As Worries Over the Power Grid Rise, a Drill Will Simulate a Knockout Blow
New York Times. WASHINGTON — The electric grid, as government and private experts describe it, is the glass jaw of American industry. If an adversary lands a knockout blow, they fear, it could black out vast areas of the continent for weeks; interrupt supplies of water, gasoline, diesel fuel and fresh food; shut down communications; and create disruptions of a scale that was only hinted at by Hurricane Sandy and the attacks of Sept. 11.
This is why thousands of utility workers, business executives, National Guard officers, F.B.I. antiterrorism experts and officials from government agencies in the United States, Canada and Mexico are preparing for an emergency drill in November that will simulate physical attacks and cyberattacks that could take down large sections of the power grid.
They will practice for a crisis unlike anything the real grid has ever seen, and more than 150 companies and organizations have signed up to participate.
“This is different from a hurricane that hits X, Y and Z counties in the Southeast and they have a loss of power for three or four days,” said the official in charge of the drill, Brian M. Harrell of the North American Electric Reliability Corporation, known as NERC. “We really want to go beyond that.”
One goal of the drill, called GridEx II, is to explore how governments would react as the loss of the grid crippled the supply chain for everyday necessities.
“If we fail at electricity, we’re going to fail miserably,” Curt Hébert, a former chairman of the Federal Energy Regulatory Commission, said at a recent conference held by the Bipartisan Policy Center.
Mr. Harrell said that previous exercises were based on the expectation that electricity “would be up and running relatively quick” after an attack.
Now, he said, the goal is to “educate the federal government on what their expectations should or shouldn’t be.” The industry held a smaller exercise two years ago in which 75 utilities, companies and agencies participated, but this one will be vastly expanded and will be carried out in a more anxious mood.
Most of the participants will join the exercise from their workplaces, with NERC, in Washington, announcing successive failures. One example, organizers say, is a substation break-in that officials initially think is an attempt to steal copper. But instead, the intruder uses a USB drive to upload a virus into a computer network.
The drill is part of a give-and-take in the past few years between the government and utilities that has exposed the difficulties of securing the electric system.
The grid is essential for almost everything, but it is mostly controlled by investor-owned companies or municipal or regional agencies. Ninety-nine percent of military facilities rely on commercial power, according to the White House.
The utilities play down their abilities, in comparison with the government’s. “They have the intelligence operation, the standing army, the three-letter agencies,” said Scott Aaronson, senior director of national security policy at the Edison Electric Institute, the trade association of investor-owned utilities. “We have the grid operations expertise.”
That expertise involves running 5,800 major power plants and 450,000 miles of high-voltage transmission lines, monitored and controlled by a staggering mix of devices installed over decades. Some utilities use their own antique computer protocols and are probably safe from hacking — what the industry calls “security through obscurity.”
But others rely on Windows-based control systems that are common to many industries. Some of them run on in-house networks, but computer security experts say they are not confident that all the connections to the public Internet have been discovered and secured. Many may be vulnerable to software — known as malware — that can disable the systems or destroy their ability to communicate, leaving their human operators blind about the positions of switches, the flows of current and other critical parameters. Experts say a sophisticated hacker could also damage hard-to-replace equipment.
In an effort to draw utilities and the government closer, the industry recently established the Electricity Sub-Sector Coordinating Council, made up of high-level executives, to meet with federal officials. The first session is next month.
Preparation for the November drill comes as Congress is debating laws that could impose new standards to protect the grid from cyberattacks, but many in the industry, some of whom would like such rules, doubt that they can pass.
The drill is also being planned as conferences, studies and even works of fiction are raising near-apocalyptic visions of catastrophes involving the grid.
A National Academy of Sciences report last year said that terrorists could cause broad hardship for months with physical attacks on hard-to-replace components. An emerging effort led in part by R. James Woolsey, a former director of the Central Intelligence Agency, is gearing up to pressure state legislatures to force utilities to protect equipment against an electromagnetic pulse, which could come from solar activity or be caused by small nuclear weapons exploded at low altitude, frying crucial components.
An attack using an electromagnetic pulse is laid out in extensive detail in the novel “One Second After,” published in 2009 and endorsed by Newt Gingrich. In another novel, “Gridlock,” published this summer and co-written by Byron L. Dorgan, the former senator from North Dakota, a rogue Russian agent working for Venezuela and Iran helps hackers threaten the grid. In the preface, Mr. Dorgan says such an attack could cause 10,000 times as much devastation as the terrorists’ strikes on Sept. 11, 2001.
Despite the growing anxiety, the government and the private sector have had trouble coordinating their grid protection efforts. The utility industry argues that the government has extensive information on threats but keeps it classified. Government officials concede the problem, and they have suggested that some utility executives get security clearances. But with hundreds of utilities and thousands of executives, the government cannot issue such clearances fast enough. And the industry would like to be instantly warned when the government identifies Internet servers that are known to be sources of malware.
Another problem is that the electric system is so tightly integrated that a collapse in one spot, whether by error or intent, can set off a cascade, as happened in August 2003, when a power failure took a few moments to spread from Detroit to New York.
Sometimes utility engineers and law enforcement officials also seem to speak different languages. In his book “Protecting Industrial Control Systems From Electronic Threats,” Joseph Weiss, an engineer and cybersecurity expert, recounted a meeting between electrical engineers and the F.B.I. in 2008. When an F.B.I. official spoke at length about I.E.D.’s, he was referring to improvised explosive devices, but to the engineers the abbreviation meant intelligent electronic devices.
And experts fear government-sponsored hacking. Michael V. Hayden, another former C.I.A. director, speaking at the Bipartisan Policy Center conference, said that the Stuxnet virus, which disabled some of Iran’s centrifuges for enriching uranium, might invite retaliation.
“In a time of peace, someone just used a cyberweapon to destroy another nation’s critical infrastructure,” he said. “Ouch.”