Let me state
now that I’m not in the business of reviewing books. However, I recently read
Ted Koppel’s book, Lights Out,
and I wish to make a couple points about it.
First, this
is a very important book. Regardless of what you think of it (and you really
shouldn’t have an opinion on it before you’ve read it, should you?), I
recommend you read it since I’m sure it’s going to have a lot of influence on
public opinion, and especially on Congress. I do want to point out that
suspicion of electric utilities is one of the few areas where Republicans and
Democrats in Congress are in agreement.
Second, this
book isn’t primarily about cyber security, despite what the book jacket says.
It’s about what could happen if there were an extended power outage (i.e. more
than a few days) that covered an extended region (say 5-10 states, especially
if one or two major cities were included). What would happen? Chaos and death,
that’s what. This is close to indisputable.
However,
Koppel isn’t saying that a cyber attack is most likely to cause this type of
outage. He discusses other events like EMP and solar storms that could be more
devastating. The book’s main purpose is to document how there seems to have
been just about zero planning on the national level (and little on the state or
local level) for an outage of this magnitude and duration, no matter what the
cause. And it issues a call to action to start that planning.
Of course,
doing something like storing MREs for the entire city of New York will be very
expensive; Koppel admits that. The point is that this type of outage (again,
whatever the cause) would be devastating enough that there needs to be some
preparation, no matter how small the probability that this could happen. Of course,
the question of large transformers weighs heavily in both the problem and the
solution (although Koppel doesn’t attempt to outline a solution, just gives
broad hints on what it might entail).
What does he
say about NERC CIP? Very little (he doesn’t mention it by name), and what he
says isn’t very accurate. Yet it doesn’t really matter for his argument. Even
if CIP were the best-written, most-effective set of standards in history, the
possibility of a serious cyber attack would never be reduced to zero. And even
if the chance of a cyber attack were
zero, there could always be a huge solar storm (in fact, we just narrowly
missed one in 2012, and the 1859 Carrington Event
would have been absolutely devastating had it hit in modern times).
However,
even though a cyber attack isn’t really the focus of this book, it will almost
certainly be perceived that way. My guess is many people in Congress will take
the book as confirmation that the electric power industry just can’t be trusted
to write its own cyber regulations. And this is why you need to read the book –
to be prepared.
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte Advisory.