Cyber attacks are already widespread, and the exposure of critical systems is a grave concern among top intelligence officials. James Clapper, the U.S. Director of National Intelligence, called the threat of cyber attack a “critical national and economic security concern” in his 2012 Worldwide Threat Assessment report and testimony in January.
“We currently face a cyber environment where emerging technologies are developed and implemented faster than governments can keep pace,” Clapper testified. “The well publicized intrusions into NASDAQ and International Monetary Fund (IMF) networks underscore the vulnerability of key sectors of the US and global economy.”
In terms of energy security specifically, cyber attacks on individual systems – like pipelines or oil refineries – would likely not cause catastrophic damage to our economy, said Gal Luft, co-director of the Institute for the Analysis of Global Security, a Washington-based think tank focused on energy security.
“During Hurricane Katrina we lost 14 refineries because of the storm… and the economy kept on going and we didn’t see any serious disruption,” said Luft, who is also an advisor to the United States Energy Security Council. “So you could hack into a refinery and take it out, but it’s not something that I think could really cause a catastrophic destruction to our economy.”
The North American electric grid, however, represents a critical vulnerability, Luft said. “If you bring down the North American grid just like in 2003, when tens of millions of people were out of power because of blackouts, that’s the kind of thing that could really cause severe economic damage.”
But Luft said a massive attack – like what Defense Secretary Leon Panetta called a “cyber Pearl Harbor” – is unlikely. “I think that requires a lot of money, that requires very impressive tactical sophistication, and I think you probably need to see a government behind it,” Luft said.
Nonetheless, the electric power system’s reliance on computers and its immense scope – including more than 200,000 miles of transmission lines, thousands of generation plants and millions of digital controls – makes it difficult to protect.
According to a 2011 joint report from the McAfee Inc. software security company and the Center for Strategic and International Studies, most critical systems were not designed with cyber security in mind. The principal concern, the report noted, has always been maintaining a steady supply of power.
That means many companies – despite the growing risk of cyber attacks – still use default passwords to protect their systems because they allow for quick and easy access during emergencies or routine maintenance. This could also mean easier access for the wrong people – those looking to infiltrate and sabotage rather than repair the systems.
Some companies also outsource services, often without knowing who exactly is performing the service or what kind of security protocols are in place, Luft said. He emphasized the internal threat to infrastructure, and likened it to airport security.
“If you don’t vet the workers at the airport – the technicians who work on the planes and all the service personnel at the airport – you’re not going to get a high level of security,” Luft said. “There are always going to be vulnerabilities that come from within.”
But external threats exist as well, and Daniel Yergin, co-founder and chairman of Cambridge Research and Energy Associates, emphasized those threats in his recent book “The Quest: Energy, Security, and the Remaking of the Modern World.”
“The potential marauders may be recreational hackers who, despite their benign appellation, can do great damage… They can be cybercriminals, seeking to steal money or intellectual property… They can be governments engaged in espionage… Or they can be terrorists or other non-state actors using digital tools to wreak havoc and disrupt their avowed enemies.”
And although the U.S. has yet to incur a significant attack, the destructive potential of hackers and cyber attacks is evident from phenomena like the Stuxnet computer virus, which some scholars say transformed cyber attacks from a theoretical to a tangible risk.
Many speculate that the sophisticated virus was state-sponsored—either by the United States, Israel or both—and designed to infiltrate Iran’s uranium enrichment facility. Following the launch of Stuxnet, the facility suffered a series of unexplained failures including the self-destruction of its centrifuges.
According to the McAfee report, Stuxnet proves governments can and will develop malware to sabotage their enemies’ critical infrastructure, especially the infrastructure upon which a nation’s power, gas, oil, water and sewage systems depend.
In May 2010, in response to the growing threat of cyber attacks, the government created the U.S. Cyber Command to defend and protect military networks. In addition, the Senate is currently debating the Cyber Security Act of 2012, which aims to improve digital security at critical infrastructure both within and outside of the United States.
But some scholars say even with the actions the government is taking, some of the most pertinent threats to our systems are beyond our control.
Big oil terminals in Saudi Arabia, such as Ras Tanura, are crucial structures that if jeopardized could cause tremendous damage to the U.S. and global economy, Luft said. “Those are the places we need to pay attention to…unfortunately, the United States cannot do very much about it because it’s in Saudi sovereignty.”