“If you think a control-system attack that takes down a utility even for a few hours is not serious, just look at what is happening now that Mother Nature has taken out those utilities,” Napolitano said at a Washington Post cybersecurity event, noting the effects in some cases can be “life threatening.”
While yes, cybersecurity should be taken seriously, Sandy is not an example of how dangerous a cyber attack could be.
What do I mean I hear you cry? Sandy is a prime example of what someone could do to physically interrupt the power system. While you could find a way to get a breaker to open or close unintentionally, the easier method of disrupting utilities is to find critical points and physically knock them out.
First, let me do a quick explanation of what’s going on in the NYC area. Most power distribution in the NYC area is below ground. This makes it below sea level. This is one of the reasons they shut down many areas early, in an effort to protect equipment so that it can return to service more quickly. Still, that equipment has to be cleaned, transformers for example have to be washed, insulation checked, and refilled with cooling oil. This takes time, though much less time than having to fly in a replacement transformer, removing the old one, and installing and commissioning the new one.
So what we have is a bunch of distribution points that were/are full of water, need to be drained, the equipment cleaned, checked, maintained, and replaced possibly in some instances. All of this must be done before re-energizing that circuit.
So why did I take the time to explain all that? Well because it illustrates that if done properly, a physical attack, can easily do more damage than any cyber attack, and even more than that you have decreased the potential recovery time. But that’s not all. Say you execute an attack on physical infrastructure and take out 2 transmission level transformers on a main artery.
You have now done triple digit damage in the millions if not more. Plus it will take 2-3 years, at a minimum, to replace the transformers. Any stock they have for those transformers is in very limited supply. This means if you hit a couple of places at once, you could very well permanently cripple the ability for a region to get the power necessary to operate.
Seriously, think about this, cyber-security to protect assets worth millions of dollars and provide hundreds of millions in revenue are going to be left unguarded by their owners and operators? Get real. The bigger and harder problem is physical security. How do you stop someone from running a truck into a transmission tower?
Why do I bring all this up? Because our overlords often start screaming about “necessity” in an effort to create new regulations and requirements which honestly are unnecessary. They’re unnecessary because do you think a utility company doesn’t want to protect its equipment? For every minute a transmission line is down they’re loosing millions of dollars in lost revenue.
We’ve seen these cries before and yet again it is to drum up “FUD” among people who don’t really understand how the system works. FUD is how you make a bunch of people clamor to do something when nothing really needs to be done. That’s what Janet’s doing with her latest ramblings.
Barron is the owner, editor, and principal author at The Minuteman, a competitive shooter, and staff member for Boomershoot. Even in his free time he’s merging his love and knowledge of computers and technology with his love of firearms.
He has a BS in electrical engineering from Washington State University. Immediately after college he went into work on embedded software and hardware for use in critical infrastructure. This included cryptographic communications equipment as well as command and control devices that were using that communications equipment. Since then he’s worked on just about everything ranging from toys, phones, other critical infrastructure, and even desktop applications. Doing everything from hardware system design, to software architecture, to actually writing software that makes your athletic band do its thing.