
Lights Out


by Ted Koppel


  Those charged most directly with protecting the nation’s security are ambivalent about the actual danger of an EMP attack. Janet Napolitano, the former secretary of homeland security, all but dismissed the threat. “You know, if I had to rack and stack the most likely risks that we were dealing with,” she told me, “I would not put that [an EMP attack] in the top, certainly not in the top ten threats to our infrastructure.”

  Meanwhile, as noted, NORAD and the nation’s Northern Command are moving their most sensitive communications equipment to a bunker below Cheyenne Mountain. Conflicting risk assessments among our national leaders and foremost experts will become a recurring theme.

  3

  Regulation Gridlock

  It’s Congress screwing around that you should be mad at.

  — SENATOR JOHN D. ROCKEFELLER IV

  One hot summer afternoon in August 2003, a high-voltage power line in northern Ohio brushed against some overgrown trees and shut down. Sagging power lines, softened by a combination of weather and high current, are a common enough occurrence, and ordinarily the problem would have tripped an alarm. On this occasion the system failed.

  As system operators struggled to diagnose the problem, three other lines failed in the same way, forcing the surrounding grid to take on additional current. In just an hour and a half these overburdened lines fell like dominoes, resulting in the largest blackout in North American history. Fifty million people lost power for up to two days in an area that spanned southeastern Canada and eight northeastern states. Eleven deaths were attributed to the outage, and repairs cost an estimated $6 billion.

  A U.S.-Canadian task force, headed by senior advisors to the U.S. Department of Energy (DOE)—the chairman of the Federal Energy Regulatory Commission and the Department of Natural Resources, Canada—and chaired by the U.S. secretary of energy and the Canadian minister of natural resources, was established to investigate the blackout. It found that a number of parties had failed to adhere to industry standards. That bland, bureaucratic phrase, “failure to adhere to the industry’s standards,” drew critical attention to the embarrassing fact that in 2003 the electric power industry’s standards were entirely voluntary. Companies that chose to ignore them were entirely free to do so. The U.S.-Canadian task force recommended the implementation of mandatory standards; we’ll look at the mixed results of that recommendation a little further on. It also unexpectedly focused particular attention on a new, seemingly unrelated weakness. The grid, the task force found, was vulnerable to a malicious cyberattack.

  It was a remarkably prescient conclusion, considering that the blackout of 2003 was in no way the result of a cyberattack. Following a three-year investigation of North America’s most devastating power outage ever, the task force was warning that hackers could inflict even greater and longer-lasting damage. The industry took note and has since taken modest steps toward accepting mandatory cybersecurity standards. However, this is not an industry that easily embraces external mandates of any kind.

  Imagine if an enemy of this country had crafted a system exposing the United States to the most devastating attack in its history. We may already have done a better job of inadvertently designing just such a system ourselves, sowing the seeds of our own downfall more effectively than any enemy of ours could have done. The federal agencies best equipped to monitor infrastructure for signs of cyberattack are precluded from doing so by laws that were designed to preserve privacy. Where there are breaches of infrastructure security, corporations are protected by law against any mandate to share that information with competitors or the federal government. The Obama White House has pushed the notion of information sharing by private industry as essential to deterring cyberattacks; business interests have countered by stressing liability concerns. There is, quite simply, an unavoidable tension between industry’s insistence that it be allowed to operate within a free enterprise system and government’s responsibility to develop high standards of safety and security for what may be the nation’s single most critical piece of infrastructure. This tension has resulted, in the electric power industry, in a high-stakes duel between corporations and government regulators, the consequences of which are cybersecurity regulations so patchwork and inadequate as to be one of the chief sources of the grid’s vulnerability.

  The vast majority of electric power companies are privately owned. This has always been true, but a generation or so ago, that majority was made up of relatively few companies. In a model known as vertical integration, these companies owned the plants that generated the power, and they also owned the transmission facilities and the equipment that ultimately delivered the electricity to schools, businesses, hospitals, and homes. The managers of these industries had to be equally invested in securing the equipment that generated the power, safeguarding the transformers and lines that transported it, and protecting the hardware that delivered it to their consumers. Electricity was, then as now, generated by a variety of means, including nuclear, coal, natural gas, and hydro; whatever the energy source, the business model was essentially that of a monopoly, whose interests demanded attention to every aspect of the system.

  Slowly, in one state after another, that system has given way to one characterized by limited competition. Now, power is often generated in one location by one company, fed over a separately managed transmission network (often overseen by either a regional transmission organization [RTO] or an independent system operator [ISO]), and ultimately passed on to yet another company for final delivery to the consumer. The consumer has no relationship with the companies that generate electricity or those that transmit it at top efficiency across vast distances. The consumer deals directly only with the local company that delivers the electricity on that final leg. The fact that there are now so many companies competing up and down the line is, of course, what produces a more aggressive marketplace, which works to the advantage of the consumer. That’s the good news.

