I’m getting lots of media interview requests and anybody who knows me knows I don’t like cameras. So, I thought I’d put up some comments on the idea of a multi-week power outage across the United States and even across the Continent. There is a lot of fear, uncertainty, and doubt that feeds into a story about turning the lights out for weeks. Is it real? Is it possible? What would happen or be the impact? Those are the kinds of questions I’d like to answer here for just a gloss over the reality. This is the icing, not the cake.
Is it real?
Yes it is possible to take out the power grid in North America. That’s it. It is possible. The NERC/FERC have studied this issue heavily for quite some time. In 1989 there was a geomagnetic disturbance event in North America. Possible does not equate to likely. The lights in the 1989 case didn’t turn out instantly but had a rolling series of outages over about a two day period. At the height of the disturbance there was about a 9 hour outage effecting a fairly large population in the south and eastern seaboard areas. This was a very large magnetic disturbance. So what about a man made event? Something like an electro magnetic pulse (EMP)? Even an extremely large EMP would not necessarily disrupt the entire North American power system. Taking into consideration cascading outages it is unlikely that the entire system would break down. The black out that occurred in 2003 to the Northeast is a good example of a situation where cascades can effect large systems. As in the 1989 outage the 2003 outage was taken care of fairly rapidly.
NERC Interconnections Image courtesy “Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack” 2008
So what if it was caused by an EMP? That is an interesting question since there was an EMP Commission that reported on just such an event and the various critical infrastructures dependent on electricity. Contrary to television and movies an EMP doesn’t kill everything. How do we know? In the past there have been extensive tests of devices to see what is resilient and what isn’t resilient. To be sure it is won’t be a good day anywhere subject to an extreme EMP event, but it likely won’t be a Hollywood style shutdown. I know that some people will be disappointed by that. In studies even very large EMP events only effected regions of the United States. As such that means to blanket the United States and likely Canada and parts of Mexico would require significantly more than one device. You are likely looking at dozens if not hundreds of devices all going off at the same time. The United States Navy tested such activities in the 1950s with something called project Argus. That project was partially anti-ballsitic missile test, and EMP style test. Basically the Navy over the Atlantic launched nuclear missiles into space and blew them up to see if it had an effect.
So far it is really hard to take out the North American power grid. Which is actually a group of grids worked by different entities that coordinate between each other and under an advisor and regulatory group called North American Electric Reliability Corporation, and the Federal Energy Regulatory Commission. The grid groupings can be seen in the following picture:
Conceptual Illustration of the inteconnectedness of elmeents contained within each critical infrastrucrure (p 12) Image courtesy “Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack” 2008
The basic problem with the diagram is that is shows all the similar connections that everybody knows exists. It doesn’t answer if the complete breakdown in technology is a real problem. Another test done in 2007 by the Department of Energy and Department of Homeland Security showed in a staged cyber attack a generator could be destroyed. Is this cyber attack with kinetic result a better way and maybe a simpler way to bypass the scaling problem that we know exists in kinetic attack? That is the big question. It has been suggested by the ICS-CERT group at DHS that the various control systems are being attacked on almost a daily basis. The question that isn’t asked is by who? Who would have the motive, means and opportunity to attack the electric grid. The big question is motive. Who isn’t tied to the American economy and is so desperate that they would put themselves in jeopardy of an existential conflict response? The cyber attack strategy makes sense from the stand point that it does not have the limitations that the other kinds of events have. We have a few cases studies for using computers to shut down the supply side of the electric grid in the Enron and California energy crisis of 2000/1. The use of the financial trading system based almost completely in the cyber world to have a kinetic effect that furthered financial goals is very interesting.
That leaves us with some examples of large scale outages but we have come nowhere close to a continental level outage.
How is it possible?
