Much of what follows is from the National Academy of Science 2012 (for the Department of Homeland Security): “Terrorism and the Electric Power Delivery System” & 2013 “The Resilience of the Electric Power Delivery System in Response to Terrorism and Natural Disasters”
Average intruder knowledge and attack sophistication as a function of time. SOURCE: Presented at the workshop by Patricia Hoffman, Department of Energy, February 27, 2013; from Howard Lipson, Carnegie Mellon University (CMU) Software Engineering Institute CERT®. Copyright 1998-2011.
Electricity is ubiquitous, reliable, and taken for granted . . . until the lights go out. Our modern society is almost totally dependent on electrical systems. Electricity is essential to the U.S. economy and way of life. The National Academy of Engineering called the grid the world’s largest integrated machine and a central part of the greatest engineering achievement of the 20th century.
A systematically designed and executed terrorist attack could cause disruptions considerably more widespread and of much longer duration than the largest power system disruptions experienced to date. Since those disruptions have entailed economic impacts approaching 10 billion dollars, it appears possible that terrorist attacks could lead to costs of hundreds of billions of dollars—that is, perhaps as much as a few percent of the U.S. gross domestic product, which is currently about $12.5 trillion. If large, extended outages were to occur during times of extreme weather, they could also result in hundreds or even thousands of deaths due to heat stress or extended exposure to extreme cold.
The reliable operation of the power grid is complex and demanding for two fundamental reasons. First, electricity moves at close to the speed of light (186,000 miles per second, or 297,600 kilometers per second) and is not economically storable in large quantities. Therefore, electricity must be produced the instant it is used. Second, pending the development of affordable control devices, the flow of AC electricity cannot be controlled like a liquid or gas by opening or closing a valve in a pipe, or switched like calls over a long-distance telephone network. Electricity flows freely along all available paths from the generators to the loads in accordance with the laws of physics—dividing among all connected flow paths in the network (U.S.-Canada Power System Outage Task Force, 2004).
A few of the services that fail in a Blackout: Pumping of drinking water, sewage, and irrigation water; the internet, banking, communications, refineries, shipping, and transportation systems; refrigeration, gas station pumps, home and commercial life-support systems (heating, ventilation, and air conditioning), traffic and railroad signals, natural gas and oil (most pipelines use electricity) to power stations, homes, and businesses.
The U.S. power delivery system is extremely complex. It is a network of substations, transmission lines, distribution lines, and less visible automatic and human controls that operate the system, as well as an intricate web of computers and communication systems that tie everything together.
The reliable operation of the power grid is complex and demanding:
- Electricity moves at close to the speed of light (186,000 miles per second) and is not economically storable in large quantities, so electricity must be produced the instant it is used.
- Voltage and frequency must be maintained within the extremely narrow range of 59.98 to 60.02 Hz, or power systems and equipment can be damaged, potentially leading to blackouts if the damage spreads widely
A well-executed terrorist attack could cause hundreds of billions of dollars in damage and take out the grid for over a year
Electric systems are not designed to withstand or quickly recover from damage inflicted simultaneously on multiple components. Such an attack could be carried out by knowledgeable attackers with little risk of detection. A large and coordinated attack by terrorists could leave the electric power system in a large region of the country disabled many months or, in absolute worst cases, several years, because substation and generator step-up transformers are vulnerable to attack from within and from outside the substation, are very large, difficult to move, custom-built, and can take over a year to replace. We no longer make them – getting one from another country can take a while because they’re in such high demand across the developing world.
The Grid is an easy target for terrorists. There are 5,800 major power plants connected by 450,000 miles of high-voltage transmission lines spanning thousands of miles to unguarded facilities protected only by a chain-link fence. This makes the electric grid hard to protect, and so it can be severely damaged by a small number of well-informed attackers.
Cyber-attack. The grid depends on complex systems of sensors and automated and manual controls, all of which are tied together through communication systems, so instead of a physical assault; terrorists can cause blackouts by spoofing, jamming, or sending improper signals. Hacking and cyber-attacks are becoming increasingly common.
Military Attacks. Commandos with special training could mount a far stronger attack than even the most sophisticated terrorist group. The object would be to create havoc and demoralization before overt hostilities commence. A hostile country might take this approach if it were unable or unwilling to declare war but wanted to take some military action against the United States. The ultimate attack would be an overt military operation. The vulnerability of electric power systems can have serious national security implications. In World War II, Germany’s highly centralized electric system was not attacked until late in the war. German officials commented after the war that ‘‘The war would have finished 2 years earlier if the Allies had bombed our power plants. This experience will not be ignored in any future hostilities. (OTA 1990)
Terrorist attacks in other countries. The U.S. Department of State lists over 42 international terrorist groups operating around the world today using rocket propelled grenades, mortars, and small arms. It’s hard, if not impossible, to defend substations from explosions, bullets, or other projectiles fired from a distance. Most attacks so far have come from local groups bent on damaging or destabilizing established ruling power structures. Around 2,500 attacks have occurred over the past 10 years, 528 against substations, 2,539 against transmission towers.
