The massive power outage that blacked out large parts of the north eastern United States and eastern Canada on August 14 2003 — the largest blackout in North American history — affected an estimated 10 million people in Ontario, Canada and 40 million people in eight US states.

Financial losses related to the outage were estimated to have cost the US and Canadian economies more than $US30 billion.

Yet as Steadfast Group CEO Dick Lord points out, the day started seeming as normal as any other — temperatures were nothing out of the ordinary and there were no thunderstorms, tornados or earthquakes.

When Lord delivers his keynote to the Geospatial Information &Technology Associations’ GITA 2004 Conference in Melbourne this August, he will use a series of temporal maps to show how a simple engineering error, a software malfunction and a communication failure combined to create the largest blackout the first world has ever seen.

Lord — a member of the US Department of Energy Office of Electric Transmission and Distribution Blackout Forum — says he won’t be pointing fingers or assigning blame but will instead concentrate on basic technology and procedures that can prevent this type of catastrophe in the future. Had geospatial technologies been in place at the time, he says, its effects could have been minimised, or even prevented entirely.

“Today some geospatial technologies and IT are commonplace in real-time operations environments,” Lord says. “Yet, in many cases, that technology coalescence has been done without proper consideration for cybersecurity.”

Lord says it’s really convenient to collect real-time data within a utility, for example, and then transmit it over the Internet to enterprise employees who need to see it. But, in many cases, those are plaintext data transmissions over open communications channels. It’s trivial to hack into that data stream, modify it and make bad things happen.

Additionally, the increasing popularity of mobile GIS database transmission opens up a whole new world of vulnerabilities.

“At next year’s GITA Conference in Denver, using my laptop computer inside the conference centre, I’ll produce a live demonstration of hacking into a real enterprise’s mobile GIS data transmissions. Using that newly discovered data, I’ll simulate attack on their infrastructure and describe the outcome. Don’t worry, I won’t give any potential bad guys clues as to how I do it; I’ll just show that we can.”

Using a geospatial presentation format, his discussion will first set the stage that led up to the US blackout and will then run through the series of events that caused it to occur. Looking closely at the role of IT systems, it will provide insight into the cross-communications difficulties among the energy company “first responders” and will present findings that the NERC1-sponsored joint US-Canadian investigative team issued in April 2004 to the President of the United States and to the Prime Minister of Canada, who had jointly formed the team and commissioned its authoritative analysis of the blackout.

As a Blackout Forum2 participant, the Dick Lord will present the team’s findings concerning the issues of operator training, IT systems management and network monitoring, emphasizing the critical importance of establishing and enforcing appropriate policies and procedures for those charged with the responsibility to keep the grid up and running properly. Those findings will lead into a discussion of the new critical infrastructure cybersecurity standards, mandating areas of physical and electronic security for vital cybersecurity assets.

The discussion will expand the lessons learned from the blackout to encompass water, government, information and telecommunications, energy and transportation sectors. It will address the new challenges being introduced by the introduction of mobile geospatial technologies and will conclude with recommendations for some “best practices” to avoid similar incidents in Australia and New Zealand.