Originally published on Thoughts of a Lapsed Physicist.
By Allan Hoffman
This article is on a topic I have touched on before in this blog – the vulnerability of our infrastructure. The purpose of the article is twofold: to gather in one place my various thoughts on infrastructure vulnerability, and to issue a call for action to reduce this vulnerability before our infrastructure is compromised and we have to pay an unacceptably high price. This concern is valid for the U.S. and for other countries highly dependent on infrastructure.
America’s Vulnerable Infrastructure
This article is a call for action on an issue that has important implications for the U.S. – the fact that infrastructure on which we are highly dependent can be compromised by deliberate action by our enemies. I am not raising a new concern, but one that, despite some attention in recent years, is still not receiving the level of attention from public officials and the private sector that I believe it desperately needs. Failure to adequately address this issue can have dire consequences for our nation, and for other nations that find themselves in similar situations.
I have written about this issue in bits and pieces before, starting in 2013, and continually return to the subject because I see too little happening to address a serious and growing problem. That problem is the vulnerability to cyber attacks on our infrastructure, a problem that genuinely scares me. This piece will pull my thoughts together in one place and review my concerns, which are now shared by a growing number of people as more and more cyber attacks occur and their harmful impacts are identified. I will also point out the ways in which I believe this vulnerability can be mitigated, although complete elimination of cyber threats is not realistic. However, it is my strong belief that we can and must do a lot better at reducing these risks than we are now doing. The price for not doing better is potentially very high.
Infrastructure has been defined as “basic physical and organizational structures needed for the operation of a society or enterprise, or the services and facilities necessary for an economy to function.” The term is often used for the physical structures that support a society, such as roads, bridges, water supply, sewers, electrical grids, and telecommunications facilities.
America’s Vulnerable Electrical Grid
A major concern is that most of our electricity supply today comes from large, centralized power plants that are poorly protected from attack, if at all, and most electrical power is distributed over above-ground power lines that form a highly interconnected grid subject to falling trees, storm damage, or sabotage. It wouldn’t take much to disable a portion of that grid and remove power from large numbers of utility customers. This concern is exacerbated by increasing computer control of the grid and its vulnerability to malevolent hacking. Given today’s level of protection against such hacking I am very worried.
It is important to emphasize that it is not electricity per se that is the valuable commodity but the services that access to electricity makes possible – lighting, heating, cooling, water services, manufacturing, transportation, and communications. Energy has always been critical to human activities, but what differentiates modern societies is the energy beyond human and animal power required to provide increasingly high levels of services. In the developed world we are totally dependent on these services and it is in society’s interest to provide these services in the most reliable way with the least amount of energy, to minimize costs and environmental and national security impacts. My growing concern is that, with steadily increasing electrification, including the electrification of transportation, and growing dependence on computer control and internet interconnection, the many aspects of society that are dependent on electricity are increasingly vulnerable to serious disruption and blackmail. It is minimizing the risks associated with this vulnerability that must become a high priority focus of modern nations.
Another vulnerability, in addition to risks arising from cyber attacks, sabotage and military attacks, and one that has received some attention of late, is the impact that an electromagnetic pulse arising from a solar flare could have on our power systems. Interconnected power lines can act as a giant antenna that captures this electromagnetic energy and overloads the system and burns out power lines, transformers, and other equipment. This occurred in the 1860’s and burned out many telegraph lines. While physical components can be replaced it takes time, during which most people will be without power unless they have a backup generator. This is especially true for replacing the large power transformers in the system that are quite expensive and not routinely inventoried.
America’s Vulnerable Water Supply
Still another area of concern is disruptions to the U.S. water supply, which have implications for public health, food production, and other public services. It is well known that after natural disasters one of the first infrastructure failures is that of the clean water distribution system. My growing concern is that we are not doing enough to make sure nobody is compromising or poisoning that water supply, which is largely unprotected. After 9/11 this topic began to get some increased attention from U.S. government agencies.
