Last December, a coordinated cyberattack cut power to more than 100 Ukrainian cities and towns by compromising the same kind of control systems that are used in the power grids of the U.S. and many other countries. It was the first known successful attack on physical infrastructure initiated by cyber criminals.

Could the same thing happen in the U.S.? A panel of experts convened by Bloomberg this morning agreed that American power infrastructure is at risk, but the likelihood of a major nationwide blackout triggered by hackers is unlikely. Ominously, a successful attack on the power grid could be the least of the nation’s problems, said General Michael V. Hayden, former director of both the National Security and Central Intelligence Agencies. That’s because turning out the lights would probably be a precursor to a broader military assault.

Ironically, one of the U.S.’s best defenses against a coordinated attack is the age and complexity of the grid. Not only does the country have multiple electric grids, but the grids themselves are run by an assortment of public utilities, investor-owned corporations and private cooperatives.

Aging infrastructure, while a handicap in many ways, is also a protection. “We’re fortunate to have physical redundancy in the electrical network because so much of it was built in the 1970s,” said Suzanne Spaulding, undersecretary for the national protection and programs directorate in the U.S. Department of Homeland Security.

Scott Aaronson, executive director of security and business continuity at the Edison Electric Institute, an association of shareholder-owned electric companies, added, “The grid grew up over 100 years. There’s biodiversity and redundancy, so taking out 10 nodes is not going to make everything come down.”

Awareness training needed

Which doesn’t mean everything is just swell. Speakers agreed that any hacker who gets inside control systems can do a lot of damage. A mesh of state and federal regulatory agencies hampers communication. Operators and even private citizens need to be better educated about how to differentiate between an attack and a malfunction.

Furthermore, as the power grid becomes more automated and interconnected, the potential for calamity increases. The Eastern Interconnection, which is one of the two major alternating-current electrical grids in North America, uses a lot of computer power to maintain a synchronized frequency of 60 Hz. “This is a highly complex system and that means it’s vulnerable,” said Marcus H. Sachs, senior vice president and chief security officer of the North American Electric Reliability Corporation (NERC).

Better communication between regulatory agencies, power company executives and government security agencies is needed. The Cybersecurity Information Sharing Act of 2015, which Congress approved last year, is a step in the right direction. It requires the Director of National Intelligence and the Departments of Homeland Security (DHS), Defense, and Justice to develop procedures to share cybersecurity threat information with private entities, non-federal government agencies, local governments and the public. “Congress has been unusually productive in the cybersecurity arena over the last couple of years,” Spaulding said.

Utilities still need to better train operators and even customers to look for unusual events. Many control operators grew up in a world of physical switches and hard-wired cables, meaning that the signs of digital disruption are foreign to them. “What does a cyber event even look like? Someone in a substation or a plant may assume it’s just a malfunction,” said Dennis P. Gilbert, Jr., director of information and cybersecurity, corporate and information security services and alternative power provider Exelon Corp.

Exelon is conducting hands-on training with operators to show them what they should expect to see at a console during a cyber event. The attack on the Ukrainian grid was first noted by an operator at the Prykarpattyaoblenergo control center when the cursor on a screen suddenly began moving on its own. It had been hijacked by a hacker.

It’s not just an IT problem

Operations and IT teams need to be well-acquainted with each other’s skills and tactics before a crisis. “We need to be sure that when an incident happens we aren’t working together by exchanging business cards on the tarmac,” Aaronson said.

Executives at power utilities already understand that protecting the power grid requires a coordinated, multi-disciplinary approach. “I meet with 30 to 40 electric company CEOs every year and they understand that this is not just an IT issue,” Spaulding said.

General Hayden said one thing that makes battling cyber attacks so difficult is that the process is so unlike traditional warfare. Battlefield forces conduct reconnaissance before an attack in order to scope out the enemy. That’s the easy part. But in cyber warfare, an attacker who reaches the reconnaissance stage has already breached the walls. “It’s more difficult to penetrate a network and remain on it unobserved for a long period of time than it is to kick in the door,” he said.

While raising the specter of an attack on the power grid presaging a broader military assault, Hayden was nonetheless optimistic about the nation’s resilience. “The grid is more resilient than we give it credit for,” he said.

And if the U.S. was forced into a firefight with cyber attackers, he said he likes America’s chances. “The greatest concentration of cyber assault firepower in the world is at the intersection of Baltimore-Washington Parkwa and Route 32,” he said, referring to Fort Meade.

Photo of 2003 North American blackout by NASA