Former CIA Director "...it's a really, REALLY, stupid grid."
As the website for this video is no longer online, we thought it important to post this piece of the video as well as the full transcript.
Thalia Assuras from EnergyNow.com sat down with former CIA Director James Woolsey to discuss the current state of the nation's electric grid and its vulnerabilities. Woolsey says the federal government's oversight of grid security is inadequate and attacks on the grid are "entirely possible."
Energy Now News VIDEO: The Mix: Cyber-terrorism's Threat - Transcript Mon, 08/15/2011 - 12:40
[TEXT ON SCREEN] JUNE 9, 2011
[LEON PANETTA] I've often said that there's a strong likelihood that the next Pearl Harbor that we confront could very well be a cyber attack that cripples our power systems, our grid.
[ASSURAS] That was former CIA Director and now Defense Secretary Leon Panetta at his Senate Confirmation Hearing in June. He is among a growing number of intelligence and security officials who are concerned about potential attacks against the nation's infrastructure, including the power grid. And think about it -- everything from transportation to water treatment depends on the grid. To help us assess the threats and what's being done to counter them, we're joined for this week's MIX by James Woolsey, the CIA director during the Clinton administration.
[TEXT ON SCREEN] theMIX
[ASSURAS] He is currently chairman of the nonpartisan policy group Foundation for Defense of Democracies and is also a venture partner at Lux Capital Management, specializing in alternative energy ventures. Thanks very much for joining us. Let's turn to Leon Panetta, who said, the next Pearl Harbor could be an attack on the grid. Was he overstating it?
[TEXT ON SCREEN] PROTECTING THE POWER GRID
[WOOLSEY] Not at all, I think Leon's right on the money. Whether it's a physical attack on transformers or a cyber attack, it's entirely possible, and without the electric grid, since, as you said, everything else depends on it, when it goes down, we're not in the 1970s, pre-Web, we're in the 1870s, pre-grid, and we don't have enough plow horses or pump handles.
[ASSURAS] So, what does that mean right across the country? How dramatic would it be, and would government agencies, institutions, be vulnerable as well?
[WOOLSEY] A lot of businesses and some homes and government will be okay for two or three or four days, because people have generators and some diesel fuel. But beyond that, you're back in really primitive circumstances. And the military is no better off than anybody else.
[ASSURAS] But how would that kind of an attack scenario actually happen? What keeps you awake at night?
[WOOLSEY] Well, probing the grid as a hacker, and leaving malware in it, which could be triggered by your government, let's say, at some point, China or someplace else.
[ASSURAS] Software somebody deposited in there.
[WOOLSEY] The difference between doing those two things is a couple or three keystrokes. So, yes, I imagine parts of our grid already have malware in them that could be triggered by whoever put it in.
[ASSURAS] In fact, the McAfee Security Agency said that 70 government institutions as well as companies do potentially have malware in them. They've been mined for data. As a former CIA director -- I mean, they're saying that's what's there now -- do you know of more serious attacks that have happened that we don't know about?
[WOOLSEY] It's sometimes very difficult to tell whether something is intentional or not. There was a big outage in Florida a few years ago. There was a huge one in Italy a few years ago. You had the one in the east coast of the United States and eastern Canada in '03. And sometimes there are disputes as to whether it was all or partially caused by something other than just a tree branch touching a power line. And people tend, sometimes, not to agree.
[ASSURAS] So it could have been something else, in fact, in 2003, maybe not that tree near Cleveland?
[WOOLSEY] I think that one was very closely investigated. Chances are it was a natural occurrence. Part of the problem is that the grid is so vulnerable. If a tree branch touching a power line can take 80 gigawatts -- essentially 80 nuclear power plants' worth of power -- offline, and take 50 million people out of having electricity for several days, as that one did -- terrorists are a lot smarter than tree branches.
[ASSURAS] Let's talk about, then, the protective measures that are in place. I was on the phone last week with an assistant secretary at the Department of Energy who said that the Department is spending $30 million a year staying ahead of these cyber security challenges, and also the watchdog over utilities says that it has some standards in place, for example, background checks on employees who want to work for utilities. Are those measures enough?
[WOOLSEY] Not really. They're, essentially, nothing. Because, first of all, DoE doesn't really have any authority over the grid. Nobody has responsibility for the survivability and protection and security of the grid. The FERC, the Federal Energy Regulatory Commission, has responsibility over the transmission grid for some aspects, many aspects, of reliability, but they don't have the authority for security, and neither does NERC, the so-called "watchdog." It's not much of a watchdog. It's essentially the trade association of the utilities. And it's been one of the big problems. They have not done anything really effective in protecting the grid.
[ASSURAS] But you're saying, also, on a federal level, there is no one in charge of cyber security, policy, and defense.
[WOOLSEY] No one in charge of security for the grid, whether it's cyber or transformers or whatever. You can search forever through the federal code to try to find who that person might be.
[ASSURAS] And you think it should be the president?
[WOOLSEY] Well, I think there's a very good reason for it, perhaps, to be the chairman of FERC. But to try out to see what would work, I think, having the Defense Department work with the local utility is the best. What they're doing now, they're constructing what they call a "Smart Grid." And they're going to make it easier for you and me to call our homes on our cell phone and turn down our air-conditioning on a hot afternoon if we're not there. Great, but that may well mean that a hacker in Shanghai with his cell phone could do the same thing or worse. And a so-called "Smart Grid" that is as vulnerable as what we've got is not smart at all, it's a really, really stupid grid.
[ASSURAS] Vulnerabilities is what you're telling me. We're not taking care of them.
[WOOLSEY] We're not.
[ASSURAS] Jim Woolsey, thanks so much.
[WOOLSEY] Thank you.