By Yuval Medina. January 14, 2019.
“The word ‘blackout’ to refer to a power outage is something of a misnomer,” writes Gretchen Bakke in her book, The Grid. When our databases, communication systems, hospitals, and even our phones and cars—and our entire way of life—are all plugged into the grid that sustains us, losing our lights is the least of our worries. And as our critical infrastructure becomes more and more interconnected and reliant on vulnerable technology, hackers and rogue states are becoming aware of these highly promising targets.
In December 2015, Russian security services were implicated in an operation that shut down 30 power substations in the Western Ukrainian region of Ivano-Frankivsk. About 225,000 customers lost service, and the attackers also disabled the utility's communications systems, leaving operators unable to restore the substations remotely. Although the blackout itself lasted only a few hours, the operations of the affected company, which had to fall back to manual control of its systems to cope with the attack, were hindered well into the following year.
A second attack, in Kiev in December 2016, cut roughly 20% of the Ukrainian capital's power for about an hour. It used significantly more sophisticated malware, built to speak directly to the control equipment in substations, with the potential for far more lasting damage to the targeted utilities. Rob Knake, former Director of Cybersecurity Policy on the U.S. National Security Council, explains in Foreign Affairs that the technological improvement in the second attack "provided an opportunity for Russia to use Ukraine as a testing ground" for this particular form of cyber warfare. Many fear that malicious actors who develop or acquire these capabilities will soon put the United States in their crosshairs.
While adversaries' cyber capabilities grow more advanced, a report by the cybersecurity firm CyberX found that one-third of industrial sites are not air-gapped from the internet, 3 out of 4 are running obsolete Windows systems, almost 3 out of 5 have plaintext passwords on their networks that attackers can easily capture and reuse, and nearly half of the companies do not even own antivirus software. In 2014, then-Director of the NSA, Admiral Michael Rogers, told Congress that malware attributed to Russia had been found on critical infrastructure systems throughout the country.
Rogers said at the time that Russia lacked a strong incentive to activate the dormant malware. But what if that incentive had existed? (Tom Bossert, former White House Homeland Security Advisor, made the same point at a Duke Law School event in October 2018: the capability to wreak havoc on critical infrastructure systems does not by itself imply an intent to do so.)
Though cyber attacks on infrastructure, and on the grid in particular, are usually discussed in terms of economic losses, their environmental impacts are often overlooked. In 2014, Reuters reported that hackers had caused a floating oil rig off the coast of Africa to tilt on its side. It took weeks to work out what was happening, largely because no cyber-security expert was on hand. Another drilling rig, sailing from South Korea to Brazil, sat idle for 19 days while experts worked to remove the malware responsible.
Worse, many companies fail to report such incidents for fear of alarming investors. That makes it harder to estimate when a potentially catastrophic environmental disaster could happen at the whim of a hacker.
In my History of Energy class last semester, we spent a lot of time exploring how essential the tapestry of grids, mines, offshore rigs, wind farms, and hydroelectric dams across the world is to our way of life and to the United States' place in history. It's a scary world knowing that this entire tapestry could be torn apart by capable cyber adversaries hiding anywhere in the world.
Yuval Medina is a first-year majoring in computer science and a member of the Duke Cyber Team.