A blizzard slams the East Coast and the lights go out. Then they stay off. Is it an attack? How do we figure out who’s behind it? What do we do in retaliation? These are all questions that need answering since what looks like the first successful cyber attack on an entire nation’s power grid. Ukraine says that Russia shut down part of its electric grid. While no US official has yet confirmed that Russia is behind the attack, no one disputes that a multi-pronged attack on parts of a country’s electric grid succeeded.
So who is in charge when it happens here?
The power outages and untouched piles of snow still blocking the side streets of the nation’s capital underscore the misery unleashed when emergencies overwhelm disaster response capabilities. Add a cyber-attack to the mix and what is normally a major irritant begins to endanger lives and damage an economy.
Ukraine recently announced that a pre-Christmas cyber-attack, apparently originating in Russia, turned off the lights in hundreds of towns and cities across the country, overwhelmed the call centers that normally coordinate the response, and created misery for hundreds of thousands. They were lucky in one sense because the rugged simplicity of their largely Russian-built infrastructure meant that they had the option to restart their grid and generators by hand. Our grid is much more sophisticated and does not have the manual restart option. The same threat is repeatedly found on our electrical grid and other critical infrastructure and its potential for creating mayhem is profoundly disturbing.
Department of Homeland Security analysts report that the Ukraine attack employed the latest generation of a Russian offensive cyber toolkit called BlackEnergy. This is one of the attack sets periodically found on the U.S. grid. The attackers apparently penetrated the electrical management system using a crafted email, accessed the equipment that manages the Ukrainian power grid, turned off the lights, and then flooded the phone lines and call centers used to report problems and manage responses. Ukrainian response teams realized they could not use the control system’s computers to restart the grid. They turned to manual protocols, traveling all over the country to literally flip switches and turn the power back on, while leaving the computers off until they could be secured.
The population in that part of the world is used to frequent and prolonged power outages and has developed a capacity to handle the accompanying unpleasantness, including manual “on” switches. We can only imagine the uproar if a similar attack took out the entire eastern seaboard and the computers orchestrating the conveniences of our daily lives stayed off for days and weeks instead of a day or two. We only need to look to the aftermath of Hurricane Sandy to get a small taste of the misery caused by prolonged power outages.
An event of this scope, akin to a U.S. city- or state-wide attack, is supposed to be handled by local responders with help from industry Information Sharing and Analysis Centers (ISACs), DHS, the FBI, and other federal agencies. But the complexity of rooting out malware and cobbling together an ad hoc response center while restarting our grid will be extremely challenging and will require significant capabilities that do not currently exist at scale.
The industry is thoroughly practiced in handling outages caused by natural disasters and physical events and collaborates seamlessly by sharing disaster response teams, crews, and other resources with the affected region. The same cannot be said on the cyber front.
A cyber-attack that takes down collaboration tools, the network management framework, and the computers managing the individual power generation plants is a very different problem because the industry does not have enough experience or the cyber resources to handle this. And the government does not have the teams, organization, or processes in place to backstop the industry effort.
A national event will strain existing institutions and resources beyond capacity. I had a chance to catch up with Andy Ozment, assistant secretary for Homeland Security at the Office of Cybersecurity and Communications (CS&C), at a recent Capitol Hill event and he walked us through the nation’s current response process in the event of a large scale attack on critical infrastructure.
In the event of a large scale cyber-attack on the US grid there is a playbook in place. He told us that the first response to an attack on the nation’s critical infrastructure is the deployment of a team from US-CERT to work in conjunction with regional response teams and the affected industry. This is followed by an FBI engagement for forensics, attribution, and criminal prosecution. In the case of a Ukraine-style attack, the energy ISAC works in collaboration with local, state and federal governments and becomes the main body that circles the wagons, shares intrusion information, and jointly develops the remediation tactics to defend against the attack.
This approach works at the local or regional level, but in the event of a nation-on-nation cyber fight, large scale damage is inevitable unless we significantly improve our infrastructure security posture, our ability to proactively find a threat, and our ability to do something about an attack once it begins. When the Capitol Hill panel was asked about actions in retaliation for an attack, there were allusions to the newly-formed Cyber National Mission Force, but no one could actually speak to its responsibilities or the conditions for its engagement. Rep. Gerry Connolly pointedly asked which agency would lead in each stage of this scenario, and the collective answer was, “it is a work in progress”.
The Ukraine incident, heralded as the first nation-on-nation takedown of an electric grid, has drawn little attention in the U.S. to date and deserves a much closer examination by both industry and the government. It is a useful yardstick for assessing our collective ability to handle a similar attack. There is broad agreement in policy circles that the deliberate attack on and destruction of a national power grid (or any other critical infrastructure) by another nation clearly represents an act of war.
What is not clear is the threshold for a response against the offending nation; what the local, state, and federal roles are; what resources are necessary and available to stop an attack; and who fixes the ensuing damage and stops it from happening again. The responsibilities for planning, exercising, and responding to this type of attack are similarly diffuse, with government, military, and industry roles in need of further definition and collective practice.
The episode raises the question, “What do we do when (not if) it happens here?” The current answer, per the panelists at the congressional session, is that progress so far amounts to the establishment of collaboration processes and some crisis assistance from DHS and the FBI. As citizens we deserve to know that the government and our critical industries understand the potential dangers of a broad cyber-attack, have assigned (and practiced) their roles and responsibilities, and that the instances of this malware peppered around the US grid are being dealt with. The grid needs a holistic, no-holds-barred assessment of its security posture, a deliberate approach to defining and inspecting critical cyber terrain, and active cooperation between the government and industry.
There are remarkable technologies emerging from the private sector that should be evaluated and deployed as a means to lock down our grid. Using the lessons learned from the Ukraine attack and from our own exercises will identify the most critical gaps, but success depends on a procurement model that can identify fresh capabilities, integrate them into the existing grid, and do it far quicker than the federal process. The government and industry need to adopt a supercharged method of assessment, gap identification, and remediation that can evolve as quickly as the attackers can change their tactics. Clear leadership and careful planning will avert a crisis in a future that is much nearer than we want to admit.
John Quigg, a retired Army lieutenant colonel, was one of America’s first cyber warriors. He now is a senior advisor to Spurrier Capital Partners, a New York-based technology investment bank.