By: Hammaad Salik & Rao Ibrahim Zahid
Darkness. Extended periods of darkness, longer and more profound than the Pakistani nation has ever experienced. On Saturday, the 10th of January 2021, at 18:41 GMT, what the NTDC declared an “engineering fault” in one section of the national grid led to a ‘cascading failure’ throughout the country. A nation of more than 210 million people was plunged into total and utter darkness. Still, despite the media attention, cyber events are now so commonplace that we have absorbed them into the catalog of daily outrages that we observe, briefly register, lay off a few people over, and ultimately ignore. More worrisome is that we may not even identify such events as cyber-attacks, classifying them instead as physical system malfunctions. At the same time, our leaders take scant consolation in the fact that a significant cyberattack on the grid has not happened, and conclude that it is impossible. Many digital migrants believe the notion that our adversaries have neither the abilities nor the motives to launch sophisticated cyber-attacks against our nation’s infrastructure. Worse, we do not possess the capability to respond proportionately when choosing actions against such threats.
For more than a few decades we have lived with the assumption that a nuclear war with India is a real possibility. Ultimately, both Islamabad and Delhi concluded that mutually assured destruction, holding each other hostage to the fear of nuclear reprisal, was a healthier approach to coexistence than hoping to survive a nuclear winter. We are living in different times now. Whether the threat of a nuclear war has receded or whether we have simply become inured to a condition we cannot change, most of us have finally learned to ‘stop worrying.’ Yet the ranks of adversaries who can and would inflict severe damage on Pakistan have grown and diversified into the domain of cyberspace, called ‘Warfare 2.0’.
Electricity is what keeps our society tethered to modern times. With our critical infrastructures now connected to the hyper-connected landscape of ‘cyberspace’, we have developed dependencies we could not have imagined a generation ago, even as we have reaped the benefits of the dream of ‘Digital Pakistan.’ We remain mostly oblivious to the potential catastrophe of a well-targeted cyber-attack. The very structure that keeps electricity flowing throughout Pakistan depends upon computerized SCADA systems for the grid to remain fully operational and to keep the supply and demand of electricity in perfect balance. The internet provides instant access to the systems that maintain this equilibrium. If a nation-state actor or a sophisticated adversary manages to gain access to one of these systems and succeeds in throwing that precarious balance off kilter, the consequences would be as devastating as those experienced on the 10th of January. Prudence suggests that we at least consider the possibility of a cyberattack against the national grid, the consequences of which would be so devastating that no administration should consider it anything less than an act of war.
Suppose one were to speculate on the events of the 10th of January. One possible scenario is a cyber-attack designed to open a circuit breaker, wait for the system or generator to slip out of synchronism, and reclose the breaker, all before the protection system recognizes and responds to the attack, dropping the frequency from 50Hz to 0Hz. The failure of even a single generator could cause widespread outages and cascading effects across the national grid. If a task force is created to investigate the blackout, it will draw critical attention to the embarrassing fact that most utility companies in Pakistan fail to adhere to global industry standards. Moreover, Pakistan does not have industry standards of its own. We may already have inadvertently designed such a fragile system ourselves, mainly through the monopoly of utility providers and our ignorance of the absence of such standards, sowing the seeds of our downfall more effectively than any enemy of ours could have done.
Another famous analogy we hear from people operating nuclear critical infrastructure is the ‘air gap.’ The concept resembles Russian matryoshka, or nesting dolls: no two operational parts of the system are physically connected, and while one sits inside the other, they never touch. Iran’s Natanz facility also believed it was air-gapped and secure until Stuxnet, an alleged joint U.S.–Israeli intelligence operation, penetrated it. Interestingly, when the events of the 10th of January unfolded, images were shared on media platforms of utility operators sitting in control rooms trying to restore power. One close look at the photos of “The Pakistani Blackout” circulating at that time tells us we are still running Windows XP on our grid workstations. Before we even start boasting about air-gap configurations, we should address serious issues like updating Windows. Furthermore, it would be safe to assume that our adversaries are already inside the networks.
History often provides a lens through which irony comes into focus. Should such an event, or information about a cyber-attack, become known, authorities in Pakistan prefer to go down the ‘prove the attack happened’ or ‘attribution’ route: unless and until it happens, there is no proof that it can, and for now what we are left with, for better or worse, is the testimony of experts in the domain. In 2007, Idaho National Laboratory conducted the Aurora Generator Test to demonstrate how a cyber-attack can destroy an electric grid’s physical components. As a nation, we are only 25 years behind in questioning cyber threats to the existence of our critical infrastructures. In 2015, the BlackEnergy malware, used by the APT ‘Sandworm’, compromised the information systems of three energy distribution companies to disrupt the Ukrainian electricity supply. Most damaged was Prykarpattyaoblenergo, an electric power distribution company where everything appeared normal on the screens of SCADA engineers while, in the background, the attackers opened circuit breakers to take substations offline. Such attacks need not be launched by a nation-state actor; it is entirely possible that a well-trained and well-motivated independent organization like Al-Qaeda or ISIS has the capability to inflict pain and instill terror by going after the national grid.
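The two scenarios above, the speculative rapid open-and-reclose of a breaker and the 2015 Ukraine case where operator screens showed “normal” while breakers were opened in the background, both leave traces in breaker telemetry that a grid operator’s monitoring team can check for. The following script is an added example written for this article, not code from the authors or from any utility; the log format, the breaker names, the timing thresholds and every sample event are constructed for illustration. It flags (1) an RTU-reported open followed by a close on the same breaker faster than a protection scheme with a synchronism check would allow, and (2) a breaker whose last operator-display (HMI) state disagrees with the last field (RTU) state for longer than normal update lag.

```python
"""Added example, not from the article: two monitoring checks over breaker
telemetry. Format, thresholds and sample events are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class BreakerEvent:
    ts: datetime
    source: str   # "rtu" = field telemetry, "hmi" = operator display
    breaker: str  # breaker identifier (constructed names below)
    state: str    # "open" or "closed"


def parse_events(lines):
    """Parse constructed 'ISO_TIMESTAMP source breaker state' lines, sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, source, breaker, state = line.split()
        events.append(BreakerEvent(datetime.fromisoformat(ts), source, breaker, state))
    return sorted(events, key=lambda e: e.ts)


def rapid_reclose_alerts(events, max_gap=timedelta(seconds=2)):
    """Flag an RTU 'open' followed by 'closed' on the same breaker within max_gap.

    max_gap is a constructed threshold; a real deployment would tune it to the
    site's reclosing and synchronism-check settings."""
    last_open = {}
    alerts = []
    for e in events:
        if e.source != "rtu":
            continue
        if e.state == "open":
            last_open[e.breaker] = e.ts
        elif e.state == "closed" and e.breaker in last_open:
            opened = last_open.pop(e.breaker)
            if e.ts - opened <= max_gap:
                alerts.append((e.breaker, opened, e.ts))
    return alerts


def hmi_mismatch_alerts(events, grace=timedelta(seconds=5)):
    """Flag breakers whose last HMI state disagrees with the last RTU state once
    both readings are older than `grace` (allowing for normal display lag)."""
    latest = {}  # (breaker, source) -> most recent event
    for e in events:
        latest[(e.breaker, e.source)] = e
    now = max(e.ts for e in events)
    alerts = []
    for b in sorted({b for (b, _) in latest}):
        rtu, hmi = latest.get((b, "rtu")), latest.get((b, "hmi"))
        if rtu is None or hmi is None:
            continue
        if rtu.state != hmi.state and now - max(rtu.ts, hmi.ts) > grace:
            alerts.append((b, hmi.state, rtu.state))  # (breaker, shown, actual)
    return alerts


# Constructed sample log: CB-101 shows a 1-second open/reclose cycle;
# CB-202 is open in the field while the HMI still shows it closed.
SAMPLE_LOG = """
# timestamp source breaker state
2021-01-10T18:40:00 rtu CB-101 closed
2021-01-10T18:40:00 hmi CB-101 closed
2021-01-10T18:41:00 rtu CB-101 open
2021-01-10T18:41:01 rtu CB-101 closed
2021-01-10T18:41:01 hmi CB-101 closed
2021-01-10T18:40:00 rtu CB-202 closed
2021-01-10T18:40:00 hmi CB-202 closed
2021-01-10T18:41:10 rtu CB-202 open
2021-01-10T18:41:30 rtu CB-303 closed
2021-01-10T18:41:30 hmi CB-303 closed
"""


def run(log=SAMPLE_LOG):
    """Run both checks over a log and return the alerts by kind."""
    events = parse_events(log.splitlines())
    return {"rapid_reclose": rapid_reclose_alerts(events),
            "hmi_mismatch": hmi_mismatch_alerts(events)}


if __name__ == "__main__":
    for kind, alerts in run().items():
        for alert in alerts:
            print(kind, alert)
```

On the constructed sample the first check reports CB-101 (opened at 18:41:00, reclosed at 18:41:01) and the second reports CB-202 (HMI shows closed, field reports open). The value of the second check comes from comparing two independent sources: a compromised HMI can lie about what it displays, but it cannot easily rewrite telemetry that is logged directly from the field devices.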
As writers, we are confident that Pakistan has no plan or policy to deal with the aftermath of a cyberattack on the grid. We are undoubtedly unprepared, but why isn’t the issue even on our list of national priorities? For the most part, it is our reactive culture. We are disinclined to anticipate disaster, let alone prepare for it. By contrast, countries like the U.S. that excel in cyber have the ‘Grid Reliability and Infrastructure Defense Act’ to counter the consequences of a large-scale cyberattack on the U.S. national grid.
Most importantly, however, it is the wrong prioritization of projects and investments, if any, in the domain of ICTs. Projects like a National CERT are considered more important than protecting the national grid. Our leaders have failed to realize that a National CERT is valueless without electric power. The very nature of the internet is flawed by design: although we can try adding layers of security to it, you can never make something secure that was designed to be insecure. As guardians of the grid, we need to push for national policies and regulations that are stringent and that utility providers comply with. Moreover, as we enter the age of cyber-induced blackouts, the question still stands: what would we do when the “lights go out”?