Who’s going to fix the grid? Half of workers retire in 5 to 10 years
As many as half of the 400,000 electric utility workers will be eligible to retire in the next 5 to 10 years. This loss of critical skills and training new workers is a significant problem for the electric utility industry, and likely to make nation’s electric power system will less reliable and more vulnerable to external threats, including terrorist intrusion and disruption from natural disasters.
One reason there aren’t enough employees is that they were fired due to industry restructuring, pressures from Wall Street and regulators, mergers and acquisitions, and the evolution of wholesale markets.
This substantial downsizing has made electric utility jobs far less secure and therefore stressful. Many utility engineers report a substantial broadening of work assignments without the necessary time to become “experts” in their new areas of responsibility. They cover more functions and technical areas at less depth, now that so many engineers have been fired. This in turn has led to few students wanting to go into power engineering as a career, most universities have dropped power engineering, only 12 colleges have this degree now.
As the workforce declines, a significant loss of institutional knowledge is occurring. This knowledge is often not documented, and frequently it is known only to a very few people. When today’s employees leave the workforce, this knowledge leaves with them.
Workforce vulnerability. After a terrorist action, restoration workers themselves may become targets (i.e. several line crews were shot at after Hurricane Katrina). Workers on poles and towers and in open areas in substations are particularly vulnerable. Further complications arise if terrorist attacks involve chemical, radio nuclear, or biological agents. Should a pandemic occur it will touch every part of the electric system in ways few have considered, because if workers don’t show up to run the grid, many essential services will stop running (see blackout list in introduction and table 8.1 below)
What to Do? Too much money to protect every installation, buy all the spare parts
Much of the document deals with how to solve these issues, how to protect facilities, the desperate need for engineers to replace the 50% of retiring workers, and how to get private businesses, industries, and essential services to buy back-up generation.
The researchers conclude it would cost too much money to protect every installation, and too much money to buy all the spare parts needed.
The threat to any given utility is modest, so to spread the risk, there is a program to get utilities to share in the cost of buying spare parts collectively, especially transformers. But EPRI has had difficulty getting the electric power industry to do this, which the NAS report calls “a classic case of “tragedy of the commons.”
I think the ruthless nature of capitalism will prevent an effective collective spare parts collaboration, because each privately owned entity is selfishly motivated to make profits for its executives and shareholders only. “The Market” will not spend money to protect the public from a year without electricity unless forced to, and I’m not sure how corporations can be forced to do anything now that corporate lobbyists practically run government and can easily stop such legislation. If that sounds radical, read Republic, Lost: How Money Corrupts Congress–and a Plan to Stop It by Lawrence Lessig, The Corporation: The Pathological Pursuit of Profit and Power by Joel Bakan, Corporations Are Not People: Why They Have More Rights Than You Do and What You Can Do About It by Jeffrey D. Clements, Free Lunch: How the Wealthiest Americans Enrich Themselves at Government Expense (and Stick You with the Bill) by David Cay Johnston, or When Corporations Rule the World by David C Korten.
My Summary of the report
There are many Really Stupid Energy-Electric Grid Interdependencies that will make outages from terrorism, natural disasters, and other causes much worse
Here are some other factors that I think will exacerbate the problems in the future as the system ages and there’s less oil to fix all the growing problems of society:
Natural gas power plants are fed by natural gas pipelines that use electricity to keep the natural gas flowing. So when the electricity goes out, the natural gas will stop flowing to power plants. Terrorists are also likely to take out natural gas transmission lines when they attack the electric system as well. Natural gas pipelines used to use the natural gas flowing through them to power the continued flow of natural gas.
Refineries are fed by oil pipelines that use electricity to keep the oil flowing. So when the electricity goes out, the oil will stop flowing to refineries, and there will be no fuel for ships, trucks, barges, cars, or airplanes.
Gasoline stations need electricity for the pumps. So even if a business or home has had the foresight to buy back-up generators, they won’t be able to get gas or diesel fuel because most gas stations don’t have backup power.
Coal supply chains. Coal travels an average of 848 miles by rail to power plants. Railroads heavily depend on signals, which will be out in an electric blackout. They too are vulnerable to climate change (rising sea level, heat buckled rails, etc.), failing infrastructure, and declining coal supplies. Trains deliver 70% of coal, and a lot of it: over 1 in 5 railcars are carrying coal – over 40% of the weight trains haul. In 2008, 7,710,000 carloads with 878,600,000 tons of coal were delivered by train (AAR).
Microprocessors can’t be made if the electric grid isn’t up or delivers low-quality electricity. The grid can’t function without microprocessors. Over 10% of electric demand is controlled by microprocessors,by 2020 it’ll be over 30% (EPRI, 2003). The electric power system was designed to serve analog electric loads and doesn’t always provide the quality power required by digital manufacturing assembly lines and information systems. A nearly imperceptible 1-second variation in power quality due to transients, harmonics, and voltage surges and sags at a semiconductor-fabrication plant can ruin an entire 30-hour batch of microprocessors and sometimes the manufacturing equipment, and take several days or more for a fabrication plant to recover and resume production again. Any device with a microprocessor is vulnerable to the slightest disruption of electricity. Billions, if not trillions, of microprocessors exist in electronic devices.
