In the spring of 2013, somebody (or somebodies) launched a sniper attack on a major transmission substation outside of San Jose, Calif., with a high-powered rifle, blasting off more than 100 rounds at 17 electrical transformers.
The April 16 attack on the Pacific Gas and Electric Metcalf Transmission Substation didn’t knock the power out across the nearby Silicon Valley, but it did do $15 million worth of damage and set off alarm bells throughout the nation’s tech, security and energy communities. While the FBI has said it doesn’t consider the unsolved incident a true “terrorist” event, the attack did serve to highlight the vulnerability of the nation’s critical infrastructure. It was a relatively crude, yet powerful and costly attack, and it added another turn to the already complicated homeland security situation.
A more sophisticated kind of attack on a national infrastructure system took place in 2010. Not in the U.S., but in Iran, where as many as 1,000 centrifuges in a uranium enrichment facility in the city of Natanz were damaged by a cyberattack. The culprit there is suspected to be the now-notorious malicious computer worm called Stuxnet, which many suspect was developed in a joint U.S.-Israeli effort to create an effective agent for covertly sabotaging the Iranian nuclear program. In that attack, the worm is thought to have targeted the centrifuges’ programmable logic controllers — the digital components that tell the various pieces of a factory assembly line what to do — essentially causing them to physically spin out of control until they burned out.
While likely not as successful as its launchers had hoped — the physical damage was probably more limited than intended and the worm was exposed soon after — it did cause deep shockwaves in the tech and energy worlds. It was not the first time hackers have targeted industrial systems, nor the first publicly known intentional act of cyberwarfare, but Stuxnet was the first malware to spy on and attack an industrial system, and the first to include its own programmable logic controller.
Then just before Christmas last year, the Black Energy 3 Trojan — a program for hacking into systems by misleading users about its true intent, like Greeks in a wooden horse — was used to bring down the power system in a region of Ukraine, leaving hundreds of thousands of users without electricity for several hours. This time, the Russians are suspected.
What does all of this mean for us back here in Wyoming? A whole lot.
All three incidents were part of lively discussions on grid and infrastructure security at both the Wyoming Business Report’s Cybersecurity Symposium and Energy Summit held last month in Cheyenne. Experts at both events weighed in on threats of all types, as well as strategies for making assets more secure and limiting damage when attacks do occur.
“We are not just dealing with threats,” Jason Begger, executive director of the Wyoming Infrastructure Authority, said. “These are things that have happened and it won’t be the last time.
“It’s not a matter of if, it’s a matter of when the next attack happens.”
He said, here in Wyoming, where most of the electricity we produce already goes to out-of-state users, and where the increasing call for renewable power sources in states like California looks to continue to stoke demand for the state’s power even more, the electrical grid — from coal- or gas-fired plants and wind farms to transmission lines — is considered a prime target for attacks. Data centers and vital telecommunications networks are also at risk.
And it is not just cyberwarfare or direct physical attacks that we have to fear. In the extreme, an EMP (electromagnetic pulse) effect generated by a nuclear weapon could wipe out systems far beyond the blast zone. It’s estimated that an EMP device going off over central Oklahoma could do damage across most of North America. Even a smaller, localized EMP created with everyday equipment from Radio Shack could wreak havoc on the grid. Or, a geomagnetic storm from the sun could also generate a devastating EMP effect.
Begger moderated a discussion at the Cybersecurity Symposium, where panelists gave input on the importance of protecting infrastructure in the face of internal and external attacks, whether they be from international or domestic terrorists or even disgruntled employees (some suspect the Metcalf case might have involved attackers with insider knowledge of the facility).
“Since at least 2007, there has been a real interest by the bad guys in taking down the grid,” cybersecurity panelist Hart Brown said.
Brown is the senior vice president for organizational resilience at HUB International, a leading North American insurance brokerage that provides a variety of coverages for infrastructure and other projects. He said that nobody currently has “a good answer when it comes to a cyber-initiated event that results in physical damage to the grid.” He said while protecting the grid is important, a “strong contingent response” may be even more important in the long run.
Since 2010, the Department of Energy has invested more than $100 million to advance a resilient grid infrastructure that can survive a cyber incident while sustaining critical functions. And more help may be on the way. By taking a step backward.
A bill with bipartisan support, introduced in the U.S. Senate June 6, aims to reduce the electrical grid’s cybersecurity vulnerability by replacing modern systems with older, safer technology. The legislation would create a two-year study regarding technology that makes the grid vulnerable, with an emphasis on automated systems that can be hacked remotely.
The Energy Department would then have to report on the study and the feasibility of certain technological changes.
“The United States is one of the most technologically-advanced countries in the world, which also means we’re one of the most technologically-vulnerable countries in the world,” said Sen. Angus King (I-Maine), who introduced the bill with Sens. Martin Heinrich (D-N.M.), Jim Risch (R-Idaho) and Susan Collins (R-Maine).
“Our legislation would reengineer the last-mile of the energy grid to isolate its most important systems, and in doing so, help defend it from a devastating blow that could cut off electricity to millions of people across the country,” he said.
The senators are calling their approach “retro.” They point to a cyberattack last year on Ukraine’s electrical grid, which they said caused significant damage but could have been worse if more technology were automated.
“As experts continue to tell us, it is not a matter of if a cyberattack aimed at our critical infrastructure occurs, but when,” said Collins. “This bill, along with other cybersecurity measures passed by Congress and under consideration before the Senate, can make a real contribution in strengthening our defenses against this dangerous threat.”