Quote of the Day: “We’ll be living with cyber threats to the grid for the rest of our lives.” - Maggie Koerth-Baker, a senior science writer for FiveThirtyEight.
That’s the bad news. The good news is that Hacking The Electric Grid Is Damned Hard and that competes for Quote of the Day #2: “Our electric infrastructure is chock-full of both redundancies and regional variations — two things that impede widespread sabotage.”
Koerth-Baker interviewed two experts on cybersecurity as it pertains to our power grid: Bill Lawrence, “vice president and chief security officer at the North American Electric Reliability Corporation, the regulatory authority that sets and enforces technological standards for utility companies across the continent.” and “Candace Suh-Lee, who leads a cybersecurity research team at the Electric Power Research Institute, a nonprofit research and development lab."
It helps that the North American electric grid is both diverse in its engineering and redundant in its design. For instance, the Ukrainian attacks are often cited as evidence that hundreds of thousands of Americans could suddenly find themselves in the dark because of hackers. But Lawrence considers the Ukrainian grid a lot easier to infiltrate than the North American one. That’s because Ukraine’s infrastructure is more homogeneous, the result of electrification happening under the standardizing eye of the former Soviet Union, he told me. The North American grid, in contrast, began as a patchwork of unconnected electric islands, each designed and built by companies that weren’t coordinating with one another. Even today, he said, the enforceable standards set by NERC don’t tell you exactly what to buy or how to build. “So taking down one utility and going right next door and doing the same thing to that neighboring utility would be an extremely difficult challenge,” he said.
Meanwhile, the electric grid already contains a lot of redundancies that are built in to prevent blackouts caused by common problems like broken tree limbs or heat waves — and those redundancies would also help to prevent a successful cyberattack from affecting a large number of people. Suh-Lee pointed to an August 2003 blackout that turned the lights off on 50 million people on the east coast of the U.S. and Canada. “When we analyzed it, there was about 17 different things lined up that went wrong. Then it happened,” she said. Hackers wouldn’t necessarily have control over all the things that would have to go wrong to create a blackout like that.
In contrast, Suh-Lee said, scenarios that sound like they should lead to major blackouts … haven’t. Take the 2013 Metcalf incident, where snipers physically attacked 17 electric transformers in Silicon Valley. Surrounding neighborhoods temporarily lost power, but despite huge energy demand in the region, “the big users weren’t even aware Metcalf had happened,” she said.
“Difficult isn’t the same as impossible, Suh-Lee” said. “That’s why there’s a lot of effort going into research, monitoring and preparation for cyberattacks.” But that “preparation doesn’t mean we’ll eventually solve this problem, either.”
So, even in spite of the lack of leadership on cybersecurity from the White House, we might be OK. Come to think of it, that judgment might be true of lots of things.