The timing couldn’t have been more striking. The night before last I finished reading Ted Koppel’s 2015 book Lights Out, which warns us of the risk of cyberattacks on the U.S. power grid, and then yesterday news came out that Russian hackers had apparently attempted to infiltrate the computer network of a small Vermont utility company—presumably to gain access to the electric grid.
Now on this last day of 2016 I’m inspired to reflect on this concern and what it portends about the need to ramp up our focus on resilience.
Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath, probably wasn’t the best book to be reading in bed each night over the past few weeks (relative to restful sleep), but it covers a topic that all of us—especially policymakers—should become familiar with. Veteran reporter and newscaster Ted Koppel provides an exhaustive review of the vulnerability of our power grid to cyberattacks and what a widespread power outage would do to us.
The book’s scenario is pretty scary: savvy computer hackers could break into the antiquated computer systems that manage our electrical grid. Once inside that network, they could create power outages across huge swaths of the nation that last for weeks or even months.
Such actions could be carried out by a rogue nation like Iran that wants to impart damage to us and our economy, or it could come from a lonely outcast living in a basement apartment in his mother’s house who feels picked on by society and wants revenge. We’ve had our share of high-profile loners like that in recent years with their mass killings in schools and movie theaters, but similar anger could be expressed, suggests Koppel, in a far more extensive manner by taking down the power grid.
Lights Out describes just what could result from such a cyberattack—and it isn’t pretty. Unlike natural disasters, a grid collapse could extend over a far wider region. With a storm or earthquake, the Federal Government, though the Federal Emergency Management Agency (FEMA) and the military, could fairly quickly come to the rescue—bringing in generators, supplying food and water, and deploying troops to prevent looting and maintain order.
With a widespread power outage lasting weeks, most towns and cities would be largely on their own. Critical supplies would very quickly run out. Koppel quotes Jerome Hauer, who had served in the 1990s as New York City’s director of emergency management and then served until early-2015 as the New York State commissioner of homeland security and emergency services, about how vulnerable a city like New York would be to an extended power outage.
Consider food—just one of the challenges the City would face: “Without federal assistance, Hauer said, New York City ‘could probably last for two days.’” Store shelves would empty out within a matter of hours. The City warehouses millions of meals ready to eat (MREs), but with a population of 8 million, those meals wouldn’t go very far.
Disaster relief agencies are fairly well positioned to deal with isolated natural disasters, such as a Hurricane Katrina or Superstorm Sandy, but a widespread power outage would wreak havoc. Koppel paints a pretty scary picture and describes a near-universal unwillingness to address such a glaring vulnerability.
Lights Out quotes extensively from George Cotter, a former chief scientist at the National Security Agency. In an April 2015 white paper, quoted in the book, Cotter wrote:
With adversaries’ malware in the national grid, the nation has little or no chance of withstanding a major cyberattack on the North American electrical system. Incredibly weak cybersecurity standards with a wide-open communications and network fabric virtually guarantees success to major nation-states and competent hacktivists. This [electric power] industry is simply unrealistic in believing in the resiliency of this Grid subject to a sophisticated attack. When such an attack occurs, make no mistake, there will be major loss of life and serious crippling of National Security capabilities.
Even communicating to the public, during such an emergency, would be next to impossible. Notes Koppel: “It would be the ultimate irony if the most connected, the most media-saturated population in history failed to disseminate the most elementary survival plan until the power was out and it no longer had the capacity to do so.”
Burlington Electric
It was with this context that I read the news about the effort to gain access to Burlington Electric’s network. According to an article in this morning’s New York Times, a maleware code that has been linked to Russian hackers was found on a laptop computer at Burlington Electric, a small municipal utility company in my state of Vermont that is part of ISO New England—the system that manages electricity distribution throughout the Northeast.
Apparently, this is the same maleware code—referred to as Grizzly Steppe—that has been linked to recent Russian hacking of Democratic e-mails during the 2016 presidential elections. The maleware was found on a laptop computer that was not connected to the electric grid, but the implication is that it easily could have been. The situation garnered national attention and should serve as a wake-up call.
Missing in Lights Out
While Lights Out has played an important role in alerting us to this huge vulnerability—and I’m guessing that sales will increase in light of the Burlington Electric hacking—I was struck by the lost opportunity for addressing how to achieve greater resilience to such cyberattacks. There is extensive discussion in the book about the Mormon response to disasters, including food storage and distribution, but little beyond that.
