Beyonce and voodoo have been ruled out as potential culprits in the bizarre 33-minute blackout during last night's Super Bowl. But what about hackers? It took just a few minutes after the lights went out in the Superdome for hackers to begin hinting they had something to do with it. "#TangoDown Superbowl XLVII," tweeted the most popular Twitter account of the hacktivist collective Anonymous. It's an outlandish claim and almost certainly a troll. But it's possible, and here's how it might have happened.
To be clear, there's no reason to suspect hackers are to blame for the blackout, according to Entergy, the power company that supplies electricity to the Superdome. "We haven't seen anything at this time to suggest that this is a cyberattack," Entergy spokesman Michael J. Burns told me this afternoon.
But the fact that Entergy doesn't completely rule out hackers says a lot about the potential for malicious nerds to wreak real-life havoc these days. During the blackout, computer security experts unleashed a flurry of speculation on Twitter, most only half-serious, that some hacker had taken over the Superdome to show off their skills.
"It is entirely possible that a negative actor" shut off the lights, said James Arlen, a senior consultant at Leviathan Security Group who advises clients in the financial and utility sectors on computer security. "Is it likely? No."
It's especially unlikely given what we know so far of the blackout. It's been traced to a problem with a sensor on the power lines that feed into the stadium, which are operated by Entergy. The sensor detected an unidentified "abnormality," then cut power to part of the Superdome in order to "isolate the issue," according to an Entergy statement. This would suggest that if hackers were behind the blackout, they somehow tricked Entergy's sensor into shutting off power. Which means hackers would have had access to part of the power grid itself.
This is theoretically possible: experts have warned of cyberattacks on the U.S. power grid with increasing urgency in recent years. Hackers could exploit vulnerabilities in the supervisory control and data acquisition, or SCADA, systems that control power utilities, along with dams and other industrial facilities. But this would be an enormous feat, and to date there have been no confirmed attacks like this in the U.S., according to Arlen. (Though the U.S. and Israeli-created Stuxnet virus was able to disrupt Iranian nuclear weapons facilities by attacking their SCADA system.)
An easier route than taking over the power grid would have been for hackers to break into the network of the Superdome itself. Most large buildings like the Superdome manage their utilities using what's known as a building automation system, or BAS, Arlen said. Often a BAS is connected to the internet to allow remote access by maintenance personnel and to monitor the efficiency of heating and lighting systems. BAS systems are not always as secure as other sensitive computer networks. Theoretically, a hacker who broke into the Superdome's BAS could shut down the lights, Arlen said. This could happen remotely, by hackers chancing on an unsecured network through a Google search, or through a physical intrusion. Arlen recalled one security audit of a large stadium during which he discovered an unsecured network port connected to a vendor kiosk outside the stadium. If a hacker had plugged their laptop into the port, they could have made their way through the network and screwed with the BAS.
From a spectator's point of view, what a hacker did once they got into the building is far more interesting than how they did it. And as much as any technical unfeasibility, it's the blackout's lameness that suggests a boring technical glitch, and not a mischievous hacker, is to blame.
"If you're going to do that, you do something a little grander," Arlen said. "What would be funny would be turning off half the lights, then turning them back on, then turning off the other half."
That's one of the few things that could have topped Beyonce's performance.
Update: Officials have now ruled out a cyberattack.