NATO’s Achilles’ heel: power grids

NATO leaders spent much of the last year trying to improve the mobility of Alliance forces across the European continent. While the elimination of logistical barriers between allies is an important first step, arguably too little attention was paid to the cyber resilience of the transport infrastructure itself. A single cyberattack against the central power grid of a NATO country would seriously impair the Alliance’s capacity to respond to a crisis—undoing all the hard work NATO leaders have put into mobility.

The rapid digitization of power grids across Europe has proven to be a double-edged sword. On the one hand, growing reliance on the Internet of Things and industrial control systems has allowed companies to cut operational costs and boost efficiency. On the other hand, digitization has made companies more vulnerable to cyber threats, as most of the “smart” systems were built with performance and not security in mind.

A number of major cyberattacks against power grids have exposed the magnitude of these vulnerabilities.

In 2015, a hacker group attacked the industrial control systems of an electrical grid in Ukraine, which left more than 230,000 residents in the dark for up to six hours. A year later, another cyberattack successfully compromised the Ukrainian power grid, took control of some of its industrial control systems, and cut a fifth of Kyiv’s power for about an hour.

While these incidents were bad enough, cyberattacks can have far more serious consequences than just temporary supply disruptions. A powerful cyberattack against the central power grid of a NATO country, particularly at a time of heightened political tensions, could undermine the credibility of the Alliance’s deterrence and defense posture by weakening its capacity to send reinforcements.

In the event of a blackout, for example, most airports would quickly lose access to air-traffic control and other critical services, which are essential for the orderly management of flights. In some airports, fueling services would also be disrupted as there would be no electricity to move fuel from storage facilities. While planes could travel even under emergency conditions, they would likely have to operate at reduced speeds to minimize the risk of accidents.

The rail network would be among the hardest hit by a power outage. Thanks to the growing popularity of electric-powered locomotives in Europe, a large chunk of the rail network would immediately become paralyzed. Trains would come to a standstill on open track, bridges, or in tunnels, and severely clog up the tracks. Railway control centers and other facilities, including loading cranes, would eventually stop working, too. Though in some places it would be possible to switch to manual settings, only a very limited volume of traffic could be handled.

Given their acute dependence on a constant supply of high-voltage power, seaports would also be instantly debilitated. The loading and unloading of ships would have to be suspended since the cranes used at the terminals could not operate without electricity. The pumping of liquid goods such as petroleum, both for transport and refueling purposes, would also come to a grinding halt. Ultimately, large bottlenecks would develop at loading areas, which, given their reliance on railways, could make cargo movement next to impossible.

Power grids are among the most attractive targets for cyberattacks because they offer hackers the greatest bang for their buck. Hackers only need to infect and take down a single power grid to impact the entire transportation sector of a country. Conversely, hackers would have to simultaneously infect and take down hundreds, if not tens of thousands, of computers in order to have a similar effect on the transportation network.

While many grid operators run highly sophisticated cyber security protocols and often have sufficient redundancy to withstand component failure, this might not be enough. A single powerful cyberattack alone could slip through the net, infect the operator, take down the grid, and cause havoc across the board.

To mitigate the threats cyberattacks pose to power grids, both national governments and private companies need to join forces and build public-private partnerships to address the cyber dimension of energy security. While most energy and cyber networks are in private hands, governments could still provide support by developing cyber resilience strategies or voluntary cyber security standards for critical infrastructure owners and operators.

Given their near-total reliance on the private sector, militaries, too, need to develop a greater interest in the cyber resilience of power grids. Unlike during the Cold War, when the bulk of critical infrastructure was in public hands, today around 90 percent of NATO’s supplies and logistics are moved by private companies. Therefore, the robustness of the Alliance’s deterrence and defense posture, by and large, depends upon an uninterrupted flow of electricity.

If the central power grid of a NATO country was taken offline by a cyberattack during a political crisis, it could have dire consequences for the Alliance. In the event of a blackout, airports, railways, and ports would be either severely impaired or completely crippled, meaning the cavalry will not just arrive too late, it might not arrive at all.

Lukas Trakimavičius is an independent security and energy policy consultant specializing in the Euro-Atlantic region. Follow him on Twitter @LukasTraki.

Image: U.S. Army M1A2 Abrams tanks arrive at the Grafenwoehr Training Area, Jan 31, 2014. (U.S. Army Photo by Markus Rauchenberger)