COUNCIL ON FOREIGN RELATIONS
CENTER FOR PREVENTIVE ACTION
Introduction
The U.S. power grid has long been considered a logical target for a major cyberattack. Besides the intrinsic importance of the power grid to a functioning U.S. society, all sixteen sectors of the U.S. economy deemed to make up the nation’s critical infrastructure rely on electricity. Disabling or otherwise interfering with the power grid in a significant way could thus seriously harm the United States.
Carrying out a cyberattack that successfully disrupts grid operations would be extremely difficult but not impossible. Such an attack would require months of planning, significant resources, and a team with a broad range of expertise. Although cyberattacks by terrorist and criminal organizations cannot be ruled out, the capabilities necessary to mount a major operation against the U.S. power grid make potential state adversaries the principal threat.
Attacks on power grids are no longer a theoretical concern. In 2015, an attacker took down parts of a power grid in Ukraine. Although attribution was not definitive, geopolitical circumstances and forensic evidence suggest Russian involvement. A year later, Russian hackers targeted a transmission level substation, blacking out part of Kiev. In 2014, Admiral Michael Rogers, director of the National Security Agency, testified before the U.S. Congress that China and a few other countries likely had the capability to shut down the U.S. power grid. Iran, as an emergent cyber actor, could acquire such capability. Rapid digitization combined with low levels of investment in cybersecurity and a weak regulatory regime suggest that the U.S. power system is as vulnerable—if not more vulnerable—to a cyberattack as systems in other parts of the world.
An adversary with the capability to exploit vulnerabilities within the U.S. power grid might be motivated to carry out such an attack under a variety of circumstances. An attack on the power grid could be part of a coordinated military action, intended as a signaling mechanism during a crisis, or as a punitive measure in response to U.S. actions in some other arena. In each case, the United States should consider not only the potential damage and disruption caused by a cyberattack but also its broader effects on U.S. actions at the time it occurs. With respect to the former, a cyberattack could cause power losses in large portions of the United States that could last days in most places and up to several weeks in others.The economic costs would be substantial.As for the latter concern, the U.S. response or nonresponse could harm U.S. interests.Thus, the United States should take measures to prevent a cyberattack on its power grid and mitigate the potential harm should preventive efforts fail.
The Contingency
The U.S. power system has evolved into a highly complex enterprise: 3,300 utilities that work together to deliver power through 200,000 miles of high-voltage transmission lines; 55,000 substations; and 5.5 million miles of distribution lines that bring power to millions of homes and businesses. Any of the system’s principal elements––power generation, transmission, or distribution––could be targeted for a cyberattack. In the Ukraine case, attackers targeted substations that lower transmission voltages for distribution to consumers. Lloyd’s of London, an insurance underwriter, developed a plausible scenario for an attack on the Eastern Interconnection—one of the two major electrical grids in the continental United States—whichservices roughly half the country. The hypothetical attack targetedpower generators to cause a blackout covering fifteen states and the District of Columbia, leaving ninetythree million people without power. Other experts have concluded that an attack on the system for transmitting power from generation to end consumers would have devastating consequences. In one scenario, disruption of just nine transformers could cause widespread outages. Many experts are now also concerned that smart grid technologies, which use the internet to connect to power meters and appliances, could allow an attacker to take over thousands—if not millions—of unprotected devices, preventing power from being delivered to end users.
Regardless of which part of the power grid is targeted, attackers would need to conduct extensive research, gain initial access to utility business networks (likely through spearphishing), work to move through the business networks to gain access to control systems, and then identify targeted systems and develop the capability to disable them. Such sophisticated actions would require extensive planning by an organization able to recruit and coordinate a team that has a broad set of capabilities and is willing to devote many months, if not years, to the effort. State actors, therefore, are the more likely perpetrators, and given these long lead times, U.S. adversaries have likely already begun this process in anticipation of conflict. It is doubtful that a terrorist organization would have both the intent and means to carry out such an attack successfully. In the future, however, criminal groups could pose a real threat. They are growing in sophistication and in some cases rival, if not exceed, the capabilities of nation states. Payments for ransomware—malicious software that encrypts data and will not provide a code to unlock it unless a ransom has been paid—by some estimates have topped $300 million. This funding could allow criminal groups to purchase more sophisticated capabilities to carry out the ultimate ransomware attack.
The likelihood that an attack carried out by a determined and capable adversary would be thwarted by security measures is low. While some U.S. utilities might block attempts by an adversary to gain initial access or might be able to detect an adversary in their systems, many might not have the necessary tools in place to detect and respond. Efforts to improve data sharing that could enable detection by one company to block access across the entire industry are in their infancy. In the Lloyd’s scenario, only 10 percent of targeted generators needed to be taken down to cause a widespread blackout.