America’s Vulnerable Telecommunications
Another area of concern is telecommunications. Many of our communication systems today – telephone, television, Internet, GPS, weather forecasting, tele-education and tele-medicine – are dependent on solar-powered satellite links and any disruption of these links, whether inadvertent or deliberate, can disable critical elements of our society. These links provide unique and invaluable services, but the satellites are vulnerable to collisions with micrometeorites, disruption by solar flare radiation, sabotage and acts of war, and simply wearing out. And the number of links is increasing steadily as more and more satellites are placed into orbit.
It is well known that many public and private telecom networks are under regular cyber attack, by government-supported and private individuals. Many examples can be found, including the Stuxnet attack on Iranian centrifuges, the North Korean attack on SONY, recent ransomware attacks, and the Russian attacks on U.S. and other national elections. The point is that we and others are highly vulnerable to cyber attacks, and unless we take steps to adequately protect our web-connected systems from these interventions I fear we will pay a terrible price. Too many of our public systems are now remotely controlled by wireless networks, and someone bent on doing damage and who is expert in hacking can make us hostage if our systems are penetrated. My concern is less with SONY than with our centralized electric utility systems that power our homes, businesses, hospitals, water supply systems, and many other aspects of modern life.
Is it difficult to provide this cyber protection? The simple answer is yes, for several reasons: the growing numbers of wireless networks and cyber hackers, the cost of counteracting malicious hacking, the availability of trained professionals to address the hacking issue, and what I have long considered a major problem – the inability to focus enough attention on cyber security issues.
Let me discuss each of these barriers in turn. Wireless networking is growing because it offers many advantages – reduced wiring requirements and related costs, remote operation and reduced manpower requirements, ability to monitor more variables continuously and control systems to a finer degree. Disadvantages arise when inadequate attention is paid to preventing hacker penetration into the network, thus allowing disruption of normal operations or allowing hackers to take control of the network. Also, the number of capable hackers is increasing rapidly. Many schemes have been proposed for restricting unauthorized access to a network, usually using passwords, but often these passwords are not adequate to stop an experienced hacker and most people are resistant to remembering long, complicated passwords. Many companies are also not yet convinced of the need to spend the money on sophisticated protection systems, and some may see the consequences of a hacking as less costly than the required investment.
Costs are inherent in any attempt to prevent hacking, ranging from software and hardware costs to labor costs. There is some indication that SONY, an electronics company, spent too little on protection costs by underestimating the potential threat to its cyber systems. It surely is a mistake it won’t make again, and the SONY experience, and others, should serve as wake up calls to other corporate and government bodies as well as individual consumers.
The trained manpower issue is a critical one. As has been noted in Congressional testimony, the vast majority of people available today to address cyber security issues are the ones who designed and implemented the current vulnerable information technology system. Should they be the ones to try and fix it, or do we need newly-trained cyber experts who are not so closely linked to today’s operating modes? Clearly there are people who have the requisite high level skills – think NSA – but are they available broadly on a global basis? Expertise in cyber security is already in high demand and will be in even greater demand in the future as more and more functions are digitized and the Internet-of-All-Things becomes a part of everyday life.
Finally, let me address the issue of focusing attention on cyber security issues. It has not been easy. I have personally observed resistance to addressing cyber security issues by the U.S. military and private electric utilities, largely due to lack of familiarity with required capabilities and associated costs. Fortunately, this is beginning to change now that the consequences of not being vigilant are becoming obvious.
