The next president is likely to face the real scenario of the first shot of a cyber war. One potential target: The Grid. And some say that attack has already begun. Full Measure correspondent Lisa Fletcher has the story.
This is the nation’s electrical grid. 55,000 substations pushing power to 200,000 miles of high voltage transmission lines, lighting up 125 million homes across the country. Cyber security experts call it a target waiting to be hit.
Jon Miller: One hacker, that's adequately skilled, can cause infinitely more damage than a bomb.
Jon Miller is the chief research officer for the cyber security company, cylance. He used to get paid to hack critical infrastructure like banks and nuclear power plants to find the vulnerabilities before the bad guys do.
Jon Miller: I mean somebody actually coming in and causing kinetic damage to a power plant or a pipeline, or the transportation industry, will create a ripple of destruction.
Miller says an intentional outage by an enemy state or rogue hacker is not an implausible scenario.
On December 23, 2015, hackers took down the power for nearly a quarter of a million people in Ukraine, an unprecedented move that’s been widely blamed on Russia.
Lisa Fletcher: let’s talk a little bit about the hack in the Ukraine. You know, your suspicions about why that was done, who did it, and if that was a precursor to something larger.
Jon Miller: So, I mean for all intents and purposes, it, it was the Russians, right? Um, it’s pretty commonly recognized that it was a proof of concept, right? We can talk about you know hacking substations and taking down power. The only way you know if it’s going to work for reals is if you do it.
Joe Weiss: when you look at what happened in Ukraine, everything that happened there could happen here.
Joe Weiss is an expert on the automated systems that control everything from dams to substations. He’s spent his career studying how the electric grid works.
Joe Weiss: Look, you’ve got the transformer, you’ve got the relay house, you know, this is typical.
Weiss says substations like this one are all over the country, and they are more vulnerable to hacks than the utilities care to let on. That’s because Weiss and other experts say that nations like China and Russia have already infected the U.S. power grid with the very same destructive malware that’s in Ukraine. And while it hasn’t been triggered, as of now, there’s no way to remove it.
Lisa: What does that mean that black energy malware is in our grids, what does that mean to the average American?
Joe Weiss: What it basically is, is a way of mapping what you have. So what it’s saying is whoever put it there knows precisely what is in our grids.
Michael Rogers, who runs both the NSA and U.S. cyber command, raised the same concerns.
Michael Rogers: It’s only a matter of when, not the if, you are going to see a nation state or critical actor engage in destructive behavior against the critical infrastructure of the United States.”
Lisa Fletcher: Are the gov and the utility companies prepared for the kind of outage you are talking about?
Joe Weiss: I don’t believe so. And the reason is, it could be very widespread and very long.
As long as nine to eighteen months, Weiss says. What does that look like?
Joe Weiss: What it looks like is the country going back to the 1850s.
But the utility industry’s trade association, the Edison Electric Institute, has minimized the threat of a cyber hack. Executive director, Scott Aaronson, was in front of the senate homeland security committee in May:
Scott Aaronson: There are a lot of threats to the grid. And you know, from we say like from squirrels to nation states. And frankly, there have been more blackouts as a result of squirrels than there are from nation states.
Gerry Cauley, head of the industry’s regulatory association testified in April that any outage would be minimal, and that the industry is ready for it.
Gerry Cauley: in the unlikely event of a successful cyber-attack or physical attack, I believe that we are well prepared.
Ted Koppel: it’s ludicrous for the power industry to maintain that they have secured the power grid. The Russians are already inside it and the Chinese are already inside it.
Ted Koppel is the author of “Lights Out,” a new book that spells out the risk and how unprepared the government is to deal with it.
Lisa Fletcher: So, since the book’s come out, you’ve been the brunt of a lot of pushback from your critics. A lot of them have said the dangers you’ve raised in the book are overblown. Why would they say that?
Ted Koppel: It all depends on who the critics are. I don’t think you’ll find there were many critics in the intelligence community. I don’t think you’ll find there were many critics in the military community. The critics tend to come from the electric power industry and from their organizations, and of course they’re gonna criticize it. They don’t want the american public to know the power grid is in danger, so it makes sense that they would argue that i’m wrong and they’re right.
Some experts in the industry have said, “no need to worry, security is better, we’ve got our arms around this.” Do we? Do we have our arms around this?
Jon Miller: No, no. I think it’s pretty obvious that we don’t.
Lisa Fletcher: Why do you think there isn’t more of a sense of urgency to fix these systems?
Jon Miller: people don’t have the answers on how do we do it, right? That’s, that's really what it comes down to. It’s not that these people have vulnerabilities and are just neglecting taking care of them. Um, the entire system essentially needs to get re-architected, get rebuilt, and replaced.
Something that can’t happen overnight which makes Koppel and others wonder where’s the government’s sense of urgency? What should be happening now that’s not happening?
Ted Koppel: what should be happening is that we should be preparing for the consequences of a devastating cyber attack.
Full Measure reached out to the electric utility groups for a response and found something very interesting. They replied that unlike many countries there is tremendous variability among 3000 utilities in the U.S. And all the difference, makes it much more difficult to bring down the entire grid at one time.
Just like they cyber expert said last week in Scott's report on hacking an election. Let's call it the chaos of our election and electric systems actually, makes them safer.