Our electric grid is vulnerable to cyberattacks. Here’s what we need to do

Imagine a day, or even worse, a week or more without power. And the power outage blankets an entire region, or perhaps even the entire country. No air conditioning, no refrigeration, no internet – none of the modern conveniences that we have come to expect as givens in our lives. And no neighborhood with power in close proximity to seek refuge. For some people, the worry over a situation like this is always present and the paranoia spikes every time there is a hiccup in the power supply, even if it’s only caused by a squirrel tripping the circuit breaker on a neighborhood transformer. (Yes, this actually happened in my neighborhood in this summer, creating what sounded like a small explosion outside my home!)

The consequences of such a power outage would be far-reaching and dire. In some areas with extreme heat, like the summertime in Las Vegas or Florida, people could potentially die from lack of access to air conditioning and water as back-up generators aren’t available or sufficient. Alternatively, in the dead of winter, low temperatures could lead to a host of other problems in places like New England, as homes with electric heat grow colder and pipes burst. And unfortunately, emergency services including hospitals are stretched to the limits. 

As these blackouts continue, civil unrest becomes another byproduct. As citizens grow weary of life in a communications vacuum without electricity, they begin to realize that food is rotting in their refrigerators and the shelves of the local supermarket (if it is open at all) are bare. And even if there was power 500 miles away, it might be impossible to leave town to get there because the electric-powered gas station pumps are also not working and gridlock caused by inoperative traffic signals. With lights and alarm systems not functioning, looting and crime waves would become commonplace.

This is a very bleak doomsday scenario. Thankfully, there are various reasons why the odds are against this type of major long-term outage. But as more state-sponsored cyberterrorists take aim at bringing down the United States’ power grid, the government and utilities need to stay coordinated to prevent such an occurrence.

One reason not to worry: mutually assured destruction

Since the early 1950s, humanity has lived with the threat of nuclear annihilation. Yet we have derived a measure of comfort from psychology rooted in game theory, namely that none of the nuclear powers dare attack another for fear of retaliation. Such mutually assured destruction (MAD) has helped act as a deterrent to help keep the peace for almost 70 years.

The same psychology holds true for attacks on our electric power grids. Reports in the popular press have at times presented the U.S. as a potential innocent victim in such an attack. Yet one could assume that the U.S. has the ability to launch its own set of sophisticated attacks. That should and does give pause to nations that would sponsor such attacks. The U.S. would also likely consider such an attack as an act of war.

One reason to still worry: rogue actors

While MAD should deter aggression, one persistent worry is that past attacks didn’t take superhuman abilities. Russia’s 2016 attack on Ukraine’s power grid, for instance, began with a spear phishing attack; the hackers got in the system by sending emails with a malicious Microsoft Word attachment.

To date, there is no 100 percent effective solution to thwarting such attacks because they prey on human weaknesses, rather than a security flaw. Phishing attacks are also relentless – some 100,000 get reported every month and even tech-savvy people who should know better than to fall for them. There are some cybersecurity software defenses that sandbox a link before it executes. But these solutions are not universally deployed at this point,  and won’t catch everything.  

In addition, many of the systems and devices that control the power grid are not easily protected with standard enterprise defenses created by the vendors we all know by name. Some may be running more obscure or obsolete operating systems, and others may not have been designed to run sophisticated security software.

However, with recent advances in machine learning, the industry is improving in the ability to respond to and block attacks. This is very good news. But what is worrying is that it doesn’t take a state-backed team of hackers to pull off such attacks. The idea of a rogue group targeting our utilities is also a possibility, one in which MAD doesn’t play as much of a role.

The solution: government-business partnerships

I’m as pro-capitalism as anyone and I usually avoid looking to the government to solve major problems. Utilities are a special case though. They are already treated differently in the market because they are natural monopolies. The barriers to entry are too high for competitors and, because of economies of scale, more competition would mean higher prices.

Utilities are also prime targets for hostile enemies. In traditional warfare, air-based attackers aim for power plants because it is understood that without them, the enemy is helpless to fight back. The same is true for cyberwarfare. Whether utilities companies wish to or not, they are on the front lines of our various cyberwars with foreign nations.

According to a recent Wall Street Journal report, owners of private utilities say they need more help from the federal government and the military. Their request came after a group of presidential advisers warned of the possibility of a “catastrophic power outage” from a cyberattack.

We shouldn’t hesitate a second to heed their call. Cyberwarfare may not look much like the traditional kind, but it is. We wouldn’t allow Russian, Chinese or North Korean planes on our soil and near our electric plants. We need to use the same level of defense to protect our utilities from similar threats in the cyber sphere. And this can only be accomplished by bringing together the best talent and technology from the commercial and government sectors. That won’t rule out the possibility of an attack, but it will mitigate the chances of what could be a major catastrophe.