  Because the system’s maintenance and protection reside in so many different hands, though, and because its complexity has made each player more dependent on computerized control systems, the grid is also more vulnerable than it used to be. New forms of interconnections between and among firms create new pathways through which malicious cyberattacks may travel. Security and day-to-day reliability become a shared responsibility, and as with any other chain, the electric power grid may only be as strong as its weakest link. Leaders in the industry will argue that they have invested enormous resources in protecting their infrastructure, and they have. But smaller companies with lean profit margins are simply not inclined to spend a great deal on cybersecurity. The weakest links in this system tend to be the smaller companies with the poorest security and maintenance practices.

  General Keith Alexander, who retired as director of the National Security Agency (NSA) in 2014, explained the issue as a simple cost/benefit ratio. “Your small and medium-sized companies cannot afford a world-class cyber threat team,” he said. Major corporations might have “world-class” teams, but “you go to a small bank and they say, ‘I can’t afford that. I’m trying to make it through next week, and you want me to buy some cyber guy Google is trying to pay? I can’t do that.’ ” This presents a particularly serious problem within the power industry because of the interconnectedness of the grid. “If you bring down the small [companies] in the right order,” Alexander explained, it could initiate a domino-like “cascade effect.” Cascading outages could compromise the systems of larger companies, quickly threatening the entire network. “It’s not that they’re bad,” he said of less well-defended companies. “It’s just that they don’t have the infrastructure, the resources to do what actually needs to be done.”

  One might assume that the federal government, in the interest of safeguarding what is arguably the most critical infrastructure network in the country, can simply impose security and maintenance standards on the industry. But at present it cannot.

  The grid has been operating according to reliability standards since the 1960s, but until 2003 those standards were established by the industry’s own membership and compliance was entirely voluntary. There was the impression of oversight, but this was an illusion. Until 2003 the industry’s coordinating body, the North American Electric Reliability Corporation (NERC), merely suggested standards to its membership. No sanctions were imposed on companies that ignored them.

  The August 2003 blackout was a wake-up call for both industry and government regulators. What ultimately emerged, though, still amounts to a lot less than effective oversight of the electric power industry. Regulations that were once optional are now mandatory. That’s a significant change, but the industry continues to have the last word on which of the regulations put forward for the governance of its conduct it is prepared to accept. The Federal Energy Regulatory Commission can and does propose regulations for the industry. But each of those proposals has to be put to a vote by the NERC membership, which represents the entire industry. Since each regulation proposed by FERC requires approval by two-thirds of NERC’s members—large and small, major corporations and those with tighter budgets—the system is not designed to generate the most rigorous standards.

  Only when the industry has shaped and polished the regulations that will govern its behavior is FERC finally empowered to enforce the rules that emerge. NERC has an enforcement capacity as well, but in 2013 it levied only $5 million in penalties against utilities failing to meet mandatory defense standards. In 2014 the sum of all penalties dropped to less than $4 million. To provide context, in August 2013 the industry’s 3,200 utilities sold $400 billion worth of electricity; penalties added up to less than 0.001 percent of gross revenues. Those wishing to view the glass as half full will point out that electric power is one of the few infrastructure sectors where mandatory cybersecurity regulations of any kind have been established. However, when all is said and done, FERC is merely enforcing regulations that it may have proposed but which the industry itself has modified to meet its own interests.

  Then, too, there is FERC’s limited jurisdiction. American democracy rests on a foundation of competing tensions among local, state, and federal laws, and laws governing the electric power industry reflect those tensions. The nationwide transmission of electricity along high-voltage power lines is subject to federal regulations, enforced by FERC. Once the electricity has been conveyed from the generating facility to its ultimate point of distribution, though, it is no longer under federal jurisdiction. To be clear: while electricity is being conveyed across the country at maximum efficiency, the process is subject to federal regulations. Once it’s handed off to the local companies that transmit electricity to the local consumers, no federal regulations apply. At that point, it’s under state authority—fifty different jurisdictions, in which regulations focus almost exclusively on the financial side of the business. The state commissions that govern those local companies control the rates that local utilities can charge, but many of them pay scant attention to issues of grid security. Yet security standards are legislated as a state-by-state responsibility, and the industry has taken the position that any state law insisting that the industry itself bear that liability, from the point of generating electricity up to and including the point of delivery to the consumer, would conflict with federal law. Once the electricity gets to its actual point of distribution, the industry argues, any federal laws governing the industry no longer apply.

  To say that this loophole sticks in George R. Cotter’s craw is to understate his passion. His expertise on the vulnerabilities of the electric power industry comes from a lifetime’s experience within the National Security Agency, in which he served as chief of staff, as chief scientist, and twice as head of its technology division.

  Cotter fumes at what he regards as the idiocy of the regulations enforcing the security of the electric power industry. The final leg of the system, Cotter explained, everywhere that electricity is actually delivered to consumers, is not covered by federal security regulations, and the industry wants to keep it that way. “Most of the critical infrastructure is in urban areas. Entire national security establishments are not covered by the law or by NERC.” Of his old NSA headquarters, he noted that while the agency itself is protected, “the electric power coming into the agency is not.” When asked about the chances of industry supporting a national set of standards, Cotter was pessimistic. “They view deregulation as far more important than cybersecurity protection for their facilities,” he said, echoing Keith Alexander’s business-first explanation. “They’ve taken a very strong position on this with FERC, that the communications and networks that interconnect all of this are not covered by the standards.”