I believe that chip fabrication will be one of the first industries to fail, and not just from electric grid outages and/or poor quality electricity. Microprocessors have the longest supply chains, single points of failure in both nations and machinery, require silicon, water and chemicals of up to .9999999% purity, at least 60 minerals (many of them rare), $10 billion dollar clean rooms, and much more. (For details, see my articles The Fragility of Microchips, Microchips and fab plants: a Detailed description, High-tech can’t last: limited minerals and metals, and Motherboards in Computers – too complex to make in the future).
The biggest threat to the electric grid isn’t even mentioned in this report: lack of fossil fuels, uranium, and hydro-power to keep it going
We’re running out of the fossil fuels, uranium, and dams that keep 94.2% of the electric grid running: Coal 37%, Natural gas 30%, Nuclear 19%, Oil 1%, and hydropower (6.2%). We are at (or near) peak coal, peak natural gas, peak uranium, and peak oil.
Most “renewable” power comes from hydro-power, which isn’t really renewable, because dams fail when their short-lived concrete crumbles, and silt up within 50 to 200 years. Within the next 20 years, 85% of U.S. dams that cost taxpayers $2 trillion dollars will have outlived their average 50-year lifespan.
Renewables can’t keep the electric grid running either:
- Wind and solar are too sporadic and unpredictable, and their lifespan is only 20-30 years.
- According to Steven Chu, former US energy secretary, “Without technological breakthroughs in efficient, large-scale energy storage, it will be difficult to rely on intermittent renewables for much more than 20-30% of electricity.” We’re a long way from figuring out how to make low cost, high energy density, fast response, and safe storage devices.
- The grid must stay within an extremely narrow range of 59.98 to 60.02 Hz to prevent blackouts. This limits the use of intermittent renewables like wind and solar, because the more you add, the more unstable the electric grid gets (Halper).
- Adding renewables doesn’t reduce the use of fossil fuels, and can do the opposite, because additional natural gas combined cycle plants need to be built to kick in suddenly when the wind dies.
Terrorists: We are fully capable of ruining the electric grid without any help from you
The biggest threat isn’t terrorism (yet), it’s natural disasters, the aging electric power system, too much complexity, and lack of capital and energy to fix the system.
The Electric Power System is falling apart. The American Society of Civil Engineers gives our energy infrastructure a D+. The electric grid and most of our other infrastructure is old and falling apart. Both the average age and lifespan of power transformers is 40 years old, and much of the rest of the grid is at or nearing the need to be replaced, and this will lead to more and more blackouts. In the late 1990s, the restructuring and re-regulation of the U.S. transmission system led to a decrease in investment and now the grid operates at or near its physical limits, resulting in many parts of the bulk high-voltage system being heavily stressed.
Capitalism ensures most of the money needed to fix the grid will go to fat cats instead. Because of deregulation and over 90% of America’s infrastructure being privately owned, money that ought to have been invested in maintenance and improvements has gone instead to CEO’s, top executives, and shareholders.
Natural Disasters & Climate Change. Hurricanes will be fiercer and more frequent in the future, as will tornadoes, ice storms, extreme droughts and flooding, severe thunderstorms, and the coup de grace – rising sea levels. All of these will take the grid down more often and for longer periods over wider areas.
Too Complex – Too Many Owners and operators, over 3,000 entities to coordinate, many with conflicting goals and interests. The U.S. electric power industry today is composed of a wide variety of players, entities, and institutions, all of which play different roles, and the actions of individual asset owners and operators affect each other.
Deregulation has made the system unstable. Competition in the wholesale electricity market has increased the operational complexity of the power delivery system. Electricity is being shipped much longer distances over a transmission system designed only to provide limited power and reserve sharing among nearby utilities.
- Alice Friedemann. Electric Grid Overview. Energyskeptic.com
- Makansi’s Lights Out. The Electricity Crisis, the Global Economy, and What It Means to You
- Munson’s From Edison to Enron: The Business of Power and What It Means for the Future of Electricity
- Eric J. Lerner. June 2001. What’s wrong with the electric grid? American Institute of Physics.
- Evan Halper. Dec 2, 2013. Power struggle: Green energy versus a grid that’s not ready. Minders of a fragile national power grid say the rush to renewable energy might actually make it harder to keep the lights on. Los Angeles Times.
- Joel Brenner. 2011. “America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare”.
- Richard Clarke. 2012. CYBER WAR. The Next Threat to National Security and What to Do About It”.
