Media hype concerning attacks on "the grid" abounds - but just what would be necessary to achieve an at-scale disruption of electric utility operations in Europe or North America? This presentation will explore this issue, focusing first on events that actually brought grid operations to their knees: the 2003 Italian/Swiss, US/Canada, and Denmark/Sweden blackouts, and the 2006 European blackout event. Based on these events (none of which were cyber in origin), we will explore grid resiliency and how interconnections, inter-dependencies, and N-1 (sometimes also phrased as N+1) resiliency come into play in maintaining power operations.
Building on this discussion, we will then explore how a sufficiently patient, motivated, and resourceful attacker could either produce, or take advantage of, the conditions needed to create large-scale outage events. The focus here is not on relatively short, geographically limited disruptions in service (such as the 2015 and 2016 Ukraine events), but rather on potentially long-term, physically disruptive, or destructive events across large regions. To explore this, we will discuss chaining cyber impacts with environmental or operational variability, and how potential attackers could use manufactured grid-level disturbances to produce negative outcomes. Specifically, this discussion will look at two frequency deviation events in 2019 (one in Europe, one in the United States) as actual examples of conditions that could be leveraged to achieve wider disruption.
Finally, this presentation will conclude with the actions asset owners, operators, and defenders can take to detect or mitigate such events. First and foremost - greater visibility into operations and communications is necessary both to identify potential attackers as they move toward their objectives and to recognize what operational changes or alterations take place when attackers initiate effects. However, this comes with an important caveat: in systems such as electric utility operations, no provider - from the municipal distribution authority through the multinational utility operator - is isolated and alone. Thus, truly identifying grid-scale attack attempts requires greater, faster communication and coordination among all stakeholders involved in an operational area. While truly grid-scale events induced via cyber remain theoretical at this time, adversaries are investing in the capabilities necessary to make such effects possible. Defenders will only be able to counter such moves through a combination of enhanced visibility, improved reaction time, and sharing information as quickly as possible with partner organizations.