Electrical grid security in the United States

Electrical grid security in the United States involves the physical and cybersecurity of the United States electrical grid. The smart grid allows energy customers and energy providers to more efficiently manage and generate electricity. Similar to other new technologies, the smart grid also introduces new security concerns.[1]

The electric utility industry in the U.S. leads several initiatives to help protect the national electric grid from threats. The industry partners with the federal government, particularly the National Institute of Standards and Technology, the North American Electric Reliability Corporation, and federal intelligence and law enforcement agencies.[2]

From the 2000s through to the 2020s, the security of the U.S. electrical grid has come into question. Government officials have expressed concern with the possibility of violent extremists and agents of foreign states attacking the nation's electrical grid.[3][4] Cybersecurity is also an issue for electric grid security in the United States with financially motivated crimes being more common than terrorist ones.[5]

Overview

edit

The North American electrical power grid is a highly connected system. The ongoing modernization of the grid is generally referred to as the "smart grid". Reliability and efficiency are two key drivers of the development of the smart grid. Another example is the ability for the electrical system to incorporate renewable energy sources such as wind power and geothermal power. One of the key issues for electric grid security is that these ongoing improvements and modernizations have created more risk to the system. As an example, one risk specifically comes from the integration of digital communications and computer infrastructure with the existing physical infrastructure of the power grid.[6]

In the 2010s and 2020s, attacks to the United States electrical grid have become more frequent, with 2022 being the year with the most attacks.[7] Since 2014, vandalism and confirmed or suspected physical attacks on electrical grid infrastructure have also been the second-largest cause of electrical disturbance events.[8]

In 2012, the National Research Council of the National Academies of Sciences, Engineering, and Medicine published a declassified report prepared in 2007 for the Department of Homeland Security that highlighted the vulnerability of the national electric grid from damage to high voltage transformers.[9]

In October 2022, the FBI published a report that described an increase in reported threats to critical infrastructure from people who espouse "racially or ethnically motivated violent extremist ideology", with an aim of creating civil disorder and inspiring further violence.[10]

In a report concerning extremist threats, the Department of Homeland Security made note of a Telegram document that gave instructions for low-tech sabotage, including attacks on electrical power stations with rifles. The document circulated among online white nationalist communities, which advocate the toppling of the U.S. government.[3][4]

The threat of potential electrical grid cyberattacks by foreign states such as Russia has also been area of concern for electrical grid security.[11][12]

Government oversight

edit

In the U.S., the Federal Energy Regulatory Commission (FERC) is in charge of the cybersecurity standards for the bulk power system. The system includes systems necessary for operating the interconnected grid.[13] However, Ted Koppel argues that the industry has blocked any significant oversight for decades, with only minuscule fines being levied for failing to comply with relatively lax standards as of the early 2010s.[14]

Investor-owned utilities operate under a different authority, state public utility commissions. This falls outside of FERC's jurisdiction.[13]

The initiation of government oversight of the American Bulk Electric System (BES) occurred after two incidents led the government to investigate further the causes of the 1965 North East Blackout alongside another small blackout in 1967 at the Pennsylvania New Jersey Maryland (PJM) interconnection.[15][page needed] These two incidents prompted US Congress to initiate legislation focused on increased oversight of the electric power system, ultimately leading to the Electric Power Reliability Act of 1967. In 1968, the National Electric Reliability Council (NERC) was formed after 12 regional organizations signed an agreement spanning the United States and parts of Canada.[15][page needed] NERC is still around today, yet its name has changed a little, and it is now called the North American Electric Reliability Corporation (NERC). Shortly after this, in 1971, each region had its own Regional Reliability Council, which was in place to ensure collaboration and reliability of the BES, each having a member who served on the NERC board.[15][page needed] The landscape changed in 1971 when 4 of the regionals combined to make one large region known as the Southeastern Electric Reliability Council (SERC), dropping the number of areas from 12 to 9.

In 1997, the first set of Operating and Planning Standards was approved by the NERC board, which started the implementation of certifications and standards to ensure the reliability of the American BES.[15][page needed] While security and reliability efforts ramped up after the 9/11 terrorist attacks, it wasn’t until 2003 that a massive blackout occurred in the Eastern Interconnection, leaving 500,000 people without power. During the investigation, NERC determined that their reliability standards were not being upheld and revamped them by creating reliability standards that were now enforceable.[15][page needed] The Reliability Standard was approved in December 2004 and became effective in April 2005.

