Modern field guide to security and privacy

If hackers cause a blackout, what happens next?

An effort is underway to map potential fallout from damaging cyberattacks on US critical infrastructure to aid first responders in the case of a major assault.

Carlos Barria/Reuters

If hackers take out a local power station, the electricity may go out. But what else might happen?

Could harmful software spread? Would water systems stop functioning? Will hospitals need power generators? What else could malicious hackers hit after turning off the lights?

That's what two veteran cybersecurity researchers are setting out to discover. In a bid to help emergency responders mitigate potential damage after digital assaults on such industries as power suppliers, water facilities, or chemical factories, they're attempting to chart the chain reactions of cyberattacks. 

"What is the impact of somebody coming in and hitting a regional portion of the power grid and taking it down?" asks Brian Biesecker, a 30-year veteran of the National Security Agency who now works for Esri, a mapping software firm. "That impacts not only the power grid, but also all of your ability to provide pumping for your water, all your emergency services ... all of these various cascading effects."

No one has ever mapped the earthly reverberations of cyberattacks on a large scale, says Mr. Biesecker, who teamed up with Shane Cherry, an infrastructure analysis and technology manager at the Department of Energy's Idaho National Laboratory, to map the likely ripple effects of hacks.

The effort is expected to last three years and is funded by the Energy Department and Esri. Biesecker and Mr. Cherry will rely on standard mapping techniques and geographic language in hopes of broadening the understanding among the various stakeholders – technologists, cybersecurity specialists, business executives, and government officials – about the full effect of cyberattacks. 

Experts have so far pinpointed only a handful of malicious hacks that have caused physical damage. One of the most significant and well documented was the attack on the Ukrainian power grid in December 2015.

The unprecedented hacker-induced blackout there left 225,000 residents in the dark for several hours. The assailants, who some experts say were Russian government proxies, targeted systems at three Ukrainian power companies. Simultaneously, the perpetrators clogged telephone networks by directing an army of infected devices to make bogus calls, thereby preventing legitimate calls from getting through.

After the Ukraine grid hack, NSA Director Adm. Mike Rogers said in March that it's a "matter of when, not if" a nation-state attempts a similar cyberattack against US critical infrastructure. What's more, Homeland Security, the head agency for defending US private sector and civilian government networks, has warned all industries to be on guard for digital abnormalities in their systems to prevent or minimize any potential outages.

"This type of attack can happen in any critical infrastructure company across all sectors," Ret. Brig. Gen. Gregory Touhill, former DHS deputy assistant secretary for cybersecurity and communications, said of the Ukraine episode at a Washington cybersecurity conference in April. He was named the first-ever US Chief Information Security Officer in September.

One of many challenges with this geography project is that the spread of malware across a network, let alone a region, is hard to forecast, as are the malicious computer commands of an unknown adversary, say Biesecker and Cherry.

With hurricanes, weather models predict the path of the storm, says Cherry. But, he says, "when you are talking about people who are trying to do harm via cyber means, it's as much an art as it is science. So it's very hard to predict what pathways they are going to take."

While the cybersecurity industry may be good at detecting cyberattacks, figuring out how to contain them has continued to vex specialists. "The bottom line is that we don't fully understand the effects that a cyberattack may have on a system, such as a water treatment or distribution facility," says Cherry.

For instance, during an apparent hack that could have become a public health issue, activists with ties to Syria, at least twice, adjusted the amount of chemicals used to treat tap water in an undisclosed country, according to a March Verizon Security Solutions data breach digest. The incident occurred at some point during the past eight years at an unnamed plant, when the hacktivists broke into an insecure Internet-connected control system. While they managed to handicap production so that it took longer to replenish water supplies, the facility was able to swiftly reverse the tinkering with minimal customer impact.

Other pockets of the US government and industry also are trying to visualize the potential physical world repercussions of a cyberattack, on a smaller scale.

For example, the Air Force expects to deploy a "virtual test bed of the cyberthreats" by September 2021. It'll involve geographically dispersed networks of an unnamed energy sector entity and explore how the outcomes of a digital attack affect "the resiliency of the Air Force mission," according to a Sept. 26 contracts notice.   

Sue Gordon, second-in-command at the National Geospatial-Intelligence Agency, says she has challenged her staff at the US spy mapping agency to consider how the link between digital activity and physical space could be useful to the defense and intelligence communities.

"No answer to that yet. But it’s a great question" says Ms. Gordon. "There are too many people that think that cyber is its own domain and quite frankly everything resolves to physical."

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to If hackers cause a blackout, what happens next?
Read this article in
QR Code to Subscription page
Start your subscription today