Let me state now that I’m not in the business of reviewing books. However, I recently read Ted Koppel’s book, Lights Out, and I wish to make a couple points about it.
First, this is a very important book. Regardless of what you think of it (and you really shouldn’t have an opinion on it before you’ve read it, should you?), I recommend you read it since I’m sure it’s going to have a lot of influence on public opinion, and especially on Congress. I do want to point out that suspicion of electric utilities is one of the few areas where Republicans and Democrats in Congress are in agreement.
Second, this book isn’t primarily about cyber security, despite what the book jacket says. It’s about what could happen if there were an extended power outage (i.e. more than a few days) that covered an extended region (say 5-10 states, especially if one or two major cities were included). What would happen? Chaos and death, that’s what. This is close to indisputable.
However, Koppel isn’t saying that a cyber attack is most likely to cause this type of outage. He discusses other events like EMP and solar storms that could be more devastating. The book’s main purpose is to document how there seems to have been just about zero planning on the national level (and little on the state or local level) for an outage of this magnitude and duration, no matter what the cause. And it issues a call to action to start that planning.
Of course, doing something like storing MREs for the entire city of New York will be very expensive; Koppel admits that. The point is that this type of outage (again, whatever the cause) would be devastating enough that there needs to be some preparation, no matter how small the probability that this could happen. Of course, the question of large transformers weighs heavily in both the problem and the solution (although Koppel doesn’t attempt to outline a solution, just give broad hints on what it might entail).
What does he say about NERC CIP? Very little (he doesn’t mention it by name), and what he says isn’t very accurate. Yet it doesn’t really matter for his argument. Even if CIP were the best-written, most-effective set of standards in history, the possibility of a serious cyber attack would never be reduced to zero. And even if the chance of a cyber attack were zero, there could always be a huge solar storm (in fact, we just narrowly missed one in 2012, and the 1859 Carrington Event would have been absolutely devastating had it hit in modern times).
However, even though a cyber attack isn’t really the focus of this book, it will almost certainly be perceived that way. My guess is many people in Congress will take the book as confirmation that the electric power industry just can’t be trusted writing its own cyber regulations. And this is why you need to read the book – to be prepared.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.