It is possible to take out the North American power grid. Is it probable is a completely different question. In a question scoped neither by resources or motives almost anything is possible. No matter how little probability of success you might find. Two very astute hackers at a convention called ThotCON pointed out that squirrels are more detrimental to the power grid than hackers. With compelling research and evidence they traced outages to computer generated outages and squirrel derived outages and the squirrels were number one by landslide of smoking fur. One point that they missed in the great presentation is motive. Currently there is little motive for a human agent to take down the American power grid and squirrels have a lot of things but common sense isn’t one of there best traits. With the evidence of Enron, and various other events over the years it most assuredly is possible to take down the power grid. it is less likely to keep it down for a long period of time, and even less likely to be able to drop the grid all at the same time. There are all kinds of simple reasons such as generation run amok (to much generated electricity for the current load), and loss of control on grounding capacity (dealing with power overages) that might be worth looking into. I figure that if I can come up with those issues that NERC/FERC has likely figured the remediation out too. The NERC/FERC through the EMP council looked at the telecommunications infrastructure and time for outage and how power would be restored.
Interdependence between power and telecommunications (p 15). Image courtesy “Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack” 2008
What is the impact?
The impact is likely not people screaming in the streets. It is possible to create that kind of response but rarely does any agency consider that kind of strategy. I’ll get to people going “lord of the flies” later, but what could we expect.
In two to three hours people are getting concerned. They are starting to think about what is in their refrigerator spoiling. There may be a few parties and depending on time of year and the weather across the country people are starting to prepare for the worst. In general before people miss a meal they are more concerned about bringing resources into play to insure their family is safe. If school children are being brought home or schools are closing their is a rapid change in schedules. At most what you see is a “circling the wagons” kind of mentality. People are more interested in making sure everybody is accounted for and safe.
There is a key point here that people rarely talk about. I’ve asked the question of utility operators in the past and gotten conflicting information of when power outages happen. It is my contention that they happen in the spring and summer afternoon and early evenings. The reason is that is when thunderstorms from the heat of the day are most prevalent, and power usage in the heat of the day is at it’s highest. I have no evidence for this and it is not explanatory for winter storms. The reason it is important is that it puts power repair crews at a disadvantage for getting power up as they go into the night time hours.
In a day of the outage food in warmer climates is starting to spoil. Depending weather people in norther climates may be getting cold. There are a lot of studies in how fast a home will get cold based on the outside temperatures and it is highly dependent on the construction date and standards the home was built to. The more urbanized the location the less resilient the food supply and secondary energy supplies. We have a rural area case study that we can think about. In 2009 the central plains was hit by a major ice storm leaving nearly half a million people without power. In some rural locations the storm would leave rural residents without power for over two weeks. The storm left 55 people dead from weather related traumas. As to urban effects in 2012 a fast moving wind storm called a derecho hit the capital region of the United States. With massive winds and power it took out the power to most of the national capital region fairly quickly. The kinetic effect of the storm destroyed the physical infrastructure and Washington DC was literally plunged into the dark. Budget cuts and other problems would be blamed for keeping tens of thousands of people without power for nearly ten days in a highly urban environment.
In multi week outages people start to adapt. The result of the derecho in Washingto DC was not pandemonium and end of times behavior. The result was that people in deep trouble pulled together and responded to the issues with as much good will as they could muster. Roads were closed, people were injured, and emergency services across a fairly wide area were swamped. Nobody ate anybody else. The police didn’t go nuts.There were some negative behaviors but the most important thing observed by me during that storm and the earthquake was prioritization. There is significant evidence in the media reports to suggest that after an earthquake, a hurricane and then derecho the emergency management people were more than prepared. The efforts in my opinion after the September 11, 2001 bombing of the Pentagon to coordinate and fix emergency management practices in the national capital region worked.
The power companies brought up corridors of power to malls, hospitals and schools fairly quickly. As gasoline supplies in cars started to run low they power companies then made gas stations a priority. There was significant flexibility in the response, but there most assuredly was only so many resources to respond.
