HOW TO SAFEGUARD AGAINST CYBERATTACKS ON UTILITIES

by Stuart Madnick

In the fall of 2019, in Northern California, the United States experienced its first-ever long-lasting and deliberate, large-scale blackout. Fueled by increased fears of devastating fires due to its century-old equipment, the region’s utility companies shut off power to more than 1.5 million people, forcing many evacuations. The impact was devastating; Michael Wara, a climate and energy expert at Stanford University, estimated the cost to California as up to $2.5 billion. For cybersecurity experts like myself, the blackout was a signal of just how precarious our reliance on electricity is, and how much we have to fear in cyberattacks.

Think about what would happen if a cyberattack brought down the power grid in New York or even just a larger part of the country. As we saw in California, people could manage for a few hours—maybe a few days—but what would happen if the outage lasted for a week or more? If a utility in a high-density population area was targeted with a cyberattack, is an evacuation of millions of people feasible or desirable?

Questions we should all be asking include: What do we do if the power grid is breached, making electric-start backup generators unusable? What’s the backup plan for the backup plan? What happens to our food supply? Our water supply? Our sewer systems? Our financial systems? Our economy? Answering these questions requires systems-level thinking about how everything is connected and consideration of the interdependencies. For example, hospitals might have backup generators. But what about the supply line for refueling? If the refueling stations need electricity to operate pumps, what is the plan?


Acknowledgment: This research was supported, in part, by funds from the members of the Cybersecurity at MIT Sloan (CAMS) consortium.

Planning for the Unexpected

We all understand that there are certain catastrophes that can reoccur, such as hurricanes or wildfires. But how do you prepare for a catastrophe that has never occurred before? We do not do well at addressing things that we have never seen before.

Consider what happened in 2017 when an area of Wyoming was hit by a strong windstorm that knocked down many large power lines. It took about a week to restore power due to heavy snow and frozen ground. Initially, water and sewage treatment continued due to backup generators. But the pumps that moved sewage from low-lying areas to the treatment plants on higher ground were not designed to have generators, since they could hold several days of waste. After three days with no power, they started backing up. The water then had to be cut off to prevent backed-up wastewater from getting into homes, and the town had to be evacuated. As a spokesperson for the Jackson Hole Mountain Resort said: “This will probably be the longest time that we have had to close in our history.” No one had anticipated such a scenario or sequence of events.

The Wyoming windstorm and the California fire threats provide cybersecurity researchers with real-life tests of what to expect when we don’t know what could happen. We haven’t faced a large-scale cyberattack. Based on conversations I have had with experts in the field, we are as unprepared for a major cyberattack as Wyoming was for the windstorm and California for the fire threat, regardless of whether you’re talking about the regional or city level, or the private sector. As Professor Lawrence Susskind, in MIT’s urban systems department, described it to me, “[In a cyberattack today] millions [of people] could be left with no electricity, no water, no public transportation, and no waste disposal for weeks (or even months).”

Weeks and months, as it happens, are good estimates for how long it could take to come back online after an attack on a utility. A cyberattack can disrupt a traditional computer system by manipulating the software or erasing data, but the physical computer is still intact, and with various degrees of effort, the software and data can be restored. But a cyberphysical system, such as a generator or similar computer-control equipment, can be destroyed—that is, made to explode. Repairing or replacing such systems can take weeks or even months, especially if many are destroyed at the same time, since spare systems and parts are usually scarce and often custom manufactured.

Evaluating Our Risk

Some have asked me why such a major cyberattack of this nature hasn’t already occurred. I believe there are three necessary conditions for one to happen: opportunity, capability, and motivation.

Opportunity: Too often factories and energy companies believe that if they are not directly connected to the internet, they are safe from attack. This is not the case. There are plenty of ways to “jump” that gap to launch a cyberattack, as the Iranians learned when their uranium enrichment facility was attacked by the computer worm Stuxnet. Relying on this method of “protection” has created opportunities and openings for attacks around the world.

Capability: Given that there may be ways to “get in,” do the attackers have the capability to do damage? There is also plenty of capability out there. Although much attention has focused on the major state actors, such as China, Russia, North Korea, and Iran, the reality is that an attacker does not need billions of dollars or thousands of people. As I sometimes say, “The good guys are getting better, but the bad guys are getting badder faster.” The tools to accomplish attacks are increasingly available on the Dark Web at decreasing costs, including cyberweapons stolen from NSA and the CIA. For example, the Ukraine power grid attack used spear phishing, industrial control, and disk-wiping techniques that were all readily available on the black market, many of them previously stolen from NSA.

Motivation: So far, motivation has been our major saving grace. What does the attacker gain by shutting down the power grid of another country? In the case of kinetic warfare (such as a missile attack), the possibility of retaliation acts as a strong deterrent. Satellites easily spot the origin of the missile, and retaliation is likely to soon follow. But those checks and balances do not work as well for cyberwarfare where plausible deniability—or even misdirecting the blame to someone else—is so easy. As the New York Times recently reported, “Groups linked to Russia’s intelligence agencies […] had recently been uncovered boring into the network of an elite Iranian hacking unit and attacking governments and private companies in the Middle East and Britain—hoping Tehran would be blamed for the havoc.”1 Relying on the lack of motivation and luck is not a safe way going forward.

How to Better Prepare

There are at least three problems with the way we have addressed such issues in the past that need to change:

Driving forward by looking through the rearview mirror: This is an old cliché but very appropriate. We usually focus our future actions in response to the last cyberattack. Although that helps prevent future reoccurrences, which is good, it does little to address the cyberattack that we have never seen before. In some bizarre cases, the attackers actually took advantage of what they knew their target had done to respond to their last cyberattack to make their next cyberattack even more effective. There needs to be visionary thinking: not just what has happened, but what could happen.

Getting overwhelmed by addressing the causes rather than the impacts: In trying to think about and prepare for new cyberattacks, we often start by thinking about how the cyberattack might originate. Instead, we should focus on what we can do to minimize the damage. Our cybersafety analysis method, developed with my colleague Shaharyar Khan, starts with a focus on what we are trying to prevent, and then what controls or facilities can minimize the possibility of that outcome. For example, as part of a cybersafety analysis of a company’s central utility system, our team determined that a relatively inexpensive relay costing about $6,000 could safeguard against a cyberattack targeting the automatic voltage regulator (AVR) of a generator. This upgrade would prevent $11 million worth of direct damage to the generator in addition to preventing subsequent outage damage of the cost of repairs and lost revenue. Of course, if many such generators were targeted at the same time, the resulting widespread power outage would be substantial and long term.

Not considering overlooked interdependencies and the unique properties of cyberphysical systems: Based on our past experiences, most people, especially engineers working with physical systems, assume independent failures. That is, there is of course some chance that generator #1, which is a mechanical device, will fail at some point. But it is unlikely that generator #2 will fail at the same time, and extremely unlikely that generators #1, #2, and #3 will fail at the same time, etc. Considering the physical properties, those assumptions are reasonable. But a cyberattack that destroys generator #1 can just as easily destroy all the others at the same time. Our emergency preparedness needs to not only take this into account but also plan for it.
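The independent-failure assumption above can be made concrete with a small reliability model. This is an added illustration, not from the article: the per-unit failure probability and the "common-cause" probability (a cyber event that hits every generator at once) are constructed values, and the model is a plain common-cause extension of the independent-failure calculation.

```python
"""Redundancy under independent vs. common-cause (cyber) failure.

Added illustration, not from the article: the generator counts and
failure probabilities below are constructed, and the common-cause term
is an assumption modelling a cyberattack that disables every unit at once.
"""
from typing import Optional


def p_all_fail_independent(p: float, n: int) -> float:
    """Probability that all n redundant units fail in the same period when
    failures are independent, each with failure probability p
    (the usual assumption for mechanical equipment)."""
    return p ** n


def p_all_fail_common_cause(p: float, n: int, q: float) -> float:
    """Same question, but with probability q per period of a common-cause
    event (a cyberattack) that takes out every unit regardless of n.
    Total loss = common-cause event, or no event and all units fail independently."""
    return q + (1.0 - q) * p ** n


def redundancy_needed(p: float, target: float, q: float = 0.0,
                      max_units: int = 20) -> Optional[int]:
    """Smallest number of redundant units whose total-loss probability is <= target.
    Returns None when no amount of redundancy reaches the target: the common-cause
    probability q is a floor that adding units cannot lower."""
    for n in range(1, max_units + 1):
        if p_all_fail_common_cause(p, n, q) <= target:
            return n
    return None


if __name__ == "__main__":
    # Constructed: 1% per-unit failure, 0.1% chance of a fleet-wide cyber event.
    p, q = 0.01, 0.001
    for n in (1, 2, 3):
        print(f"{n} unit(s): independent={p_all_fail_independent(p, n):.2e}, "
              f"with common cause={p_all_fail_common_cause(p, n, q):.2e}")
    # Independent model: two units suffice; common-cause model: the 2e-4 target is unreachable.
    print("units needed for 2e-4 (independent):", redundancy_needed(p, 2e-4))
    print("units needed for 2e-4 (with cyber common cause):", redundancy_needed(p, 2e-4, q))
```

The point the numbers make is the article's: a third generator takes the independent-failure estimate from one in ten thousand to one in a million, while under a fleet-wide cyber event the loss probability never drops below the attack probability itself.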

What We Risk by Not Imagining the Unknown

To illustrate the risks we face by not planning, consider again the California blackouts of 2019; 248 hospitals were in regions that lost power. “I can’t overemphasize the calamity that these events cause at the neighborhood level. Hundreds of health-care facilities don’t have backup generators,” said Jack Brouwer, an engineering professor and director of the National Fuel Cell Research Center at the University of California, Irvine. Referencing the deaths caused by previous wildfires in California, he said, “If you’re out of power for an hour, that’s fine, but for a couple of days—those lives count as much as those that would be lost in a fire.”

It’s time to imagine the unimaginable, and the California power outages have provided us with a small glimpse of what could happen if we don’t prepare. As we face increasingly global uncertainty and insecurity, we need more innovative and systems-level thinking—and a sense of urgency to mitigate the impact of a major cyberattack before it happens.

TAKEAWAYS

Our approach to cybersecurity must evolve to anticipate types of attacks we’ve never seen before—such as an attack on the power grid of a major metropolitan area. Recent disasters provide us a glimpse of what the unimaginable could be and show us how necessary it is to safeguard against it. There are at least three behaviors we need to change:

  • Driving forward by looking through the rearview mirror: Responding to the last cyberattack can help prevent future reoccurrences but does little to address an attack we’ve never seen before. Visionary thinking is needed.
  • Getting overwhelmed by addressing the causes rather than the impacts: Instead of focusing on how an attack might originate, we should concentrate on what we can do to minimize the damage that attacks cause.
  • Overlooking interdependencies and the unique properties of cyberphysical systems: Under normal circumstances redundant mechanical systems will break down at different times—but a cyberattack could cause a system and all its backups to fail simultaneously.

NOTE

  1. Matthew Rosenberg, Nicole Perlroth, and David E. Sanger, “ ‘Chaos Is the Point’: Russian Hackers and Trolls Grow Stealthier in 2020,” New York Times, January 10, 2020, https://www.nytimes.com/2020/01/10/us/politics/russia-hacking-disinformation-election.html.

Adapted from “How to Safeguard Against Cyberattacks on Utilities,” on hbr.org, January 23, 2020 (product #H05DAL).