Lessons of the Turkish Power Outage

Photo composition, Thursday Review

Published April 3, 2015

By R. Alan Clanton, Thursday Review editor

A massive power outage which affected about half the country of Turkey and lasted for more than 10 hours is being touted as an example of why the power grids of the United States and other countries require both technological upgrades and a careful, top-down retooling of security and safety measures.

Turkey’s power outage was its worst in decades, and it included many of the country’s biggest population centers, including Ankara and Istanbul. The cause has not been determined, and some initial reports suggest the problem might have been antiquated or faulty transmission lines. But government security officials and investigators for the power services say that they have not ruled out terrorism or sabotage, and they are still considering the possibility that the outage may have been the first large-scale example of cyber-terrorism against a nation’s electrical grid.

Power was interrupted in about 40 of Turkey’s 81 provinces, and by some estimates impacted roughly 65% of the population. The outage wreaked havoc on the country, stalling elevators, blacking out traffic lights and traffic management systems, rendering tens of thousands of credit card machines useless, interrupting some cell phone and landline telecommunications service, disrupting mass transit and rail travel, and closing thousands of public buildings, restaurants and markets. In many areas where tourists flock, even ATMs were shut down.

Major airports, tapping into back-up power supplies and generators, were able to operate normally, though with some inconveniences to the computer systems. Some TV stations used generators, and several of Turkey’s largest oil facilities were able to continue to operate using back-up power and their own generating capacity. But nearly all other aspects of life in about half of Turkey were impacted by the blackout in some way.

The economic impact of Turkey’s Tuesday-Wednesday outage could run into the billions of dollars, especially when tourism, productivity and banking are factored in.

But cyber security and counter-terrorism experts say that just such an outage—whether it is the result of faulty equipment or cyber-terrorism—could have equally devastating results in the United States, Britain, France, and scores of other countries.

Security experts working with U.S. power companies say that every day—hundreds of times each day—the American power grid faces some form of attack or some type of attempt at intrusion. Only a decade ago such cyber-attacks on U.S. power companies were rare; but now such attacks occur continuously every day, around the clock. Not only do security experts worry that the United States possesses a weak defensive system to counter cyber-threats to the power grid—almost all of which is now computerized—but they also worry that the U.S. and its economic allies are unprepared for the full impact of a sustained regional and major metropolitan area outage.

Many security analysts point to the cyber-assaults of the last two 18 month period as testament to the potential risks for the U.S. and Canada: the Target retail data breach, which compromised the credit card and debit card information of 70 million customers; the cyber-attack on JPMorgan Chase last year, which exposed the financial data and personal information of 83 million customers; a recent cyber-attack on Anthem Healthcare systems, which may have exposed millions of social security numbers, billing data, and medical records to criminals; and last December’s massive security breach at Sony Pictures, an attack which cost the company tens of millions of dollars. All of these attacks could have been avoided, say computer experts and security analysts, if vigilance had been maintained and care had been taken to check for obscure, back door entry points.

For example: the JPMorgan Chase breach occurred because the company’s cyber security team inexplicably left one server in the bank’s computer system unprotected by a simple double-authentication process.

In late 2013, hackers who penetrated Target’s massive database for credit card and debit card activity were able to gain access through a back-door—an open portal that security experts should have closed more than a year before the cyber-attack.

Some officials in Turkey are reluctant to embrace the idea that hackers may have caused the day-long power blackout. After all, Turkey’s power grid faced some stresses over the ten day period leading up to the outage. Businesses, municipal officials and residents in dozens of cities report that there have been brief power cuts all across Turkey, some lasting up to an hour—a sign, perhaps, that antiquated transmission lines and outdated control systems were simply facing mechanical and technological hiccups. Power grids sometimes fail in a kind of cascade—one region’s failure triggers a similar failure in an adjacent piece of the grid, triggering a domino effect.

But some computer and cyber experts suggest that those intermittent blackouts could have been the work of cyber-terrorists testing the system, either piece by piece in an effort to understand how the footprints of neighboring power companies interact, or perhaps as a prelude to triggering a nationwide cascade of blackouts.