- H. Byrd. 12 May 2014. Lights out: The dark future of electric power. NewScientist.com
- Gail the Actuary. 7 May 2008. The U. S. Electric Grid: Will It Be Our Undoing? Theoilddrum
- Richard Duncan : Olduvai Gorge – Civilization ends when Electric Grids Permanently Fail
- Cyber Attacks an unprecedented threat to U.S. National Security, a review of U.S. House of representatives March 21, 2013 session on Cyber attacks
- Will we go out with a whimper instead of a bang? Cyberwar more likely than nuclear war
- It’s only a matter of time before Cyber Terrorists launch attacks
- Military Threats: Peak oil, population, climate change, pandemics, economic crises, cyberattacks, failed states, nuclear war.
- China is working on cyber attacks of our infrastructure and stealing secrets
- Emergency drill: Cyberattack on electric grid. Wald, Matthew L. August 16, 2013. As Worries Over the Power Grid Rise, a Drill Will Simulate a Knockout Blow. New York Times.
- Cyber Attack Methods. Who are the cyber attackers?
- Energy infrastructure cyberattack targets
- Actual cyber attacks
- House hearing: protecting small businesses against cyber-attacks 2013
- S. House: Iranian cyber threat to the United States
- Electric grid large power transformers take up to 2 years to build. Excerpts from Department of Energy “Large Power transformers and the U.S. electric grid”.
- EMP effect on electrical transformers. A review of Dr. Jeff Masters 2009 “A future Space Weather catastrophe: a disturbing possibility”.
- The EMP Commission estimates a nationwide blackout lasting one year could kill up to 9 of 10 Americans through starvation, disease, and societal collapse
- Electromagnetic pulse threat to infrastructure (U.S. House hearings) from the transcripts of the 2012 and 2014 hearings
- Chip Fab Plants need electricity 24 x 7. The electric grid needs chips. The Financial system needs both.
- Electric Grid Overview
- Terrorism and the Electric Power Delivery System. National Academy of Sciences. Excerpts from the National Academy of Science 2012 “Terrorism and the Electric Power Delivery System” & 2013 “The Resilience of the Electric Power Delivery System in Response to Terrorism and Natural Disasters”
- What would happen if the electric grid was cyberattacked?
AAR. Association of American Railroads. August 2013. Railroads and Coal. Aar.org
EPRI (Electric Power Research Institute). 2003. Electricity Technology Roadmap: Meeting the Critical Challenges of the 21st Century: Summary and Synthesis. Palo Alto, Calif.: EPRI.
Halper, Evan. Dec 2, 2013. Power struggle: Green energy versus a grid that’s not ready. Minders of a fragile national power grid say the rush to renewable energy might actually make it harder to keep the lights on. Los Angeles Times.
LaCommare, K.H., Eto, J.H., 2004. Understanding the cost of power interruptions to U.S. electricity consumers. Ernest Orlando Lawrence Berkeley National Laboratory, LBNL-55718, Berkeley, CA, September. http://eetd.lbl.gov/ea/EMP/EMP-pubs.html
OTA (Office of Technology Assessment). 1990. Physical Vulnerability of Electric System to Natural Disasters and Sabotage. OTA-E-453. Washington, D.C.: U.S. Government Printing Office.
NAS. 2013. The Resilience of the Electric Power Delivery System in Response to Terrorism and Natural Disasters: Summary of a Workshop. National Academy of Sciences.
Substations, especially those with high-voltage transformers, are probably the most vulnerable to terrorist attack because they are essential components of the transmission system and would take a long time to replace. • Control centers coordinate the operation of the grid to maintain reliability of the system. The loss of a control center, which is the brains of the system, can have a substantial impact on the operations of the electric grid. Much of the vulnerability of the control center is related to cybersecurity threats,
David Owens, Edison Electric Institute, noted that while much of the discussion is focused on the bulk power system, the most common challenges are at the distribution level, which can then end up affecting the bulk power system. He reiterated that substations and substation transformers are potential points of vulnerability in the system. According to John Kassakian, Massachusetts Institute of Technology (MIT), substation attacks are a problem that can cause tremendous disruption, particularly if key lines are affected as in the case of a switching station. Sarah Mahmood, DHS, noted that the manufacturing lead time for a single, large transformer can be up to 18 months plus another 2-3 months to get it installed and operational. Reducing this downtime is the motivation for DHS’s Recovery Transformer Program (RecX), which is discussed in great detail in Box 2-1. Joseph McClelland, Federal Energy Regulatory Commission (FERC), noted that additional complications can arise from the specialization of transformers such as changes in energy efficiency, which can impact interchangeability and thereby reduce the number of spare units for a particular location.
Ultimately, any of these vulnerabilities could lead to significant outages. Daniel Bienstock, Columbia University, detailed the ways in which one part of the network can have devastating impacts on the rest of the system, stressing segments that may not even be in proximity to each other.
