
Here in the United States, we take a lot for granted. We always assume that things are going to be available when we either expect them or want them to be. In other words, we live in an on-demand society (in fact, very similar to a Cloud-based structure).

If we don’t get it right when we want it, we get upset, and even throw a little bit of a temper tantrum.  I have experienced this a number of times myself this week but learned that being patient is a huge key to success.

So, now let us paint a little picture with the background I have just established. Just imagine one morning you wake up, and you turn on the lights to start your day and get ready for work. The only problem is that there is no light.

So, you think it is a bulb that is burnt out, you replace it, and still no lights. Now, you go to your other devices to see if they are working, namely your Smartphone and computer.

But now you discover that they are not working either. Frantically, you look outside your window to see if your neighbors have been impacted. And most certainly, yes, they have been impacted. So, in that frantic state, you try somehow to call your electrical company (ComEd maybe??) to report the power outage, but the only problem is that you can’t – your Smartphone is dead.

But here is something that you probably did not think about – the outage that you and your neighborhood are facing is not just some temporary power loss – rather, it is a long-term blackout, and the main cause of it was, believe it or not, a Cyberattack.

Because of that, nobody knows what the real culprit of it was, or how long it will take to restore power. Worse yet, there is really no way to communicate – the entire society as a whole is completely paralyzed.

But, it’s not just your place of residence that has been impacted.  Everything that relies on this electrical power has come to a grinding halt – so how do you go on with your life?  This is probably the worst part of the whole Cyberattack that just unfolded. 

Luckily so far, something like this has not happened here in the United States – but the potential for it remains quite strong, as the Cyberattacker of today is getting a lot more sophisticated and stealthier in what they do.

This kind of hack is known as an attack on our Critical Infrastructure. In fact, American society is starting to get afraid of this, and because of that, the Federal Government is also starting to wake up and trying to figure out how to keep the scenario that was just painted from actually happening.

This is best exemplified by a recent study that was conducted by the Government Accountability Office, also known as the “GAO” for short.

In it, they examined what the impacts would be if a Cyberattack were to target the national electrical grid.  What was found was grim at best:  The United States electrical system is at huge risk for becoming a victim of a Cyberattack, and this risk is only growing exponentially every day. 

In order to come to this conclusion, the GAO conducted an exhaustive audit of the national electrical grid and compared the risks that were discovered to what the Department of Energy’s (DOE) plan is to recover if such an attack were to occur. 

Although they were not specifically mentioned (primarily because of security reasons), the GAO also found quite a number of serious and hidden vulnerabilities along the electrical generation process – from the time it is first produced to the ultimate destination point, which is powering our homes and businesses. 

Because of this, the Cyberattacker now has a choice of where they want to launch their attack, and from there, turn that into a cascading effect.

In other words, all the Cyberattacker has to do is just find one weak and crucial spot in the national power grid, and from there, deploy a piece of malware that can spread itself like wildfire all throughout, which could impact major cities simultaneously in just one attack. 

In their report, the GAO did strongly warn that the proliferation of the Internet of Things (IoT) and the use of GPS systems to help synchronize the electrical grid operations are making this much worse.

The reason for this is that both the IoT and GPS rely heavily upon interconnectedness with other devices both in the physical and virtual worlds in order to operate at an optimal level. But all of these connections have created one huge Cybersecurity nightmare: they have greatly expanded the attack surface from which threats and their variants can be launched.

My Thoughts On This

As I was writing this blog, this really jolted me and made me think: My entire livelihood is dependent upon a steady and regular flow of electricity!!! True, I do have a battery on my laptop, but it only lasts about two hours until it needs to be fully charged again. The GAO did make some recommendations, but much to my dismay, they were just very general in nature, with no actual specifics being given.

I am not sure if this has been done purposely, or they just could not come up with any concrete steps to be taken at this point. But here is what they have mentioned:

* Create a specific plan to protect the national power grid, as well as an Incident Response and Disaster Recovery plan in case it is hit by a Cyberattack;

* Create a plan that constantly checks for risks and vulnerabilities that are posed to the national power grid on a real-time basis;

* Make sure that any Cybersecurity plan that has been formulated comes into compliance with the NIST Cybersecurity Framework;

* Examine what the real risks are if multiple targets are all hit at once, in different geographic locations (as I have described earlier).

No matter what, in the end, this is a very, very real threat. The only problem is that our Critical Infrastructure is made up entirely of legacy-based systems. You just cannot rip them out and replace them with new ones.

The same also goes for the various security technologies that are deployed to protect them. You cannot implement just anything; you have to put in those tools that will interact with the existing security systems that are already in place in the Critical Infrastructure.

In other words, they cannot be dedicated security systems; they have to be added on to what is already in place. This actually complicates things even further, as you now have legacy-based systems trying to commingle with the latest and greatest. While they may prove to be interoperable with one another in a testing environment, how they all work together in the real world could be an entirely different story.

More on this to come in the future . . .

More details on this study can be seen at the link below:

https://www.gao.gov/assets/710/701079.pdf