A real scenario that’s scarier than fiction
When it comes to movies, I like a good sci-fi apocalypse as much as the next person.
But even someone with as vivid an imagination as I have would have trouble with a movie premise about the entire North American electric grid being brought down by hackers marshalling the combined powers of our smart appliances — televisions, fridges, microwaves and routers, to name a few.
Except it’s not a movie premise.
Recently, the U.S. General Accounting Office (GAO) released a report after it was tasked with reviewing the cybersecurity of the electric grid — parts of that grid, like the Eastern Interconnection, include Canadian provinces as well, and parts of the Atlantic region.
“The electricity industry has refined its power restoration processes after decades of experience in responding to disaster-related events, but restoration from a cyber-related
event may be more challenging, the GAO writes. “(Cyberattacks) may occur without warning, leaving owners and operators no time to prepare for a response. In addition, cyberattacks could target and damage specific types of components or facilities across a dispersed geographic area.”
What’s novel is the circumstances involved. As the GAO points out, while electrical utilities were early converts to computerized control of their systems, those early computers were not connected to the internet.
“Early industrial control systems operated in isolation, running proprietary control protocols using specialized hardware and software. In addition, many industrial control system components were in physically secured areas, and the components were not connected to IT systems or the internet,” the GAO says.
“Many legacy industrial control systems were not designed with cybersecurity protections because they were not intended to be connected to networks, such as the internet.”
(I recently saw an Atlantic Canadian utility ask regulators for permission to replace a computer system so old that it couldn’t run Windows, and, if the computer failed, would have to have its operating system re-engineered, a process the electrical utility suggested could take months.)
Now, the internet is in play, and there’s a mix of systems, including remote access capabilities, that make utility management easily, cheaper and possibly open to attack.
“The U.S. electric grid faces significant cybersecurity risks — that is, threats, vulnerabilities, and impacts — and grid owners and operators face significant challenges in addressing these risks. Threat actors are becoming increasingly capable of carrying out attacks on the grid. At the same time, the grid is becoming more vulnerable to attacks,” the GAO writes.
Now, your fridge won’t crash the grid by itself, but connected to a series of other smart appliances, and run in a botnet, the GAO cautions that the devices could simultaneously change the demand level over electrical grids and damage key system components. The GAO is concerned that foreign operatives could find the weakest link in the grid — or a series of weakest links — and exploit them.
Remember the concept of mutually assured destruction? That was the Cold War description of why neither side wanted to start a nuclear war — because there were enough nuclear weapons to ensure both sides of the conflict were wiped out, regardless of who started it.
Well, think about mutually assured darkness.
The GAO suggests that one of the reasons that no major foreign agent has darkened a big part of North America is because they’re not sure of the payback that would be delivered. (Though that hasn’t stopped a major attack that shut down parts of the Ukrainian grid a few years ago.)
That doesn’t mean there aren’t risks — and right now, the GAO argues that U.S. regulators haven’t done enough to minimize obvious dangers in the existing system.
In the old days, toasters just toasted bread.
In the modern world of the internet, maybe toasters will have a role in toasting the grid.