South Australian power shutdown ‘just a taste of cyberattack'

By Professor Roger Bradbury

A one-day shutdown led to hundreds of millions of dollars in losses to the economy, disruptions to citizens’ lives and an unravelling of political, social and economic certainties.

Sure, South Australia has peculiarities that made it particularly susceptible to such an event. But the shutdown nevertheless shows in high relief the vulnerability of today’s interconnected systems of critical infrastructure.
What we saw then was not just a loss of the electricity network but also the shutdown of the other infrastructure networks: telecommunications, water, sewerage, transport, financial services, the Internet and so on.

Advanced Western societies have spent the past 30 years refining and interconnecting their critical infrastructure, improving their efficiency but also increasing their vulnerability. We’ve reached the point where the interconnections are more or less complete, so every critical infrastructure – energy, water, finance, transport or cyber – is dependent, to a high degree, on every other.

This interdependency means disruptions in one infrastructure quickly spread to all other interconnected systems. And because these infrastructures – with the exceptions of cyber and transport – are organised in a top-down hierarchy, it means if the disruptions can spread up to the top of the tree, they can then spread down to the rest of the network.

This is what happened in South Australia. Excessively hierarchical networks in key infrastructures enabled – one may say encouraged – the collapse of each of those networks.

A cyberattack would take advantage of these interdependencies and would look exactly like the chaos in South Australia. Such an attack would be initiated through the Internet rather than through the electricity system but a cyberattack would not stay inside the cyber system. It would spread to electricity, water, financial, transport and other systems big time. It would bring them to their knees.

How likely is it that we may suffer a full-blown cyberattack? And what may we do to reduce our vulnerability?

To answer the first question, we need to know several things about cyber.

The first is, at present, it would require the resources of a nation-state to launch a cyberattack of this magnitude. It would not be a terrorist job.