The East Coast electric grid’s slow recovery from Hurricane Sandy highlights the shortcomings of the overburdened utility system and its susceptibility to damage from a different kind of surprise threat: terrorist attacks, especially hackers, notes one risk manager.
A report released by the National Research Council’s (NRC) Division on Engineering and Physical Sciences, in conjunction with the National Academy of Sciences and the Department of Homeland Security (DHS), shows that a terrorist attack on the U.S. electric delivery system could cause massive blackouts and cost the country billions, even more than what was triggered by the unprecedented storm.
“Power system disruptions experienced to date in the United States, be they from natural disasters or malfunctions, have had immense economic impacts," says M. Granger Morgan, professor and head of the department of engineering and public policy at Carnegie Mellon University, Pittsburgh.
He continues, "Considering that a systematically designed and executed terrorist attack could cause disruptions even more widespread and of longer duration, it is no stretch of the imagination to think that such attacks could produce damage costing hundreds of billions of dollars."
There are approximately 169,000 miles of voltage transmission line miles running through the U.S. fed by 2,100 high-voltage transformers delivering power to 125 million household consumers of electricity, as estimated by the Department of Energy (DOE).
According to the NRC report, the nation’s access to one of its most basic amenities rests on a rusty bed. High-voltage transformers are vulnerable to hits on their physical and information technology infrastructure within and outside their substation locations.
“There is a potential for in-state sabotage if terrorist teams were operating within the U.S. Terrorists certainly have the expertise to establish groups here with the ability to take out big sections of our infrastructure,” says Alan Crane, director of the NRC study. “This doesn’t mean the area will be blacked out for several years, but perhaps for several months with rolling blackouts for several years.”
The clunky transformers weigh about 400,000 lbs., come in a multitude of varying design prototypes, and since they are often custom-built outside of the continental U.S., may take up to two years to replace. If a terrorist attack disables one such piece of technology, it would create blackouts lasting much longer than those caused by downed power lines.
Furthermore, the power grid has been increasingly stressed as companies have restructured generator-to-meter power distribution since the 1990’s in an attempt to keep rates competitive, exposing it to multiple factors that may induce a failure akin to the 2003 blackout, the largest in North American history that affected 50 million customers.
The report proposes that companies develop and stockpile smaller, easier-to-use universal recovery transformers, such as the ones tested by energy companies ABB and CenterPoint Energy during the May 2012 RecX emergency drill program, in which three smaller, universal transformers were deployed from St. Louis to a Texas substation.
Besides the logistics of repairing a transformer, electrical systems may span hundreds of miles of unguarded facilities vulnerable to cyber-attacks through Internet or other telecommunications systems. Modern power systems rely on automated, centrally-controlled supervisory control and data acquisition (SCADA) systems that send data to and from circuit breakers and other locally-operating equipment.
According to a cyber-security report written by the Massachusetts Institute of Technology (MIT), the U.S. National Institute of Standards and Technology Cybersecurity Working Group identified 137 interfaces between the grid systems linking all smart meters, sensors and equipment and generating plants and substations.
A smart, coordinated attack on these systems may not cause a prolonged blackout. However, a hacker who is sending wrong signals to SCADA nodes can tamper with efforts to restore service to a region by distorting communication between its central offices and control equipment.
Karl Zimmel, director of risk management services at UNS Energy Corp., says protecting the grid from cyber hackers is a daily battle regulated by the Federal Energy Regulatory Commission (FERC).
“The annual audit keeping track of various risk assessments of the physical security system, keeping background checks on individuals with access to cyber assets, incident reporting and recovery and business continuity plans is a huge initiative,” he says. “We could be fined up to $1 million a day if we’re ever found to violate the cyber infrastructure compliance.”
One worrisome aspect of the report is the delay in its release. The report was actually completed by the NRC in the fall of 2007, but kept classified by a U.S. Department of Homeland Security mandate. The report was finally cleared for public release in November 2012—meaning that while the face of technology, terrorist organizations and cyber-crime evolve, the exposures announced by the Council have not been updated in more than five years.
In the report’s foreword, Ralph J. Cicerone, president of the National Academy of Sciences, and Charles M. Vest, president of the National Academy of Engineering, wrote, “We regret the long delay in approving this report for public release. We understand the need to safeguard security information that may need to remain classified. But openness is also required to accelerate the progress with current technology and implementation of research and development of new technology to better protect the nation from terrorism and other threats."
The paper goes on to say that the DHS and the U.S. Department of Energy should help initiate and fund model demonstration assessments of a region’s vulnerability to extended power outages in cities, counties, and states and help develop affordable strategies to mitigate these liabilities.