For decades now people have been claiming that the power grid could be taken down by terrorists. However, simple statistical analysis shows that the biggest danger isn't online hackers, but squirrels – aka rats with good PR.
Cris Thomas, a strategist at Tenable Network Security who goes by the moniker Space Rogue, has been tracking animal-induced power outages since March 2013; we briefly checked out his Cybersquirrel1 project in November 2015.
Fast forward to 2017, and Thomas is still beavering away: he's found that not only are furry and feathered critters a much bigger danger to the power grid than hackers, they are also killing people.
In a presentation to the ShmooCon hacking conference at the weekend, Thomas showed that squirrels have been responsible for 879 power outages around the world, with the next most common animal saboteurs being birds – either directly via nests, or resulting from streams of excrement.
"35 years of cyberwar and the squirrels are winning," he said.
In all, he has tracked 1,753 animal-caused power outages that, taken in total, equate to 78 days without power in the US, leaving over 4.7 million people in the dark. These incidents have also caused the death of eight people.
In 2015, a fox shorting out a substation in Utah caused an outage that shut down an oxygen machine and led to the death of a patient. In the same year, three Sri Lankan soldiers were electrocuted after a squirrel caused a fire that broke power lines – causing them to fall on the soldiers' vehicle.
Natural saboteurs come in many strange forms. For example, Thomas found 13 outages attributed to jellyfish that got sucked into water cooling systems and gummed up the works. Another outage was caused by a bird that was collecting acorns in a microwave dish, eventually amassing 300lb of the things, which borked the hardware.
There is a serious point to this
So far, so funny, but there is a serious point to all of this. Thomas sees the project not only as an interesting data exercise, but also as a way to puncture some of the pomposity of so-called cyberwarfare experts.
"Why Cybersquirrel1? Basically to counteract the ludicrous cyberwar claims," he said. "It's really at an epic, unbelievable level some of the bullshit that gets peddled as fact by people at high levels of government and industry who are really spouting stuff they don't know anything about. We're trying to counter some of the FUD that's out there."
The power grid is vulnerable, Thomas explained. The US Federal Energy Regulatory Commission studied the grid and discovered that destroying just nine of the 55,000 substations across the US would black out the country for up to 18 months – what Thomas called a "democracy-ending event."
The energy commission used confidential and protected information to come to its conclusion. Last year, security researchers at iSIGHT carried out a similar study, codenamed Project Gridstrike, and determined that, using publicly available information, an attacker could destroy 15 substations and trigger the same devastating blackout.
But you have to look at the motivations. Any major nation state attacking the US is going to want to keep the power on, so they can see what's going on, he opined. Minor threat actors like North Korea or the Daesh-bags lack the resources and/or motivation to bring down the US grid for a long period.
Actual cyberattacks against infrastructure, such as those in the Ukraine, do occur, but they only last for a few hours at the most. Shutting down the grid long term would take the physical destruction of equipment, not just computer hacking.