The attack could come when we're most vulnerable: a blistering hot July afternoon or a freezing cold January night. Suddenly, vast sections of the U.S. power grid go black. The lights go out, air-conditioning (or heating) shuts down. Once it becomes clear that this is no temporary brownout, the public begins to panic. At the power utilities, engineers can't understand why the network shut off, and can't get it to start up again. It's hours before the truth emerges: a terrorist group (or a hostile country, or some evil-genius hacker) has broken into the computer networks that control the power grid, bringing the U.S. to its knees.
If that worst-case scenario crossed your mind last week, it was probably because you'd just read news reports that federal authorities had detected signs that hackers, likely from Russia and China (countries with militaries known to be pursuing cyberwarfare capabilities), had penetrated the computer systems that control the power grid. It was unclear when these intrusions had taken place, but they had left a software signature. If that wasn't disturbing enough, the North American Electric Reliability Corp., a Congress-authorized regulator, issued an alert that the utilities had not adequately surveyed their computer systems to detect vulnerabilities.
As bad as all that may sound, there are several reasons not to panic about our power grid's vulnerability.
No national power grid anywhere in the world has been brought down by a cyberattack. And it's worth keeping in mind that most countries have far fewer defenses against cyberattacks than the U.S. "It's virtually impossible to bring down the entire North American grid," says Major General (Rtd) Dale Meyerrose, a cybersecurity expert who recently retired as chief information officer for the Director of National Intelligence. The electricity-distribution system is highly decentralized, and there's no central control system; at worst, cyberattackers may be able to damage sections of the grid.
The most critical power users (the military, hospitals, the banking system, phone networks, Google's server farms) have multiple contingencies for uninterrupted power supply and backup generation. In the event of a cyberattack on the grid, they would be able to operate for long periods (days, weeks and, in some cases, indefinitely) without much difficulty.
The power grid is far from perfect. On any given day, 500,000 Americans experience an outage, says Arshad Mansoor of the Electric Power Research Institute, which is funded by the utility industry. Why is this a good thing? Because it means the grid deals with breakdowns all the time, and the industry knows how to fix them. The grid has built-in redundancies and manual overrides that allow for restoration of supply. Mansoor is careful to point out that these are "not defenses against cyberattacks, but for dealing with the consequence of such attacks."
The larger point is that in most cases, damage done to the power supply can be undone. "In the banking system, if someone hacks the system and steals information about 500,000 credit cards, it's incredibly tough to undo that damage," says Mansoor. "But if a section of the power grid goes down, we start it up again."
Of course, every power outage comes with a cost, not least to the economy. Mansoor would not discuss how long it would take to recover from a cyberattack (there are too many variables involved) but said the longest delays in restoring power are typically caused not by technological glitches but by major acts of God, like hurricanes and earthquakes that destroy physical infrastructure.
This is not to suggest that the power grid can't be hacked into. In 2007, CNN reported that researchers working for the Department of Energy had mounted an experimental cyberattack against a power generator and were able to get it to self-destruct. Details of the experiment were kept from the public at the request of the Department of Homeland Security.
While Meyerrose, Mansoor and other experts agree that the utility industry's vulnerability will grow as its command-and-control systems rely ever more on computer networks, those concerns are not new. Some security experts have cautioned against the growing use of "smart grid" technology, which relies even more on computer networks to allow both utilities and individual consumers to monitor and reduce power usage. There are already 2 million smart meters in use in the U.S., and the Obama Administration's 2010 budget includes $4.5 billion in spending on such technology. The fear is that these meters may allow hackers access to the grid's control systems. But smart-grid backers say the opposite is true: the use of more-sophisticated monitoring systems makes the grid safer.
The timing of the recent reports about the power grid's vulnerability to cyberattacks may have more to do with politics than anything else. The news flurry coincided with the introduction of a new bill, by Senators Jay Rockefeller and Olympia Snowe, to impose cybersecurity standards on private industry, regulations that would likely affect the utilities and other vital infrastructure. And this week marks the end of a 60-day review by the National Security Council of the nation's cybersecurity policies and practices; the results will be submitted to President Obama any day now, and will likely be made public later this month.
As the review has drawn to a close, a turf war has broken out in Washington over which agency should be put in charge of cybersecurity and get the billions of dollars of federal money that comes with it. Last month, Rod Beckstrom quit as director of the National Cybersecurity Center, citing turf battles between the Department of Homeland Security (which oversees the center) and the National Security Agency. His take on the sudden alarm bells over the power grid's cybersecurity? It's a power grab: a competition between two government agencies to become the main player in cybersecurity.