Last week, a discussion panel of cyber security and electrical industry stakeholders examined what could be done to protect U.S. public utilities from cyber-attacks, and what steps could be taken during a high-risk event to mitigate the effects on the grid.
It turns out that we now rely on our DoE regional coordinators in each of the 10 Federal Emergency Management Agency (FEMA) regions to work with first responders in the event of a natural disaster or a terrorist attack (which may be the same thing). As an important step toward cyber-security preparedness, the panel cited an agreement signed by the Secretary of Energy in February that identified these individuals as points of contact to share information with the DoE and states in the event of an energy supply disruption. This would supposedly serve to improve information sharing and communication during critical response activities.
I don’t know about you, but this sounds a lot like the ads for LifeLock where the “security monitor” tells the bank manager, “Yep, it looks like a robbery.” Except, those are supposed to be funny. This is not.
It gets worse. They went on to applaud the fact that they are working on preparedness exercises to be held by federal agencies and the private sector that would include annual studies on the risks and hazards that might affect the energy sector. And, we actually pay these people?
Someone should point out to this group that despite their heroic preparedness efforts, U.S. cyber security is not nearly as prepared as it appears. As Arthur House, commissioner for the state of Connecticut Public Utilities Regulatory Authority, warned, “The thing to remember about cyber security, we are far better on paper to take care of things than we are operationally. It’s not as if the president could turn to the secretary of energy in the event of a grid cyber-attack and say ‘turn it back on.’”
As we should have seen in the Ukraine power grid attack, the real problem faced by the Ukrainian security engineers was not just the initial strike on the grid but the holistic strike vectors that disrupted restoration attempts immediately afterward. We are not even close to addressing, let alone planning for, a similar recovery disruption here.
It doesn’t take much imagination to conjure a scenario where an attack on the electric grid would be accompanied by an attack on our financial sector or another attack on our water supply at the same time. Or, simply an attack on our recovery efforts through brute force DDoS vectors against all of our FEMA sites and disruption of our communication protocols.
As recently as last year, Jeh Johnson, Secretary of Homeland Security, said “I’m sure FEMA has the capability to bring in backup transformers. If you want an inventory and a number, I couldn’t give you that.”
That might be because, in fact, there is almost no such capability in the realm of large power transformers (LPTs). Even if we had them as the STEP (Spare Transformer Equipment Program) people claim we do, how would we transport equipment weighing half a million pounds or more across interstate lines in a rapid response to a critical outage? According to FEMA representatives, as of this moment, that capability has never been tested.
LPTs are essential to the functioning of the grid. Because they are very expensive, only the largest and most profitable power companies can afford to keep backup transformers on hand. Because the transformers are custom-made, they are not easily interchangeable. Because the equipment is huge, it is not easily transported. Because these transformers are, on average, thirty-eight to forty years old, some of them were originally delivered by rail systems that no longer exist. Because the vast majority of LPTs are built overseas, it takes a very long time to replace them.
The federal response to Hurricane Sandy is an interesting case in point. In addition to hitting major sections of New Jersey and Long Island, Sandy flooded New York City streets, tunnels, and subways, effectively cutting off all electric power to Lower Manhattan.
They brought in power trucks, flown in from places as far away as California on DOD [Department of Defense] planes, to begin replacing the poles and the lines. At one point FEMA had about eighteen thousand people working in that area going door-to-door, bringing people food and removing them from unsafe buildings until they could get the power back on.
It took more than five days before any power was restored to Lower Manhattan, but 95 percent of New York’s customers did have their power back after thirteen days. Even with a relatively small emergency caused by a hurricane, thousands of homes were lost throughout the region and tens of thousands were rendered homeless.
Where, then, might you and I find advice on how to cope with the aftermath of such an attack?
Howard A. Schmidt, the former cybersecurity coordinator for the Obama administration, a principal in Ridge-Schmidt Cyber LLC, a Washington consultancy company in the field of cybersecurity and a board member of one of our technology partners, Taasera, says, “There is no answer.”
No government agency has guidelines for private citizens because, according to Schmidt, there’s nothing any individual can do to prepare. “We’re so interconnected,” he said, that in terms of disaster preparation “it’s not just me anymore: it’s me and my neighbors and where I get my electricity from. There’s nothing I can do that can protect me if the rest of the system falters.”
The electrical industry panelists agreed that best practices for cyber security protection include layered defenses, regulatory oversight, external third-party assessments and internal governance. Excuse me?
As Ted Koppel points out in his book, Lights Out, it would be helpful if the political world would just accept that there are two permanent conditions that are going to affect future generations: one is the global scourge of terrorism, the other is the digital forevermore. Within that world of the “digital forevermore” lies the prospect of a catastrophic cyber-attack on one of the U.S. power grids.
And that is the existential reality that the new president faces. I hope he or she is up to the job.