A hacker told us a cyberattack that shuts down the power grid is 'highly unlikely' - but there's a much scarier way to pull it off
But at least one hacker called that an isolated event, and it's one that doesn't really measure up to what would be considered much worse: A cyberattack that shuts down power not for hours, but for weeks and months.
"Is it possible? Sure," Cris Thomas (aka Space Rogue), a strategist at Tenable Network Security, told Tech Insider. "Is it likely? Highly unlikely in my opinion."
Here's why.
It's a matter of perspective. In Ukraine, an alleged nation-state (thought to be Russian hackers) infected a power company with malware that ended up shutting down computers. Once shut down, the lights went off. But the company quickly recovered - in a matter of hours.
"We have power outages [in the United States] that last five or six hours that are regional in nature," Thomas said. "You just don't hear about them because they're not that big a deal."
He added: "The goal of a cyberattack like that against the United States infrastructure from a nation-state … is going to be not just to turn the power off, but to keep it off for an extended period of time or an extended area impacting millions and millions of people."
But that, he said, would be an order of magnitude different than what happened in Ukraine. And a power grid attack like that is something that we've never seen a nation-state ever do.
Though US Cyber Command's Adm. Michael Rogers still worries about that "highly unlikely" scenario anyway, knowing full well how a devastating cyber weapon called "Stuxnet" destroyed Iranian nuclear centrifuges in 2009 (The US and Israel are widely believed to be responsible).
"If you look at what it would actually take to make a major impact in the United States from a power outage standpoint, it would require a pretty massive attack," Thomas said. "It wouldn't be anything really simple."
Stuxnet took many years to develop and implement. But Thomas offered a much easier, and much scarier alternative to a cyberattack, that even the federal government has acknowledged could cause a nationwide blackout for more than a year.
The 'nine substation problem'
"Destroy nine interconnection substations and a transformer manufacturer and the entire United States grid would be down for at least 18 months, probably longer," a government analysis obtained by the Wall Street Journal concluded in 2014.
Thomas called it the "9 substation problem." As the government study showed, there are about 55,000 electric substations - most of which have little security beyond fences - 30 of which are deemed "critical." If just nine transformers of those 30 were messed with, it would be lights out for quite a while.
That's because they are large, difficult to move, and often custom-built, according to the National Academy of Sciences.
Then there are rural electric cooperatives - roughly 1,000 companies responsible for distributing power to tens of millions of Americans. Although they aren't the biggest targets, they have been called one of the biggest risks based on their relatively limited security measures. Taking one of them down could definitely knock out local power, and Tech Insider saw firsthand how that could be achieved back in April.
Attacks like these are not as far fetched as you might think.
Thomas recounted incidents in which snipers fired at power transformers in northern California. Then there was another incident where a man tried to attack the grid in Arkansas.
While a cyber attack may not take down the power grid, it's scary to know that some well-placed bullets could.