by Stuart Madnick
In the fall of 2019, in Northern California, the United States experienced its first-ever long-lasting and deliberate, large-scale blackout. Fueled by increased fears of devastating fires due to its century-old equipment, the region’s utility companies shut off power to more than 1.5 million people, forcing many evacuations. The impact was devastating; Michael Wara, a climate and energy expert at Stanford University, estimated the cost to California as up to $2.5 billion. For cybersecurity experts like myself, the blackout was a signal of just how precarious our reliance on electricity is, and how much we have to fear in cyberattacks.
Think about what would happen if a cyberattack brought down the power grid in New York or even just a larger part of the country. As we saw in California, people could manage for a few hours—maybe a few days—but what would happen if the outage lasted for a week or more? If a utility in a high-density population area was targeted with a cyberattack, is an evacuation of millions of people feasible or desirable?
Questions we should all be asking include: What do we do if the power grid is breached, making electric-start backup generators unusable? What’s the backup plan for the backup plan? What happens to our food supply? Our water supply? Our sewer systems? Our financial systems? Our economy? Answering these questions requires systems-level thinking about how everything is connected and consideration of the interdependencies. For example, hospitals might have backup generators. But what about the supply line for refueling? If the refueling stations need electricity to operate pumps, what is the plan?
Acknowledgment: This research was supported, in part, by funds from the members of the Cybersecurity at MIT Sloan (CAMS) consortium.
We all understand that there are certain catastrophes that can reoccur, such as hurricanes or wildfires. But how do you prepare for a catastrophe that has never occurred before? We do not do well at addressing things that we have never seen before.
Consider what happened in 2017 when an area of Wyoming was hit by a strong windstorm that knocked down many large power lines. It took about a week to restore power due to heavy snow and frozen ground. Initially, water and sewage treatment continued due to backup generators. But the pumps that moved sewage from low-lying areas to the treatment plants on higher ground were not designed to have generators, since they could hold several days of waste. After three days with no power, they started backing up. The water then had to be cut off to prevent backed-up wastewater from getting into homes, and the town had to be evacuated. As a spokesperson for the Jackson Hole Mountain Resort said: “This will probably be the longest time that we have had to close … in our history.” No one had anticipated such a scenario or sequence of events.
The Wyoming windstorm and the California fire threats provide cybersecurity researchers with real-life tests of what to expect when we don’t know what could happen. We haven’t faced a large-scale cyberattack. Based on conversations I have had with experts in the field, we are as unprepared for a major cyberattack as Wyoming was for the windstorm and California for the fire threat, regardless of whether you’re talking about the regional or city level, or the private sector. As Professor Lawrence Susskind, in MIT’s urban systems department, described it to me, “[In a cyberattack today] millions [of people] … could be left with no electricity, no water, no public transportation, and no waste disposal for weeks (or even months).”
Weeks and months, as it happens, are good estimates for how long it could take to come back online after an attack on a utility. A cyberattack can disrupt a traditional computer system by manipulating the software or erasing data, but the physical computer is still intact, and with various degrees of effort, the software and data can be restored. But a cyberphysical system, such as a generator or similar computer-control equipment, can be destroyed—that is, made to explode. Repairing or replacing such systems can take weeks or even months, especially if many are destroyed at the same time, since spare systems and parts are usually scarce and often custom manufactured.
Some have asked me why such a major cyberattack of this nature hasn’t already occurred. I believe there are three necessary conditions for one to happen: opportunity, capability, and motivation.
There are at least three problems with the way we have addressed such issues in the past that need to change:
To illustrate the risks we face by not planning, consider again the California blackouts of 2019; 248 hospitals were in regions that lost power. “I can’t overemphasize the calamity that these events cause at the neighborhood level. Hundreds of health-care facilities don’t have backup generators,” said Jack Brouwer, an engineering professor and director of the National Fuel Cell Research Center at the University of California, Irvine. Referencing the deaths caused by previous wildfires in California, he said, “If you’re out of power for an hour, that’s fine, but for a couple of days—those lives count as much as those that would be lost in a fire.”
It’s time to imagine the unimaginable, and the California power outages have provided us with a small glimpse of what could happen if we don’t prepare. As we face increasingly global uncertainty and insecurity, we need more innovative and systems-level thinking—and a sense of urgency to mitigate the impact of a major cyberattack before it happens.
TAKEAWAYS
Our approach to cybersecurity must evolve to anticipate types of attacks we’ve never seen before—such as an attack on the power grid of a major metropolitan area. Recent disasters provide us a glimpse of what the unimaginable could be and show us how necessary it is to safeguard against it. There are at least three behaviors we need to change:
Adapted from “How to Safeguard Against Cyberattacks on Utilities,” on hbr.org, January 23, 2020 (product #H05DAL).