Koppel quotes Howard Schmidt, the former cybersecurity coordinator for the Obama Administration, saying, essentially, that the public is helpless. “There’s nothing I can do that can protect me if the rest of the system falters,” according to Schmidt.
Actually, there is a lot we can do. We can store food in our homes, as I argued in this 2015 blog—which recommended keeping a six-week supply on hand and rotating through that food inventory to keep it fresh. We can keep our homes reasonably safe during extended power outages through the design strategy of “passive survivabililty,” an idea that the Resilient Design Institute has been championing since its founding in 2012, and that I’ve been writing about that since 2015, following Hurricane Katrina.
Perhaps most importantly, we can work to build stronger communities—with our immediate neighbors and within our larger circles of friends and family. During an extended, widespread power outage, communities will have to self-organize and help themselves. We can start preparing for that today by getting to know our neighbors.
To understand why this is so important, get hold of a copy of Lights Out.
# # # # #
Along with founding the Resilient Design Institute in 2012, Alex is founder of BuildingGreen, Inc. To keep up with his latest articles and musings, you can sign up for his Twitter feed. To receive e-mail notices of new blogs, sign up at the top of the page.
Thank you Alex for this timely review on Koppel’s book Lights Out AND a call to action for us to mobilize as a community to get prepared for widespread power outages.
I participated in a Resilient Boulder pilot program called Better Together last fall that did just that. We were ‘trained’ to become neighborhood resilience ambassadors and emergency managers to connect with neighbors and identify who had what needs, skills, tools, provisions, generators, wood stoves, etc so we can be better prepared now to weather disruptions as a community, knowing there will be no widespread rescue effort available.
We also developed emergency home “Go Kits” for potential evacuations and “Stay Kits” for sheltering-in-place. I can say that while there is more to be done, particularly around passive survivability features, I am many steps closer to being prepared as a result. And I feel much more connected to my neighbors, which is priceless.
Hopefully this Better Together program, which launches in 2017, will spread to the other 100 Resilient Cities and beyond. I am happy to connect those interested in getting started.
As always, thank you Alex for showing us what is next and what is important to act on now.
Valerie – That sounds like a great initiative. I live in Maryland and work in DC. I’d like additional information about the Better Together program. This would be great to share with my local community and town council.
Marcus – I am checking into the launch date for Better Together and will provide an update and hopefully a resource link for you as it becomes available. Stay tuned!
Thanks Valerie. Look forward to hearing more about the program.
Marcus – I have an update for you on the Better Together program. On February 15th, a page about Better Together will be added to their new web platform that was just launched yesterday, Resilient Together. http://www.resilienttogether.org.
Here in Boulder, the course will be offered three times in 2017. I benefitted greatly participating in the pilot training program and now understand the importance and impact of a grassroots community effort for emergency preparedness and recovery.
If you have specific questions, the program organizer has offered to talk directly with you.
Thanks! I don’t have any specific questions at the moment. I’ll wait until the page is launched. Right now this is great to share and have as a case study on what my community can do. It will take some more consensus building before leaping to a program like this.
No, Russia didn’t hack Vermont’s power grid
http://boingboing.net/2016/12/31/no-russia-didnt-hack-vermon.html
Thanks, Alex. Great coverage of an important topic especially given the Trumped-up denials of our president-elect. Koppel’s analysis is scary to say the least. Perhaps one of the first infrastructures we need to build are fortresses against cyberattacks and not a wall along the Mexican border.
Since the original Washington Post article came out suggesting that Russian hackers had attempted to infiltrate the Burlington Electric Power Company computer network, further investigation has been conducted, and the Washington Post has published a new, more in-depth article on the episode:
https://www.washingtonpost.com/world/national-security/russian-government-hackers-do-not-appear-to-have-targeted-vermont-utility-say-people-close-to-investigation/2017/01/02/70c25956-d12c-11e6-945a-76f69a399dd5_story.html?utm_term=.a9ea0f04c6df
The arguments presented in Ted Koppel’s book Lights Out, however, remain strong, however. Our power grid remains vulnerable to cyberattacks, though it is good to know that the Federal Government advised utility companies to search for malware on their computer systems.