Handing Over America's Electrical Grid to the Russians
By Duane Thresher, Ph.D. April 26, 2018
Despite recent massive data breaches like Equifax and Facebook, Americans seem to have become inured to having their most personal data stolen by foreign hackers, particularly Russia, probably because most don't see an effect immediately. This "hacking fatigue" will end dramatically when America's electrical (power) grid is "pwned". That's hacking slang for taken over. Actually, given the embrace of IT incompetence by government and business, it is more like America just handed over its electrical grid to the Russians. I use the past tense because America's electrical grid is probably already pwned by the Russians, but being smart they are just waiting for an important event, like a war, before using and thus exposing their powerful secret weapon. Where will you be when the lights go out?
This article is a first, the first time a real expert in IT and electricity has written about hacking America's electrical grid. Like government and business, the media, particularly the IT media, is full of IT incompetents talking about hacking, and they know even less about electricity. Among many other qualifications in both, I have a BS in Electrical Engineering and Computer Science from MIT, the MIT where every smart guy in the movies is from.
So here, free, is real expert consulting on the subject. Usually the situation is the reverse: millions of dollars are paid for zero expertise.
America's electrical grid is a network of electric lines and power plants. (By the way, a place to see before you die is Hoover Dam, a 1930s power plant and an engineering feat America is just not capable of anymore. Remember when you go, though, that your car will be searched for bombs before you can drive over it.)
America's electrical grid is a network very much like the Internet and for exactly the same reason. That reason is that if one part of the grid goes down the rest of the network is supposed to be able to compensate for it and continue uninterrupted. The Internet actually came after the electrical grid and started from the Department of Defense's ARPANET, whose purpose was to ensure communications remained even after a nuclear war destroyed parts of it.
This redundancy would also seem to imply no one can control (including destroying) the electrical grid by controlling it at any one point. But this was before aging electric lines and power plants often ran at 100% capacity, and before computers controlled them and were connected by the Internet.
When electric lines and power plants are running at or near 100% capacity, like during the summer air-conditioning months in recent years, if one part of the grid fails, the rest of the grid can't compensate for it and fails too -- a cascade failure.
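The headroom argument above can be seen in a toy model, added here as an illustration and not taken from the original article: ten lines of equal capacity, where a tripped line's load is split equally among the lines still in service. The line count, the load profile and the equal-sharing rule are constructed assumptions; a real grid follows power-flow physics.

```python
# Added example: toy equal-load-sharing model, not a real power-flow study.
# Assumptions (constructed): 10 lines, identical capacity, and a failed
# line's load is split equally among the lines still in service.

CAPACITY = 100.0
# Constructed relative loading per line (1.0 = the busiest line).
PROFILE = [0.80, 0.85, 0.90, 0.95, 1.00, 0.95, 0.90, 0.85, 0.80, 0.75]


def simulate_cascade(loads, capacity, first_failure):
    """Trip one line, redistribute its load, repeat until the grid is stable.

    Returns (rounds, survivors): the lines lost in each round and the
    indices of the lines still in service at the end.
    """
    loads = list(loads)
    alive = set(range(len(loads)))
    failing = {first_failure}
    rounds = []
    while failing:
        rounds.append(sorted(failing))
        alive -= failing
        if not alive:
            break
        share = sum(loads[i] for i in failing) / len(alive)
        for i in alive:
            loads[i] += share
        # Any line pushed past its rating trips in the next round.
        failing = {i for i in alive if loads[i] > capacity}
    return rounds, sorted(alive)


def run(peak_utilization_pct, first_failure=0):
    """Scale PROFILE so the busiest line sits at the given percent of capacity."""
    loads = [peak_utilization_pct / 100 * CAPACITY * p for p in PROFILE]
    return simulate_cascade(loads, CAPACITY, first_failure)


def cascade_threshold_pct():
    """Lowest whole-percent peak utilization at which losing line 0 spreads."""
    for pct in range(50, 101):
        if len(run(pct)[0]) > 1:
            return pct
    return None


if __name__ == "__main__":
    for pct in (60, 97):
        rounds, survivors = run(pct)
        print(f"{pct}% peak: rounds={rounds} survivors={len(survivors)}")
    print("cascade starts at", cascade_threshold_pct(), "% peak utilization")
```

In this model the same single-line outage is absorbed at 60% peak utilization and takes down every line at 97%, which is why operating margin, not just redundancy, determines whether one failure stays local.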
This was the case during the Northeast Blackout of August 2003, one of the largest blackouts in history. I was in New York City at the time and the chaos it caused was frightening. (Ever see a garbage can thrown through a Radio Shack window?) A blackout is a very powerful weapon.
While physically taking out a power plant to cause this cascade failure might be difficult, and I am not convinced of that (despite their checking for bombs at Hoover Dam), taking out the electric lines would be easier since they can't be guarded everywhere. This might not even require taking out electric line towers, just individual lines. (Ever see sneaker pairs wrapped around electric lines like bolas? Imagine if those were explosive.)
(I ignore taking out America's electrical grid using an electromagnetic pulse, EMP, from a nuclear device, which would be extremely difficult at best, if even possible, although it does make for exciting novels.)
Still, the preceding would involve some physical risk to the saboteurs, although I don't include getting into America as part of that physical risk since that is trivial these days. It would be preferable to be able to take out America's electrical grid remotely, say sitting comfortably in your dacha outside Moscow some August afternoon.
That is quite possible these days with computers controlling America's electrical grid and the Internet connecting them all over the world. Three examples:
The meltdown of the Chernobyl nuclear power plant in Russia on 26 April (today; Happy Chernobyl Day) 1986 was caused by the foolish disabling of cooling systems during testing. This could have been done via power plant computers (although there was no Internet at the time) since most actions in a nuclear power plant have to be done remotely. By the way, the manager who caused the Chernobyl disaster, Anatoly Dyatlov, was incompetent and essentially a political appointee, as many in U.S. Government IT are.
Enron (also an example of pure corporate evil) was in the business of selling energy and gained control of some power plants. During 2000 and 2001 in California, to increase the price of electricity and thus profits, Enron contacted these power plants and told them to turn off the electricity, decreasing the overall supply. This did dramatically increase the price of electricity and profits but caused blackouts in California, which became known as the California Electricity Crisis. Via power plant computers and the Internet, Enron might not even have had to talk to anyone at the power plants to cause the blackouts. Just a few criminal Enron executives turned off California's electricity.
Stuxnet was a computer virus (actually a worm) believed to have been developed jointly by the U.S. and Israeli governments (given U.S. Government IT incompetence, I would guess Israel did more). It was used to significantly damage the Iranian nuclear program via physically damaging the centrifuges that produced nuclear fuel.
Chernobyl and Stuxnet together demonstrate that hackers, particularly state-sponsored hackers, could cause a nuclear power plant meltdown. Note that the Russians are still embarrassed about Chernobyl and would love to show that it could happen in America too.
It would be far easier and more catastrophic to crash America's electrical grid than to learn how to fly airliners, hijack several, and crash them into the World Trade Center towers and the Pentagon. Oh yeah, that already happened.
It would be far easier and more catastrophic to hack America's electrical grid than for high school dropout and traitor Edward Snowden to hack the NSA. Oh yeah, that already happened.
So who is protecting America's electrical grid from its greatest threat, state-sponsored foreign hackers?
The National Protection and Programs Directorate (NPPD) is part of the Department of Homeland Security (DHS). It is tasked with protecting America's physical infrastructure, particularly its electrical grid, and its cyber infrastructure, particularly its Internet. In short, everything I have discussed above ... and was more qualified to do so than anybody in the NPPD.
The NPPD official responsible for cybersecurity is Assistant Secretary for Cybersecurity Jeanette Manfra. Under Obama she held several DHS positions but lost her job when Trump became president in January 2017. She was out of work for 6 months before becoming Assistant Secretary in July 2017, which is surprising since she is probably a Trump hater and President Trump values loyalty.
Before the DHS, Jeanette Manfra worked for Booz Allen Hamilton, the NSA contractor that gave us IT incompetent traitor Edward Snowden, now living in Russia, and others like him. Snowden was a high school dropout who easily passed the background check to get into the NSA, specifically to hack it, which he easily did.
Jeanette Manfra's only education is a BA in History and an MA in International Relations. In other words, Manfra has zero IT education and zero electrical engineering education. Yet she is in charge of America's cybersecurity and so electrical grid security.
Would you trust your life to a lawyer without a law education or a doctor without a medical education? Kirstjen Nielsen is a lawyer who is Secretary of Homeland Security, the head of DHS. How about it Kirstjen, should I be able to practice law without a legal education?
Jeanette Manfra is not even smart enough to protect her own family. She posts her maiden name, location, photos of her children, and a list of her parents/siblings/cousin, with photos, on her Facebook page. For those in security, especially higher-ups, that is dangerous stupidity.
Jeanette Manfra will be the next Anatoly Dyatlov and be responsible for a disaster worse than Chernobyl: the takeover of America's electrical grid by the Russians.
Russia may already have taken over America's electrical grid, by planting rootkits on the electrical grid computers. A rootkit is the ultimate in hacking. After an initial hacking, it allows for continued secret access to the computers. It hides itself by changing the operating system so it can't even be looked for. It is thus very difficult to find even if it is known there has been a hacking, particularly if those looking are IT incompetent.
Russia may even have done this with agents in U.S. Government IT. A big part of background checks, by the FBI for government IT jobs for example, is credit checks, since someone who is in debt is more easily bribed. Equifax was hacked, possibly by the Russians, which not only gave them access to the financial records of many government employees, but more importantly also allowed them to alter credit checks, for example to get one of their agents a government job by making sure he passes a background check.
If the Russians have already taken over America's electrical grid why haven't they done anything? Is this another Y2K scare?
The Russians taking over America's electrical grid is far more of a threat than Y2K ever was. (I know, I know, maybe nothing bad happened on Y2K because it was prepared for, but that's a lesson here too.)
The Russians are smart. That's why we fear them so much. During war, weapons that are known to the enemy can be protected against, so secret weapons should only be used, and thus made known, for something really big. For example, in many wars, particularly World War II, enemy codes have been broken, but extreme measures were taken to keep this a secret until it was used for something big because otherwise the enemy would have just changed the codes.
IT incompetent Equifax data breach CIO Dave Webb (BA in Russian) and IT incompetent Equifax data breach CISO Susan Mauldin both retired comfortably after the breach, without any legal consequences at all. We'll see how Jeanette Manfra fares after the Russians take over America's electrical grid. People get violent when the power goes out.