While I enjoyed the first two Bruce Willis Die Hard movies, Live Free or Die Hard was a different story. The coordinated, near simultaneous cyberattacks of the power grid, financial systems, government databases, and media satellites was so over-the-top that I couldn't suspend my disbelief long enough to enjoy the movie. Maybe that's because I've long been suspicious of the terms cyberterrorism and cyberwarfare. In fact, the threats of thunderstorms, tornadoes, and overgrown trees are a greater threat to the daily delivery of your electricity fix than hackers. So are strategically placed explosives.But in light of some of the news that's been trickling out, I'm starting to up my concern level. According to several news reports, including this story by Thomas Claburn, hackers, apparently profit motivated, managed to turn the lights off in several cities while also demanding extortion money. Fortunately, these events occurred outside the United States.
I wouldn't get too worked up over these events. But we need to be prepared, probably better prepared than we are today. Fortunately, just this week, the Federal Energy Regulatory Commission is strengthening how it secures the IT systems underlying the power grid.
I've long argued that if the utilities protect themselves from traditional cyberattacks using standard best IT security practices then they'd be prepared against most types of attacks that could be levied against them. The tools available to cyberterrorists are no different than those available to anyone else. There's no special class of cyberterrorist attack tools.
The same is true for physical terrorism. If the utility industry is adequately prepared for natural disasters such as hurricanes, tornadoes, and earthquakes, then we're prepared for most anything a small group of terrorists could do. There's not much difference between the response to unexpected natural disasters and unexpected terrorist attacks. In fact, natural disasters would likely be worse, and cover a wider geographic area.