Someone is Hacking Our Power Grid and That’s Not Even the Worst of It
Most people would rightly be very disturbed by reports that a hostile force has hacked the computer systems of U.S. nuclear power plants. The consequences of an intrusion into our energy grid could be catastrophic.
Yet, judging by the deafening silence in the public at large, people are clearly not aware that these attacks have been made, successfully, on numerous energy and nuclear power companies in the United States.
We should all be concerned about this, and not necessarily for the reason you think.
The Department of Homeland Security and the Federal Bureau of Investigation issued an “urgent joint report” in early July. The report said that since at least May of this year, hackers have gained access to the computer networks of nuclear and other energy facilities.
They targeted people who have direct access to systems that, if damaged, could lead to an explosion, fire or a spill of dangerous material.
The hackers also appear to be trying to map computer networks for future attacks.
These attacks are coming at the same time as we are discovering that hackers are using tools stolen from the N.S.A. to hit private businesses. With these stolen N.S.A. tools, hackers can access a computer, steal its user’s credentials, and gain seemingly legitimate access to a company’s computer system. From these computers, hackers can distribute malware into critical infrastructure.
This may or may not be what happened with these energy companies. However, we do know that hackers using the N.S.A. tools may have already infected tens of thousands of computers worldwide.
It’s bad enough that the attacks occurred. As Ted Koppel detailed extensively in his book “Lights Out,” the U.S. power grid is ridiculously vulnerable and our government is horrifyingly blasé and unequipped to prevent or respond to an attack on it. Well-known novels like those in the “One Second After” trilogy have described what extended power outages might look like in one community in America. And it is terrible.
The most frightening part of recent reports, however, is not that they document what Koppel predicted and what we are unprepared for. It’s not that the hacks presage the chaos and brutality of “One Second After” and similar books. No, the most frightening aspect of these attacks is our U.S. government’s response.
According to our government, we have nothing to worry about.
There has been a documented cyberattack on U.S. nuclear and other energy facilities.
We believe that the hackers are attempting to map computer networks for future attacks.
We believe that the cyberattackers are targeting people with direct access to potentially harmful plant systems.
We know that tens of thousands of computers worldwide are now infected with the “DoublePulsar” tool originally developed by the N.S.A. and stolen from them.
DoublePulsar allows hackers to steal an employee’s credentials and gain access to a company’s computer system. It is virtually undetectable unless you know that you have to look for it.
So we have an unknown enemy that can impersonate unknown thousands of company employees and thus access sensitive computer networks and company data.
All of this is happening at a time when our energy grid has been breached by hackers trying to gain deeper access to the networks that control the power grid.
And yet, the F.B.I. and the Department of Homeland Security issued a joint statement saying that the energy company hacks give “no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.”
Contrary to this deceptive reassurance, from a cyber security standpoint there are few things that pose a greater danger to our public safety. And from a physical security standpoint, hacking of our power grid is near the top of the list.
The threat is so grave that President Trump has ordered the Secretary of Energy and the Secretary of Homeland Security to report to him by August 9 about:
How bad a power outage would be following a cybersecurity incident;
How ready we are to manage such an incident; and
If we are not ready, what we are lacking.
The information requested in this Executive Order is critical to our community security and will provide crucial information about what we must do to prepare for this credible threat.
But other agencies of our government want you to believe that there is “no indication of a threat to public safety.”
As citizens, we need to take responsibility for our own safety as much as possible. Some of my other comments point out the need to be vigilant, and to arm ourselves legally and responsibly in preparation for credible threats. (This is part of the reason that, as Sheriff, my office provides free concealed carry training in my community.)
This responsibility includes keeping ourselves informed of credible threats. In this case, the federal government has done us all a disservice by refusing to acknowledge the threats posed by these energy and nuclear power company attacks. We deserve better and our communities will be safer if we are candidly and transparently informed of the threats against us.