Why Cyber Risks to the Grid Are – and Are Not – MAD
By Andy Bochman
Nov 19, 2009 - 3:16:15 PM
As you may suspect by now, Jack and I are not fans of alarmist language. You won't hear us using terms like "Cyber Pearl Harbor" or "Cyber 9/11" unless our purpose is to debunk them, as Jack did quite thoroughly on his former blog, Suitable Security, here.
We find that hysteria is not a particularly promising state of mind to be in when one is attempting to make the world better, safer and more secure. And that's the lead-in to this second post re: the recent 60 Minutes feature on ominous trouble in Cyberland.
Oh, one more thing before the post really starts -- I should explain the kitten. The kitten is here to help you relax. OK? Let's begin.
MAD, or Mutually Assured Destruction, is a Cold War-era term which neatly describes why nuclear deterrence works and has so far kept our planet from being reduced to a glowing ember from a massive thermonuclear exchange. You are still relaxed I see ... that's good.
Last week we posted a link to, and a couple of comments on, an alarming 60 Minutes episode on cyber security risks to critical U.S. infrastructure. It described how vulnerable the U.S. is to computer hackers and used examples from DOD, the financial sector and the electrical grid. An additional level of disturbing detail was provided by former Director of National Intelligence (DNI) Mike McConnell, who said he's certain that foreign code is resident on national grid systems. Our own anecdotal experience with critical systems in other industries corroborates this. In hacker lingo: We are "owned."
Still relaxed? You should be, because there's ample evidence, in the 60 Minutes material and elsewhere, that even as we are heavily targeted, we also have substantial penetration of our potential adversaries' systems. Hence, the resemblance to MAD. I'm making this comparison preemptively before some journalist or K Street analyst does, because I think it's worth laying a few of the cards on the table and thinking about this in a non-alarmist fashion. Here's a short list of attributes to compare and contrast.
Nuclear characteristics:
- Once underway, nuclear war is for keeps; you're either launching nukes or you're not
- Though some once believed in it, "limited nuclear war" is generally considered unlikely
- While we work to make missile defense a reality, our best defense against nuclear attack has been a good offense (see: deterrence)
- Damage from nuclear exchanges is usually believed to be catastrophic
- With missiles and bombers heading our way, it's fairly easy to discern the origin of attack, and hence, the attacker
- There are currently nine countries listed as nuclear nations. Others seek to join this group, but it's expensive, complicated and time-consuming, not to mention dangerous and sometimes destabilizing
Grid Cyber characteristics:
- Probes and attacks are happening all the time by multiple parties and damage in various degrees is being absorbed by all involved
- All cyber war is, by definition, limited
- Our best defenses are multi-layered, resilient and constantly evolving
- Damage is infinitely variable in severity and often hard to detect
- Often we cannot identify attack origin or attacker
- Any country, organization or individual with access to the Internet can be an attacker
So the cyber wars are already well underway and yet you are still able to read this post on your computer or smart phone. This is because given the degree of inter-dependency of the global economy, most industrialized nations have little desire to wreak massive cyber havoc on their neighbors, who, while they compete in many domains, are also full-time partners. Though you'll sometimes hear speculation to this effect, especially as it concerns the Smart Grid as a "hackers' paradise," it's unlikely (though possible) that catastrophic harm can befall the diverse U.S. national grid from cyber attack alone. But that doesn't mean major localized or regional damage couldn't be wrought.
Takeaways:
- Unlike with nukes, where deterrence between nuclear nations has worked so far, no one is fully deterred from experimenting with and sometimes wielding cyber weapons against our grid or other critical U.S. infrastructure systems. Most nations do, however, seem deterred from launching massive cyber attacks on us and others ... and life and commerce go on
- International crime gangs and other non-state bad actors abide by completely different rule sets from those described above. Deterrence means much less to them, so we've got to continue to bring our cyber security "A game" to the Smart Grid buildout as well as to the rest of our critical national infrastructure
- Understanding and accepting that all sides "own" other systems conjures up the alternative title to the Cold War classic "Dr. Strangelove," which was "How I Learned to Stop Worrying and Love the Bomb." I'm not suggesting you begin loving cyber risks to the grid or Smart Grid; just want you to worry a little less if the 60 Minutes piece has rendered you sleepless or immobile. Clearly we’ve got work to do, but as NASA and the NY Times point out, we’re not going to die tomorrow or the day after tomorrow
- For a somewhat more detailed, lucid examination of cyber risks to the grid, see University of Minnesota's Dr. Massoud Amin's short paper "Electricity Infrastructure Security," which is available as a PDF download here.
So, if you've made it this far, I've got a question for you: Did the kitten help?
Jack Danahy and Andy Bochman are authors of the Smart Grid Security Blog.