FBI, National Infrastructure Protection Center (2001-2002)
We've worked very closely with the North American Electric Reliability Council, which is the information sharing and analysis center for the electrical power industry. Is it possible to attack, from a cyber standpoint, electrical power systems and their Supervisory Control and Data Acquisition (SCADA) systems? Yes, it's possible. Is it possible to bring them down for substantial periods of time? I don't think anybody knows the answer to that.
We've worked really closely with them and the power grids are very redundant across the United States, to include Canada, such that the ability to do that nationally or even regionally is really hard to do based upon the work that we've done in the industry.
Does it mean that it's impossible? No. Does it mean that if you give it enough money, millions of dollars, and the right kind of people to do it, it can't be accomplished? No. But is it something that is easy? No.
Center for Strategic and International Studies
A lot of people focus on the power grid. You can get control of SCADA systems or whatever, you can burn out the big generators, you can cause cascading effects from one system to another.
When people say that you can bring down the electrical system with a few keystrokes, it's one of those exaggerations that tends to bother me a lot. First, there is no electrical system. There's a multitude of electrical companies that all work together. Two, they are networked in some way, but each one of them is sort of idiosyncratic in how they've put themselves together. They all have SCADA systems, but they've applied them differently. If you know how to get into one company, that doesn't mean necessarily you know how to get in another.
Of course, there's this assumption that a hacker's going to be able to get into a electrical company and take control without anyone noticing or trying to stop it. That's just silly. We know that electrical companies are a very popular target for hackers. There are thousands of attacks every year. None of them have ever resulted in a single blackout. And that makes me kind of skeptical about this whole thing. ...
Naval Postgraduate School
[Can the electrical grid be taken down by cyber tactics?] And why might that be a possibility?
It is certainly possible to disrupt electronic power flows by cyberspace-based means. I think one has to consider the various sorts of systems that regulate a great deal of the flows. Again, I would follow a philosophy of striking at the seams, which has to do with the automated sharing that's done between one part of our country and another. If it's very hot in one part of the country, and they need more air conditioning, electricity, a cooler part of the country will automatically share that. This is all software driven, and so any intrusion into that, and any resetting of commands can make a great mess of things.
Now, we have people responsible for protecting these, who spend all of their time, and they're very able people, and do a very good job of this. I think we have to recognize the fact that in the future, others will think of these systems as targets, and will develop skillful ways to try to intrude upon those systems.
But some people will say the electrical grid is a creature with many heads. There are lots of organizations. There are a lot of different districts. It's interconnected, but it's not really interconnected and that there's lots of protection between systems. Why are they wrong?
Well, I think that we do have a great deal of compartmentalization in our electronic infrastructure, the power grid system. At the same time, we have a variety of connections that run entirely through the system, and I believe any skillful attacker will look for an avenue of advance that takes them to the most interconnected areas of the power grid system.
That said, the attack doesn't have to be of a tremendous magnitude in order to have a great psychological effect. So there are many enclaves within the electronic power grid, small areas, cities, counties, even subdivisions that can be affected from time to time.
And so we shouldn't think in terms of the "I" bomb, that information bomb that has as much disruptive effect as a nuclear bomb. We need to think about the possibility of pinpoint attacks on areas, and perhaps persisting over some period of days or weeks that cause disruptions, that have economic, but I think also great psychological effect.
Deputy Secretary of Defense (1997-1999)
It [the electrical power grid going out] certainly is a theory that has a lot of currency in the security community. It was kind of a core element of Eligible Receiver, this exercise that we conducted with the Defense Department. And five years ago, it was shocking that that could happen. But over the last five years there's been a tremendous increase in awareness of the problem. There's been a lot of, I think, improvements in the community, probably not to the degree that's required. But I don't think it's like we haven't thought about this. And again, I think we tend to have this impression that computers are just silently running everything and there's nobody watching it, and if something goes haywire that we're just going to watch everything crash on the floor. I don't think that's the case.
