Smart Grid, Not so Smart

Over the last 15 years, it now appears that the electrical grid is not only extremely vulnerable, but that its vulnerability is in the process of being exponentially increased. At this point, the vulnerabilities in the power grid are well documented. I highlight how there are many points where control networks overlap business networks. The GAO published a report a month later highlighting this problem at the Tennessee Valley Authority. The Wall Street Journal highlighted how Russian and Chinese intelligence agencies have already planted malware in the power grid. Then there was the Idaho National Lab Aurora video, where they demonstrated that a generator SCADA system can be remotely hacked to blow up the generator. Then there was the recent 60 Minutes piece.
I have to admit that even with all of the above, I wasn't convinced that there could be a true strategic attack. You can probably blow up a few generators, but the fact is that the power grid itself is resilient enough to withstand the effects. Another issue is that while Russia and China could potentially coordinate a much more devastating attack, they do not have the motivation to cause such damage. While terrorists and some other parties might want to try, it is unlikely that they have the coordination and resources to accomplish a truly strategic attack.
However, the smart grid changes all of that. The researchers from IOActive demonstrated that smart grid boxes can be hacked and that they can spread worms. Not only that, the boxes themselves will be connected to every home and be available to anyone. Anyone therefore has access to the smart grid. With tens of millions of the boxes planned to be distributed throughout the United States, potential attackers can easily get their hands on the systems to tear apart and find new vulnerabilities and attacks. More important, when there is a vulnerability found, how will it be mitigated?
There is a perfect storm brewing where the skills and resources required to launch a significant attack are being drastically lowered. Depending upon the effects of a possible worm on the smart grid boxes, and the vulnerability of the generators, there can be a combined attack that does have strategic impact.
Again, I am not legitimizing the doomsday criers who have been doing this for decades. However, I have come to realize that there is gross negligence in how the power grid has been maintained, and how it is evolving. While I will not cry wolf and say it is imminent, I sadly realize that an Electronic Pearl Harbor is now very possible.
(From CSOonline.com by Ira Winkler)