There are few issues that cut across as many technical fields and public interests as cybersecurity. In his book Lights Out, journalist Ted Koppel conducted an 18-month investigation into the vulnerabilities utility companies face in light of new cyberthreats.
Cyberthreats are exacerbated by the growing gap between cybersecurity fixes and threats. In his book, Koppel writes about the proliferation of new viruses, such as malicious computer worm Stuxnet, which could potentially destroy equipment and prolong the service disruption from days to months.
Koppel’s investigation shows that utility industry leaders have not given sufficient attention to such threats. His interviews with leading security experts underscore the realities that utilities face today. The separation of generation from distribution, for example, has increased vulnerability for smart grids because of the number of sources, meters, and other endpoints that do not allow for a uniform application of security strategies and tools.
Prolonged outages could greatly effect food distribution, water supply, sanitation, transportation, as well as public safety. The conclusion in the book is that government is not prepared for such a disruption to utilities, and it can ultimately lead to a threat on our survival if the problem does not get solved.
In the book, Koppel asks: Who is prepared? The groups most prepared, he notes, are those who live in remote rural areas and already have practical strategies in place in times of blizzards and power-supply disruptions. Koppel saves his most sobering questions for the end when he asks what will happen in a prolonged disruption when those without food forcibly confront those who have. It may sound like a plot for a movie, but it could come true.
To think further about the inaction and insufficient preparation if this scenario were to come to pass, here are three points to consider:
- Are there tools available to protect us from new threats? Yes, however, they are time-consuming and expensive to deploy, and require restricting permission to operational system access. There is not yet a commercial or government impetus to implement these tools.
- Are there strategies for coping with a prolonged disruption? Yes. There are a number of emergency-planning responses that have been developed, particularly focused on different terrorist threats to urban centers run by the U.S. Army after 9/11. The challenge is to have today’s leaders also prepared for future types of threats.
- Is there more individuals can do? Yes. After 9/11, families were educated on strategies for how to reconnect in the event of a terrorist attack where transportation and communications are disrupted. Similarly there is much more that individuals could do to buffer a disruption until authorities can provide assistance. These include stocking emergency inventories of food, water, batteries, and cooking fuel.
Koppel’s comprehensive book covers all but the steps that need to be taken for legislative action, which are needed in order to improve standards for operational security and to increase budgets for implementing security protocols in small utilities. Legislative action is also needed to expand emergency protocols by agencies at the federal, state and local levels.
IEEE members can certainly help address these problems. The challenge is how to organize members in a way that has a meaningful impact on technical and policy leadership. I welcome your thoughts in the comments section below.
IEEE Member Ralph Sheridan screens startup proposals for Launchpad Venture Group, Boston’s largest angel investment group. He focuses on early-stage technology startups in clean technology and information technology security. Sheridan has testified three times in front of U.S. congressional committees on issues regarding terrorism and technology.