The Complex

Shutting Down the Power Grid Is Way Easier Than You Think

If you've been paying even the slightest bit of attention to cybersecurity, you know that the security of power grids is a top concern. It's kind of a disturbing threat, given that almost every other critical infrastructure supporting modern life is dependent on keeping the juice flowing. Well, bad news, cyber worrywarts. New research shows there's even more for you to fret about.

A new study published by West Point's Network Science Center (PDF) shows how hackers can cause blackouts by targeting a relative handful of small substations -- the often-overlooked and poorly-defended parts of a power grid. The research, authored by Paulo Shakarian, Hansheng Lei and Roy Lindelauf and sponsored by the Army Research Office, argues that this kind of strategy can cause a chain reaction of power overloading known as a cascading failure.

"An adversary looking to disrupt a power grid may look to target certain substations and sources of power generation to initiate a cascading failure that maximizes the number of customers without electricity," the authors warn. The problem for those trying to defend such systems is that they "can harden the security posture at certain power stations but may lack the time and resources to do this for the entire power grid."

It's a somewhat counterintuitive approach. The distributed and complex structure of America's power grid might seem like a natural obstacle for an attacker looking to cause the most mayhem for the maximum number of people. Properly exploited, though, grid complexity can be an asset, according to the study.

The security of networks and software in power generation and transmission facilities has been a constant source of concern among cybersecurity experts. Thus far, no hacker has managed to sabotage an American critical infrastructure system. In fact, if you're looking at threats to the power grid, unlucky squirrels electrocuting themselves on power lines have proven themselves to be a much greater threat to the integrity of the power grid than hackers. Fear-mongering in the debate has also distorted the public perception of relative threats to power grids, leading some to portray humdrum blackouts caused by sooty insulators as the nefarious deeds of cybercriminals.

But that doesn't mean hacking a grid is impossible. In fact, some experts claim it's not quite as hard as you might think.

Using game theory, the researchers in the West Point study modeled a simulated attack on a power grid with an attacker and defender strategizing against each other over the integrity of power delivery on a grid. Instead of trying to take on large, well-defended parts of the grid, the attacker set his sights farther down, on just a few smaller substations. By knocking these components offline, the attacker forced them to shift their loads to other parts of the grid, causing successive overloading in other facilities and triggering a cascading failure.

For an example of the kind of damage a cascading failure can do, look no further than the blackout of 2003, which abruptly darkened swaths of the Northeast. The power outage, which began with an accidental fault on a power line in Ohio, cost $6 billion, left 50 million people in the United States and Canada without electricity and was a factor in the deaths of 11 people.

The foibles of software patching and power generation make this kind of strategy all the more difficult to defend against.

Hackers often exploit little-known security vulnerabilities in commonly-used software in order to get access to sensitive data and systems. Once these vulnerabilities are discovered, they can be patched with software updates. Since much of the software and hardware used in power facilities is proprietary, defenders are often dependent on vendors to find and fix potential vulnerabilities. That can cause problems if power companies, as often happens with infrastructure facilities, use older software platforms which are no longer supported with updates and patches. Even if grid facilities had prompt software updates, though, they can't all shut down to update their systems at once without affecting customers.

Not all is lost, though. Of course, defenders can't be everywhere at once. So to maximize the use of finite security resources, the authors developed algorithms that randomly identify specific nodes to protect in a grid at different times, which can limit the scope of a potential cascading failure.

So while hackers may be able to cause headaches at a handful of substations, smarter algorithms may just be able to keep the lights on for the rest of us.

National Security

Air Force Swears: Our Nuke Launch Code Was Never '00000000'

For nearly a decade, an awkward debate has raged about the U.S. military's nuclear force: Did top Air Force officials really choose "00000000" as a code that could enable the launch of a nuclear missile? Ten years later, in a document obtained by Foreign Policy, the U.S. military told Congress that it never happened. But is the Pentagon telling the truth?

Bruce Blair, a nuclear security expert and former launch officer, says no. Blair, now a scholar and author at Princeton University, first raised the idea in a piece published in 2004. He accused the Air Force of circumventing President John F. Kennedy's 1962 order to install extra security codes to safeguard against accidental or unauthorized launch by putting them in place, but making them painfully simple to the missile launch officers who manned underground bunkers. Doing so, Blair said, effectively eliminated the codes' usefulness.

