By: Paul Tiao, Partner at Hunton & Williams LLP and former Senior Counselor for Cybersecurity to the FBI Director
American Blackout is not a movie about cybersecurity. It is about disaster preparedness. The 90-minute docudrama devotes less than five minutes to the cyber attack, saying only that it involves some sort of “malicious code” that somehow causes transformers and substations to blow up all over the country. The rest of the movie follows the breakdown of civil society during a ten-day, nationwide blackout.
The fact of the underlying cyber attack is incidental. The point of the movie is that if people do not stockpile at least a few days’ worth of water and food, then they may find themselves and their neighbors resorting to barbaric behavior for the sake of survival in the event of an extended power outage. That’s a good point and most of us can probably improve our preparation for tornadoes, terrorist attacks, and the like.
What the movie does not focus on is how the cyber attack took place, who was responsible, how the malware managed to spread across the entire electricity grid, how it caused things to blow up, or why it took ten days to get the power back up. The movie simply assumes, without explanation, that a cyber attack could actually cause a ten-day, nationwide power outage. In fact, that is extremely unlikely. However, combined with depictions of hysteria and the near-total breakdown of civil society, this movie is sure to generate conversation about cyber threats and our state of cyber preparedness, even though it is not actually a movie about cyber.
So, let’s talk about that. But, let’s focus on real threats and real preparedness efforts. Today’s cyber threats – hacktivists, criminal organizations, insider threats, nation states, and terrorists – are serious and persistent. The concern that a cyber attack on an industrial control system could lead to physical consequences in a discrete facility or location is legitimate and real. However, the government and the electric utility industry are well aware of this. They are both taking action to reduce cybersecurity risks through improved network security practices, increased sharing of cyber threat information within industry and between the government and industry, and more aggressive efforts to arrest cyber threat actors here and overseas. Substantial progress is being made, but much remains to be done by industry, the administration, and Congress.
A big part of industry’s cybersecurity effort centers on preparedness, reliability and resilience.
- First, the electricity grid is divided into three segments – the eastern interconnect, the western interconnect, and the segment operated by the Electric Reliability Council of Texas. These segments are very distinct, so it is unlikely that an attack on one segment would have a cascading impact on another – certainly not an impact that causes the other two to go down in their entirety.
- Second, the electric utility industry is highly regulated. Utilities are required to comply with mandatory critical infrastructure protection standards that address reliability, infrastructure design, relay effects, and operational procedures with regard to both cybersecurity and physical security. These requirements are designed to ensure a defense-in-depth that would prevent significant cascading effects in the event of a cyber attack.
- Third, utility companies have long-term, mid-term and short-term preparedness programs designed to ensure resilience in the face of catastrophic events. These programs include maintaining an inventory of spare equipment, sharing spare equipment with each other, maintaining multiple layers of redundancy through primary and backup systems, creating robust repair capabilities, and maintaining the ability to perform manual monitoring and balancing functions via voice communications if data communications go down. For example, in April, criminals fired multiple gunshots at a San Francisco area substation and cut nearby fiber optic cables, thereby shutting the substation down and disabling 911 service. No electricity customers lost power.
In short, the electric utility industry is taking every reasonable precaution to be prepared for physical and cyber attacks and natural disasters. Outages have been prevented or confined to discrete localities, and nationwide blackouts of the sort depicted in the movie have not taken place. While the cybersecurity threat is a serious one, let’s not allow a docudrama about disaster preparedness to distract us from the real cybersecurity challenges in front of us.