Such an attack—executed not by gun-wielding terrorists on planes but by hackers activating software programs from thousands of miles away—could “deny large regions of the country access to bulk-system power for weeks or even months,” concluded a National Academies of Science study declassified late last year. “An event of this magnitude and duration could lead to turmoil, widespread public fear, and an image of helplessness that would play directly into the hands of the terrorists. If such large extended outages were to occur during times of extreme weather, they could also result in hundreds or even thousands of deaths due to heat stress or extended exposure to extreme cold.”

And the cyberthreat is growing as U.S. utilities seek to modernize aging electric infrastructure. When power companies invest in updating the 20th-century power grid with 21st-century “smart-grid” technology—particularly digital tools that increase the efficiency of electricity distribution while cutting global-warming pollution—they’re also making the grid more vulnerable to devastating cyberattacks.

“The modernization of electric utilities nationwide has left security loopholes that can be fairly easily exploited by hackers. It’s created more efficiencies for utilities and convenience for consumers. But it’s come at the expense of security,” said Michael Dubose, managing director at Kroll, a risk-management firm, and a former chief of the Justice Department’s Computer Crime and Intellectual Property Division.

“A few years ago, the grid was routinely being hacked by the Chinese and Russians…. They mapped the lay of the land, and now we have to assume they’re inside the firewall,” Dubose said.