{"id":6244,"date":"2017-01-22T14:53:29","date_gmt":"2017-01-22T22:53:29","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/22\/news-97\/"},"modified":"2017-01-22T14:53:29","modified_gmt":"2017-01-22T22:53:29","slug":"news-97","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/22\/news-97\/","title":{"rendered":"Squirrels Keep Menacing the Power Grid. But at Least It&#8217;s Not the Russians"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.wired.com\/wp-content\/uploads\/2017\/01\/GettyImages-674741059-660x440.jpg\"\/><\/p>\n<article class='content link-underline relative body-copy' data-js='content' itemprop=\"articleBody\">\n<p>Nearly four years ago, Cris Thomas began documenting attacks on the US power grid. The number of incidents was eye-popping; over 1700 in all, impacting nearly five million people. The perpetrators? Squirrels. And birds. Assorted rodentia. Some industrious frogs, too.<\/p>\n<p>Mapping the violence wildlife commits against our power lines\u2014and in the case of a few jellyfish swarms, <a href=\"https:\/\/www.theguardian.com\/world\/2013\/oct\/01\/jellyfish-clog-swedish-nuclear-reactor-shutdown\" target=\"_blank\">power plants<\/a>\u2014has become Thomas\u2019s crusade. He collects and details the outages on the website <a href=\"http:\/\/cybersquirrel1.com\/\" target=\"_blank\">CyberSquirrel1<\/a>, and had done so anonymously until revealing his identity at ShmooCon, a hacker convention, late last week. CyberSquirrel1 is more than just a satire, though; it\u2019s Thomas\u2019s attempt to put threats of cyberwar in perspective. Infrastructure security experts, though, aren\u2019t entirely amused.<\/p>\n<h3>Squirrel World<\/h3>\n<p>CyberSquirrel1 hides a serious argument behind a silly name. While Thomas clearly enjoys collecting these incidents, he hopes not just to amuse, but to educate. 
Specifically, he wants to put calls of imminent infrastructural cyberattack in perspective.<\/p>\n<p>\u201cI look at the cyberwar hawks rattling their cyber sabers. They\u2019re preaching all this stuff about the power grid going down because of cyber attack, and I really don\u2019t think it\u2019s going to happen,\u201d says Thomas, who works by day as a cybersecurity strategist for Tenable. \u201cLet\u2019s devote our resources to something else.\u201d <\/p>\n<p>It\u2019s true that the power grid is a popular point of cyber concern. Earlier this month, the Department of Energy said that the system \u201cfaces imminent danger\u201d of cyberattack. Last spring, the Department of Homeland Security and the FBI <a href=\"http:\/\/freebeacon.com\/issues\/fbi-warns-cyber-threat-electric-grid\/\" target=\"_blank\">teamed up<\/a> to educate US utilities about the possibility of cyberattacks on their systems. <\/p>\n<p>Those worries didn\u2019t materialize out of nowhere. Hackers compromised power centers in Ukraine in December 2015, taking dozens of substations offline and cutting off power to over 200,000 residents. <\/p>\n<p>But Thomas\u2019s argument against infrastructural doomsday is two-fold. First, he contends that the US electrical grid is under far more strain from wildlife than it ever has been from digital threats. CyberSquirrel1 illustrates that point in an absurd but effective way. Whoever hit Ukraine\u2014almost certainly Russia\u2014has got nothing on the combined impact of North American fauna.<\/p>\n<p>What the animal-based outages also demonstrate, though, is the larger power grid\u2019s resilience. \u201cThere\u2019s a lot of rhetoric about how fragile things are, how susceptible to cascading failures. And yet since 2000, there have only been two large-scale blackouts in the country,\u201d Thomas says, referring to the 2011 Northeast and 2013 Southwest blackouts that each left millions without electricity. 