The Energy Policy Act 2005 was finalized and signed into law in August 2005. Section 215 authorized the Federal Energy Reliability Commission to certify and provide oversight of one Electric Reliability Organization responsible for the mandatory enforcement of the NERC Reliability standards.[15][page needed] NERC then applied to FERC for certification in April 2006 and was certified in July 2006. In 2007, NERC provided regional delegation for enforcement to eight regional entities: Florida Reliability Coordinating Council; Midwest Reliability Organization; Northeast Power Coordinating Council: Cross Border Regional Entity, Inc.; Reliability First Corporation; SERC Reliability Corporation; Southwest Power Pool, Inc.; Texas Reliability Entity, a division of ERCOT; and Western Electricity Coordinating Council.[15][page needed] This led to what is now known as the NERC Critical Infrastructure Protection Standards being approved by FERC in June of 2007. As of 2024, there are six regional entities, including the Midwest Reliability Organization, Reliability First, Northeast Power Coordinating Council, Texas Reliability Entity, Western Electricity Coordinating Council, and the SERC Reliability Corporation.[16] Since their creation, these regional entities have ensured the reliability and security of the American BES by enforcing the mandatory NERC CIP standards.[16] Throughout the years, the standards have evolved to meet the changing threat landscape of cyber and the risks facing the operational side of the BES yet continue towards the same mission of maintaining the security and reliability of the BES.[16]

Cybersecurity

edit

In his 2015 book, Ted Koppel argues that all utilities, but especially smaller ones, do not truly air-gap their operations from the internet, leaving significant attack surfaces.[14]

In 2016, members of the Russian hacker organization "Grizzly Steppe" infiltrated the computer system of a Vermont utility company, Burlington Electric, exposing the vulnerability of the nation's electric grid to attacks. The hackers did not disrupt the state's electric grid, however. Burlington Electric discovered malware code in a computer system that was not connected to the grid.[17]

As of 2018, two evolutions are taking place in the power economic sector. These evolutions could make it harder for utilities to defend from a cyber threat. First, hackers have become more sophisticated in their attempts to disrupt electric grids. "Attacks are more targeted, including spear phishing efforts aimed at individuals, and are shifting from corporate networks to include industrial control systems."[18] Second, the grid is becoming more and more distributed and connected. The growing "Internet of Things" world could make it so that every device could be a potential vulnerability.[18]

Terrorist attack risk

edit

As of 2006, over 200,000 miles of transmission lines that are 230 kV or higher existed in the United States. The main problem is that it is impossible to secure the whole system from terrorist attacks. The scenario of such a terrorist attack, however, would be minimal because it would only disrupt a small portion of the overall grid. For example, an attack that destroys a regional transmission tower would only have a temporary impact. The modern-day electric grid system is capable of restoring equipment that is damaged by natural disasters such as tornadoes, hurricanes, ice storms, and earthquakes in a generally short period of time. This is due to the resiliency of the national grid to such events. "It would be difficult for even a well-organized large group of terrorists to cause the physical damage of a small- to moderate-scale tornado."[19]

Potential solutions

edit

Today the utility industry is advancing cybersecurity with a series of initiatives. They are partnering with federal agencies. The goal is to improve sector-wide resilience to both physical and cyber threats. The industry is also working with National Institute of Standards and Technology, the North American Electric Reliability Corporation, and federal intelligence and law enforcement agencies.[20]

In 2017, electric companies spent $57.2 billion on grid security.[21]

In September 2018, Brien Sheahan, chairman and CEO of the Illinois Commerce Commission and a member of the U.S. Department of Energy (DOE) Nuclear Energy Advisory Committee, and Robert Powelson, a former Federal Energy Regulatory Commission (FERC) commissioner, wrote in a published piece in Utility Dive that cyberthreats to the national power system require stronger national standards and more collaboration between levels of government. Recent to their article, the U.S. Department of Homeland Security confirmed that Russian hackers targeted the control room's of American public utilities. The electric distribution system has become more and more networked together and interconnected. Critical public services depend on the system: water delivery, financial institutions, hospitals, and public safety. To prevent disruption to the network, Sheahan and Powelson recommended national standards and collaboration between federal and state energy regulators.[22]

Some utility companies have cybersecurity-specific practices or teams. Baltimore Gas and Electric conducts regular drills with its employees. It also shares cyber-threat related information with industry and government partners. Duke Energy put together a corporate incident response team that is devoted to cybersecurity 24 hours a day. The unit works closely with government emergency management and law enforcement.[13]

Some states have cybersecurity procedures and practices:[13]

  • New Jersey: Utilities are required to put together comprehensive cybersecurity plans.
  • Pennsylvania: Utilities must keep physical and cybersecurity, emergency response and business continuity plans. They also have to report severe cyberattacks.
  • Texas: The state's public utility commission conducts annual security audits.

