(CNN) – We’ve heard of hackers targeting emails. It happened last month when thousands of Democratic National Convention emails were compromised and then leaked. Here’s a much scarier scenario. What if hackers could target key infrastructure, like power grids?
Marty W. Edwards, Director, DHS Cyber Emergency Response Team said, “What happened is one of these large breakers or several of these large breakers were operated remotely by the attacker.”
It was the first known cyber-attack of its kind. Three attacks. Thirty minutes apart. Against three electrical substations serving Ukraine’s power grid.
Suzanne Spaulding, DHS Under Secretary, National Protection and Programs Directorate, said, “This is not theoretical, this has happened. We’ve now had a cyber-attack on critical infrastructure that was destructive.”
Destructive, and a real threat to the United States, says Suzanne Spaulding, who is in charge of protecting the nation’s 16 critical infrastructure sectors.
A power outage impacts everything from air-traffic control to subways and traffic lights, cell phones, computers, water and food supplies.
CNN was given rare access to a government test facility in Idaho Falls where a team of cyber experts led by Marty Edwards is busy identifying hackers and trying to stop them.
Is it difficult for some sort of a cyber attacker to take down a power grid?
Marty W. Edwards: “It’s much simpler than we would like it to be.”
To show us just how simple it is, the cyber team recreated the Ukraine attack. A hacker, using a common email phishing scam, steals an employee’s credentials, takes full control of a computer operating the power grid, and shuts it down.
In the Ukraine, power was knocked out to several of their substations. Could that happen here?
Marty W. Edwards: “It could. All of our infrastructure is run by these computerized systems.”
Underscoring America’s vulnerability, the malicious computer code identified as having played a role in Ukraine’s attack is the same code DHS recently admitted is in hundreds if not thousands of U.S. computers that control critical infrastructure. The code, known as “BlackEnergy,” has been linked to Russia.
Suzanne Spaulding: “There are companies across the country, and this is not just with respect to electricity companies, that don’t fully appreciate the nature of the threat.”
75-80% of the nation’s critical infrastructure is owned and operated by private sector companies. Despite many warnings, some companies have failed to take even basic cyber-security measures.
Marty W. Edwards: “It ultimately comes down to a business decision for the company.”
A business decision that could allow attackers not only to turn off the lights but destroy the machinery as well.
I’m standing on the actual testing site of the Aurora generator. It was the first test of its kind to prove that a cyber attacker could gain control of a generator and cause it to self-destruct. If an attack were to happen on a generator, how long would it take to get back online?
Marty W. Edwards: “Oh wow, some of those generators and some of this large electrical equipment takes years to manufacture.”
So far, DHS has trained about eleven thousand people in the government and the private sector on how to better secure their systems.