Watching the tensions of response and resiliency pulled and prodded by the concepts of conflict and conflagration you might be right to think nobody has a clue what would happen in a war where cyber is a large component. On one edge you have prophets of doom dancing in the fires of dystopian futures. On the opposite edge you have unicorn kissing and rainbow waving confederates. How can we tease out of this something that looks like reality? Using examples of past conflicts will inherently result in biased discussion. Specifically what happens if the power grid goes down and how might be examine that issue? Since the electric grid failure is one of the boogeymen of the cyber age it seems a ripe target for out attention. So, lets take the grid down and see what happens.
First, I want to make sure we’re leaving the politics out of this situation. Second, there is a failure in understanding causation, correlation, and bad luck. Third, I’m not going to detail specifics but we’ll talk in-depth about responses. As such let’s talk through a little mental experiment. To start some fiction should suffice.
Early in the second Bush presidential term a series of random events resulted in the situation room at the Whitehouse being activated. The Department of Homeland Security Fusion center in New York had a person with possible terrorist ties who had electrocuted himself and taken down a big chunk of the North Eastern power grid. Looking through the critical infrastructure reports over the last few hours an analyst putting two and two together got five for an answer. It appeared that in New Mexico and Washington State individuals had also been electrocuted. Thinking that two is a coincidence and three is a pattern an alert was sent up the chain of command. Within an hour the evolving situation was briefed to the president and his primary advisors were gathered.
Not long after the group was gathered it was discovered that the person in New York had left a suicide note, the person in New Mexico was an electric repairman who accidentally jumped a high power line with fatal results, and the person in Washington State was involved in a traffic accident. As such no agent or dire threat was emerging and an all clear was announced. Such, are the points of opportunity for creativity.
As the conversation between the president and his advisors turned towards cigars and baseball the president asked, “What would we have done if there was a coordinated attack?” Pulling out a binder the advisors worked through a quick discussion of incident management and national directives on coordination. The president then asked, “How do we know we could get the grid back up. I remember the outage in the first part of my presidency. It was a total mess.” The advisors referring back to memorandums and directives felt that it wasn’t an issue. The president unrelenting asked, “Have we ever tested this. Not some simulation but an entire grid outage and recovery?” In unison the advisors said it wasn’t possible to test such a thing. Finally the president said, “I think we need to do it. I think it is in the national interest to reboot the power grid and see what shakes out of that system.”
I’m not picking on former president Bush. If anything I think we saw that he took these things seriously. The fact that most people thinking about a full-scale test of the electric grid would say it is silly, or crazy, or not possible is testament to what some of my fellow academics call strategic fragility. We will discuss relatively informally the concepts in the structure of the political, strategic, operational, and tactical. These are only starting points as an entire book could be written about this topic and never step into the realm of fear, uncertainty, and doubt. Furthermore, what we’re talking about is not really crazy but examines the issues in a new light. In some ways most companies would consider this kind of test a best practice. You have to suspend disbelief for a bit but I think the thought experiment is worth it.
Politics
We can imagine the first thing upon an announced nationwide outage of the electrical grid being congress saying the President doesn’t have the authority. Then a cacophony of legal discussions and whether the government can/will be sued by people injured by such a process. There is of course a big difference between a storm or natural event taking out the electric grid, and a man-made purposeful exercise. There is also a difference in a political entity deciding to do this as a test rather than in mitigation of a threat.
I would suggest in the interest of national security that the President does have the power to turn off the electric grid. Most people will have a problem with that, but the powers are likely to be found in the FEMA and various national security acts over time. If there was a large-scale solar storm about to hit the power grid the power companies might need the political cover of such an act to allow for turning off the grid. There are not a few, but numerous cases in which such a power might be wielded for the common good.
As to the legal suits and issues I can’t comment. I’ve been told the answer in legal terms is maybe to everything but one question and that answer is “yes” to “can we sue”.
The political question will revolve around the center of one specific issue. Is actually testing the response capability of recovering the electric grid a national issue that needs to be considered? The President likely has the specific authority to do this but answering the question would be an onerous process. As I stated earlier actually testing recovery is a tenet of good recovery processes leading to better resilience. The fact that we likely can’t even conceive of the idea and would likely never do it points out the specific political impediments to being secure.