In December 2018, U.S. Senators Cory Gardner and Michael Bennet introduced legislation intended to improve grid security nation-wide. The bills would create a $90 million fund that would be distributed to states to develop energy security plans. The legislation would also require the U.S. Energy Department to identify any vulnerabilities to cyberattacks in the nation's electrical power grid.[23]

In March 2019, Donald Trump issued an executive order that directed federal agencies to prepare for attacks involving an electromagnetic pulse.[24] In May 2020, he issued an executive order that bans the use of grid equipment manufactured by a foreign adversary.[25][26]

Electricity Subsector Coordinating Council

edit

The Electricity Subsector Coordinating Council (ESCC) is the main liaison organization between the federal government and the electric power industry. Its mission is to coordinate efforts to prepare for, and respond to, national-level disasters or threats to critical infrastructure. The ESCC is composed of electric company CEOs and trade association leaders from all segments of the industry. Its federal government counterparts include senior administration officials from the White House, relevant cabinet agencies, federal law enforcement, and national security organizations. [16]

Attacks on the electrical grid in the United States

edit

1975

edit

California

edit

In March and April of 1975, a "closely guarded" Pacific Gas and Electric substation was bombed twice in two separate incidents, knocking out power to more than 22,000 customers. The New World Liberation Front (NWLF) took credit for these attacks.[27]

Washington

edit

On 31 December 1975, an electrical substation in Seattle, Washington was bombed by the George Jackson Brigade.[28]

2013

edit

Arkansas

edit

Multiple attacks on electrical infrastructure were carried out by Jason Woodring in Central Arkansas between August and October 2013. Woodring attacked power lines and an electrical tower near Cabot, a switching station in Scott, and power lines and poles in Jacksonville.[29] [30][31][32]

Metcalf, California

edit

Metcalf sniper attack
CCTV footage (Attacks begin at around 1:54)
LocationCoyote, California, U.S.
DateApril 16, 2013 (2013-04-16)
12:58 – 1:50 a.m. (PDT)
TargetPG&E Metcalf substation
Attack type
Sabotage
Weapons7.62×39mm rifles

On April 16, 2013, an attack was carried out on Pacific Gas and Electric Company's Metcalf transmission substation in Coyote, California, near the border of San Jose. The attack, in which gunmen fired on 17 electrical transformers, resulted in more than $15 million worth of equipment damage, but it had little impact on the station's electrical power supply.[33][34][35]

2016

edit

Utah

edit

In 2016 a Utah man attacked a substation with a rifle. He was convicted and sentenced to federal prison. Court documents indicated that he had planned to attack other stations as well.[36][30][32][31]

Vermont

edit

In 2016, members of the Russian hacker organization Grizzly Steppe infiltrated the computer system of a Vermont utility company, Burlington Electric, but did not disrupt the state's electric grid. Burlington Electric discovered malware code in a computer system that was not connected to the grid.[37]

2022

edit

Jones County, NC

edit

On November 11, 2022, an electrical distribution substation belonging to Carteret-Craven Electric Cooperative in North Carolina was damaged by vandals. The damage resulted in the loss of electrical power to more than 12,000 residents.[38][39][40][41]

Washington and Oregon

edit

At least six attacks were carried out against electrical infrastructure in the Pacific Northwest in late November, 2022. Two of the incidents involved firearms.[42]

Moore County, NC

edit

Moore County substation attack
 
Damaged substation fence in West End
LocationMoore County, North Carolina, U.S.
DateDecember 3, 2022 (2022-12-03)
c. 7:00 p.m. (EST)
TargetDuke Energy substations
Attack type
Sabotage
WeaponsFirearms
Deaths1

