Squirrels Keep Menacing the Power Grid. But at Least It’s Not the Russians
Nearly four years ago, Cris Thomas began documenting attacks on the US power grid. The number of incidents was eye-popping; over 1700 in all, impacting nearly five million people. The perpetrators? Squirrels. And birds. Assorted rodentia. Some industrious frogs, too.
Mapping the violence wildlife commits against our power lines—and in the case of a few jellyfish swarms, power plants—has become Thomas’s crusade. He collects and details the outages on the website CyberSquirrel1, and had done so anonymously until revealing his identity at ShmooCon, a hacker convention, late last week. CyberSquirrel1 is more than just a satire, though; it’s Thomas’s attempt to put threats of cyberwar in perspective. Infrastructure security experts, though, aren’t entirely amused.
Squirrel World
CyberSquirrel1 hides a serious argument behind a silly name. While Thomas clearly enjoys collecting these incidents, he hopes not just to amuse, but to educate. Specifically, he wants to put calls of imminent infrastructural cyberattack in perspective.
“I look at the cyberwar hawks rattling their cyber sabers. They’re preaching all this stuff about the power grid going down because of cyber attack, and I really don’t think it’s going to happen,” says Thomas, who works by day as a cybersecurity strategist for Tenable. “Let’s devote our resources to something else.”
It’s true that the power grid is a popular point of cyber concern. Earlier this month, the Department of Energy said that the system “faces imminent danger” of cyberattack. Last spring, the Department of Homeland Security and the FBI teamed up to educate US utilities about the possibility of cyberattacks on their systems.
Those worries didn’t materialize out of nowhere. Hackers compromised power centers in Ukraine in December 2015, taking dozens of substations offline and cutting off power to over 200,000 residents.
But Thomas’s argument against infrastructural doomsday is two-fold. First, he contends that the US electrical grid is under far more strain from wildlife than it ever has been from digital threats. CyberSquirrel1 illustrates that point in an absurd but effective way. Whoever hit Ukraine—almost certainly Russia—has got nothing on the combined impact of North American fauna.
What the animal-based outages also demonstrate, though, is the larger power grid’s resilience. “There’s a lot of rhetoric about how fragile things are, how susceptible to cascading failures. And yet since 2000, there have only been two large-scale blackouts in the country,” Thomas says, referring to the 2011 Northeast and 2013 Southwest blackouts that each left millions without electricity. “In both of those cases, power was restored in less than 24 hours for the majority of people impacted.” Ukraine, too, Thomas notes, was back online after a few hours.
The US, too, would be difficult to bring offline in any significant way for an extended period of time, partly because each region would require its own individual hack.
“The power grid is so distributed, it’s run by both private companies and public companies. It’s different everywhere,” says Chester Wisniewski, principal research scientist at security-company Sophos. “It’s not like there’s one utility you can get in and shut off the power to the whole country.”
In fact, if you did want to shut off power to the whole country, you’d have to physically destroy nine substations, according to a 2014 report [PDF] by the North American Electric Reliability Corporation. That’s not a cyberproblem; that’s an all-out war problem.
Wisniewski isn’t quite as sanguine as Thomas, though. While a cyber-inspired blackout may not be devastating in isolation, it would portend much more serious problems than an army of rascally rodents.
Beyond the Blackout
“The truth of the matter is, no one’s good at predicting these things,” says Robert Lee, founder of Dragos, a security firm focused on industrial control system networks. To a certain extent, though, predictions don’t matter. “What is the impact and scale regardless of the likelihood?”
Take the oil industry, which models the impact of catastrophic oil spills regardless of how insignificant the odds. “If you say something is really low probability, people naturally deprioritize it,” says Lee. “If the impact is so significant that it can cause significant damage, it’s not an issue of probability.”
For whatever isolated devastation a squirrel can cause, a coordinated attack on the power grid comes with several more serious concerns. Only state actors have the sophistication to pull off an attack of that magnitude and complexity, for one, meaning that should the grid go down, it would quite possibly lead to an immediate escalation.
“All of these things the American government would classify as acts of war,” says Wisniewski. “As soon as it crosses over into the physical, you crossed a very clear line.”
And while utilities may well be able to staunch an individual attack within a matter of hours, that may not be a realistic way to think of it.
“Our ability to respond to complex cyberattacks, especially when they’re multifaceted, is not nearly as good as we like to pretend,” says Lee. “We have amazing response recover efforts, but how would we respond if an attacker took down power grid, and then also sticks around to try to subvert incident responders, and then also sticks around in other regions?”
That’s before you even get to the psychological aspect. People expect the weather to knock their power lines down, and even squirrels and frogs. Russia or China? Not so much.
Both Lee and Wisniewski appreciate CyberSquirrel1’s core message. The world of cyber defense would be better off with a little less hype and a little more clarity. But while it remains far more likely for bird poop to knock out your lights than a state actor, it’s also true that none of the thousands of animal-related incidents could set off a global crisis. Likelihood matters much less when one time is all it takes.
This article originally referred to NERC as the North American Electric Reliability Council. In 2007, NERC became the North American Electric Reliability Corporation.