I think that there are lots of ways in which you can grab control of the system, and I think that they're attuned to that. I think there's an awareness in the IT community now about security that wasn't there five years ago. So I don't discount it. It is certainly theoretically possible. But the cyber security awareness today is thousands of times stronger than it was five years ago when we first conducted Eligible Receiver. ...
Sandia National Laboratories
One of the things that Dick Clarke talks about when he defines the vulnerabilities that we have is that whenever government red teams are hired on to hack into systems, specifically electrical, power companies or systems, they always get in. What's the significance?
When we go after an electrical power system, electrical power provider for the critical infrastructures, we always penetrate that system. And we do that in a number of ways: through social engineering, through cyber means. What this points out is that there are a number of vulnerabilities that exist for a certain level of adversary. This doesn't mean that there's no security or that we can penetrate with the simplest means. It just means as a sophisticated adversary, as a national lab, we are eventually able to get in.
The fact that we're able to penetrate these systems all the time is significant in that it shows that industry isn't able to apply security mechanisms to their critical infrastructures. This is for a couple of reasons. Number one, they don't have a business case to apply that security, and the awareness is being raised now where they're starting to realize that this may be important.
In addition, it's difficult to apply security to an information system because we don't have the cyber engineering and cyber science to define that process. Our attempts at red teaming and through IORTA are an attempt to provide a tool to do that.
John Hamre and Jim Lewis, who works with him in the think tank, defined Eligible Receiver as basically only a game, that you really couldn't take the grid down, there's too many spokes to the system, that in reality it doesn't signify anything much. What's your comment on that?
I think that the effects on the electrical power system, as an example, are important in this debate over can a cyber attack have an effect or not. We've seen in the past that a simple branch falling on a power line took down the western states. This was a chance situation that took advantage of complexities of that system that the operators didn't understand.
I think that any malevolent attack with human intent behind it could have a much more damaging effect against a system than a branch falling on an electric power wire.
The Eligible Receiver scenario -- if that same operation was run today, could you repeat their successes?
We've looked at a number of electrical power systems, a number of electrical power infrastructure sectors, and we were able to postulate multiple effects given the vulnerabilities that we identified. Our goal is to improve those systems and stop the negative effects. We won't speculate on the broad consequences that we could achieve as a red team.
People say that the grid is a very complicated thing, that it's not one grid, it's multiple grids, lots of different systems. Is there a possibility, though, just to define it overall for us, that cascading effects through a system that is tied together could cause wider damage than one might expect?
If an adversary were trying to have a widespread effect on the electrical power grid, they'd have to be relatively sophisticated. These systems are engineered to be fault-tolerant by industry, and so it would take a lot of detailed work, a lot of sophistication and a coordinated attack. It is not easy to do.
But if that was a sophisticated opponent, could they do it?
A sophisticated opponent may be able to achieve these results, especially if industry doesn't take steps to secure their systems.
... Could your team, if you wanted to, take down the entire grid in the United States?
The IDART red team could demonstrate numerous vulnerabilities and system effects against U.S. critical infrastructure that are scenario-dependent and adversary-dependent, and we do this so that we can help improve the systems so that they can't be taken down in the future and a cyber Pearl Harbor won't affect the U.S. infrastructures.
But could you if you wanted to?
I won't answer that question. ...
Worst-case scenario. Joe Weiss says you could cause the loss of power in America for a period of about six months. What's your comment on that? Now here's a guy who knows SCADA systems. He's an engineer, he's been at this a long time
I think it's highly unlikely that there could be a cyber attack on the U.S. electric power grid that could take it down for extended periods. We have a lot of good people working those systems that have built in robustness and fault-tolerant measures. A cyber attack can only have limited consequences, and I don't believe that they could go down for a long period of time. They could go down for minutes and possibly for days.
But look what we did in Sept. 11 and the response to that particular attack. We had an outpouring of support and help and response from people that were intending to respond and those that weren't. If we had an attack on the electrical power grid, I believe that we would respond quickly to remedy that situation.