The utilities are relatively well prepared for physical attacks on the grid infrastructure that are dispersed, uncoordinated, and limited according
According to Dr. Kassakian, much more challenging is the case of a widespread coordinated attack. For instance, in the case of the 9/11 World Trade Center attack, there was a significant communications issue, as multiple agencies had different protocols that hindered a coordinated response. Furthermore, such an attack might take place across multiple nodes in the system, which can result in the types of cascading blackouts mentioned previously. Such attacks also typically occur without warning, reducing opportunities for pre-emptive mitigation strategies. Transmission lines are vulnerable to air attack in numerous ways. He also pointed out that an attack on a switching station, which serves as an interconnect between multiple lines, might be just as disruptive as a coordinated attack. One particularly damaging and coordinated attack could utilize the threat of an electromagnetic pulse (EMP) weapon. While there are some parallels to a geomagnetic disturbance such as the one that shut off power throughout the northern reaches of the United States and Canada on March 13, 1989, an EMP device has a far more localized and targeted impact. Massoud Amin, University of Minnesota, and Dr. Kassakian both noted that an EMP weapon, which could be as small as a briefcase, could be used to attack the control systems of the grid at the same time as an attack on the physical infrastructure, thus significantly compounding the effect of the physical attack by disabling some of the inherent balancing mechanisms in the grid. A cyberattack combined with a physical attack on the infrastructure may have a similarly crippling effect,
Nature can launch its own devastating, widespread attack. While utilities may typically be prepared for an “n-1” or “n-2” event, Mr. Whitley noted that Hurricane Sandy was an “n-90” event. Long Island lost all ties to Connecticut and New Jersey, and New York City lost all ties to New Jersey (Figure 2-2). Over 8 GW of generation capacity went offline, both through loss of transmission and, more directly, through flooding, resulting in over 2 million customer outages in the immediate aftermath.
The use of a spare recovery transformer was seized upon by many in attendance as a serious option to reduce the vulnerability of the system to failed equipment. While the components of a substation are relatively easily replaced, the difficulty of and lead time necessary for replacing a transformer is a hindrance that can slow down the mitigation response. Anjan Bose, Washington State University, currently on leave and serving on the Department of Energy’s Grid Tech Team, did mention that the recent rebirth of transformer manufacturing in the United States, as described by Mr. Ball, does reduce the amount of downtime a utility might expect for replacement.
BOX 2-1 The Department of Homeland Security Recovery Transformer Program Sarah Mahmood, Department of Homeland Security, described the successful deployment of a recovery transformer outside Houston, Texas. The RecX recovery transformer program is designed to act as a rapidly deployable spare for a 365 kV:138 kV/200 MVA transformer, reducing the amount of time for transport and installation from 2 or 3 months down to about a week. The key design feature is to replace the three-phase transformer with three single-phase transformers. Each is smaller and weighs much less than a full three-phase transformer, allowing it to be delivered by truck rather than train or barge.
Because there is no longer funding for the RecX program, replacements for these larger transformers are not being developed at this time. Until those transformers are designed, the highest capacity part of the transmission system is still vulnerable to long-term outages. There was a further question about the susceptibility of these transformers to attack—while Ms. Mahmood agreed that these transformers are just as susceptible to a physical attack as those they replaced, the RecX transformer is slightly less susceptible to ground-induced currents and, therefore, EMP weapons.
In order to provide more reliable and efficient service, the electric power delivery system is incorporating an ever increasing amount of data transfer, with communications occurring over a wide array of systems. Massoud Amin, University of Minnesota, noted that the systems have become so intertwined that operators may forget where the data is coming from, citing an anecdote of a power plant operator who was receiving all of his commands over the internet. Granger Morgan, CMU, pointed out that while adding more points of intelligent control can add capacity, stability, and flexibility, it also adds more entry points for cyberattack.
While the sophistication of cyberattacks is increasing, the level of technical knowledge necessary for the attack is decreasing
the power sector is an increasing target for cyberattacks, both in the United States and abroad. Stressing the ubiquitous nature of cyberattacks, Terry Boston, PJM Interconnection, recalled a common saying: “There are two types of people: those who’ve been attacked, and those who don’t know they’ve been attacked.” With such attacks becoming commonplace, it is crucial to understand where the underlying vulnerabilities lie in the electric power delivery system.
the new world that is emerging—just as critical infrastructure has become increasingly integrated with the electric power system, so too has the grid become more reliant upon the communications network. An increasing number of sensors applied to the grid allows for both improved flexibility and increasing automation. However, Mr. McClelland noted that such an increase in automation increases the number of on-ramps for cyberattacks. And as Mr. Rasche pointed out, this increased integration with the communications infrastructure can leave the grid vulnerable, as layer upon layer of connectedness results in an increasing amount of trust placed in suppliers. The legacy systems common in transmission and distribution systems often communicate via insecure protocols,
One of the biggest challenges in securing this legacy hardware is the fact that these very protocols are created through standards organizations, and such processes are, by design, very slow to change. Therefore, more robust network, system, and security management protocols are necessary for transmission and distribution systems to identify the types of security faults common to antiquated hardware.
