Experts: Grid safe from big attack

Electrical-grid hacking scenarios mostly overlook engineering expertise.

The specter of a large-scale, destructive attack on the U.S. power grid is at the center of much strategic thinking about cybersecurity. For years, Americans have been warned by a bevy of would-be Cassandras in Congress, the administration and the press that hackers are poised to shut it down.

But in fact, the half-dozen security experts interviewed for this article agreed it’s virtually impossible for an online-only attack to cause a widespread or prolonged outage of the North American power grid. Even laying the groundwork for such a cyber operation could qualify as an act of war against the U.S. — a line that few nation-state-backed hacker crews would wish to cross.

None denied that determined hackers could penetrate the networks of bulk power providers. But there’s a huge gap between that and causing a civilization-ending sustained outage of the grid.

Electrical-grid hacking scenarios mostly overlook the engineering expertise necessary to intentionally cause harm to the grid, say experts knowledgeable about the power generators and high voltage transmission entities that constitute the backbone of the grid — what’s called the bulk power system.

There’s also the enormity of the grid and diversity of its equipment to consider. “The grid is designed to lose utilities all the time,” said Patrick Miller, founder and director of the Energy Sector Security Consortium. “I’m not trying to trivialize the situation, but you’re not really able to cause this nationwide cascading failure for any extended duration of time,” he added.

“It’s just not possible.”

ICS security in a nutshell

Controlling the boilers, fans, valves, switches and other mechanical devices that turn raw inputs and high-voltage transmission into flip-of-a-switch electricity is a class of computers known as industrial control systems (ICS). Supervisory control and data acquisition (SCADA) systems are one type of ICS.

ICSs aren’t general-purpose computers like desktops. At the level of direct control over electromechanical processes — via a device often classified as a programmable logic controller, or PLC — programming is mainly done in specialized languages on obscure operating systems. Even just accessing a PLC requires particular software. Hiding malware in field devices is difficult to impossible. Many of the devices “aren’t running multi-thread, multi-tasking operations like our laptops,” noted Chris Blask, chair of the Industrial Control System Information Sharing and Analysis Center.

And penetration is just a starting point. “Just hacking into the system, and even taking complete control of a computer or crashing a bunch of computers, won’t necessarily bring down the bulk electric system,” said Dale Peterson, founder of Digital Bond, an industrial control system cybersecurity consultancy.

For example, hackers could cause a SCADA system to crash, causing grid operators to lose system visibility — decidedly not a good thing. But the grid doesn’t need the SCADA system to continue operating. “There has to be an understanding that simply taking out the cyber assets doesn’t cause a blackout,” Peterson said.

What Project Aurora proved

Exhibit A in the cyber-Cassandra’s arsenal is Project Aurora, a Homeland Security Department test undertaken in 2007 at the Idaho National Laboratory. The object was to hack a working, 2.25-megawatt, grid-connected diesel power generator. Seeing on CNN the resulting grainy video of smoke pouring from the jolting 27-ton machine was the moment that convinced many their worst fears could come true.

Seven years later, however, Project Aurora’s status as a thunderclap of warning has been undermined by questions about the test and its real-life applicability.

“That was a contrived test in a contrived environment,” said Miller, also a former Western Electricity Coordinating Council manager of audits and investigation.

The Aurora attack consisted of rapidly opening and closing circuit breakers, knocking the generator out of phase with the grid — a state that engineers have long known causes physical damage through accumulation of excessive torque inside the generator’s spinning parts.

Even at the time, the odds of an Aurora attack occurring in the wild were very low, said David Whitehead, vice president of research and development at Schweitzer Engineering Laboratories, a power relay manufacturer. Whitehead participated in a mitigation working group formed after the test.

“There were a lot of ideal conditions that had to be in place before the actual rapid cycling and opening of a circuit breaker could occur,” he said. “For it to work, all the stars have to line up.” An Aurora attack is possible, he allowed — but “the probability of it happening in my lifetime is pretty small.”
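The rapid open/close cycling that Aurora depended on leaves a trace in breaker status events, which is something operators can alert on. The Python below is an added example, not code from the article or from any of the organizations it quotes; the event format, the one-second window and the two-cycle threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed breaker status events (timestamp, breaker id, state).
# The record format is an assumption for this example, not a real SCADA log.
SAMPLE_EVENTS = """\
2014-03-01T10:00:00.000 BRK-12 OPEN
2014-03-01T10:00:00.180 BRK-12 CLOSE
2014-03-01T10:00:00.420 BRK-12 OPEN
2014-03-01T10:00:00.610 BRK-12 CLOSE
2014-03-01T10:15:02.000 BRK-07 OPEN
2014-03-01T10:17:45.000 BRK-07 CLOSE
"""


@dataclass
class Event:
    ts: datetime
    breaker: str
    state: str


def parse_events(text):
    """Parse one 'timestamp breaker state' record per line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, breaker, state = line.split()
        events.append(Event(datetime.fromisoformat(ts), breaker, state))
    return events


def find_rapid_cycling(events, window_s=1.0, min_cycles=2):
    """Return {breaker: cycles} for breakers that complete at least
    min_cycles OPEN->CLOSE cycles within window_s seconds (assumed thresholds).
    A normal trip-and-reclose minutes apart (BRK-07) is not flagged."""
    by_breaker = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_breaker.setdefault(ev.breaker, []).append(ev)
    alerts = {}
    for breaker, evs in by_breaker.items():
        # Completion times of each OPEN -> CLOSE cycle for this breaker.
        recloses = [evs[i + 1].ts for i in range(len(evs) - 1)
                    if evs[i].state == "OPEN" and evs[i + 1].state == "CLOSE"]
        for i, start in enumerate(recloses):
            # Count cycles that finish inside the window opened by this one.
            count = sum(1 for t in recloses[i:]
                        if (t - start).total_seconds() <= window_s)
            if count >= min_cycles:
                alerts[breaker] = count  # report the first window that trips
                break
    return alerts
```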

Of course, it’s perfectly possible that other cyber-physical attacks await discovery. “I think it would be naive to think that there are no more,” said Perry Pederson, a former DHS Control Systems Security Program director who oversaw the test. But even the possible existence of additional vulnerabilities doesn’t necessarily mean the grid is highly vulnerable.

“I tend to think the grid is a little more robust than what we give it credit for. It’s not quite so fragile,” he added.

Is the grid rigged?

Undergirding the widespread perception of a power system fragile to hackers’ touch is a belief that foreign states have already penetrated the grid system and left behind malware ready for activation at any time.

It’s a statement that pushes the envelope of technical and geopolitical realities — although it’s not impossible. “I think the U.S. is doing it, I assume Russia is doing it, I assume China is doing it,” said Peterson, also a former National Security Agency official, although not here claiming any direct knowledge.

No such implanted code has been discovered, he acknowledged — at least, “not that I’m aware of, and it might not exist.”

Planting power-grid malware, as opposed to hacking for purposes of reconnaissance, also “comes too close, and may even cross, a threshold that no one has been willing to cross,” asserted cybersecurity strategic thinker Jim Lewis.

The electric grid will be a target for cyberattack during a future conflict, he said in a 2010 paper — but governments also have international norms of behavior to consider, and planting malware in a foreign nation’s grid could be considered an act of war.

Terror groups aren’t bound by international norms nor necessarily deterred by U.S. military might. But absence of an attack against the grid to date suggests to many that they lack the ability to launch one.

As seen in the movies

Hollywood hackers and hack authors love a digitally demolished grid. The media like it too, reporting, for example, that a 2007 power outage lasting two days in Brazil was the work of hackers. In fact, the outage was caused by sooty insulators on high voltage lines.

“Fear makes stuff happen, unfortunately,” said Pederson, the Aurora test program manager.

Fear also risks creating a backlash of complacency as the promised grid takedowns fail to materialize. And despite all the hubris, complacency still isn’t warranted. ICS devices increasingly resemble regular IT systems, with all the attendant benefits and vulnerabilities that represents. And as the smart grid takes shape, the number of entry points to the grid will increase.

That, plus the growing availability of cyber weapons for sale on the Internet, means the time to head off the possibility of a future attack is now, said Paul Stockton, until recently the Defense Department’s top homeland security official. “Industry is investing very, very heavily, and effectively, against both cyber and kinetic threats. I agree with the assessment that it would still be a major challenge for an adversary to successfully take down the electric grid,” he said. Nonetheless, stronger cybersecurity today will have a future payoff. If state or nonstate actors “lose hope that an attack can be successful, their incentive to invest in building up cyber weapons to launch such an attack diminishes,” he said.

“The sky isn’t falling. We don’t need to build a new sky, but the sky will fall eventually if we ignore it,” said ICS-ISAC’s Blask.