On December 3, 2022, a shooting attack was carried out on two electrical distribution substations located in Moore County, North Carolina, United States. Damage from the attack left up to 40,000 residential and business customers without electrical power. Initial estimates were that up to four days could be required to fully restore power in the area. A state of emergency and corresponding curfew were enacted by local government officials in the wake of the incident.[43]

Pierce County, WA

edit

Four power substations in the Tacoma, Washington area were vandalized on the morning of December 25, 2022. At one point, over 14,000 were without power.[44] The damage has been estimated at $3 million to repair, and is expected to take up to three years to complete.[45]

Two men with previous criminal records of thefts were arrested on January 3, with the reported motive being to cut the power to serve as part of a wider plan to burglarize several businesses in the area.[45][46]

References

edit
  1. ^ McDaniel, Patrick; McLaughlin, Stephen (May 2009). "Security and Privacy Challenges in the Smart Grid". IEEE Security & Privacy Magazine. 7 (3): 75–77. doi:10.1109/MSP.2009.76. S2CID 40490304.
  2. ^ "Cyber & Physical Security". www.eei.org. Retrieved December 27, 2018.
  3. ^ a b Musa, Amanda; Almasy, Steve; Hanna, Jason (December 6, 2022). "Power may be back for thousands on Wednesday night as authorities continue to go through tips on electric substation attack". CNN.
  4. ^ a b Miller, John (December 5, 2022). "Attacks on US power grid have been subject of extremist chatter for years. DHS bulletin warns of attacks on critical infrastructure amid other targets". CNN.
  5. ^ Walton, Robert. "Sophisticated hackers could crash the US power grid, but money, not sabotage, is their focus". utilitydive.com. Utility Dive. Retrieved December 11, 2022.
  6. ^ Khurana, H.; Hadley, M.; Ning Lu; Frincke, D. A. (January 2010). "Smart-grid security issues". IEEE Security & Privacy Magazine. 8 (1): 81–85. doi:10.1109/MSP.2010.49. S2CID 1218073.
  7. ^ Morehouse, Catherine. "Physical attacks on power grid surge to new peak". POLITICO. Retrieved December 26, 2022.
  8. ^ "North Carolina substation attack raises security concerns for U.S. electric grid". NBC News. December 8, 2022. Retrieved December 26, 2022.
  9. ^ "Terrorism and the Electric Power Delivery System". National Research Council. November 14, 2014.
  10. ^ "Strategic Intelligence Assessment and Data on Domestic Terrorism". Federal Bureau of Investigation.
  11. ^ "Vulnerable U.S. electric grid facing threats from Russia and domestic terrorists". www.cbsnews.com. August 28, 2022. Retrieved December 26, 2022.
  12. ^ Office, U. S. Government Accountability. "Securing the U.S. Electricity Grid from Cyberattacks". www.gao.gov. Retrieved December 26, 2022.
  13. ^ a b c d Douris, Constance (January 16, 2018). "As Cyber Threats To The Electric Grid Rise, Utilities And Regulators Seek Solutions". Forbes. Retrieved September 17, 2018.
  14. ^ a b Koppel, Ted (2015). Lights out: a cyberattack, a nation unprepared, surviving the aftermath (First ed.). New York: Crown Publishers. ISBN 978-0-553-41996-2.
  15. ^ a b c d e f g Nevius, David (March 1, 2020). The History of the North American Electric Reliability Corporation (PDF). NERC.
  16. ^ a b c d NERC (2023, October 1). 2024 ERO Enterprise Compliance Monitoring and Enforcement Program Implementation Plan. Retrieved January 1, 2024, from https://www.nerc.com/pa/comp/CAOneStopShop/ERO%20CMEP%20Implementation%20Plan%20v1.0%20-%202024.pdf
  17. ^ Eilperin, Juliet; Entous, Adam (December 31, 2016). "Russian operation hacked a Vermont utility, showing risk to U.S. electrical grid security, officials say". The Washington Post. ISSN 0190-8286. Retrieved May 3, 2020.
  18. ^ a b Walton, Robert (May 21, 2018). "Cybersecurity and the distributed grid: A double-edged sword". Utility Dive. Retrieved September 17, 2018.
  19. ^ Schainker, R.; Douglas, J.; Kropp, T. (March 2006). "Electric utility responses to grid security issues". IEEE Power and Energy Magazine. 4 (2): 30–37. doi:10.1109/MPAE.2006.1597993. S2CID 5779202.
