The massive 2003 power outage that left more than 50 million Americans and Canadians in the dark may have been a harbinger of things to come.
The outage served as a sort of dress rehearsal for what happens when a major chunk of the power grid is rendered useless, and the fact that it was caused by a programming error in the distributor's alarm system should still make us very nervous. Some 14 years later, it seems clear that not only could hackers likely mimic the conditions that unfolded that fateful August 14, they could probably take it several steps further.
It's just such a fear that makes our critical infrastructure a constant — and important — consideration, one that has been trumpeted often in October as part of Cyber Security Awareness Month. In fact, the last week of the month is devoted to protecting critical infrastructure. It's only logical that just weeks after 145 million records were swiped from one of our most important data stewards, Equifax, we should turn out attention to any critical systems that are vulnerable to cyber attack, the power grid being chief among them.
"The electric power industry understands that a safe and reliable flow of electricity is paramount not only to our nation’s security but also to the well-being of all Americans," Scott Aaronson, executive director for security and preparedness at the Edison Electric Institute, wrote recently for InsideSources.
Aaronson's words came just two months after the President's National Infrastructure Advisory Council (NAIC) issued a report featuring a number of suggestions on how to strengthen the defenses protecting the pieces of our critical infrastructure. That report makes the argument that those defenses aren't currently up to snuff.
"We believe the U.S. government and private sector collectively have the tremendous cyber capabilities and resources needed to defend critical private systems from aggressive cyber attacks — provided they are properly organized, harnessed and focused," the report read. "Today, we're falling short."
What's more, the report also implies that there's a now-or-never component to the urgency facing infrastructure stewards.
"There is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyber attack to organize effectively and take bold action," the report states ominously.
Among the recommendations the NAIC made were things such as establishing separate, secure communication networks, piloting machine-to-machine information-sharing technologies and adopting better scanning tools and assessment practices.
But if another recent report from Accenture is to be believed, there's not a lot of faith among global utility executives that we're on a path to vastly improved security. More than half believe their countries could see an interruption in electrical supplies due to cyber attack within the next five years, while less than half feel they are well prepared to the meet the challenges resulting from such an attack.
That said, Accenture offered five steps it believes power distributors should take to greatly improve their defenses. These include:
- investigating a platform approach to cyber security capabilities;
- integrating resilience into asset and process design;
- sharing threat information;
- developing security and emergency management governance models; and
- developing relationships with regional security officials and cyber-response experts.
The report also suggested that power distributors have proven adept in dealing with other types of challenges, and that they need to apply some of those lessons to the cyber security arena.
"Distribution businesses are well-versed at delivering reliable power in the face of storms, asset failures and accidents," the report states. "Building cybersecurity capabilities at the heart of the smart grid is now the imperative and the opportunity for utilities."
The same can be said for those whose job it is to secure other pieces of our infrastructure, from food and water delivery to roads and bridges to health care systems. As Michelle Alvarez, threat researcher and editor for IBM Managed Security Services, reported in a recent post for IBM's SecurityIntelligence news site, attacks on the industrial control systems infrastructure providers so often depend on more than doubled between 2015 and 2016. Such trends indicate a clear uptick in the threats critical infrastructure systems face.
"The stakes for energy and utilities companies are higher than ever," Alvarez wrote. "The health and welfare of whole nations could potentially be at risk."
This should be an exciting calling for cyber security professionals, who are normally called upon to protect data. As meaningful as it is to protect critical data and prevent consequences such as competitive disadvantage and identify theft, it's not often that cyber security folks are asked to save entire countries.
They're being asked to do just that now, and the battle figures to heat up in the coming years. No less than our physical, social and economic well-being is riding in the balance. Here's hoping the cyber security world is up to the challenge.