President, Cyber Defense Agency
What I fear is a campaign that holds down the entire power grid for a long period of time. You bring down the power grid, you bring down every other infrastructure. You bring down water. You bring down transportation. And once you do that, the whole fabric of our society is decayed significantly. And it's not clear how we, as a society, would survive a two-month downtime of our power grid. That would be a significant event. That is the nightmare scenario that I am worried about.
Why is that even a possibility to think about?
If you think about the degree to which we depend on our computers, both in the operation of our systems like power, and in the design of the systems like power, in the design of the systems which design those systems, you'll see that, if you go back far enough, and if you think about this deeply enough, and you figure out how we actually operate things, it's possible, if you have enough time, if you go back in time far enough, that you can do these things.
Now, I don't know for a fact that one can do these things. Nobody has developed the scientific case for it. That's part of the problem. That's part of what we're concerned about is that the full nature of the threat has not yet been identified. And we think this is an important and urgent problem to do. But a number of us who have seen accidental failures within these systems extrapolate those failures forward and believe that it's possible to mount attacks that are pretty serious.
Dick Clarke and other people who talked to us say, "All right, yeah, it's possible to bring down part of the electrical grid for a day or two. It's not possible to take it down for a couple of weeks or a couple of months. That's just unrealistic."
I strongly believe that it's possible because we've seen it happen in the small failure scenarios as opposed to the intentional attack scenarios. I think one of the things that we did in our letter to the president was to run through a scenario. And what we used was failures that have happened. For example, the Pacific Northwest grid failed for reasons that had to do with errors in how it was operated and lack of understanding of how our systems actually work. If you take a look at these failures, any failure that can happen can be induced. And if you actually do it intentionally, you can probably do it to a much larger level than it actually happened. So we believe, very strongly, it's possible.
So you bring down the entire grid in North America? It's a possibility because everything is interconnected?
Yes. The way the power system works today is that if a piece of our power grid goes down, you use the neighboring power grids to provide enough power in order to bring the generators back up again. Well, if the neighboring power grid is down, how do you do that? So, if you bring down the entire power grid simultaneously, you're going to have to bootstrap the entire system, from the smallest generators get enough power somewhere working to boot the next piece of the power grid, which can be used to then get the next piece of the power grid back up again. And nobody knows how to do that.
My guess is that it's doable, but it's going to be very, very hard to do because we're going to have to figure out how to engineer that answer when it happens to us, as opposed to now.
Presidential Adviser for Cyberspace Security (2001-2003)
The idea being pushed now is having a single market design to nationalize the power grid. Does that worry you? Does that create more security problems or less?
Right now our electric power companies, both the generating companies, and the distribution companies, have paid very little attention to security in cyberspace. It took them a long time to even admit that they were connected to the Internet. Now they know that they are. And now they also know that they're running a control software, SCADA, that is available to our enemies, because it's software that's sold around the world. They are beginning to understand that they need to have security. And the Federal Electric Regulatory Commission is beginning to understand that it needs to regulate that in order to create an even playing field.
In this one case, I think, federal regulation makes sense, because without it, these electric power companies are not going to pay attention to security.
So, what would you suggest?
I'd suggest the Federal Electric Regulatory Commission create an even standard for all power-generating companies, and all power distribution companies, and a high standard that's achieved in several steps over the course of the next several years.
With what results?
Well, I think, SCADA systems need to be encrypted. People who have access to them need to do authentication so that we have a high level of authentication so that no one else can get in unless they're authorized. And we have a high level of encryption so that if somebody does get in, they can't change the system.
But, we also need to make sure that our control signals, the signals that we send out over the electric power grid, are not sent and clear, they're not broadcast on radio, but they're on fiber optic cables that are not connected to the Internet, and the messages are encrypted.
home :introduction : interviews : experts' answers : faqs : vulnerabilities : warnings?
discussion : readings & links : maps : producer's chat
FRONTLINE : wgbh : pbsi
published apr. 24, 2003
background photograph copyright © photodisc
web site copyright 1995-2013 WGBH educational foundation