Cyber Canon Book Review: "Blackout: Tomorrow Will Be Too Late," by Marc Elsberg
Book Reviewed by: Sergej Epp, Chief Security Officer, Central Europe
Bottom Line: I recommend this book for the Cybersecurity Canon Hall of Fame.
Our modern society will not work without electricity. It gives us warmth, light, food and the possibility of social connectivity through the internet and mobile phones. Electricity is an indispensable, integral part of everybody’s life in the twenty-first century. But what happens if we suddenly lose this privilege?
“Blackout” is a conspiracy thriller describing an intercontinental collapse of power grids caused by a terrorist group. It’s an exciting thriller about a former hacker and IT professional trying to hunt for a terrorist group that used cyber and physical-enabled attacks to cause a collapse of the electrical grids across Europe.
The author describes, in a well-researched way, how simple tampering with smart meter software could cause a domino effect leading to a fatal disaster for our society. Since its release in 2012 (German) and 2017 (English), this book has contributed significantly to the discussion about the vulnerabilities in critical infrastructure and the importance of cybersecurity in its journey to digitalization. For example, in 2014, “Blackout” was selected as Scientific Book of the Year by the German Scientific Society. Since then, Marc Elsberg has been invited on a regular basis to professional cybersecurity conferences to discuss critical infrastructure.
The story starts with Piero Manzano, a former hacker who discovers malicious code installed on his smart meter at home before the blackout. After recognizing that the backdoor can be used to switch off smart meters, which he believes to be a potential root cause for the outages, Piero tries to warn local law enforcement. Because nobody takes him seriously, he starts an investigation on his own. Very soon, he identifies further traces proving a cyber-attack on the European power grid. However, the perpetrators are very successful in hiding their traces, making it difficult for Manzano to uncover them. Moreover, Manzano himself soon becomes a prime suspect, after a suspicious email emerges, suggesting he’s one of the conspirators.
It’s an almost realistic scenario about the dependencies of our society on electricity and what happens if we lose it, starting from a simple toilet flush or gas stations not working anymore up to a nuclear disaster, which can be caused due to a lack of electricity for nuclear plants.
This book touched me personally when I read it the first time a few years ago, since I myself, probably due to the influence of my cybersecurity career, anticipate technical facts of vulnerabilities in our journey to digitalization more emotionally than the average person.
Most novels - especially thrillers - lack realistic explanations of cybersecurity or its dependencies. On the other hand, professional cybersecurity books are often not exciting enough for non-cybersecurity people.
In “Blackout,” Elsberg successfully combines a thrilling story with well-researched facts about the potential impact of a cyber-enabled sabotage campaign against electricity providers in Europe.
In this book, the terrorists use a vulnerability/backdoor in smart meters in order to manipulate demand for electricity on a massive scale. One of the sabotage techniques used by the terrorists is manipulation of several power plants and electricity switching points by malware. Manzano discovers a relationship between all the power plants causing the problems. Apparently, all affected power plants used the same software from a fictitious software developer called Talaefer. Furthermore, there is an indication that the chief architect of this company introduced a hidden backdoor into the same SCADA software prior to its release. As a result of this manipulation, the European grid frequency was heavily destabilized due to power fluctuations. Step by step, this triggers blackouts across all of Europe.
Extreme and rapid power fluctuations are indeed a serious problem as confirmed by the German Federal Network Agency and also proven in incidents like the US Northern blackout of 2003. Supply of electricity always has to be matched by equal demand to avoid a crash of electrical grids. On the other hand, it’s obviously possible to manipulate smart meters at scale in an easy way. Security Researcher Mike Davis showed this initially at Blackhat 2009, and with IoT malware like Mirai, it’s been proven at a large scale in the wild by cyber criminals.
The topic of supply-chain vulnerabilities has gained a lot of press attention since the controversial Bloomberg story in 2018. The security community agrees that, beyond proper code checks for vulnerabilities, there should be zero tolerance for weaknesses in the software development process around critical infrastructure, such as a lack of segregation of duties, of the four-eye principle and of proper release management.
Most of us have experienced an electricity blackout for a few minutes or hours, due to a downed power line or some other reason. However, I had never thought about how bad the complications might be after a few days without electricity. Some immediate effects are clear to all of us: frozen food starts to melt, internet and lights stop working, the gas stations will not be able to provide fuel and you won’t be able to flush the toilet, etc. However, humans and animals would also be in danger very soon simply due to traffic chaos or people stuck in elevators. Cows would suffer because milking machines could no longer pump their milk. Elsberg describes these chain reactions step by step, covering how the situation evolves to a horrible disaster due to failing cooling systems in nuclear plants and the closing of hospitals. It’s not a surprise that this part sounds so realistic because Elsberg sourced a scientific study on “Threats and Vulnerabilities of Modern Societies based on example of Electricity Blackout,” created for the German parliament.
In the book, Manzano is still able to use the internet from multiple locations, like the Europol headquarters, during the blackout. While the classical internet protocols were made with the purpose of surviving such scenarios or even a nuclear war, readers question if the internet will still be available during a nationwide or even continent-wide blackout. Some websites and internet services are hosted outside of Europe and are therefore not affected by the blackout, and emergency generators and satellite uplinks can be used to establish internet connectivity. Furthermore, multiple countries are running independently powered networks for critical communication, such as BDBOS in Germany. A recent blackout in Venezuela in 2019 is a good example, which shows that even countries with limited investment in network infrastructure will not lose 100% of connectivity in such a scenario.
Overall, this book is a thrilling and intelligently written novel, which addresses the concerns of our modern digitalized society, the related cybersecurity concerns and dependency on electricity. While some technical and story details are not completely accurate (e.g. how is a terrorist able to travel from Turkey to Brussels without a plane?), the general threats projected in this thriller are very real. In 2015, we saw in Ukraine the first real cyberattacks on power grids in the wild. Consequently, it's more than important to create awareness and explain the potential implications of a serious cyberattack to public society and decision makers. Sometimes all you need to anticipate a complex topic is a novel told in a thrilling and simple way.
We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!