Updated Aug 23, 2018

Why "crashing the grid" doesn't keep cyber experts awake at night

Illustration: Sarah Grillo/Axios

In news stories, TV shows and at least one bestselling non-fiction book, you'll see warnings that hackers are coming to take out the U.S. electric grid, plunging the nation into democracy-ending darkness. An attack on that scale was even raised by leading intelligence officials in an Axios deep dive on global security threats.

Reality check: The people tasked with protecting U.S. electrical infrastructure say the scenario where hackers take down the entire grid — the one that's also the plot of the "Die Hard" movie where Bruce Willis blows up a helicopter by launching a car at it — is not a realistic threat. And focusing on the wrong problem means we’re not focusing on the right ones.

So, why can't you hack the grid? Here's one big reason: "The thing called the grid does not exist," said a Department of Homeland Security official involved in securing the U.S. power structure.

Think of the grid like the internet. We refer to the collective mess of servers, software, users and equipment that routes internet traffic as "the internet." The internet is a singular noun, but it’s not a singular thing.

  • You can’t hack the entire internet. There’s so much stuff running independently that all you can hack is individual pieces of the internet.
  • Similarly, the North American electric grid is actually five interconnected grids that can borrow electricity from each other. And the mini-grids aren't singular things either. Taking down "the grid" would be more like collapsing the thousands of companies that provide and distribute power across the country.
  • "When someone talks about 'the grid,' it's usually a red flag they aren't going to know what they are talking about," says Sergio Caltagirone, director of threat intelligence at Dragos, a firm that specializes in industrial cybersecurity including the energy sector.

Redundancy and resilience: Every aspect of the electric system, from the machines in power plants to the grid as a whole, is designed with redundancy in mind. You can’t just break a thing or 10 and expect a prolonged blackout.

  • On some level, most people already know this. Everyone has lived through blackouts, but no one has lived through a blackout so big it caused the Purge.
  • "The power system is the most complex machine ever made by humans," said Chris Sistrunk, principal consultant at FireEye in energy cybersecurity. "Setting it up, or hacking it, is more complicated than putting a man on the moon."
  • An attack that took out power to New York using cyber means would require a nearly prohibitive amount of effort to coordinate, said Lesley Carhart of Dragos. Such a failure would also tip off other regions that there was an attack afoot. Causing a power outage in New York would likely prevent a power outage in Chicago.

There are two real problems with getting this issue wrong:

  • Unnecessarily scaring people about the threat of terrorism is harmful in itself.
  • Setting the expectations too high for what an attack looks like can divert attention from more realistic and still pretty devastating attacks on the electric system and blunt the need to prepare for smaller attacks. "You run the risk of desensitizing people of the issue," said Mark Orlando, CTO of Raytheon's cybersecurity practice.

The real threat:

  • National attacks are unlikely. Small attacks matter more than you'd think.
  • "People can relate to their freezer stopping working. It's tough to relate to what would happen if oil refineries stopped working," said Mike Spear, global operations director for industrial cyber security at Honeywell.
  • An industrial plant that lost power because attackers hacked nearby plants and onsite generators, for example, could lose as much as $50,000 a minute. Spear's oil refinery example would not only lose more money, but also impact anyone who drove a car.
  • Harming Cleveland's economy is less exciting than a nationwide blackout, but it still matters.

What about Russia? Periodically, news stories will cover the Russian malware implanted in industrial networks. One story cautioned that Russia had its "fingers on the switch."

  • It's no small task to get into industrial networks — most attacks at plants are limited to business networks.
  • But Russia's aim in hacking electric networks does not appear to be an imminent attack. Rather, experts agree, it's likely a reconnaissance mission for potential future actions.
  • While the threat here is real, an actual attack is more speculative than is sometimes portrayed.
  • Russia is the likely culprit behind the only two cyber-related blackouts in history, both launched against Ukraine. But cybersecurity experts see no evidence that Russia is capable of more than localized attacks.