Short of outright conflict with a state adversary, several plausible scenarios in which the U.S. power grid would be subject to cyberattack need to be considered:
- Discrediting Operations. Given the importance of electricity to the daily lives of Americans, an adversary may see advantage in disrupting service to undermine public support for a U.S. administration at a politically sensitive time.
- Distracting Operations. A state contemplating a diplomatic or military initiative likely to be opposed by the United States could carry out a cyberattack against the U.S. power grid that would distract the attention of the U.S. government and disrupt or delay its response.
- Retaliatory Operations. In response to U.S. actions considered threatening by another state, such as the imposition of economic sanctions and various forms of political warfare, a cyberattack on the power grid could be carried out to punish the United States or intimidate it from taking further action with the implied threat of further damage.
There are many plausible circumstances in which states that possess the capability to conduct cyberattacks on the U.S. power grid––principally Russia and China, and potentially Iran and North Korea––could contemplate such action for the reasons elaborated above. However, considerable potential exists to miscalculate both the impact of a cyberattack on the U.S. grid and how the U.S. government might respond. Attacks could easily inflict much greater damage than intended, in good part because the many health and safety systems that depend on electricity could fail as well, resulting in widespread injuries and fatalities. Given the fragility of many industrial control systems, even reconnaissance activity risks accidentally causing harm. An adversary could also underestimate the ability of the United States to attribute the source of a cyberattack, with important implications for what happens thereafter.Thus, an adversary’s expectations that it could attack the power grid anonymously and with impunity could be unfounded.
Warning Indicators
A series of warning indicators would likely foretell a cyberattack on the U.S. power grid. Potential indicators could include smaller test-run attacks outside the United States on systems that are used in the United States; intelligence collection that indicates an adversary is conducting reconnaissance or is in the planning stages; deterioration in relations leading to escalatory steps such as increased intelligence operations, hostile rhetoric, and recurring threats; and increased probing of electric sector networks and/or the implementation of malware that is detected by more sophisticated utilities.
Implications for U.S. Interests
A large-scale cyberattack on the U.S. power grid could inflict considerable damage. The 2003 Northeast Blackout left fifty million people without power for four days and caused economic losses between $4 billion and $10 billion. The Lloyd’s scenario estimates economic costs of $243 billion and a small rise in death rates as health and safety systems fail. While darker scenarios envision scarcity of water and food, deterioration of sanitation, and a breakdown in security, leading to a societal collapse, it would be possible to mitigate the worst effects of the outage and have power restored to most areas within days. At this level of damage, the American public would likely demand a forceful response, which could reshape U.S. geopolitical interests for decades. Traditional military action, as opposed to a response in kind, would be likely.
In addition to the direct consequences of a cyberattack, how the United States responds also has implications for its management of the situation that may have prompted the attack in the first place, the state of relations with the apparent perpetrator, the perceived vulnerability of the United States, and the evolution of international norms on cyberwarfare.
How the U.S. government reacts, more than the actual harm done, will determine whether the cyberattack has a continuing impact on geopolitics. If the incident reveals a U.S. vulnerability in cyberspace that can be targeted to deter the United States from taking action abroad, the implications of the incident would be profound. If, on the other hand, the U.S. government shows firm resolve in the face of the attack and does not change its behavior in the interest of the attacker, the event is unlikely to have significant consequences for the role of the United States abroad.
On the domestic front, a highly disruptive attack would likely upend the model of private sector responsibility for cybersecurity. As was done with aviation security after 9/11, Congress would likely move quickly to take over responsibility for protecting the grid from cyberattack by either creating a new agency or granting new authorities to an existing agency such as U.S. Cyber Command. Such a move would likely reduce the efficiency of grid operations and open the door to expanding government’s role in protecting other sectors of the economy. A devastating attack might also prompt calls to create a national firewall, like China and other countries have, to inspect all traffic at national borders. However, the experience of other countries and the technical reality of the internet suggest that these firewalls are ineffective for cybersecurity but well suited to restricting speech online and censoring information.
Download full version (PDF): A Cyberattack on the U.S. Power Grid
About the Council on Foreign Relations Center for Preventive Action
https://www.cfr.org/about-center-preventive-action
The Center for Preventive Action (CPA) helps policymakers devise timely and practical strategies to prevent and mitigate armed conflict around the world, especially in those places where U.S. interests are most at risk. Geopolitical friction among the major powers has been steadily growing in recent years while many parts of globe has seen an increase in violent conflict. Other threats to international peace and security, whether it be violent extremism, cyberattacks, or the proliferation of deadly technologies, are also evolving in new and destabilizing ways.
Tags: Center for Preventive Action, CFR, Council on Foreign Relations, CPA, Cyber Attack, Cyber Terrorism, Cyberattack, Power Grid