March 29, 2017.
Dr. Peter Vincent Pry. “Dr. Peter Vincent Pry Statement for the Record Joint Hearing Before the Subcommittee on National Security Subcommittee on the Interior House Committee on Oversight and Government Reform,” United States House of Representatives May 13, 2017. Accessed March 13, 2017.
 Robert A. Miller and Daniel T. Kuehl. Cyberspace and the “First Battle” in 21st-century war. Washington, D.C.: Center for Technology and National Security Policy, National Defense U, 2009.
 Admiral Michael S. Rogers (USN), Director, National Security Agency, and Commander, U.S. Cyber Command, Delivers Remarks at The New America Foundation Conference on CYBERSECURITY, February 23, 2015.
 Joshua Davis. “Hackers Take Down the Most Wired Country in Europe,” Wired August 21, 2007. Accessed May 12, 2017.
 Robert Windrem. “Timeline: Ten Years of Russian Cyberattacks on Other Nations,” NBC News December 18, 2016. Accessed May 12, 2017.
 David Sanger. “Obama Order Sped Up Wave of Cyberattacks Against Iran,” The New York Times June 1, 2012. Accessed May 12, 2017.
 Robert Windrem. “Timeline: Ten Years of Russian Cyberattacks on Other Nations,” NBC News December 18, 2016. Accessed May 12, 2017.
 Adrian Croft and Peter Apps. “NATO websites hit in cyberattack linked to Crimea tension,” Reuters March 16, 2014. Accessed May 12, 2017.
 Robert Lee, Michael Assante and Tim Conway. “Analysis of the Cyberattack on the Ukrainian Power Grid: Defense Use Case,” SANS Industrial Control Systems and Electricity Information Sharing and Analysis Center March 18, 2016. Accessed May 1, 2017.
 Kim Zetter. “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid,” Wired March 3, 2016. Accessed May 12, 2017.
 U.S.-Canada Power System Outage Task Force. “Final Report on the August 14, 2003 Blackout in the U.S. and Canada: Causes and Recommendations,” April 2004. Accessed February 2, 2017.
 Institute of Electrical and Electronics Engineers. “Edison’s Pearl Street Station Recognized With Milestone,” The Institute July 27, 2011. Accessed May 1, 2017.
 University of Texas at Austin Energy Institute. “The History and Evolution of the U.S. Electricity Industry,” The Full Cost of Electricity July 2016. Accessed May 20, 2017.
 U.S. Energy Information Association. “Electricity Explained, How Electricity is Delivered To Consumers,” Accessed May 2, 2017.
 Ernie Hayden, Michael Assante and Tim Conway. “An Abbreviated History of Automation & Industrial Controls Systems and Cybersecurity,” SANS August 2014. Accessed May 6, 2017.
 Kaspersky Lab Industrial Control Systems Emergency Response Team. “Kaspersky Threat Landscape For Industrial Automation Systems In the Second Half of 2016,” March 28, 2017. Accessed April 30, 2017.
 Kim Zetter. “Inside the cunning, unprecedented hack of the Ukraine power grid,” Wired May 3, 2016. Accessed May 6, 2017.
Liam O Murchu. “Stuxnet Using Three Additional Zero-Day Vulnerabilities,” Symantec September 14, 2010. Accessed May 12, 2017.
 U.S. Resilience Project. “Supply Chain Solutions for Smart Grid Security: Building on Business Best Practices,” 2012. Accessed May 5, 2017.
 111th Congress. “H.R.1: American Recovery and Reinvestment Act of 2009,” U.S. Congress February 17, 2009.
Ernie Hayden, Michael Assante and Tim Conway. “An Abbreviated History of Automation & Industrial Controls Systems and Cybersecurity,” SANS August 2014. Accessed May 6, 2017.
 U.S. Department of Energy. “Large Power Transformers and the U.S. Electric Grid,” Infrastructure Security and Energy Restoration, Office of Electricity Delivery and Energy Reliability April 2014. Accessed April 29, 2017.