The U.S. military says that's not the case. A new wave of media coverage sparked by online media outlets last year prompted the House Armed Services Committee to ask about the issue, and the military responded by insisting "00000000" was never used.

"A code consisting of eight zeroes has never been used to enable a MM ICBM, as claimed by Dr. Bruce Blair," the new document, obtained by FP, insists, while laying out the basics on how a nuclear missile can be launched.

The release of the document comes at a time when the Air Force's Minuteman nuclear missile arsenal is aging, and faces stiff financial competition if it is to be modernized. It also comes amid a string of embarrassing incidents for the "missileers" who oversee intercontinental ballistic missiles. The mission, once considered among the military's most crucial during the Cold War, has received attention from the Air Force that has "declined conspicuously," according to a 2010 report released by the Pentagon.

Those concerns were stirred again this month, after service officials disclosed that they effectively had removed 34 nuke officers from their positions after investigators discovered evidence of some of them cheating on a monthly aptitude test. Foreign Policy obtained the new document just before news of the cheating scandal emerged.

Blair, a critic for decades of the U.S. handling of nuclear weapons, wrote in 2004 that the Air Force's Strategic Air Command quietly decided to set the locks to all zeroes in order to circumvent a demand from then-President John F. Kennedy in 1962.

"During the early to mid-1970s, during my stint as a Minuteman launch officer, they still had not been changed," he wrote. "Our launch checklist in fact instructed us, the firing crew, to double-check the locking panel in our underground launch bunker to ensure that no digits other than zero had been inadvertently dialed into the panel."

The Air Force made the decision, Blair alleged, because it was less concerned with accidental launches than with too many safeguards interfering if a launch was needed. The story made a comeback late last year, when it was featured on the website Today I Found Out. It then spread to the technology blog Gizmodo, the Huffington Post, the Daily Mail newspaper in London and other news outlets, prompting the Air Force to respond to questions about the issue from Congress.

But Blair, who has testified before Congress on nuclear policy, told Foreign Policy that while the new document describes in some detail how the Minuteman missile program works now, it leaves out key basics from before 1977. That is when a program known as Rivet Save added in additional security precautions, including new launch codes, allowing the United States to reduce the number of personnel needed for the program.

"Before this real enable code system was adopted, there was no technical safeguard and both crewmembers were thus required to stay awake throughout the alert period in the underground capsule," Blair said. "Thus the document errs and misleads when it says that the 00000000 enable code system was never used."

The military's new response to Congress also states that upon the direction of the president, two "separate and distinct processes are required to launch an ICBM." First, the missile must be enabled, or "unlocked," it says. The enabled missile must then be commanded to launch from two separate launch control centers, using a series of codes that are not stored in the control centers, the response says.

Blair said that contention is misleading, too. A single control center could fire "the entire squadron of 50 missiles" using a device called a single-vote timer, he said. If none of the other four launch control centers stopped a launch command using the timer, the missiles would be fired after the timer expires, he said.

Attempts to solicit comment from the Air Force were unsuccessful. However, Lance Lord, a retired four-star general and former nuclear launch officer, said he does not recall any codes including all zeroes ever being used. Like Blair, he recalled that both crew members in a launch control center were required to stay awake prior to Rivet Save being put in place in the late 1970s.

Blair has consistently defended his story over the years, most recently in a December exchange with the blog The War Room. He told Foreign Policy he questions the Air Force's motivation for responding now, considering the service wants to replace or rebuild its existing Minuteman arsenal and needs Congress to approve money to do so.

The U.S. military's new response to Congress fails to address Blair's long-held claim that nuclear codes in the early 1970s were different than they are today, said Jeffrey Lewis, director of the East Asia Nonproliferation Program at the Monterey Institute for International Studies. Asked to review the new military document by Foreign Policy, he said confirmation of Blair's story hinges heavily on the documents Blair says he has (but refuses to share). Lewis added that the argument over the past existence of "00000000" codes is "really just a proxy for a broader question about our reliance on nuclear weapons and the trust we place in government.

"Bruce is correct about the major historical narrative at stake - the United States Air Force, particularly Strategic Air Command, generally resisted the introduction of technical safeguards out of concerns that such measures might make it more difficult to use the weapons in the event of a conflict," Lewis said. "Like many other practices of the period... the Air Force's emphasis on readiness at the expense of safety at that time seems, admittedly with the benefit of hindsight, unwise in the extreme."

140113 Blair ICBM Code Response by Dan Lamothe