The bombing of the Boston Marathon by two young Chechen immigrants to the United States and the damage on April 16 to several transformers at the critical PG&E Metcalf Road substation that serves Silicon Valley should remind us that attacking critical infrastructure by cyber means isn't the only way to injure the U.S. economy by terror.
In fact, the threat scenarios that truly frighten the anti-terrorism folks in federal, state and local governments include multiple attack vectors and wave attacks. If a dedicated group of terrorists really wanted to do maximum damage for the least cost, a combined physical and cyber attack, conducted in waves over several hours or even days, would be the most effective way to strike a serious blow at our critical infrastructure. I find it important to note that the perpetrators of the "vandalism" at the Metcalf substation have not been caught as of this writing.
I've written before about the dangers of attacks on the electrical grid. The power companies and the North American Electric Reliability Corp. (NERC) are locked in a game of "that can't happen" and "we are in compliance," rather than acting swiftly and decisively to improve cybersecurity (and physical security, for that matter). They falsely equate security with legal risk and liability, rather than understanding that improving both physical and cybersecurity is actually improving the reliability of the grid.
It is a good thing that the oil and gas, refining and chemicals sectors have taken cybersecurity (and physical security) seriously as a subset of process safety. The water and wastewater distribution sectors are also taking security seriously. It is to be hoped that the Metcalf incident will help the electric utilities to do so, but frankly, based on the record of NERC and the large utilities over the past 10 years, I doubt it.
Compliance and conventional risk management are not adequate for cybersecurity, especially in the case of combined attacks conducted in waves. Compliance is a legal fiction that says an audit indicates the utility is operating in accordance with the letter of the regulations. If the regulations themselves, such as the NERC CIPs, are not specifically designed to address increased reliability through security, the audit will not show security deficits. It's not intended to. What it is intended to do is shift the burden of liability after an attack from the utility to the regulations: "It's not our fault; we were in compliance."
While risk management does work most of the time for accidental incidents, it is unreliable, and worse than useless, in the event of an active, directed terrorist attack. So operating from a conformance, compliance or risk management viewpoint will not make our critical infrastructure any safer or more secure.
The question is, though, how long we can wait before we begin to actually put policies in place to improve reliability in the electric utilities, rather than assuring legal compliance.
What happens if a major incident does occur? Remember, the same results can follow from a concatenation of accidental incidents as from a directed, intentional terrorist attack.
Suppose the Boston Marathon bombers had decided to bomb the substations around Boston, or had managed to hit a large turbine generator. What would happen if it were not possible to restore power to a large urban area for weeks or maybe even months? The results would not be pretty.
So we should use the Boston Marathon bombing as a wake-up call, and be "thankful" the bombers hit a running event instead of a part of our critical infrastructure, which could have killed many more. I know that sounds rude, but we need to face the reality that we are continually under threat and deal with it, now, before a real disaster happens.