The power is out on my street today. The outage was announced well in advance and the reason for the outage is clear: a Southern California Edison crew is replacing a transformer in a vault beneath the street. But even as Edison upgrades the local network's hardware, the Department of Homeland Security is again warning U.S. power companies about software vulnerabilities.
A cyberattack--as yet unattributed, although Russia is clearly the primary suspect--caused the power outage that affected 225,000 people in Ukraine on December 23, according to investigators in the United States. Hackers stole the credentials of system operators and used their access to the industrial control systems of three regional energy distribution companies to flip breakers and shut off the flow of power. A denial-of-service attack simultaneously blocked phone calls into energy distribution centers (to keep operators from knowing the extent of the outage) and malware prevented those centers from switching to backup power supplies.
The basic design of the attack on Ukraine's power grid, which involved infiltrating a network, mapping it, and gaining control of a supervisory control and data acquisition (SCADA) system, resembles the Stuxnet attack that damaged centrifuges being used in Iran's nuclear weapons program in 2010. Stuxnet is widely believed to have been the work of the U.S. and Israeli governments, although neither has acknowledged responsibility.
The warning distributed by Homeland Security's Industrial Control Systems-Cyber Emergency Response Team follows similar warnings issued by analysts in the private sector. The possibility of taking down a power grid via a cyberattack has long been theorized. Last year, a study co-produced by the University of Cambridge Centre for Risk Studies and insurance giant Lloyd's calculated that a cyberattack on the power grid in the northeastern United States could result in financial losses of a trillion dollars or more. It is worth noting, however, that the attack in Ukraine in December is the first actually to cause a power outage.
No one thinks it will be the last.