Modernized hardware and software do not necessarily offer increased protection, however. As Fred Hintermeister, North American Electricity Reliability Corporation (NERC), pointed out, supply chain security is critical to ensuring that a particular subsystem is secure, regardless of the system or vendor. Dr. Nielsen agreed, expanding on the necessity of knowing who wrote the software for every component of all of your partners’ systems. While this may seem a daunting task, the increasing number of attacks is pushing hard on utilities and their partners to ensure that their systems are secure at every level. NERC is working with a global network of governmental intelligence sources, vulnerability researchers, and others to develop products that specifically address emergent issues, particularly in the area of cybersecurity. A system is only as secure as its weakest link, and it is a crucial part of established NERC procedure to push mitigation measures out to the relevant bulk power system entities in a timely manner so that they may address the full chain of operations.
Risk Assessment and Cybersecurity. Given the prevalence of attacks (Figure 3-3), it is crucial to evaluate how best to maintain system integrity with minimal risk.
The regulatory process itself is not well designed for cybersecurity.
NERC can develop standards for reliability and cybersecurity and submit them to FERC, but because the process is both slow and open, it is not adequate for national security purposes—in effect, both the threat and the mitigation strategy are announced through the regulatory process.
Given the nature of the cyberthreat, there was significant discussion over the potential for catastrophic damage, particularly for causing damage to the physical infrastructure. Dr. Morgan cited recent work at Carnegie Mellon indicating a low probability that a hacker could destabilize the bulk power grid by toggling customer loads via hacked smart meters. However, Mr. McClelland cited both the Aurora test at Idaho National Laboratory and a collaborative project with Lawrence Berkeley National Laboratory to identify critical frequency vulnerabilities for customer load shedding as evidence of the sensitivity of certain aspects of the physical infrastructure to cyberattack.
Most obviously, according to Dr. Amin, wireless and public internet access should be avoided at all costs. Mr. Boston suggested building the system like a nuclear secure lab, where communication is handled as an information diode that does not “shake hands” with the computer, so that information transfer is one-way.
1 A. Narayanan, 2012, The emerging smart grid: Opportunities for increased system reliability and potential security risks, Dissertations, Paper 138, available at http://repository.cmu.edu/dissertations/138.
2 Video available at http://www.youtube.com/watch?v=fJyWngDco3g.
3 J. H. Eto, et al, 2010, Use of frequency response metrics to assess the planning and operating requirements for reliable integration of variable renewable generation, LBNL-4142E, December, available at http://certs.lbl.gov/pdf/lbnl-4142e.pdf.
Assessing the vulnerability of a system is difficult, particularly in the case of a zero-day, or previously unknown, vulnerability. How can one measure resilience to an unanticipated event?
Large blackouts can be particularly devastating and happen much more frequently than a normal distribution predicts.
the impact of a blackout exponentially increases with the duration of the blackout, and the duration of restoration decreases exponentially with the availability of initial sources of power. For several time-critical loads, quick restoration (minutes rather than hours or even days) is crucial. Blackstart generators, which can be started without any connection to the grid, are a key element in restoring service after a widespread outage. These initial sources of power include pump-storage hydropower, which can take 5-10 minutes to start, to certain types of combustion turbines, which take on the order of hours.
For a limited outage, restoration can be rapid, which will then allow sufficient time for repair to bring the system to full operability, although there may be a challenge for subsurface cables in metropolitan areas. On the other hand, in widespread outages, restoration itself may be a significant barrier, as was the case in the 1965 and 2003 Northeast blackouts. Natural disasters, however, can also lead to significant issues of repair—after Hurricanes Rita and Katrina, full repair of the electric power system took several years
This interconnectedness is one of the major reasons the electrical grid is an attractive target for terrorist attack—namely, other services have become dependent on the electric power system. David Kaufman, FEMA, recognized that impacts of overlapping interdependency could cascade because the supply chain for many industries has become globalized—for example, according to Mr. Kaufman, truck production in Louisiana was shut down by the earthquake in Japan, which halted the supply of a particular mineral needed for metallic paint. Thus, evaluating resilience in response to a power outage goes far beyond the electric power sector.
Services critical to a community are diverse, including elevators, subways, traffic signals, police stations, cell phone towers, grocery stores, ATMs, and gas stations. Joseph McClelland, FERC, pointed out that not only does the electric power system feed into these services, but in some cases it is reliant on these systems as well. For instance, with a shift in generation fuel from coal to natural gas, the energy sector is increasingly reliant on the natural gas pipeline infrastructure; with events like the Telvent compromise in 20123 and the Shamoon cyberattack in 20124 in Saudi Arabia and Qatar, resilience to terrorism and natural disaster for the electric power system involves both upstream and downstream dependencies. The natural gas system may be particularly stressed during the winter when it is being used for heating, making the system especially vulnerable to attack.
Telvent Canada is a company that provides remote administration and monitoring tools for the energy sector. In September 2012, the company discovered that its internal firewall and security system had been breached by a Chinese hacking group. Shamoon is a computer virus capable of transmitting information about the files of the infected computer as well as deleting all data from the hard drive. It was first used on August 15, 2012, by hackers from a group called the Cutting Sword of Justice in an attack on Saudi Arabia’s national oil company, Aramco. It was also suspected in a later cyberattack on a large liquefied natural gas company in Qatar, RasGas.
