A cyber attack on the East Coast's energy system would result in widespread public confusion as everything from electricity to gasoline supplies would be cut off for as much as several weeks, the Energy Department said Tuesday.
The agency released a report outlining the results of a major cyber-attack simulation conducted in December called "Liberty Eclipse."
The simulation was the first of its kind to incorporate the effects of a multi-state cyber incident. It showed where federal and state authorities would be lacking in their response to the effects of a major attack by enemy computer hackers, although the name of the would-be attackers was unnamed.
"The exercise consisted of a scenario that involved a widespread power outage caused by a cyber incident," the report said. "The time to restore power was originally estimated to be three weeks due to the need to manually restart and to test systems' operations."
On top of that, "the loss of power to retail gas stations, petroleum jobbers and terminals would have resulted in a major fuel shortage compounded by motorists topping off fuel tanks in areas where the power was still on," the report said.
A number of state and governors groups participated in the two-day attack simulation, which included states as far south as Virginia and as far north as Massachusetts. The region is one of the most densely populated in the nation, with many of the states sharing an interconnected energy system.
One of the key findings was not particularly reassuring. "The public will face a great deal of uncertainty following a significant cyber incident that causes physical damage (such as a long-term power outage or petroleum disruption), creating a considerable challenge for public information and expectation management, particularly around restoration times," the report read.
To reduce uncertainty, public information programs in the states need to be beefed up, according to the report. Social media, in particular, is recommended as "an important communications mechanism that can reduce misinformation and provide the public with information on response and recovery efforts," according to the report.
The report also revealed a surprising lack of coordination at the state and federal levels in communicating with businesses.
"The cyber incident coordination frameworks at both the state and federal levels need to be further defined and synchronized with industry," read the top key finding of the report. What that means is that agencies at all levels don't adequately understand their roles in responding to a cyber incident, especially when it comes to communicating with utilities and refineries.
Energy planning to be much more detailed in dealing with cyber incidents, clearly defining the roles and responsibilities of all state agencies involved in an effort to inform the public, the report said.
The Energy Department, the Department of Homeland Security and the FBI also need to better "coordinate to identify legal restrictions on sharing cybersecurity information gathered during an FBI law enforcement action," the report recommended.
In addition, the agencies need to "more clearly define their roles and responsibilities" as well as better communicate "expectations more clearly to states and industry."