America the Vulnerable and Today's WSJ Article

One of my favorite cyber security books is Joel Brenner's 2011 "America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare" (I just noticed the paperback version  has a new title "Glass Houses: Privacy, Secrecy, and Cyber Insecurity in a Transparent World". I prefer the old title). I also have the audio version from, and it is a great performance too. I've used this book's materials in a number of talks, and I will be coming back to it frequently in my blog posts. Since reading this book several years ago, I see many news stories in a completely new light. I cannot encourage you strongly enough to read this book.

Today I am highlighting a hypothetical scenario described in the book's chapter "June 2017" and today's (4 March 2014) Wall Street Journal article "Transformers Expose Limits in Securing Power Grid". 

The "June 2017" chapter paints a grim but compelling story of what could happen if an adversary (in this case China) leverages our cyber vulnerabilities in a coherent campaign. Examples of each cyber component in the story has already happened or has been shown to be possible. In other words, the story is hypothetical but very real. Let me pick up from several pages in...

Washington–12:00 P.M.; San Diego–9:00 A.M.; Honolulu–3:00 A.M.

The San Diego grid goes down, followed by the grids in Seattle (another big Navy base) and Honolulu. In California's Central Valley, turbines in three electric generators mysteriously blow up. The secretary of energy tells the president that this kind of equipment takes twelve to twenty-four months to replace.

"What?!" the president says. "Don't I have emergency powers to deal with that?"

"We don't make those generators in this country anymore, Mr. President–haven't made them for years."

"Who does make them?"

"India, sir. The Indians make them, and the Chinese."

Today's Wall Street Journal article refers to the vulnerability of transformers instead of generators, but much of the threat is the same.

The U.S. electric grid could take months to recover from a physical attack due to the difficulty in replacing one of its most critical components.

The article describes the long process it took FirstEnergy Corp to order a transformer from South Korea and install it in a new substation in Pennsylvania.

Total elapsed time from purchase to delivery: about two years.

The gist of this part of Brenner's "June 2017" chapter and the WSJ article is that our most critical infrastructure (our power grid) is vulnerable, can take months to recover from if damaged, and to a great extent we will depend on foreign countries for critical components. This dependence on foreign countries and our vulnerability means that foreign countries can dictate our national policies.

Very scary stuff. Again, if you have a chance, I strongly encourage you to read Brenner's book.

BTW: Here is video of a generator being physically damaged by a cyber attack. Fortunately, in this case the attack's purpose was just to demonstrate the potential.