Escalation of Cyber Warfare Puts US Electric Grid in Crosshairs
With news of recent cyber developments involving Russia and Iran, the U.S. is now on a cyberwar footing with the two confrontational nations. The new battleground is electric supply systems – the electric grid in Russia, and the electricity-driven military command and control networks in Iran.
Thanks to the U.S. Department of Homeland Security and the FBI, we’ve known for quite some time that Russia had infiltrated the U.S. electric grid, embedding malware that could incapacitate power plants, pipelines and water supplies, and that they had even gained access to power plant control rooms.
We’ve also seen reports from the U.S. National Security Agency that “there have been serious issues with malicious Iranian cyber actions” against the U.S., and that Iranian grid hackers last year compromised high-profile government and commercial systems in the United Kingdom.
We did not, however, know that the U.S. has implemented a stealthy response to those attacks. In Russia, American computer code, the digital equivalent of bombs that could be detonated, has been planted strategically in their electric grid as a potential responsive measure.
Nor did we know until very recently that the U.S. retaliated against Iran for shooting down an unmanned drone in June with a crippling “offensive cyber strike that disabled computer systems used by Iran’s Islamic Revolutionary Guard Corps to control rocket and missile launches,” according to The Washington Post.
These actions are potential game changers in the global escalation of cyber warfare, and they highlight a glaring American Achilles heel — the U.S. today is not adequately prepared to prevent or defend against a major incoming cyber-attack on our electric grid, or to recover from such an attack rapidly.
This weakness has been known for some time, and is now more critical than ever to recognize and address — with the U.S. openly engaging in offensive cyber intrusions and attacks against Russia and Iran, the likelihood of counter-attacks increases significantly. The time to harden our vulnerable electric grid — to make it much more difficult to penetrate, and much more resilient in the event of an attack — is now.
Reliable electricity is our social and economic lifeblood, and a successful attack on a major portion of the U.S. electric grid would have widespread, disruptive and deadly effects.
Imagine a U.S. in which telephones, cell phones, the Internet and television cease to operate; cars, trucks, trains and airplanes are idled because fuel pumps and charging stations are disabled; banks and ATMs are inoperable; home heating and air conditioning systems no longer work; food and clean water supplies dwindle and run out; and hospitals and other emergency services are largely unavailable. Studies suggest that in such situations, a large number of deaths are likely, and that a societal breakdown can occur in as little as one week.
If this widespread power outage scenario sounds unrealistic or improbable, remember that it happened in Puerto Rico in 2017, and in Argentina and Uruguay mere weeks ago. And, as those examples clearly illustrated, the scope, duration and impacts of a major outage are directly related to the effectiveness of efforts to build protection and resiliency into the grid before an event occurs.
The hard reality is that the U.S. must undertake a major electric grid upgrade that prioritizes cybersecurity, particularly as the number of potential pathways into the grid increases daily. With the growing deployment of distributed energy resources, and the literally billions of interconnected and grid-connected devices that make up the Internet of Things, every day we delay making the grid more secure and resilient leaves our country and our economy in peril.
The current administration acknowledges the need for grid improvements; Congress and some federal agencies are trying to make meaningful progress, and the electric utility industry is working to make the grid more secure and resilient.
But we need a more comprehensive, “moonshot”-style approach, one in which we marshal the level of talent, money, focus and determination equal to that which made it possible for us to land on the moon 50 years ago.
Importantly, this moonshot effort must be driven by a well-funded partnership between government and the private sector, and its costs must be borne by all.
Some form of innovative, flexible funding mechanism must be developed to incentivize large and small utilities to make necessary investments in cyber security and implement best practices on a sustained basis. And while the impact on electric utility ratepayers will need to be carefully overseen by the appropriate state regulatory agencies, utilities must also have some reasonable measure of guarantee that effective, prudent expenditures for cyber upgrades will be recouped.
Enhancing our offensive cyber capabilities against Russia and Iran, and others, is undeniably important. But we must simultaneously harden our defenses against an incoming cyberattack on our own electric grid — the most vital component of our critical national infrastructure — while we have the opportunity to do so.
As Gen. Paul M. Nakasone, head of the United States Cyber Command, said of our cyber adversaries during his confirmation hearings a year ago, “They don’t fear us.”
While it has long been recognized that the best defense is a good offense, it is equally true that a good offense is no substitute for a good defense. The security of our electric grid requires both. We’re clearly implementing a strategic offense, and that is to be applauded, but we must get equally serious at home and build a rock-solid defense against incoming cyberattacks on our grid before it is too late.
John E. Shkor is a retired U.S. Coast Guard Vice Admiral, having served as Atlantic Area Commander and twice Chief Counsel of the Coast Guard. He also served as the Chief Operating Officer for the Transportation Security Administration following 9/11. Timothy Connors is a retired U.S. Army Colonel. He served in the Army Reserve Counterterrorism Unit at the U.S. Department of State and as the Director of the Center for Policing Terrorism at the Manhattan Institute in New York City. Shkor and Connors both serve on the Advisory Panel of Protect Our Power, a not-for-profit organization whose mission is to strengthen the security and resilience of the U.S. electric grid.