In his recently published book, John Farley dives deep into the hacker underworld to provide insight into the ways cyber attacks are carried out and the strategies corporate leaders can implement to protect their most valuable data assets. Click here to purchase Farley’s book from Amazon.com.
Farley, who is VP of Cyber Risk Management at HUB International Northeast, is one of the panelists at the NetDiligence Forum next month. He will share his insights during the session titled: “Cross-Sector Cascading Effects Caused by Cyber Events in the Power and Energy Sectors.”
People have said Farley provides “frightening insight into the ways hackers operate,” and that his book “should be read by every security and IT specialist” in the cyber risk field.
Here’s an excerpt in which he discusses the utility sector:
As far as public records show, the utility sector has not had nearly as many cyber attacks as other sectors, such as health care, retail, and financial services. However, the number of attacks, or attempted attacks, may be greater than we think. The nature of network-security incidents and the data that may have been compromised may determine what the affected organization is legally obligated to reveal publicly. For example, an attack on critical infrastructure may not affect personally identifiable information, and there may not be a legal obligation to notify anyone. However, a successful attack could be far-reaching and perhaps catastrophic for the public at large.
Consider a quote from the Department of Energy’s 2016 report on the state of the cybersecurity of our power grids: “Widespread disruption of electric service because of a transmission failure initiated by a cyberattack at various points of entry could undermine US lifeline networks, critical defense infrastructure, and much of the economy; it could also endanger the health and safety of millions of citizens…Also, natural gas plays an increasingly important role as fuel for the nation’s electricity system; a gas pipeline outage or malfunction due to a cyberattack could affect not only pipeline and related infrastructures, but also the reliability of the nation’s electricity system.” (Click here for the original source.)
Ted Koppel wrote about these vulnerabilities in frightening detail in his best-selling book Lights Out. He describes that since the time that our power industry was deregulated over forty years ago, thousands of small privately owned companies are transmitting power from the power source to the end user. It is doubtful that these companies have significant resources to fend off a sophisticated cyberattack. Their activities are coordinated by supervisory control and data acquisition (SCADA) systems. They can help balance supply and demand in different parts of the country, as power demand rises and lowers in specific geographic regions. Koppel raised the question of SCADA itself being vulnerable to cyberattack, which could literally knock out power to vast areas. Compounding the cyber threat to the power grids is the fact that its proper operation depends on large power transformers. The main concern is how difficult they are to replace if physically destroyed. Each one has a customized design, they are mostly made overseas and are extremely difficult to transport, weighing four hundred thousand to six hundred thousand pounds. It is estimated that it would take over a year to replace one. Consider a cyberattack on SCADA and the independent companies transmitting power in conjunction with a physical attack on the transformers, and it is feasible that a significant power outage could in fact happen.
Koppel not only described how the power grids are susceptible to cyberattack but also revealed just how unprepared both individuals and our government are to deal with a lengthy power outage. If millions of people across a vast geography were without power for several weeks or months, chaos would ensue. No heating or refrigeration, no sewage, no food or medical care over a several-month period could lead not only to economic collapse but the death of all but a small minority of people affected by the outage.
Koppel is careful not to create the impression that an attack on our power grids is easy or even likely to happen, but his research seems to provide proof that it is entirely possible. After Lights Out was published, we saw a cyberattack actually take out Ukraine’s power grid. Investigators determined that the outage was in fact caused by a cyberattack and concluded that malware known as Black Energy was used to carry out the successful attack. Power went out for only half a day, but it seems to prove that Koppel is on to something and that we can expect future power-grid attacks to happen in the future.
We could devote several pages in this book on how to prepare for such a cataclysmic event. However, the reality is that most organizations would not follow anything close to that plan. The few that did would have their best laid disaster plans trampled on by a crazed and desperate majority that did not, and would surely lose the fight for whatever precious resources remain.