John Kappenman. “Geomagnetic Storms and Their Impacts on the Power Grid,” Metatech Prepared for Oak Ridge National Laboratory January 2010. Accessed May 9, 2017.
 Dr. Peter Vincent Pry. Blackout wars: state initiatives to achieve preparedness against an electromagnetic pulse (emp) catastrophe. Washington, DC: Task Force on National and Homeland Security, 2015.
North American Electric Reliability Corporation. “August 14, 2003, Northeast Blackout Impacts and Actions and the Energy Policy Act of 2005,” Accessed May 11, 2017.
John Kappenman. “Geomagnetic Storms and Their Impacts on the Power Grid,” Metatech Prepared for Oak Ridge National Laboratory January 2010. Accessed May 9, 2017.
Rae Zimmerman and Carlos Restrepo. “Analyzing Cascading Effects within Infrastructure Sectors for Consequence Reduction,” 2009. Accessed May 5, 2017.
 U.S. Department of Defense. “Report of the Defense Science Board Task Force on DoD Energy Strategy,” Defense Science Board Task Force February 2008. Accessed May 12, 2017.
 Ted Koppel. Lights out: a cyberattack, a nation unprepared, surviving the aftermath. New York: Random House, 2015. Kindle Edition.
 NERC. “August 14, 2003 Blackout: NERC Actions to Prevent and Mitigate the Impacts of Future Cascading Blackouts,” February 10, 2004. Accessed May 12, 2017.
 NERC. “Glossary of Terms Used in NERC Reliability Standards,” Accessed May 12, 2017.
 NERC. “Bulk Electric System Definition Reference Document,” April 2014. Accessed May 12, 2017.
 Electrical Engineering Portal. “What is distribution substation and its main components,” July 22, 2016. Accessed May 12, 2016.
 FERC. “An Overview of the Federal Energy Regulatory Commission and Federal Regulation of Public Utilities in the U.S.,” December 2010. Accessed May 6, 2017.
 FERC. “Commissioner LaFleur on the Columbia Energy Exchange Podcast talking about the Challenges and Opportunities Facing the Electric Grid,” July 25, 2016. Accessed March 10, 2017.
 P.W. Singer and Allan Friedman. Cybersecurity and Cyberwar: What Everyone Needs to Know? (p. 12). Oxford University Press. Kindle Edition.
 U.S. Government Accountability Office. “Report to Congressional Committee: DOD Needs to Clarify Its Roles and Responsibilities for Defense Support of Civil Authorities during Cyber Incidents,” April 2016.
 Mark Memmott. “Sniper Attack On Power Station Highlights Grid’s Vulnerability,” National Public Radio February 6, 2014. Accessed May 10, 2012.
 National Institute of Standards and Technology. “Guide to Industrial Control Systems (ICS) Security,” May 2015. Accessed May 3, 2017.
 Foundation for Resilient Societies. “Subject: April 14th Hearing on “Blackout! Are We Prepared to Manage the Aftermath of a Cyberattack or Other Failure of the Electrical Grid?” Letter to the Subcommittee on Economic Development, Public Buildings, and Emergency Management of the Committee on Transportation and Infrastructure in the U.S. House of Representatives April 12, 2016. Accessed May 5, 2017.
 Bipartisan Policy Center. “Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an Evolving Threat,” February 2014. Accessed May 3, 2017.
 U.S. House of Representatives. “Electric Grid Vulnerability: Industry Responses Reveal Security Gaps,” 2013.
John Kappenman. “Geomagnetic Storms and Their Impacts on the Power Grid,” Metatech Prepared for Oak Ridge National Laboratory January 2010. Accessed May 9, 2017.
 Stephen J. Collier and Andrew Lakoff. “The Vulnerability of Vital Systems: How Critical Infrastructure Became a Security Problem,” 2008. Accessed March 25, 2008.
 McAfee. “In the Dark: Crucial Industries Confront Cyberattacks,” November 2010. Accessed May 3, 2017.