\u201cIn both of those cases, power was restored in less than 24 hours for the majority of people impacted.\u201d Ukraine, too, Thomas notes, was back online after a few hours.<\/p>\n<p>The US, too, would be difficult to bring offline in any significant way for an extended period of time, partly because each region would require its own individual hack. <\/p>\n<p>\u201cThe power grid is so distributed, it\u2019s run by both private companies and public companies. It\u2019s different everywhere,\u201d says Chester Wisniewski, principal research scientist at security-company Sophos. \u201cIt\u2019s not like there\u2019s one utility you can get in and shut off the power to the whole country.\u201d <\/p>\n<p>In fact, if you did want to shut off power to the whole country, you\u2019d have to physically destroy nine substations, according to a <a href=\"https:\/\/fas.org\/sgp\/crs\/homesec\/R43604.pdf\" target=\"_blank\">2014 report<\/a> [PDF] by the North American Electric Reliability Corporation. That\u2019s not a cyberproblem; that\u2019s an all-out war problem.<\/p>\n<p>Wisniewski isn\u2019t quite as sanguine as Thomas, though. While a cyber-inspired blackout may not be devastating in isolation, it would portend much more serious problems than an army of rascally rodents.<\/p>\n<h3>Beyond the Blackout<\/h3>\n<p>\u201cThe truth of the matter is, no one\u2019s good at predicting these things,\u201d says Robert Lee, founder of Dragos, a security firm focused on industrial control system networks. To a certain extent, though, predictions don\u2019t matter. \u201cWhat is the impact and scale regardless of the likelihood?\u201d<\/p>\n<p>Take the oil industry, which models the impact of catastrophic oil spills regardless of how insignificant the odds. \u201cIf you say something is really low probability, people naturally deprioritize it,\u201d says Lee. 
\u201cIf the impact is so significant that it can cause significant damage, it\u2019s not an issue of probability.\u201d<\/p>\n<p>For whatever isolated devastation a squirrel can cause, a coordinated attack on the power grid comes with several more serious concerns. Only state actors have the sophistication to pull off an attack of that magnitude and complexity, for one, meaning that should the grid go down, it would quite possibly lead to an immediate escalation.<\/p>\n<p>\u201cAll of these things the American government would classify as acts of war,\u201d says Wisniewski. \u201cAs soon as it crosses over into the physical, you crossed a very clear line.\u201d <\/p>\n<p>And while utilities may well be able to staunch an individual attack within a matter of hours, that may not be a realistic way to think of it. <\/p>\n<p>\u201cOur ability to respond to complex cyberattacks, especially when they\u2019re multifaceted, is not nearly as good as we like to pretend,\u201d says Lee. \u201cWe have amazing response recover efforts, but how would we respond if an attacker took down power grid, and then also sticks around to try to subvert incident responders, and then also sticks around in other regions?\u201d<\/p>\n<p>That\u2019s before you even get to the psychological aspect. People expect the weather to knock their power lines down, and even squirrels and frogs. Russia or China? Not so much.<\/p>\n<p>Both Lee and Wisniewski appreciate CyberSquirrel1\u2019s core message. The world of cyber defense would be better off with a little less hype and a little more clarity. But while it remains far more likely for bird poop to knock out your lights than a state actor, it\u2019s also true that none of the thousands of animal-related incidents could set off a global crisis. Likelihood matters much less when one time is all it takes.<\/p>\n<p><em>This article originally referred to NERC as the North American Electric Reliability Council. 
In 2007, NERC became the North American Electric Reliability Corporation.<\/em><\/p>\n<p><a href=\"https:\/\/www.wired.com\/2017\/01\/squirrels-may-beat-power-grid-glad-not-russia\/\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"rss_thumbnail\"><img decoding=\"async\" src=\"https:\/\/www.wired.com\/wp-content\/uploads\/2017\/01\/GettyImages-674741059-660x440.jpg\" alt=\"Squirrels Keep Menacing the Power Grid. But at Least It&#8217;s Not the Russians\" \/><\/div>\n<p>A site that chronicles animals versus the power grid makes a good point about cyberwar hype, but an attack would still be serious business. The post <a href=\"https:\/\/www.wired.com\/2017\/01\/squirrels-may-beat-power-grid-glad-not-russia\/\">Squirrels Keep Menacing the Power Grid. But at Least It&#8217;s Not the Russians<\/a> appeared first on <a href=\"https:\/\/www.wired.com\">WIRED<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[10629,1707,10630,4175,10631,714,6957],"class_list":["post-6244","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-cyberattacks","tag-cyberwar","tag-electric-grid","tag-infrastructure","tag-power-grid","tag-security","tag-squirrels"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6244","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http
:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6244"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6244\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6244"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}