Whether the result of vandalism, terrorism, or rusted equipment, could such a calamitous blackout happen in the United States?

In fact, one such massive outage occurred in New York in August of 2003, when the largest power outage in American history effectively shut down all of New York City, sent power failures cascading into nine northeastern and Midwestern states, and triggered related outages as far away as Detroit, Toronto and Ottawa. The blackout eventually shut down power for more than 50 million people in the U.S. and Canada, setting a record for both the number of homes affected and for the outage’s economic impact. CNN and Fox News broadcast images of tens of thousands of New Yorkers walking home across bridges—back to Staten Island, or back to New Jersey.

Months later the problem would be traced to a set of antiquated transmission lines in rural Ohio, but for several days there were fears—compelling and visceral in the early days of the post-9/11 era—that terrorism might have been the cause. It was a hardware failure—a massive collapse which demonstrated not only how fragile the U.S. power grid really was, but also how many misunderstandings existed even among the managers, supervisors, and engineers of the systems.

The 2003 blackout also demonstrated that the U.S. was deeply vulnerable to the hundreds of disconnects in communication between different parts of the grid. Like the post-9/11 consensus that said that neither the CIA nor the FBI were forthcoming in sharing important data about terror suspects, so too was blame placed on power companies, then unwilling or unable to engage in real-time technological cooperation or information sharing. One of the things mandated by Congress after the 2003 outage: operations centers for all North American power companies now use standardized forms of measurement, and all can monitor the grid in real time, using the same graphs, numbers and calibrations.

But is the U.S. power grid adequately protected from cyber intrusion and terrorism?

A recent investigative study by USA Today, in conjunction with Gannett newspapers, found numerous troubling problems with the American electric grid. Among those issues: thousands of substations and tens of thousands of transformers which sit in plain view and are rarely protected by digital video surveillance or any other measures. Substations are often surrounded only by standard chain link fence, and their only markings are designed to warn people of the hazards of the voltage. Many of the nation’s transmission lines, especially those which pass along state and local easements (sometimes in rural areas, sometimes through suburbs) are also unprotected. Lines and their towers can be easily attacked by paved or dirt road where there may be little more than a chain and a padlock to discourage an intruder.

Another concern: since 2011 there have been no major arrests in any of the thousands of known cyber-attacks, nor in the hundreds of physical attacks on power equipment. No one has ever been arrested in the sniper/gunfire assault on a northern California power plant in which the attackers (based on smudgy, grainy security camera footage, law enforcement officials have always suspected the assault involved a crew of two to three) deliberately severed phone, internet and fiber optic cables, then opened fire on the facility with more than 100 rounds of automatic gunfire. That attack was widely regarded by state and Federal investigators to be the work of well-coordinated terrorists.

That no one took credit for the attack, terrorism experts theorize, was the result only of the lucky fact that the plant never lost power. That no one was ever identified or caught perhaps makes it a troubling reminder of the vulnerabilities of the power grid.

But some experts worry less about the lone wolf—or the small band of terrorists with bolt-cutters and high-powered rifles—than they do about the determined cyber terrorist bent on causing a widespread power failure. And government officials worry mightily enough about unpredictable and extreme weather without also adding to the fear that a terrorist might use a computer vulnerability to collapse the power grid during a sustained heat wave, or, for that matter, during the sort of record-breaking winters the U.S. has experienced two years in a row. Far from a problem of mass inconvenience, those tens of thousands of people walking across bridges in New York City back in 2003 illustrate just how dangerous a coordinated attack would be if, for example, the same blackout was a deliberate act of sabotage in the northeast in mid-January.

How many lives would be lost in sub-freezing temperatures? How many structures would burn to the ground as desperate residents ignite unsafe fires? Conversely, what would be the economic and health consequences of a successful cyber-attack on the power grid in mid-July?

From 2011 to 2014, utility companies reported to state and Federal agencies at least 362 attacks—physical or cyber or both—which resulted in some form of power disruption. Those 362 incidents have produced no arrests.
