The event that would come to be known as “Cyber Harbor,” or “Cyber 11th,” started small. One morning, the “autopilot” mode on some Tesla cars started going haywire. First, dozens, then thousands of cars began veering into oncoming traffic all across the country. Emergency rooms were swamped with crash victims. Then, office workers in dozens of industries watched in shock as their computers began spontaneously deleting files. It took about 24 hours for officials to realize that these scattered problems were connected. The power grid was next: Blackouts began in California and soon rolled across most of the U.S. The Internet started crumbling as well. Routine communications became impossible.
It took only a few days for grocery-store shelves to go bare. Gas stations put out “No Fuel” signs. Even if supplies of food and gas were available, trucks couldn’t deliver them. The country’s banking system had collapsed; with credit cards and ATMs disabled, truckers had no way to buy diesel fuel. The backup generators powering hospitals, police stations, water-treatment plants, and other critical infrastructure eventually drained their fuel tanks and went silent.
In most cities, the looting tapered off after about two weeks. There was nothing left to steal. By then, armed gangs had begun roaming the suburbs, breaking into houses and ordering the terrified homeowners to surrender any hidden caches of food.
The above scenario is hypothetical, of course (or at least so it remains at the time I write this). But a large-scale cyberattack on the United States of the sort I describe here is becoming more thinkable by the day. Ukrainian military victories and Western sanctions have pushed Vladimir Putin into a desperate corner. And while Russia is now making a show of negotiations, there’s no doubt Putin is keeping his options open. Russian leaders have raised the threat of nuclear weapons several times during this conflict. We need to take that threat seriously, especially if Putin concludes that his regime, and therefore his life, is at risk. But a full-blown cyberwar is far more likely than a nuclear exchange. And it could be just as devastating.
We usually think of cyberattacks as threats to things that exist in the nonmaterial world—assets such as personal data, bank accounts, or trade secrets. For example, the 2014 hack of Sony Pictures’ emails and other records nearly destroyed the company simply by exposing confidential information, including nasty cracks studio execs had made about various Hollywood players. Ransomware attacks routinely force businesses to pay up large sums to get back their critical files. But hackers can also wreak havoc in the physical world—the world of industrial facilities, power plants, and pipelines. That’s when things really get scary.
This isn’t a new worry, but it is a risk that’s growing, for several reasons. First, our vital infrastructure is more automated than ever before. Most big industries use some sort of SCADA system to operate remote equipment. The acronym stands for Supervisory Control And Data Acquisition, and that’s just what these systems do: They monitor conditions, such as the pressure in a particular tank, and they send instructions, say, a command to turn on a pump or close a valve. Today, SCADA systems are used to operate everything from oil refineries to stoplights. If hackers were to seize control of such networks, they could do enormous damage. In 2010, for example, the Stuxnet worm—allegedly created by U.S. and Israeli cyber warriors—burrowed into the SCADA system that controlled Iran’s nuclear centrifuges. The resulting chaos reportedly set Iran’s nuclear program back by as much as two years.
Second, there are more computers to hack: Not just smartphones and laptops, but the myriad devices that make up the Internet of Things—digital doorbells, smart speakers, thermostats, children’s toys, and more. These IoT devices are all connected to the Internet, and many are poorly protected from digital intruders. Hackers might be able to spy on you through your security cameras or disable your digital front-door lock. More likely, they’ll hijack your devices to serve in a “botnet army” they can use for other malicious activities such as Distributed Denial of Service (DDoS) attacks that overwhelm targeted websites with bogus traffic. “Everything is becoming vulnerable in this way, because everything is becoming a computer,” writes security expert Bruce Schneier in his genuinely terrifying book, Click Here to Kill Everybody. A single hacked Hello Barbie is unlikely to bring on the apocalypse, of course. But the existence of hundreds of millions of such devices—all connected to the Internet—is a force multiplier for cyber warriors.
That interconnectedness of all these previously disparate technologies is the third factor greasing the skids toward cyberwar. Not long ago, the only way to start your car was by using a small piece of precisely tooled metal—a key. Today, most cars can be started remotely, including from your smartphone. Modern vehicles contain 50 or more computer systems, and many receive automatic, over-the-air software updates. Once, a criminal who wanted access to your car would have had to jimmy the lock. Today, a few bits of malicious code could give a hacker entrée to all vehicles of a particular make and model. To put it another way, hackers trying to sow chaos on our highways wouldn’t need to target individual cars; they could target entire networks of cars. Now apply that same logic to other networks of crucial technology: gas pumps, ATMs, aircraft cockpits, hospital ICUs, and so on.
The SCADA networks that control critical infrastructure such as pipelines and power plants are pretty well protected. But in some ways, they are less secure than they once were. Two decades ago, most SCADA networks were hardwired, standalone systems. You couldn’t access them through the Internet. That made it a lot harder for hackers to find a way in (though not impossible, as the Stuxnet centrifuge attack showed). Today, these systems typically use the Internet to communicate with their various components, such as, say, pumps on a pipeline. Those Internet links give hackers many more points of entry, or, in security jargon, a bigger “attack surface.”
Not surprisingly, hacking, viruses, and other threats to these networks are on the rise. Failures of SCADA and similar systems have knocked out signals along busy freight and passenger rail lines, simultaneously shut down 13 Chrysler manufacturing plants, and forced the Browns Ferry nuclear-power station offline. In 2016, the U.S. Justice Department revealed that the computerized control system for a small dam in Rye, New York, had been temporarily taken over by Iranian hackers. The head of the NSA’s in-house team of “white-hat” hackers told a conference, “SCADA security is something that keeps me up at night.”