Much of the information necessary to make good decisions is classified and/or proprietary, but any such decision making needs to be made in the public domain.
Distributed generation, which could pose a challenge for reliability and safety as power flow becomes a two-way street.
Mr. Owens cited net metering as one particular case that does not adequately account for the fact that a customer’s renewable generation from rooftop solar, for example, is not equivalent to power generated by the grid. John Kassakian, MIT, also pointed to renewable portfolio standards as a key cost burden being placed unfairly on utilities through public policy.
1 National Research Council, 2012, Terrorism and the Electric Power Delivery System , The National Academies Press, Washington, D.C.
Annual sales in 2006 were $326 billion. Electricity outages in the U.S. cost an estimated $80 billion every year, mostly from small disturbances (LaCommare).
Table 2.1 Major Industry Players in the U.S. Electric Industry
- Asset Owners: 1) Vertically integrated utilities (owning generation, transmission, and distribution) 2) Generation and transmission utilities 3) Transmission utilities or companies 4) Distribution utilities 5) Generation companies 6) Marketing companies
- Institutional Structures of Asset Owners: 1) Investor-owned electric utilities (IOUs), 2) Rural electric cooperatives (RECs or Co-ops) 3) Municipal utilities (MUNIs) 4) Federal power agencies
- Other Asset Operators and Coordinators: 1) North American Electric Reliability Council (NERC), 2) Independent system operators (ISOs) 3) Regional transmission operators (RTOs) 4) Regional reliability organizations (RROs)
- Government Entities and Regulatory Authorities: 1) State regulatory commissions, 2) Power marketing authorities (PMAs) 3) Federal Energy Regulatory Commission (FERC) 4) U.S. Department of Energy (DOE) 5) Energy Information Administration (EIA) 6) Bonneville Power Administration (BPA) 7) Tennessee Valley Authority (TVA) 8) V Western Area Power Administration (WAPPA)
- Industry Associations and Institutions: 1) Electric Power Research Institute (EPRI), 2) National Regulatory Research Institute (NRRI) 3) Edison Electric Institute (EEI) 4) National Rural Electric Cooperative Association (NRECA) 5) Electric Power Supply Association (EPSA) 6) National Association of Regulatory Utility Commissioners (NARUC) 7) Association of State Energy Research and Technology Transfer Institutes (ASERTTI) 8) National Association of State Utility Consumer Advocates (NASUCA)
NERC requires organizations to register as one or more of: Generator owners, Generator operators, Transmission service providers, Transmission owners, Transmission operators, Distribution providers, Load-serving entities, Purchasing-selling entities, Reliability authorities, Planning authorities, Balancing authorities, Interchange authorities, Transmission planners, Resource planners, Standards developers, and/or Compliance monitors.
Table 8.1. Examples of Critical Social Services that depend on Availability of Electric Power
- 911 and other dispatch centers
- Police headquarters and station houses
- Fire protection services
- Emergency medical services
- Hazardous materials Response Teams
Medical Services: Ambulance, Life-critical hospital care, Clinics and Pharmacies, Nursing Homes
Communications and cyber services
- Radio broadcast media
- Television broadcast media
- Cable television
- Conventional and wireless telephone and data systems
- Wired data service
- Computer Services
Water and sewer: Water supply & Sewer systems
Natural gas. Pipes may burst in cold weather if homes/buildings are left without heat.
- Retail groceries (cash registers, lighting, etc)
- Wholesale grocery and distribution networks
- Food production facilities (farms, animal facilities, processing, packaging, etc)
- Refrigeration: Spoiled food in homes and grocery stores
Financial Cash Machines Credit card systems Banks
Fuel Bulk fuel delivery Local storage infrastructure Retail gasoline sales
Non-emergency government services
- Information service offices: Important for distributing emergency information. Risk of chaos if information not available.
- Operations units
- Prisons and other detention facilities: Potential risks to prisoners, guards, and public if security systems fail.
- Traffic lights
- Tunnels (esp ventilation)
- Light rail systems and subways
- Stranded commuter trains (i.e. outage in Italy 110 trains with 30,000 passengers)
- Conventional rail systems, including railroad crossings
- Air traffic control, navigation, landing aids, and airport operations
- River lock and dam operations
- Drawbridge operations
Lighting: buildings, residential (risk of fires from candles), commercial and industrial, street
Building operations: elevators, space heating and cooling
Other instabilities.Some states have more stringent environmental regulations than at the federal level, and don’t allow coal generated electricity, making it harder for systems operators to meet reliability objectives. This is made even harder when communities build renewable-energy-based resources like wind for generation, since unreliable renewables are often far from customers, and not able to generate electricity when the need is greatest, increasing the complications of system design, operation, [and the need for natural gas combined cycle plants to make up for the lack of power].
Other Impacts (OTA 1990)
- Agriculture. There can be significant hazards to livestock and produce during a blackout. Sensitive processes include incubation, milking, pumping, heating, air-conditioning, and refrigeration.