There is a significant issue that is not discussed. The metropolitan areas were prioritized, the suburban areas then were next for recovery efforts, and then followed by the rural areas. As this follows the leaves of the power grid out from city centers it makes sense. What is interesting though is the power generation facilities are rarely in downtown areas. Often power generation is in rural areas. We could have a long discussion on the structure of generation and distribution differences between the east coast and west coast. A key takeaway is some patterns are more resilient than others and that the differences change the response mechanism.
So how do we get to break things and kill people?
That is an interesting question. If you could find a well funded threat actor with enough resources to throw at a less than sure thing you might be able to take out the grid. Those are some very large “if’s” that you have to fill. That thing we call cyber which spans the people and technology spectrum of how modern technology works is not an easy thing to disrupt. Focusing on network centric attacks ignores the larger domain of threats to the power grid. People who say only a computer can be used and it is cyber ignore the hybrid attack at their peril. I would no more go to war with armor and leave my infantry and air support at home than I would use cyber and ignore kinetic actions. Most of the systems that are critical to society are purposefully built to allow for and be resilient to disruptions. It is the design decision made early in the operations of critical infrastructure. Bad things happen and engineers design for systems to fail gracefully.
The keystone that people look for is to bring a catastrophic failure to a large system with a simple push or pull on a particular system point. That is pretty simplistic. Luckily for attackers they can skip the keystone concept and just scale an attack. Often in threat modeling risk management people look for a critical single point to attack that will cascade through a society. It isn’t that I stab somebody but that I stab the correct arch duke and that I am the right hostile entity. The second errant premise is that a distributed denial of service (DDOS) is some kind of catastrophic attack. That would be the case if you were inside the ICS/DCS of a critical infrastructure, but that is not likely. The next prevalent almost television scenario attack is for an insider to blow something up by inserting a USB key. This will likely work as a delivery mechanism for malware on a case by case basis but it is very hard to scale without detection. So, we still want to blow something up!
The primary way that I can think of to attack the grid is to do so through the financial management system. Make people think that there is a either not enough electricity of to much electricity and hope to catch the consumers on the down side. This particular strategy worked in the case of Enron to cause blackouts in California. It is scalable and has the strange preponderance in the short term to possibly make the hostile entity money. It would be rapidly detected but the feedback mechanisms in the financial side of the power industry might actually cause volunteer scaling efficiencies. That is people uninvolved following normal behavior would join the attack unwitting.
That isn’t a very sexy attack and it wouldn’t likely work as government regulatory mechanisms kick in. Taking out the grid is looking harder and harder. That is a factor of building something that is resilient to attack by mother nature. There is another way though.
Each of the grid systems move power between entities. An attack on the command and control systems of the coordination activities between grid segments would seem to be a good strategy. However, that particular strategy fails to take down the entire grid. You’d likely be able to take down 20 percent of the grid based on various large scale blackouts where human intervention kept automated systems from failing. Now we get into the land of silly tin foil hats. That leap usually starts with the phrase, “what if?”
What if you crafted a really nasty piece of malware that would only attack the human computer interface for the power generation facilities? What if you did this in such a way that it was only going to run on those systems that are actively generating electricity? Even more important what if that piece of malware was polymorphic and self constructing so that it was not detectable between machines or over time? What if that malware was not injected by a person on a USB key but became part of the supply chain and was pushed out five or six years ago in a final update to an aging operating system that almost all of the human computer interfaces for power generation used? Perhaps the malware was a functional unit of the ICS/DCS software? What if everybody had unicorns to ride and pandas as familiars? In such a scenario where the final what if is, “what if it wasn’t detected for years and finally operationalized?” It likely wouldn’t take out the entire grid.
If it did happen the result impact would be substantial. In such a scenario I don’t know how long the power would stay out, but I do know that some power generation facilities and distribution networks can be run by hand. The 1950s technology is still being used in some parts of the larger distribution network. Even if ICS/DCS has been put into place the old “by hand” control systems still exist.
Take what you will from the discussion of a major black out and the human toll it might cause. A lot of people much smarter than I on this issue have been studying this problem set since the advent of power distribution networks.