Strategic
Imagine an announced outage for April 2 of the entire North American power grid. At 2AM Eastern Time the grid will go down nation wide (inclusive of Mexico and Canadian attached customers). What a great time to attack America. So obviously military bases will have to have power. Since we know that there are populations that need power to simply survive hospitals will have to have power too. Many traffic and safety systems actually have back ups but they need to be checked. What other systems need to continue to operate to maintain good national order? Laying those systems out on a grid defines a category of organizations and systems that might not be found in the critical infrastructures we’d normally consider.
As an example what supply chains might be disrupted by having to take the equivalent of a national holiday? The aluminum industry uses electricity extensively in their smelting process. The pharmaceutical industry uses electricity in their manufacturing process. How many days would it take to work out that kind of bubble in the various industries given months to plan for the event? Planning doesn’t seem to be part of the national character. After the summer storm in DC of 2012 many people bought generators for the duration of the power outage that lasted a week in some cases. Only to return those generators after the outage had been fixed. This is in light of the fact that there have been numerous outages in the National Capital Region. That kind of consumer behavior is a very brittle activity with extensive downstream effects.
Operational
How and when do you turn off the national power grid? There are specific constraints on the various operators of the infrastructures that would need to be discussed. The coordination of such an event with a tight timeline might simply make it impossible. Getting the people in a room to talk about taking down what they make their living doing is going to be emotional at best and chaotic in the worse sense. Never mind the arguments over authorities to do such a thing. What are the chances that compliance might be an issue as people in some companies refuse to comply with the outage requirement and what would you do to them for not participating?
These kind of issues in collaboration and coordination appear to work fairly well at the regional level between the various electrical generation utilities. There is a seam that can be operationalized in that during the DC storm mentioned earlier the teams to respond had to come from all over the region and outside of the region. In a highly distributed event requiring a significant presence from each generation and distribution entity getting such a program off the ground might be nearly impossible. There just aren’t enough people to assist in the recovery effort when the outage has been announced. Let alone during an unannounced outage.
The amount of time needed to get various coordination committees and leadership (advisory) groups together depicts another seam. If the overhead of the recovery process is too high the process will fail under it’s own weight. In regional outages various national level leaders have emerged but at some point they as individuals are saturated and the chaos envelopes even them. This issue also points out that simulations and war games simply can not capture the reality of the recovery process. Coordination takes another wrinkle when you consider the ramifications of storage of information in pan regional companies. If you’ve followed a standard back up and recovery process your national continuity of operations location may actually be out of service too. Your emergency services information detailing the location of sick, injured, or helpless people stored on a server in the cloud may not be accessible since they are experiencing an outage too. Regardless of the local power generation capability of a data center the connections to the data center must be functional too.
Tactical
This all results in a very tactical level of control being required to maintain resilience of the larger systems. Since the command and control mechanisms are eroded by the loss of electricity the tactical level is severely impacted. Think how many reasons and excuses you can come up with to not do such an exercise. Even knowing that exercising the continuity of operations planning process is a requirement for many companies we would never do this at the government level or nation-state level.
The individual who relies on the generator must have a fuel source, and that fuel source likely requires an electric source to pump it. I had a conversation with a gas station operator and I said they should install a plug into the pump so when the electricity was out I could run the pump off my car battery. The gas station owner scoffed at me and said something to the effect he couldn’t have people hooking electric up around his pumps. Now think about this. The general public is slinging a gas pump around that is dripping highly flammable liquid and moving that device up against a high static electricity source. No issues with that, but powering the pump through a safe form of power is too much risk. For the want of safety resilient strategies are abandoned without thought.
Conclusion
There is a lot here to contemplate and likely a wee bit of chatter about how ridiculous the concept is to even think about. I’m up for that criticism and acknowledge it. The thought experiment though provides an insight into what the real risks of strategic infrastructure attacks might look like, and how the reliance on those infrastructures might fail.
All of this discussion hasn’t even opened up the thoughts of how elevators in major cities might affect high-rise dwellers, or how the financial trading systems might fail or not be resilient enough to withstand the outage. This is the breadth of the discussion and unfortunately is filled with more fear than really needed. Yet, that is what needs to be done to really understand the totality of the issue of losing the electrical grid.