The timing couldn’t have been more striking. The night before last I finished reading Ted Koppel’s 2015 book Lights Out, which warns us of the risk of cyberattacks on the U.S. power grid, and then yesterday news came out that Russian hackers had apparently attempted to infiltrate the computer network of a small Vermont utility company—presumably to gain access to the electric grid.
Now on this last day of 2016 I’m inspired to reflect on this concern and what it portends about the need to ramp up our focus on resilience.
Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath, probably wasn’t the best book to be reading in bed each night over the past few weeks (relative to restful sleep), but it covers a topic that all of us—especially policymakers—should become familiar with. Veteran reporter and newscaster Ted Koppel provides an exhaustive review of the vulnerability of our power grid to cyberattacks and what a widespread power outage would do to us.
The book’s scenario is pretty scary: savvy computer hackers could break into the antiquated computer systems that manage our electrical grid. Once inside that network, they could create power outages across huge swaths of the nation that last for weeks or even months.
Such actions could be carried out by a rogue nation like Iran that wants to impart damage to us and our economy, or it could come from a lonely outcast living in a basement apartment in his mother’s house who feels picked on by society and wants revenge. We’ve had our share of high-profile loners like that in recent years with their mass killings in schools and movie theaters, but similar anger could be expressed, suggests Koppel, in a far more extensive manner by taking down the power grid.
Lights Out describes just what could result from such a cyberattack—and it isn’t pretty. Unlike natural disasters, a grid collapse could extend over a far wider region. With a storm or earthquake, the Federal Government, though the Federal Emergency Management Agency (FEMA) and the military, could fairly quickly come to the rescue—bringing in generators, supplying food and water, and deploying troops to prevent looting and maintain order.
With a widespread power outage lasting weeks, most towns and cities would be largely on their own. Critical supplies would very quickly run out. Koppel quotes Jerome Hauer, who had served in the 1990s as New York City’s director of emergency management and then served until early-2015 as the New York State commissioner of homeland security and emergency services, about how vulnerable a city like New York would be to an extended power outage.
Consider food—just one of the challenges the City would face: “Without federal assistance, Hauer said, New York City ‘could probably last for two days.’” Store shelves would empty out within a matter of hours. The City warehouses millions of meals ready to eat (MREs), but with a population of 8 million, those meals wouldn’t go very far.
Disaster relief agencies are fairly well positioned to deal with isolated natural disasters, such as a Hurricane Katrina or Superstorm Sandy, but a widespread power outage would wreak havoc. Koppel paints a pretty scary picture and describes a near-universal unwillingness to address such a glaring vulnerability.
Lights Out quotes extensively from George Cotter, a former chief scientist at the National Security Agency. In an April 2015 white paper, quoted in the book, Cotter wrote:
With adversaries’ malware in the national grid, the nation has little or no chance of withstanding a major cyberattack on the North American electrical system. Incredibly weak cybersecurity standards with a wide-open communications and network fabric virtually guarantees success to major nation-states and competent hacktivists. This [electric power] industry is simply unrealistic in believing in the resiliency of this Grid subject to a sophisticated attack. When such an attack occurs, make no mistake, there will be major loss of life and serious crippling of National Security capabilities.
Even communicating to the public, during such an emergency, would be next to impossible. Notes Koppel: “It would be the ultimate irony if the most connected, the most media-saturated population in history failed to disseminate the most elementary survival plan until the power was out and it no longer had the capacity to do so.”
It was with this context that I read the news about the effort to gain access to Burlington Electric’s network. According to an article in this morning’s New York Times, a maleware code that has been linked to Russian hackers was found on a laptop computer at Burlington Electric, a small municipal utility company in my state of Vermont that is part of ISO New England—the system that manages electricity distribution throughout the Northeast.
Apparently, this is the same maleware code—referred to as Grizzly Steppe—that has been linked to recent Russian hacking of Democratic e-mails during the 2016 presidential elections. The maleware was found on a laptop computer that was not connected to the electric grid, but the implication is that it easily could have been. The situation garnered national attention and should serve as a wake-up call.
Missing in Lights Out
While Lights Out has played an important role in alerting us to this huge vulnerability—and I’m guessing that sales will increase in light of the Burlington Electric hacking—I was struck by the lost opportunity for addressing how to achieve greater resilience to such cyberattacks. There is extensive discussion in the book about the Mormon response to disasters, including food storage and distribution, but little beyond that.
Koppel quotes Howard Schmidt, the former cybersecurity coordinator for the Obama Administration, saying, essentially, that the public is helpless. “There’s nothing I can do that can protect me if the rest of the system falters,” according to Schmidt.
Actually, there is a lot we can do. We can store food in our homes, as I argued in this 2015 blog—which recommended keeping a six-week supply on hand and rotating through that food inventory to keep it fresh. We can keep our homes reasonably safe during extended power outages through the design strategy of “passive survivabililty,” an idea that the Resilient Design Institute has been championing since its founding in 2012, and that I’ve been writing about that since 2015, following Hurricane Katrina.
Perhaps most importantly, we can work to build stronger communities—with our immediate neighbors and within our larger circles of friends and family. During an extended, widespread power outage, communities will have to self-organize and help themselves. We can start preparing for that today by getting to know our neighbors.
To understand why this is so important, get hold of a copy of Lights Out.
# # # # #
Along with founding the Resilient Design Institute in 2012, Alex is founder of BuildingGreen, Inc. To keep up with his latest articles and musings, you can sign up for his Twitter feed. To receive e-mail notices of new blogs, sign up at the top of the page.