site specific, but now they are connected into larger information networks. Malicious intruders may gain access through a thumb drive and a desktop computer. A multitude of new entry points are provided by the proliferation of wireless devices and possibly by the smart meters that are part of the smart grid and that provide two-way communications between homes and the electrical distribution system.11
A test at a national laboratory in 2007 showed what happened when a hacker infiltrated an electric system. A SCADA system was used to take control of a diesel generator and cause it to malfunction; it shook and shuddered and banged until it eventually blew itself up in a cloud of smoke. The Stuxnet virus that slipped into the Iranian centrifuges in 2010 caused them to spin out of control until they self-destructed.
It is not just the power system that is at risk. Obviously, other systems—involving energy production, pipelines, and water—share similar vulnerabilities, as do all the major systems across an economy.
In response to this threat, nations are struggling to design the policies to meet this threat. The U.S. Department of Defense has created a Cyber Command. It is also developing a new doctrine in which a major attack on critical infrastructure, including energy, could constitute an “act of war” that would justify military retaliation. The Council of Europe has established a convention on cybersecurity to guide national policies. But these need to be matched by efforts by companies and bolstered with considerable investment and focus. New security architectures have to be introduced into systems that were designed without such security in mind. And they need to be coordinated with other countries. After all, it takes only 135th of a millisecond for an attack to hit a server from anywhere in the world.
Can active defense prevent a cyberattack that seriously damages electricity or some other major energy system, with all the dangerous consequences that can flow from it? Will the risks be properly anticipated and acted upon? Or will the analysis have to wait until a national commission goes back after a “cyber Pearl Harbor” and assesses what went wrong and what was missed—and what could have been done. “In the nineteenth century, steamboats regularly blew up,” one study noted, “but Congress waited 40 years until a long series of horrific accidents led to safety regulations.” At a recent meeting of 120 experts on cybersecurity, the question was asked: How long before a destructive cyberattack on the country? The consensus answer was bracing: within three years.12
BRINGING CHINA AND INDIA “INSIDE”
One of the fundamental reasons for establishing the IEA in the 1970s was to prevent that mad scramble for barrels that had sent prices spiraling upward and threatened to rip apart the Western alliance. It worked, establishing a system for more durable and constructive cooperation. That same kind of approach is needed now with China and India to help ensure that commercial competition does not turn into national rivalries, thus preventing future scrambles that inflame or even rupture relations among nations in times of stress or outright danger. Both China and India have moved from the self-sufficiency and isolation of a few decades ago to integration into the global economy. The energy consumption of both is rising rapidly; in 2009 China became the world’s largest energy consumer. Neither China nor India is a member of the IEA, and neither looks likely to become one anytime soon, both because of membership rules and their own interests.
Yet even if they do not join, they can collaborate closely. If they are to engage on energy security, they have to come to the conclusion that their interests can be served and protected in global markets—that the system is not rigged against them and that they will not be disadvantaged compared with other countries in times of stress. And they would have to decide that participation, either formally or informally, with the international energy security system will assure that their interests will be better served in the event of turbulence than going it alone. China, India, and Russia all now have memorandums of understanding with the IEA. Given their growing scale and their importance, their participation is essential for the system to work more effectively.
SECURING THE SUPPLY CHAIN
Energy security needs to be thought of not just in terms of energy supply itself but also in terms of the protection of the entire chain through which supplies move from initial production down to the final consumer. It is an awesome task. For the infrastructure and