Can you give some examples of? I can imagine that under the right circumstances you might succeed in blowing up some transformers or even a turbine, but it seems like you’d be up to speed within a month or two on the outside? Or am I missing the gravity somehow?
Pardon? A month or two without power does not seem like an enormous crisis?
Stuxnet destroyed centrifuges. It does not seem impossible that a sophisticated attack could shred some critical equipment.
During the Texas 2021 outage -they were incredibly close to losing the entire grid and being in a blackstart scenario. Estimates were that it could take weeks to bring back power - all this without any physical equipment destroyed or malicious code within the network.
Edit: Had to look it up, the Texas outage was "only" two weeks and scattershot in where it hit. The death toll is estimated at 246-702.
A month or two of isolated outages should not be a crisis in a developed nation with resources and infrastructure.
The fact that the Texas outages killed anyone is a testament to the fact that the USA is, apparently, a developing nation, possibly going through a rough patch.
It’s not like there wasn’t enough generators or fuel in the nation to ameliorate that crisis. It was that, like all developing nations, resources are not available at the point of need despite their widespread availability.
Yes, there is the risk of cascading failures, some industrial processes are very hard to re-start once interrupted (or even impossible) and the lead time on 'some transformers' can be a year or more. These are nothing like the kind that you can buy at the corner hardware store. A couple of hundred tons or so for the really large ones.
Grid infra is quite expensive, hard to replace and has very long lead times.
The very worst you could do is induce oscillations.
Consider that if a cyberattack could destroy a major power grid transformer, for a marginal cost approaching zero, versus the low-end US$10 million a Kinzal ballistic missile would cost to do the same thing (presuming you only need 1 which is...unlikely), that that might be a significant military capability.
> Transformers and turbines of any significance are not off the shelf parts and can have lead times of years
Bloomberg had a decent article[0] about transformers and their lead time. They're currently a bottleneck on building. It wasn't paywalled for me.
"The Covid-19 pandemic strained many supply chains, and most have recovered by now. The supply chain for transformers started experiencing troubles earlier — and it’s only worsened since. Instead of taking a few months to a year, the lead time for large transformer delivery is now three to five years. " [0]
Enough for the entire grid? There are some amount of reserves on hand (eg drunk runs into a telephone pole), but nothing that could replace a targeted attack with the explicit goal of taking out the most vital infrastructure.
And those pole mounted transformers are tiny. The big ones require special transports and can weigh a few hundred tons. Some are so large they are best transported via boat if possible.
These attacks are not at the level of 'flipping a switch'. If they succeed they can destabilize the grid and that has the potential to destroy gear, and while not as costly as blowing up a dam it can still be quite costly.
The reason everyone used carpet bombing in WW2 was the inability to aim competently. This even persisted after WW2, leading to some tests of air-to-air nuclear weapons just to give the missiles a decent chance to actually disable the target they were fired at.
The counter-strategies that the British used to defend against German strikes included "switch off all the lights at night so they don't know where they are" and "order newspapers to lie about which part of the city was damaged in order that spies reading British newspapers and reporting back to HQ said missiles fell short/went too far, causing HQ to incorrectly compensate on the next strike". I don't know if the reverse was true, despite now living in Berlin.
Everyone's supply chains were also much shallower, and equipment much cruder and therefore easier to make (though also less efficient). Half of London or Berlin losing electricity makes a much smaller difference when far less was electrified in the first place, e.g. loss of electricity for a heat pump doesn't matter so much when the terraces and apartment blocks have internal fireplaces and regular coal deliveries.
I was not speaking to just one case. Today's incident, is _the norm_.
These attacks are widespread, damaging, and the repercussions are felt for decades in their wake. We _are_ being carpet bombed, and the costs for the victims are ongoing and growing. The collateral damage is everywhere.
Do you really think there's no impact?
> Cyber units from at least one nation state routinely try to explore and exploit Australia’s critical infrastructure networks, almost certainly mapping systems so they can lay down malware or maintain access in the future.
> We recently discovered one of those units targeting critical networks in the United States. ASIO worked closely with our American counterpart to evict the hackers and shut down their global accesses, including nodes here in Australia.
I guess I shouldn't be drawn by someone calling me an idiot...
But one last try.
You suggested that the cost of cyberattacks on industry, is not so great as when we were destroying it with bombs instead.
However, every time we have power outages, people die. Then we have the cost of securing the infrastructure. And the cost of everyone else affected, who has to increase their resilience.
Your bank is collateral damage, as is the people freezing to death in their homes. Entire industries are on the verge of collapse - getting a new turbine to help stabilise your grid has a lead time of _years_, not days or weeks. And if you hit weeks, people die.
Insurance responds to attacks, and that trickles out to everywhere that is touched. VISA and MasterCard have to prepare for eventualities, because of attacks not aimed at them, but at power infrastructure.
When power is hit... There is nothing unaffected.
Volt Typhoon hit the US power grid, and required a massive multinational effort to extract them, that took almost a year... And VT wasn't intended to do damage, just look for weak spots. So that next time, they can cause damage. As part of that survival process, various hardware partners were kicked to the curb, and the repercussions are still in the process of being felt. Half the industry may have issues surviving because of it.
Industroyer is one of the reasons that Kyiv got as bad as it did. Malware is not some hand-wave and fix thing. Half the city's relays were permanently damaged.
Then of course, there was Stuxnet. Which blew up centrifuges, and the research centres hit are still trying to recover from where they were, then.
Cyberattacks are a weapon of war, people die, industries die, and there is no easy path to recovery following it.
An entire industry exists, just to defend against these kinds of attacks. The money spent on that, is counted, which means it has to be less than the cost of the attack succeeding. Trillions are spent, because there is absolute weight behind surviving these attacks.
If things were easier, it'd be an industry solely focused on backups and flipping a switch. But it's not.
If they succeed they may well not be reversible. The question is if this had succeeded would we have shrugged it off again or responded appropriately?