  20. ^ "Cyber & Physical Security". Edison Electric Institute. Retrieved September 18, 2018.
  21. ^ [1](registration required)
  22. ^ Sheahan, Brien J.; Powelson, Robert F. (September 4, 2018). "Cyberthreats require strengthened standards, increased government collaboration". Utility Dive. Retrieved September 13, 2018.
  23. ^ "Senators' bills aim to protect power grid from cyberattacks". The Journal. December 3, 2018. Archived from the original on December 28, 2018. Retrieved December 27, 2018.
  24. ^ Blair, Christopher W.; Mahoney, Casey; Pindyck, Shira E.; Schwartz, Joshua A. (March 29, 2019). "Trump issued an executive order to prepare for an EMP attack. What is it, and should you worry?". The Washington Post. Retrieved May 3, 2020.
  25. ^ Miller, Maggie (May 1, 2020). "Trump issues executive order to protect power grid from attack". The Hill. Retrieved May 3, 2020.
  26. ^ Xu, Adam (May 9, 2020). "US Moves to Exclude Chinese Equipment from Electric Power Grid". Voice of America. Retrieved May 9, 2020.
  27. ^ "A Power Substation On Coast Is Bombed 2d Time in 12 Days". The New York Times. April 9, 1975.
  28. ^ Burton-Rose, Daniel (October 1, 2010). Creating a Movement with Teeth: A Documentary History of the George Jackson Brigade. PM Press. p. 41. ISBN 978-1-60486-461-8.
  29. ^ "Arkansas Man Sentenced to 15 Years for Attacks on Central Arkansas Power Grid". Justice.gov. June 18, 2015.
  30. ^ a b "The attacks on power substations in Moore County weren't the first of their kind". The News & Observer. December 1, 2023.
  31. ^ a b "North Carolina power outage: Federal memo flags Washington, Oregon substation attacks similar to Moore County". Fox News.
  32. ^ a b "Other states reporting power outage attacks similar to North Carolina, Moore County, document says". CBS17.com. December 7, 2022.
  33. ^ Koerth-Baker, Maggie (August 13, 2018). "Hacking The Electric Grid Is Damned Hard". FiveThirtyEight. Retrieved August 13, 2018.
  34. ^ "Sniper Attack On Calif. Power Station Raises Terrorism Fears". NPR. February 5, 2014.
  35. ^ Serrano, Richard; Halper, Evan (February 11, 2014). "Sophisticated but low-tech power grid attack baffles authorities". Los Angeles Times. Archived from the original on May 7, 2014. Retrieved January 9, 2018.
  36. ^ KUNZELMAN, MICHAEL; DREW, JONATHAN; SANTANA, REBECCA (December 5, 2022). "EXPLAINER: US power grid has long faced terror threat". Associated Press.
  37. ^ Eilperin, Juliet; Entous, Adam (December 31, 2016). "Russian operation hacked a Vermont utility, showing risk to U.S. electrical grid security, officials say". The Washington Post. ISSN 0190-8286. Retrieved December 23, 2023.
  38. ^ "REWARD: Up to $75,000 for information leading to arrest of those responsible for power grid attack". WRAL.com. December 7, 2022.
  39. ^ "Cooperative Substation Vandalized". Carteret-Craven Electric Co-op.
  40. ^ "Another North Carolina power substation was disabled before the Moore County attack". AOL.com.
  41. ^ "Carteret-Craven Electric Cooperative substation vandalized in Maysville". carolinacoastonline.com.
  42. ^ Wilson, Conrad; Ryan, John (December 8, 2022). "String of electrical grid attacks in Pacific Northwest is unsolved". Oregon Public Broadcasting.
  43. ^ "'Intentional, willful and malicious': 40K without power after substation attacks in Moore County". The Fayetteville Observer. December 4, 2022. Archived from the original on December 4, 2022. Retrieved December 4, 2022 – via Associated Press.
  44. ^ "Two Tacoma Power substations, one PSE facility vandalized Christmas Day, authorities say". Seattle Times. December 25, 2022. Retrieved December 26, 2022.
  45. ^ a b Bernton, Hal; Carter, Mike (January 3, 2023). "Two charged in Pierce County Christmas Day substation attacks". Seattle Times.
  46. ^ Domonoske, Camila (January 4, 2023). "FBI says two men attacked Washington's electric grid in order to commit a robbery". NPR.

See also

edit

Further reading

edit