 David Sanger. “Obama Order Sped Up Wave of Cyberattacks Against Iran,” The New York Times June 12, 2012. Accessed May 12, 2017.
 Mark Clayton. “From the man who discovered Stuxnet, dire warnings one year later,” The Christian Science Monitor. September 22, 2011. Accessed April 30, 2017.
 Robert Lee, Michael Assante and Tim Conway. “Analysis of the Cyberattack on the Ukrainian Power Grid: Defense Use Case,” SANS Industrial Control Systems and Electricity Information Sharing and Analysis Center March 18, 2016. Accessed May 2, 2016.
 Department of Homeland Security Industrial Control Systems Emergency Response Team. “Cyberattack Against Ukrainian Critical Infrastructure,” February 25, 2016. Accessed May 3, 2017.
 DHS ICS-CERT. “Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E),” December 09, 2016. Accessed May 13, 2017.
FERC. “Commissioner LaFleur on the Columbia Energy Exchange Podcast talking about the Challenges and Opportunities Facing the Electric Grid,” July 25, 2016. Accessed March 10, 2017.
 Jim Finkle. “U.S. official sees more cyberattacks on industrial control systems,” Reuters January 13, 2016. Accessed May 5, 2017.
 J. Hull, H. Khurana, T. Markham and K. Staggs. “Staying in control: Cybersecurity and the modern electric grid,” IEEE Power and Energy Magazine, vol. 10, no. 1, pp. 41-48, Jan.-Feb. 2012.
 RecordedFuture. “Up and to the Right ICS/SCADA Vulnerabilities by the Numbers,” September 9, 2015. Accessed May 1, 2017.
 Gartner. “Gartner Says 8.4 Billion Connected “Things” Will Be in Use in 2017, Up 31 Percent From 2016,” February 2017. Accessed May 5, 2017.
 Arbor Networks. “Arbor Networks Releases Global DDoS Attack Data for 1H 2016,” July 19, 2016. Accessed May 3, 2017.
Sean Gallagher. “In slap at Trump, Shadow Brokers release NSA EquationGroup files,” Ars Technica April 10, 2017. Accessed May 7, 2017.
L. Allodi, M. Corradin and F. Massacci. “Transactions on Emerging Topics in Computing,” IEEE Transactions on Emerging Topics in Computing, vol. 4, no. 1, pp. 35-46, Jan.-March 2016. Accessed May 12, 2017.
 Sam Biddle. “Here’s the public evidence Russia hacked the DNC – it’s not enough,” The Intercept October 14, 2016. Accessed May 8, 2017.
The White House of President Barack Obama. “FACT SHEET: Actions in Response to Russian Malicious Cyber Activity and Harassment,” December 29, 2016. Accessed May 19, 2017.
 Elizabeth Shim. “North Korea Internet outage was payback for Sony hack, U.S. official says,” UPI March 18, 2015. Accessed May 3, 2017.
 The White House Office of the Press Secretary. “Executive Order — Imposing Additional Sanctions with Respect to North Korea,” January 2, 2015. Accessed May 5, 2015.
 Zachary Cohen. “Pence avoids direct answer on North Korea sabotage,” CNN Politics April 19, 2017. Accessed May 5, 2017.
 David Sanger. “Obama Order Sped Up Wave of Cyberattacks Against Iran,” The New York Times June 1, 2012. Accessed May 12, 2015.
 U.S. Federal Bureau of Investigation. “Iranians Charged with Hacking U.S. Financial Sector,” March 24, 2016. Accessed May 7, 2017.
 Jose Pagliery. “China hacked the FDIC – and US officials covered it up, report says,” CNN Tech July 13, 2016.
 U.S. Department of Justice. “U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage,” May 19, 2014. Accessed May 7, 2017.
 Jose Pagliery. “ISIS is attacking the U.S. energy grid (and failing),” CNN Money October 16, 2015. Accessed May 12, 2017.
 Kim Zetter. “Teen Who Hacked CIA Director’s Email Tells How He Did It,” Wired October 19, 2015. Accessed April 30, 2017.