If hackers cause a blackout, what happens next?

An effort is underway to map potential fallout from damaging cyberattacks on US critical infrastructure to aid first responders in the case of a major assault.

If hackers take out a local power station, the electricity may go out. But what else might happen?

Could harmful software spread? Would water systems stop functioning? Will hospitals need power generators? What else could malicious hackers hit after turning off the lights?

That's what two veteran cybersecurity researchers are setting out to discover. In a bid to help emergency responders mitigate potential damage after digital assaults on such industries as power suppliers, water facilities, or chemical factories, they're attempting to chart the chain reactions of cyberattacks. 

"What is the impact of somebody coming in and hitting a regional portion of the power grid and taking it down?" asks Brian Biesecker, a 30-year veteran of the National Security Agency who now works for Esri, a mapping software firm. "That impacts not only the power grid, but also all of your ability to provide pumping for your water, all your emergency services ... all of these various cascading effects."

No one has ever mapped the earthly reverberations of cyberattacks on a large scale, says Mr. Biesecker, who teamed up with Shane Cherry, an infrastructure analysis and technology manager at the Department of Energy's Idaho National Laboratory, to map the likely ripple effects of hacks.

The effort is expected to last three years and is funded by the Energy Department and Esri. Biesecker and Mr. Cherry will rely on standard mapping techniques and geographic language in hopes of broadening the understanding among the various stakeholders – technologists, cybersecurity specialists, business executives, and government officials – about the full effect of cyberattacks. 

Experts have so far pinpointed only a handful of malicious hacks that have caused physical damage. One of the most significant and well documented was the attack on the Ukrainian power grid in December 2015.

The unprecedented hacker-induced blackout there left 225,000 residents in the dark for several hours. The assailants, who some experts say were Russian government proxies, targeted systems at three Ukrainian power companies. Simultaneously, the perpetrators clogged telephone networks by directing an army of infected devices to make bogus calls, thereby preventing legitimate calls from getting through.

After the Ukraine grid hack, NSA Director Adm. Mike Rogers said in March that it's a "matter of when, not if" a nation-state attempts a similar cyberattack against US critical infrastructure. What's more, Homeland Security, the head agency for defending US private sector and civilian government networks, has warned all industries to be on guard for digital abnormalities in their systems to prevent or minimize any potential outages.

"This type of attack can happen in any critical infrastructure company across all sectors," Ret. Brig. Gen. Gregory Touhill, former DHS deputy assistant secretary for cybersecurity and communications, said of the Ukraine episode at a Washington cybersecurity conference in April. He was named the first-ever US Chief Information Security Officer in September.

One of many challenges with this geography project is that the spread of malware across a network, let alone a region, is hard to forecast, as are the malicious computer commands of an unknown adversary, say Biesecker and Cherry.

With hurricanes, weather models predict the path of the storm, says Cherry. But, he says, "when you are talking about people who are trying to do harm via cyber means, it's as much an art as it is science. So it's very hard to predict what pathways they are going to take."

While the cybersecurity industry may be good at detecting cyberattacks, figuring out how to contain them has continued to vex specialists. "The bottom line is that we don't fully understand the effects that a cyberattack may have on a system, such as a water treatment or distribution facility," says Cherry.

For instance, during an apparent hack that could have become a public health issue, activists with ties to Syria, at least twice, adjusted the amount of chemicals used to treat tap water in an undisclosed country, according to a March Verizon Security Solutions data breach digest. The incident occurred at some point during the past eight years at an unnamed plant, when the hacktivists broke into an insecure Internet-connected control system. While they managed to handicap production so that it took longer to replenish water supplies, the facility was able to swiftly reverse the tinkering with minimal customer impact.

Other pockets of the US government and industry also are trying to visualize the potential physical world repercussions of a cyberattack, on a smaller scale.

For example, the Air Force expects to deploy a "virtual test bed of the cyberthreats" by September 2021. It'll involve geographically dispersed networks of an unnamed energy sector entity and explore how the outcomes of a digital attack affect "the resiliency of the Air Force mission," according to a Sept. 26 contracts notice.   

Sue Gordon, second-in-command at the National Geospatial-Intelligence Agency, says she has challenged her staff at the US spy mapping agency to consider how the link between digital activity and physical space could be useful to the defense and intelligence communities.

"No answer to that yet. But it’s a great question" says Ms. Gordon. "There are too many people that think that cyber is its own domain and quite frankly everything resolves to physical."