- Residential. Consumers do not have air-conditioning, heat, hot water, lights, freezers, refrigerators, stoves and microwave ovens, toasters, home computers, elevators etc.
- Transportation A blackout affects virtually every mode of transportation (box D). Subways, elevators, and escalators stop running, street traffic is snarled without traffic lights. Gasoline pumps do not work, taxis and buses decline over time. Parking lot gates and toll booths will not operate. Trains can function, but it can be hazardous without signal lights. Other transportation effects result from the inability to deliver goods.
- Looting and fires. Looting and arson can severely strain police and fire-fighting and services. During the New York City blackout there were 1,037 fires (primarily arson)
- Water supply systems often rely on gravity to move water from reservoirs through the mains and to maintain pressure throughout the system. Some power may be required at pumping stations and reservoirs. Loss of pressure in mains hampers free-fighting and may permit contaminants to seep into the water supply.
- Electricity is needed in treatment and pumping of sewage. An outage at a treatment plant causes raw sewage to bypass the treatment process and flow into the waterways. Lack of pumping station power prevents sewage flow and ultimately causes a backup at the lowest points of input (usually basements in low-lying areas. Many sewage treatment plants and pumping stations have standby power supplies, but only for short durations. After standby power is exhausted, untreated sewage flows continuously from the treatment plant.
- Destruction of Four or More Major Transmission Substations. The destruction of more than 3 transmission substations would cause long-term blackouts in many areas of the country. Only a few areas have a good enough geographic balance of load and generation to survive this very severe test.
Costs of blackouts: food spoilage, damage to electronic data, life-support systems inoperable in hospitals, arson and looting (in the 1977 New York City blackout, this accounted for half of the economic costs — $155 million), overtime payments to police and fire personnel, increases in insurance rates, lost productivity at commercial and industrial companies. Many industrial processes are highly sensitive to power disruptions. An interruption of less than 1 second can shut plant equipment down for several hours. Outages can spoil raw materials, work-in-progress, and finished goods. Spoilage is a significant problem in chemical processes, steel manufacture, food products, and other industries (OTA 1990)
Sabotage and Vandalism: Insulators on distribution lines are a frequent target for vandals with guns. To date, no long-term blackouts have been caused in the United States by sabotage. However, this observation is less reassuring than it sounds. Electric power system components have been targets of numerous isolated acts of sabotage in this country. Several incidents have resulted in multimillion-dollar repair bills. In several other countries, sabotage has led to extensive blackouts and considerable economic damage in addition to the cost of repair
United States before 1990: Over the past decade there were few notable acts of sabotage, and apparently none that were intended to cause harm other than to the local utility. The most common cause has been labor disputes. In July 1989, a tower on a 765-kV line owned by the Kentucky Power Co. was bombed, temporarily disabling the line. No arrests have been made. In 1987-88, power line poles and substations were bombed or shot in the Wyoming-Montana border area. Later in 1988, similar attacks were experienced in West Virginia. Such attacks had also occurred in 1985 in West Virginia and Kentucky. All these attacks occurred during coal mine strikes. Two Florida substations were heavily damaged by simultaneous dynamite explosions in 1981 in one of the most expensive incidents. Damages totaled about $3 million, but no significant customer outages resulted. No arrests have been made, but circumstantial evidence points to a contractor labor dispute. Incidents stemming from unknown motives include the cutting of guy wires and subsequent toppling of a tower on the 1,800-MW, 1,000-kV DC intertie in California in 1987. There was negligible impact on the power system, because the load on the line was light at the time and it was scheduled for maintenance the next day, so alternate power routes had already been arranged.
Another incident demonstrates that saboteurs can mount a coordinated operation. In 1986, three 500-kV lines from the Palo Verde Nuclear Generating Station were grounded simultaneously over a 30-mile stretch. It happened at a time when none of the nuclear reactors was operating, so no disruption occurred. Under different conditions, the reactors would have shut down. No arrests have been made.
El Salvador: Attacks on electric power systems have been most severe in El Salvador. The Farabundo Marti National Liberation Front (FMLN) has repeatedly bombed or fired on transmission towers, substations and hydroelectric power plants. Up to 90 percent of the entire Nation has been blacked out by the FMLN during some sabotage campaigns. The FMLN has even produced a manual detailing how to attack an electric power system. According to official sources, the FMLN has launched over 2,000 attacks on electric systems since 1980. The Sendero Luminosa (Shining Path) revolutionary group has adopted a similar strategy in Peru, frequently leaving Lima, as well as a 600-mile stretch of the country, blacked out or under power rationing for 40 to 50 days (OTA, 1990).
Industries most dependent on electricity (in New Jersey): aluminum, wet corn milling, cement, pipelines (oil, natural gas, water), electrometallurgical products, petroleum refining, platemaking, soybean oil mills, carbon black, smelting and refining of copper, industrial organic and inorganic chemicals, plastics and resins (Greenberg, Met al. 2007. “Short and Intermediate Economic Impacts of a Terrorist Initiated Loss of Electric Power: Case Study of New Jersey.” Energy Policy 35(1):722–733.