A highly disturbing and realistic possibility — one, in fact, that has been a headache for years — has moved up a notch amid the Russia-sparked war in Ukraine. Russia could launch a devastating attack on the U.S. power grid. The country has inflicted malware on America in the past and might not be particularly concerned about the ramifications.

After all, Russian President Vladimir Putin has already hinted that weapons deliveries to Ukraine by the U.S. and other NATO nations may be an act of war. Russia, as well as China, Iran and North Korea, are believed to have the means to successfully attack the U.S. power grid.

Independent cybersecurity researchers have already been urging the federal government to move quickly to release any information it might collect about potential cyber campaigns, including a nationwide power grid attack. They don’t want to see a repeat of 2016, when U.S. officials waited months before blaming Russia for trying to influence the presidential election that year by hacking and disseminating Democrats’ emails.

Far worse could be yet to come if Putin or Russia-based cybercriminals decide to retaliate against the West.

History of power grid attacks

The U.S. electric grid is comprised of power plants and other electricity generators coupled with transmission and distribution lines and related infrastructure. Strong electric grid cybersecurity is critical to safeguarding the reliability and resilience of the grid. If the grid is penetrated by malware, tens of millions of Americans, possibly far more, could be left without heat, light, refrigeration, water, phones and internet access.

The prospect of a potential attack should not be confused with idle speculation. Power grid attacks have already occurred elsewhere, and Russia has at times been deemed the likely culprit. In particular, a cyberattack on a utility substation in Ukraine in 2015 impacted 230,000 people for several hours after roughly 60 substations were knocked offline. Cyber experts say Russia has a history of using Ukraine as a test bed of sorts. In the case of the Ukraine, its grid is a relatively small scale cyber operation, making it a comparatively easy pilot target.

Already, cybercriminals worldwide have increasingly been targeting power grids and related energy systems, mindful of their enormous impact on modern society. Last year, a report by IBM said that the energy industry was the third most-targeted sector for such attacks, behind only finance and manufacturing. Third place was up from ninth place in 2019, Big Blue said.

Also last year, Department of Energy Secretary Jennifer Granholm said that enemies of the U.S. had the capability to shut down the nation’s power grid, and added that “there are very malign actors trying, even as we speak.” In January, meanwhile, there were two Department of Homeland Security warnings about threats to the U.S. grid.

To disrupt the power grid, hackers would likely attempt to compromise either multiple grid substations or bigger control centers.

The former type of attack occurred in San Jose, California roughly nine years ago, when gunmen reportedly fired at high voltage transformers at a substation. The unknown criminals, never found, scattered when police were called, but authorities discovered that the attackers had reconnoitered the site and had marked firing positions with piles of rocks.

There are roughly 55,000 such substations nationwide, each housing transformers — the workhorses of the grid. Some power grid experts contend that the entire country could suffer a coast-to-coast blackout if as few as nine select substations were compromised.

The other probable grid attack methodology would target control centers, which span much broader territories. If hackers can disable communications at a control center, cutting a grid operator’s visibility into their system, utility officials could be blocked from reenergizing a line if a substation protective relay is disabled. This would probably require the work of a highly skilled insider. A nefarious electrical engineer, for example, could do a system analysis to determine how best to destabilize the power grid and pass the information to the actual attackers.

Hardening critical infrastructure attack vectors

None of this should suggest that U.S. power grid infrastructure has negligible power grid cyber protection. After a massive blackout in the Northeast in 2003, which was caused by a software bug and equipment failures, critical infrastructure organizations implemented federal resilience and defense standards. These created minimum baselines for defending against natural disasters and also promoted best practices for network defense, including two-factor authentication, network segmentation and strict, widely distributed access controls.

These steps hardened electricity generation and transmission systems against attacks. Unfortunately, however, not all segments of the power grid have been held to these standards. For instance, local power distribution entities often lack adequate resources and defenses. And while hackers may have a harder time fully compromising more formidable targets, they can still achieve many of their goals by probing persistently.

One huge weakness — perhaps unavoidable — is the growing array of digital technologies to help manage the flow of power and cut planet warming emissions, such as interconnected solar arrays and smart thermostats.

The growth of digital online methods aren’t limited to these, either. Energy companies used to disconnect operation systems from the broader internet, making it harder for hackers to penetrate the most critical infrastructure. Increasingly, this is no longer the case, as companies install more sophisticated monitoring and diagnostics software to improve their systems’ operational efficiency. The bottom line is that the power grid is hugely complex, providing hackers with more grid entry points that can be exploited.

If there is any good news in all of this, it’s that diesel and gas combustion turbines can typically be started with batteries, which means even large power plants may be able to get back up and running within 24 hours of an attack. Yet, recovery from a grid attack will ultimately depend on the breadth of the impact and the amount of damage that has occurred. This isn’t knowable ahead of time, and that is disconcerting.