Why "crashing the grid" doesn't keep cyber experts awake at night
Illustration: Sarah Grillo/Axios
In news stories, TV shows and at least one bestselling non-fiction book, you'll see warnings that hackers are coming to take out the U.S. electric grid, plunging the nation into democracy-ending darkness. An attack on that scale was even raised by leading intelligence officials in an Axios deep dive on global security threats.
Reality check: The people tasked with protecting U.S. electrical infrastructure say the scenario where hackers take down the entire grid — the one that's also the plot of the "Die Hard" movie where Bruce Willis blows up a helicopter by launching a car at it — is not a realistic threat. And focusing on the wrong problem means we’re not focusing on the right ones.
So, why can't you hack the grid? Here's one big reason: "The thing called the grid does not exist," said a Department of Homeland Security official involved in securing the U.S. power structure.
Think of the grid like the internet. We refer to the collective mess of servers, software, users and equipment that routes internet traffic as "the internet." The internet is a singular noun, but it’s not a singular thing.
- You can’t hack the entire internet. There’s so much stuff running independently that all you can hack is individual pieces of the internet.
- Similarly, the North American electric grid is actually five interconnected grids that can borrow electricity from each other. And the mini-grids aren't singular things either. Taking down "the grid" would be more like collapsing the thousands of companies that provide and distribute power across the country.
- "When someone talks about 'the grid,' it's usually a red flag they aren't going to know what they are talking about," says Sergio Caltagirone, director of threat intelligence at Dragos, a firm that specializes in industrial cybersecurity including the energy sector.
Redundancy and resilience: Every aspect of the electric system, from the machines in power plants to the grid as a whole, is designed with redundancy in mind. You can’t just break a thing or 10 and expect a prolonged blackout.
- On some level, most people already know this. Everyone has lived through blackouts, but no one has lived through a blackout so big it caused the Purge.
- "The power system is the most complex machine ever made by humans," said Chris Sistrunk, principal consultant at FireEye in energy cybersecurity. "Setting it up, or hacking it, is more complicated than putting a man on the moon."
- An attack that took out power to New York using cyber means would require a nearly prohibitive amount of effort to coordinate, said Lesley Carhart of Dragos. Such a failure would also tip off other regions that there was an attack afoot. Causing a power outage in New York would likely prevent a power outage in Chicago.
There are two real problems with getting this issue wrong:
- Unnecessarily scaring people about the threat of terrorism is harmful in itself.
- Setting the expectations too high for what an attack looks like can divert attention from more realistic and still pretty devastating attacks on the electric system and blunt the need to prepare for smaller attacks. "You run the risk of desensitizing people of the issue," said Mark Orlando, CTO of Raytheon's cybersecurity practice.
The real threat:
- National attacks are unlikely. Small attacks matter more than you'd think.
- "People can relate to their freezer stopping working. It's tough to relate to what would happen if oil refineries stopped working," said Mike Spear, global operations director for industrial cyber security at Honeywell.
- An industrial plant that lost power because hackers hit nearby plants and on-site generators, for example, could lose as much as $50,000 a minute. Spear's oil refinery example would not only lose more money, but also impact anyone who drove a car.
- Harming Cleveland's economy is less exciting than a nationwide blackout, but it still matters.
- It's no small task to get into industrial networks — most attacks at plants are limited to business networks.
- But Russia's aim in hacking electric networks does not appear to be an imminent attack. Rather, experts agree, it's likely a reconnaissance mission for potential future actions.
- While the threat here is real, an actual attack is more speculative than is sometimes portrayed.
- Russia is the likely culprit behind the only two cyber-related blackouts in history, both launched against Ukraine. But cybersecurity experts see no evidence that Russia is capable of more than localized attacks.