SAN FRANCISCO — Don't believe the hype. Hackers cannot easily take down the North American electrical grid to cause massive blackouts, despite numerous news stories, magazine articles and books claiming that they can, a cybersecurity expert told last week's RSA Conference.
"There are lots of misunderstandings about threats to the electric grid," said Selena Larson, an intelligence analyst at Maryland cybersecurity firm Dragos and a former CNN reporter. "The reality is that a destructive incident at one site would require highly tailored [malware] tools and operations, and would not effectively scale."
That's because U.S. power plants use different makes and models of hardware and software, are often at least partly isolated from the internet and from each other, and have already undergone a fair degree of hardening against cyberattacks. There's very little chance that a single hacker or group of hackers could knock out the power across a large swath of North America at once.
Those inconvenient facts haven't prevented journalists and writers from penning what Larson deemed needlessly alarming stories. One July 2018 opinion piece in The New York Times entitled "To Hackers, We're Bambi in the Woods" began with a nightmare scenario of an America thrown back to the Stone Age by a cyberattack that kills the power, stops the trains, empties bank accounts and opens literal floodgates.
Later that same month, The Wall Street Journal ran a story called "Russian Hackers Reach U.S. Utility Control Rooms, Homeland Security Officials Say," lending credence to the nightmare scenario. But it was incorrectly reported — it was based on old information that had been revisited in a DHS presentation.
Larson didn't mention "Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath," a best-selling 2015 book by former ABC News anchor Ted Koppel.
"A well-designed attack on just one of the nation's three electric power grids could cripple much of our infrastructure — and in the age of cyberwarfare, a laptop has become the only necessary weapon," reads the jacket blurb following another apocalyptic scenario of a months-long blackout leading to societal collapse.
The truth is that Russian hackers do try to get into American power plants, but so far they've only seemed to be performing reconnaissance, Larson said. Destructive malware has infected the office networks of some power companies, but the companies weren't specifically targeted, and the malware didn't cross over into plant operations.
"A ransomware infection at the financial-services division of an electric utility doesn't automatically translate to a blackout," Larson said.
While most state-sponsored hacker groups targeting power plants and other industrial-control systems only gather information, two others have gone further, Larson said. Those were the Electrum group, which used malware dubbed CrashOverride to take down a Ukrainian power plant in 2016, and the Trisis group, which infected the safety systems at a Saudi petrochemical plant in 2017.
Both attacks have been attributed to Russian state-sponsored hackers, and the Saudi-plant attack led another presenter at RSA 2019 to conclude that cyberattacks would soon kill people, either deliberately or accidentally.
But as Dragos founder and CEO Robert M. Lee stated in a 2017 blog posting describing the CrashOverride malware, "the public must understand that the outages could be in hours or days, not weeks or months."
Lee said that Dragos had "high confidence" that the CrashOverride hackers were the same group that had targeted U.S. and European infrastructure companies in 2014. CrashOverride also contained modules to "delete files and processes off of the running systems" in order to sabotage computer systems.
Larson said, however, that the CrashOverride creators had spent months or years planning the attack, and that the malware was specifically designed for that power plant. The attacks couldn't easily scale across the world, or even across Ukraine.
There are true cyberattack threats out there, Larson added. For example, the Russian NotPetya ransomware worm in June 2017 cost the Maersk shipping line an estimated $200 million, and FedEx an estimated $300 million. The North Korean WannaCry attack the previous month crippled hospital computer systems in Europe and North America.
But in terms of the North American power grid, small animals such as squirrels, cats and raccoons are a much larger threat than hackers, and have caused hundreds of localized blackouts, Larson said. That mundane detail doesn't sell books.
The public should be reassured, she added, that the North American power grid (there are in fact three grids) has always been engineered to limit both the duration and the geographic reach of blackouts, and that there's no single power switch that can turn it all off.
"The truth is that the North American electric grid is resilient and segmented," Larson said.