Why Energy Grids Are So Susceptible to Cyberattack
Computer war has grown up. It has moved from the age of the equivalent of black powder to the equivalent of high-explosive shells—not yet nuclear devices, but close.
Enemies with sophisticated computer technology, money and determination can now contemplate the possibility of taking down the electrical systems of entire swaths of the United States. Just a small interruption in power supply can be hugely disruptive, as demonstrated by recent power outages in 10 states that were caused by severe weather.
The world as we know it stops when power fails; gasoline cannot be pumped, air conditioning and all other household appliances cannot be used, plunging us into a dark age without the tools of a dark age—candles, firewood, horses and carts.
At the center of this vulnerability is a device most of us have never heard of but which is an essential part of modern infrastructure. It's called the programmable logic controller (PLC).
The PLC is usually a small, black box about the size of a woman's purse. It came on the scene in the 1960s, when microprocessors became available, and has grown exponentially in application and deployment ever since. The full computerization of the PLC put it silently but vitally in charge of nearly every commercial and industrial operation, from assembly lines to power dispatch.
These devices are the brain box of everything from air traffic systems to railroads. They replaced old-fashioned relays and human commands, and made automation truly automatic.
The revolution brought on by the PLC is an “ultra-important part” of the continuing story of technological progress, according to Ken Ball, an engineering physicist who has written a history of these devices.
Now the PLC—this quiet workhorse, this silent servant—is a cause of worry; not so much from computer hackers, out for a bit of fun through manipulating a single controller, but from the wreckage that can be achieved in a government-sponsored cyberattack with planning and malice aforethought.
Such an attack could be launched for diverse purposes against many aspects of our society. But the most paralyzing would be an attack on the electrical system; on the controllers that run power plant operations and the grid, from coal to nuclear to natural gas to wind turbines and other renewables.
Such a coordinated attack could bring the United States to its knees for days or weeks with traffic jams, abandoned cars, closed airports and hospitals reliant on emergency generators while fuel supplies last.
For this to happen, the hostile force would need to be able to get around many firewalls and what are called “sandboxes,” where malware is trapped when detected.
The evidence of how effective attacks on controllers can be lies in Iran and two U.S./Israeli programs—worms that have been used against the nuclear enrichment plant at Natanz. The first worm was launched specifically at a single type of controller, made by the German company Siemens and deployed in the Natanz plant.
A slip let some of the worm be detected on the Internet by American security companies like Symantec. They named it Stuxnet.
So far, Stuxnet has been able to cause the destruction of about 1,000 of the 5,000 Iranian centrifuge enrichment devices. Stuxnet made them run at unsafe speeds, while simultaneously telling the operators that all was well.
A second worm, called Flame, has been trolling though Iranian computers, sending back critical information on military and scientific secrets. This fiendishly clever operation was launched under President George W. Bush with the code name Olympic Games. But it has been ramped up by President Barack Obama, according to David Sanger of The New York Times.
How safe are our computers and those little black boxes that control everything from chocolate manufacture to traffic lights? A former technology expert at the Central Intelligence Agency told Oilprice.com that cybersecurity is the top worry of defense planners: It is “ultra” critical, he said.
On the commercial side, many companies are working with clients to protect their systems. Benjamin Jun, vice president of technology at Cryptography Research, is one of the civilian sentries guarding networks, and by extension controllers for private clients. Jun says invaders are looking for flaws, and that complexity does not necessarily make a system less vulnerable.
—This story originally appeared on Oilprice.com.