If you ask many of the folks on the front line of cybersecurity for our critical infrastructure they will tell you that a large-scale attack is very unlikely to succeed. They will all acknowledge, as they must, that legacy control systems are vulnerable to attack. But, they argue, one of the significant protections against a successful big attack against multiple targets (the type of attack, say, that would take down a large portion of the electric grid) is that the control systems are not homogeneous. In other words, our security is enhanced by the diversity of the cyber systems controlling operations. A piece of malware that would be successful in taking a PEPCO plant in Washington offline would not work against a generating facility in New York. Thus, we have taken some comfort in the fact that an attacker would need to craft dozens (or more) different malware versions; intrude them all without observation; and then activate them all with near simultaneity to achieve a significant strategic advantage. One plant = easy; the East Coast = very very hard.
Or so we thought. That's why I was quite disturbed by a report from the Network Science Center at West Point. The report, entitled "Power Grid Defense Against Malicious Cascading Failure" suggests that attackers have capabilities to create cascading failures on the grid in ways that we may not have previously understood. I confess that the math of the paper is beyond me (and invite any reader with greater knowledge to educate me about it) but the conclusions are pretty stark. Here's a portion of the Abstract (my emphasis):
An adversary looking to disrupt a power grid may look to target certain substations and sources of power generation to initiate a cascading failure that maximizes the number of customers without electricity. This is particularly an important concern when the enemy has the capabilityto launch cyber-attacks as practical concerns (i.e. avoiding disruption of service, presence of legacy systems, etc.) may hinder security. Hence, a defender can harden the security posture at certain power stations but may lack the time and resources to do this for the entire power grid. We model a power grid as a graph and introduce the cascading failure game in which both the defender and attacker choose a subset of power stations such as to minimize (maximize) the number of consumers having access to producers of power. We formalize problems for identifying both mixed and deterministic strategies for both players, prove complexity results under a variety of different scenarios, identify tractable cases, and develop algorithms for these problems. We also perform an experimental evaluation of the model and game on a real-world power grid network. Empirically, we noted that the game favors the attacker as he benefits more from increased resources than the defender. Further, the minimax defense produces roughly the same expected payoff as an easy-to-compute deterministic load based (DLB) defense when played against a minimax attack strategy. However, DLB performs more poorly than mini-max defense when faced with the attacker's best response to DLB. This is likely due to the presence of low-load yet high-payoff nodes, which we also found in our empirical analysis.