  Congressman James Langevin, a Democrat from Rhode Island, is cofounder and cochair of the Congressional Cybersecurity Caucus. He sits on both the House Armed Services Committee and the House Intelligence Committee. What keeps him up at night is the fear of an attack on critical infrastructure and the inadequacy of current security measures. He knows how firmly the security of the electric industrial grid is in the hands of the private sector. “Nobody’s in charge there, nobody has responsibility, nor can anybody require that they do work. One would think that FERC could direct and require more cybersecurity be employed by the owners and operators of the electric grid. They do not.”

  Former senator John D. Rockefeller IV (D-W.Va.), who has served as chairman of both the Senate Commerce and Intelligence Committees, has similarly given up hope of enforcing tough security measures on the electric power industry. There was a time, he told me, when he could count on the support of a number of senior Senate Republicans. “Then all of a sudden comes the Chamber of Commerce in 2011 and some lobbyist goes back there and says, ‘We gotta shut this thing down…overregulation, heavy-handed government, et cetera.’ ”

  “What were they afraid of?” I asked.

  “They were afraid,” said Rockefeller, “of having to spend money that they couldn’t prove to themselves they would actually need to spend.”

  Rockefeller was wistful about the level of bipartisanship that existed before the Chamber of Commerce intervened. He ticked off the Republicans: Kay Bailey Hutchison, John McCain, Olympia Snowe, Susan Collins, Joe Lieberman. They would meet in a secure room at the U.S. Capitol Visitor Center. “We had so many meetings with so much braid. There would be this mass of generals and admirals, all saying, as Mike McConnell [then director of national intelligence] said: ‘For the record, if we were attacked, we would lose.’ ”

  “He was talking about cyberattack?” I asked.

  “Yes,” said Rockefeller.

  4

  Attack Surfaces

  Here’s that password.

  — HACKER AT BLACK HAT CONFERENCE

  It is not easy to convey how and why the electric power grid is so surpassingly vulnerable to cyberattack. First we must understand a little more about the exchange and conveyance of electricity. As discussed, deregulation of the electric power industry broke up the old, vertically integrated monopolies. Whereas those companies generated the electricity, sent it across great distances along high-voltage transmission lines, and then distributed that electricity to the consumers, now different companies are responsible for different phases of the process. The company that distributes electricity in one community, for example, can buy power from a number of companies generating electricity in other parts of the country. Breaking up the industry into a marketplace of interconnected parts introduced competition, which lowered prices. It also increased the system’s vulnerability to cyber intrusion.

  With apologies to what is an infinitely more complex and sophisticated industry, imagine a giant balloon attached to a thousand different valves. Some of the valves introduce air into the balloon, while others extract it. Take too much air out and the balloon collapses. Put too much in and it explodes. Now imagine a computerized system that keeps it all in balance, so that the balloon remains perfectly inflated. That’s a very crude analogue to the system that keeps the electric power industry in balance. If you could hack into that computerized system and throw supply and demand out of balance, it could have devastating consequences.

  These days, Richard A. Clarke is chairman of Good Harbor Security Risk Management, a Washington, D.C., firm that offers advice on cybersecurity. In 1998 President Bill Clinton named Clarke national coordinator for security infrastructure protection and counterterrorism. He remained at the White House in the same role under President George W. Bush, eventually becoming special advisor to the president on cybersecurity. I turned to Clarke because he is particularly adept at reducing complex technical issues into layman’s language. “So it’s winter,” said Clarke, “and Chicago needs more electricity” between the hours of, say, 2:00 and 5:00 p.m. “Florida Power and Light, which has more capacity than it needs in the winter, says, ‘I can provide it and here’s how much I’ll charge.’ ” Assume that Florida Power and Light has offered the best deal, to the advantage of consumers in Chicago. But now that electricity has to get from Florida to Chicago, and pathways are limited. Communities are inclined to object to the presence of high-tension wires near people’s homes. Because of what’s come to be known as the NIMBY (not in my backyard) factor, there are relatively few high-power transmission lines in key locations around the country.

  Clarke likes to compare those high-power transmission towers and cables to a rail line. It’s an analogy that shouldn’t be taken too literally, other experts have cautioned, but it is helpful in underscoring the fact that the conveyance of electricity along those transmission lines has to be scheduled. In our theoretical deal, Florida Power and Light has agreed to dump power onto the grid between two and five in the afternoon. The difference between trains and electricity is that electricity isn’t conveyed directly from point A to point B. The electricity leaving Florida probably won’t be delivered to Chicago. It’s all about maximum efficiency and maintaining overall balance between demand and supply throughout the system. To coordinate this, the industry has set up regional authorities, the regional transmission organizations and independent system operators, which monitor “traffic” to ensure that no transmission lines in their area become overburdened.

 