Last year, the mysterious hacking collective Darkside infiltrated the SCADA system for Colonial Pipeline, the biggest artery that delivers gasoline and other fuels from Texas refineries to the East Coast. Rather than trying to damage the pipelines directly, the hackers simply encrypted crucial files on the computer network. They then demanded a huge ransom to decrypt them. Colonial had to shut down more than 5,000 miles of pipelines for nearly a week. Had the shutdown continued, the northeast’s supply of gasoline and jet fuel would have been cut almost in half. The FBI believes that Darkside is a criminal group based in Russia. Evidence suggests the hackers weren’t actually trying to close the pipeline; they were just after money. But, intentionally or not, the Darkside hack was a kind of proof of concept: It revealed just how easy it is to cripple U.S. energy infrastructure.
The electric power grid is another worry. Hackers routinely try to infiltrate U.S. power plants, control centers, and substations. As in the Darkside case, most intruders are after data and money, as opposed to trying to destroy the grid. But today’s freelance cybercriminals could easily be recruited by hostile governments to tackle more ambitious projects. In 2017, the U.S. Department of Energy and several states conducted a two-day simulation of a cyberattack on the East Coast power grid. The results were sobering. It would take roughly three weeks to restore power, the experts concluded, and the blackout would also disrupt supplies of gasoline and other necessities.
These threats aren’t merely theoretical. In 2015, suspected Russian hackers infiltrated an electricity transmission station outside (surprise, surprise) Kyiv, Ukraine, blacking out part of the city. The highly automated malware simply took over grid operators’ computers and began remotely flipping circuit breakers as the stunned workers watched. “It seemed like something in a Hollywood movie,” one said. Fortunately, utility workers were able to restore power manually within an hour. But that was cold comfort. Security experts believe that the intruders weren’t actually trying to trigger a long-term blackout; they were just doing a trial run. WIRED magazine concluded: “The hackers appear to have been testing the most evolved specimen of grid-sabotaging malware ever observed in the wild.”
Grid saboteurs have also made what appear to be practice runs targeting U.S. power networks. One chilling 2013 incident at a power substation in northern California even included physical attacks on infrastructure. Investigators believe that multiple attackers severed underground fiber-optic cables and then fired more than 100 rounds of ammunition at the facility’s transformers. The attackers, who seemed to have had detailed knowledge of the substation’s weak points, were never caught. Grid experts shudder at the notion of a coordinated attack combining such physical attacks on infrastructure with widespread cyber disruptions.
But cyber warriors don’t need access to transformers or pumps to do a lot of damage.
In 2012, Iranian hackers attacked Aramco, the Saudi Arabian energy giant that produces about 10 percent of the world’s oil. The hackers didn’t try to blow up oil refineries or crash supertankers. They just exploited a weakness in Microsoft’s Windows operating system to take over the computers of some 40,000 Aramco office employees. Workers in marketing, finance, HR, and other departments watched as the “wiper virus” systematically erased files and then disabled 85 percent of the company’s computers. Aramco’s only solution was to unplug every workstation and completely disconnect from the Internet.
Of course, that made work impossible. In an effort to go green, Aramco had done away with most paper records. So the company didn’t have a database of customers or vendors, or even contact information for its own employees. Even though its refineries and drilling rigs had been left untouched, Aramco struggled to keep product flowing. Gasoline tankers backed up for miles at Aramco refineries as workers tried to invent paper-based systems for billing and record-keeping on the fly. It took months to sort out the mess. There’s a lesson here: It is natural to focus security efforts on high-risk infrastructure such as pipelines or power plants. But even humble back-office functions can prove crucial if they are disabled en masse. Everything is connected.
Whether they originate from Russia, or Iran, or just from bands of dirtbag hackers, bigger and bolder cyberattacks are coming. In the U.S., the military, law enforcement, and the private sector are all improving their cybersecurity chops. But we need to do more. In his recent Commentary piece “The World Has Changed and We Must Change Along With It,” Eli Lake warned that the U.S. must also prepare for the possible day when our digital defenses fail and our critical infrastructure goes dark. “Doing so requires the revival of the Cold War concept of civil defense,” he writes. Every community needs a plan to cope with an extended breakdown of the power grid, communications, and other vital services. That should include ensuring fuel supplies for backup diesel generators, and even stockpiling emergency food rations.
Private business and public utilities should rethink their fashionable focus on lean, just-in-time supply chains. Efficiency has been the watchword, but as the Covid pandemic revealed, hyper-efficient supply chains are also hyper-vulnerable to disruption. We need more redundancy—more slack in the system. That goes double for the power grid and other physical infrastructure. It’s important to protect these systems from attack. But it is just as important to ensure they can bounce back quickly if they are damaged. Even people in seemingly noncritical fields should remember that nothing digital is secure. Virtual assets need redundancy, too: Any information an organization can’t function without should have a paper backup.
Homeowners as well need to plan for the worst. We don’t all need to start building fallout shelters, but every home should have enough food, medicine, batteries, and other essentials to survive for three weeks at least. And toilet paper. Never forget the toilet paper.
Photo: Christiaan Colen