America’s Electric Utility System
Let me now tie all these concerns to our electric utility system. Today, and for most of the past century, it has been a highly centralized grid system where large central power plants distributed electricity radially via high voltage transmission lines and lower voltage local distribution lines. It was a ‘dumb’ system with little overall control and when one part of the grid went down lots of people lost their electricity supply until the grid problem could be fixed. Today we are developing a ‘smart’ grid with lots of electronic controls that allow isolation of problem areas to minimize the number of people affected, that facilitates transfer of power from one grid region to another, and that allows utilities access to consumer homes and businesses for better balancing of supply and demand. These ‘smart grid’ features offer many advantages to suppliers and consumers, ranging from improved energy security to reduced costs. The downside is that electronic networks controlling these various features of the smart grid can be penetrated by sophisticated hackers, and my impression is that until fairly recently utility executives were not paying sufficient attention to cyber security issues. We can hope that this is no longer the case, but we all know of utilities that have underinvested in protecting their systems – e.g., by not trimming back trees that could fall on and disrupt power lines during storms, and not putting more of their power lines underground.
The good news is that some federal and state government and quasi-governmental agencies are beginning to take the issue seriously. Reports are now available that address Black Sky Day possibilities, which are defined as “extraordinary and hazardous catastrophes utterly unlike the blue sky days during which utilities usually operate.”
An important example of this increased government attention was the release in January 2017 of the second installment of the Department of Energy’s Quadrennial Energy Review. These reports, started in 2013, survey the U.S. energy system. The first installment dealt broadly with the entirety of the nation’s energy infrastructure, which goes far beyond electricity to encompass natural gas and oil pipelines, storage infrastructure, and other facets. This one focused on electricity, the nation’s rapidly changing electrical grid, and the need for new action to protect against evolving cyber security threats.
The document noted the sprawling scale of U.S. electric infrastructure – 7,700 power plants, 55,800 substations, 707,000 miles of high-voltage transmission lines, and 6.5 million additional miles of local lines spread out from the substations. It pointed out that dramatic change is sweeping over the sector and that this “rapidly evolving system” is in major need of modernization and upgrades to keep pace.
“There’s the weak-link issue for the whole system,” Energy Secretary Ernest Moniz said in an interview when the report was released. “The reality is, for a lot of rural, smaller utilities, it’s a very difficult job to have the kind of expertise that will be needed in terms of cyber, so we suggest for example, grant programs to help with training, to help with analytical capacity in these situations.” “The economy would just take an enormous hit” from a successful grid attack, he said. The report also pointed out that cyberthreats are not the only challenge facing the grid. It warned that extreme weather events triggered by human-caused climate change also make the system vulnerable.
The bottom line is that the integrity and reliability of many important infrastructure systems are at risk and a national commitment to minimizing these risks is a critical need. The primary responsibility of elected officials is to protect the U.S. public, and indications to date are that not enough is yet being done to meet that responsibility with respect to cyber threats. Red lights are flashing but is this to be another example of where the U.S. response is laggard until a crisis erupts? The sooner we address the following issues, via public education, legislation, and public and private practice, the more secure our energy and energy-dependent systems will be:
- identifying protection against cyber attacks as a national priority by both the President and the Congress.
- enhanced education of the public about the threat and implications of cyber attacks.
- engaging the government and private sector in a joint effort to develop new barriers to cyber network penetration that take into account both privacy concerns and the needs of the intelligence community to identify and protect us against internal and external threats.
- the need to focus greater attention on training of an increased number of cyber technology experts, much as we did in the aftermath of Sputnik in the late 1950s when the need for more trained scientists became evident.
- acceleration of the trend to distributed power generation, to reduce the risks of outages on today’s highly interconnected grid system that can lead to widespread loss of power. Distributed generation, in a smart grid system, can isolate (‘island’) local sources of lost power and keep the rest of the connected grid functioning. Renewable generation sources are inherently distributive and fit well into this category.
Of course the issue of global warming and climate change must also be addressed for reasons that go beyond reducing vulnerability of our power grid to extreme weather events. However, that is a topic that is receiving extensive attention elsewhere and one I will not discuss in this article.
Photo Credit: Map of realtime cyber attacks on the Norse honeypots during 2015 – by Christiaan Cohen via Flickr (CC BY SA, 2.0 License).
Republished with permission.