According to a Summarybio News analysis of public Energy Department reports, suspected and confirmed physical attacks on electric grid infrastructure have been the leading cause of electrical disturbance events since 2014.
The recent attack on two North Carolina substations, which knocked out power to thousands of people, has raised questions about the country’s electric grid and its numerous power plants, which have faced increased threats in recent years.
Outside of weather, suspected and confirmed physical attacks on electric grid infrastructure have been the leading cause of electrical disturbance events since 2014, when private companies that run power stations were required to increase security standards in response to an attack in California the previous year, according to an NBC News analysis of public Department of Energy reports.
According to the reports, nearly 600 electric emergency incidents and disturbances were caused by suspected and confirmed physical attacks and vandalism on the electric grid during those nine years. There were 106 attacks or vandalism incidents tracked by the Energy Department data from January to August 2022.
The incidents, which are self-reported to the federal government by power companies, provide little to no detail about what happened. Experts say they can range from theft of copper wire to planned assaults aimed at causing power outages, as is suspected in North Carolina.
“The significance of this outage in North Carolina in the middle of a really cold winter should not be underestimated — it’s a huge deal,” said Neil Chatterjee, chairman of the Federal Energy Regulatory Commission (FERC) during Trump’s administration. “We must be aware of this and take physical security and cybersecurity seriously. There are standards and other approaches we can use to harden and protect our critical energy infrastructure.”
Duke Energy restored power to all of its North Carolina customers Wednesday evening, four days after 45,000 customers were left without power following what officials described as an intentional and coordinated attack on two Moore County substations. The motive for the attack, according to Moore County Sheriff Ronnie Fields, is unknown. It is also unclear what kind of safeguards were in place to prevent such an attack.
Duke Energy spokesman Jeff Brooks declined to provide specifics about the security measures at the sites, but described the company’s security approach as “robust.”
“We have multiple layers of protection on our critical grid systems that help us monitor and respond when there are disruptions,” he explained. “So what we’re doing now is certainly focused on the restoration activity, but there will undoubtedly be lessons learned from this that we will incorporate into our future plans.”
In response to the attack, Deputy Secretary of Energy David Turk, 30 CEOs from across the electricity sector, officials from Duke Energy, and officials and investigators from the FBI, Department of Homeland Security, the White House, and the National Security Council convened a call on Monday.
They discussed the attack, and industry executives were instructed to remain vigilant and report any and all incidents that could be construed as threatening.
“Until we can start connecting some of the dots, we really need to see where this is trending.” “What’s going on?” the official inquired. “There was a real call out to say that we should go ahead and share that information while also remaining vigilant.”
Uncertain rules or a risk-based approach?
The current standard, which was implemented in 2014, requires power companies to develop risk, threat, and vulnerability assessments, as well as a physical security plan for each station, all of which must be verified by a third party. It does not, however, require them to take concrete or specific security measures at each site.
According to Adrienne Lotto, senior vice president of grid security, technical, and operations services at the American Public Power Association, a power company advocacy group, the current standard works well because it is tailored to the specific risks at each site. She also stated that the utility sector has responded to the threats using best practices.
“Using a risk-based approach, the sector tends to focus on those assets that have a high impact or risk to the bulk electric system,” she explained.
Others, however, believe that the current standard is ineffective. Critics say it is a hazy set of rules that gives electric utility companies a lot of leeways rather than requiring and enforcing security measures.
The standards, according to Jon Wellinghoff, who was appointed chairman of FERC during the Obama administration, are “extremely vague” and “not prescriptive,” as they do not require things like block walls or cameras.
“They simply say that companies must identify which parts of their infrastructure are critical, and each utility must then decide which parts of their infrastructure they want to subject to the standards,” he explained. “Then they must devise a plan to protect them, which can essentially be anything that complies with the broad, hazy outline of the standards.”
According to a senior Department of Energy official, the North Carolina substation was not considered high impact because it was not believed that damage to it would have had a significant impact.
“Because this was a low-impact substation, it has a different set of requirements in terms of the physical security measures that it would employ,” the official explained. “We’ll be working with Duke to really understand and assess the situation in terms of what security measures were in place, and that will inform the dialogue in terms of what we might change.”
The last major change in security standards occurred in 2013, when a coordinated firearm attack at a transmission substation outside San Jose, California, raised concerns about a massive weakness in the United States’ electric system.
Those responsible for the Metcalf sniper attack are still on the loose. They set up multiple firing positions and cut power station communications before attacking 17 transformers, threatening a major blackout. The power company, PG&E, was able to reroute power to affected areas, but the attack could have resulted in an energy outage affecting all of Silicon Valley, according to Wellinghoff, who was chairman of FERC at the time.
Future Directions for a New Standard
Those who favor a new security standard say there are significant bureaucratic obstacles to such a proposal.
Following the 2003 Northeast blackout, Congress passed the Energy Policy Act of 2005. Under that law, federal regulators were required to rely on a “electric reliability organization” to develop and enforce reliability standards for the country’s transmission networks. The industry’s expertise, according to some, would lend itself to developing strong reliability standards, while federal regulator FERC would approve the standards developed by the organization.
Since 2006, the North American Electric Reliability Corporation has been in charge of developing reliability standards, but critics claim that this process has effectively allowed the industry to make its own rules, robbing FERC of its ability to act as a regulator.
The North American Electric Reliability Corporation, a nonprofit founded by the electricity industry, stated that its security requirements are risk-based rather than one-size-fits-all.
“The assets in North Carolina were not individually deemed critical to the grid, and the recent attack did not result in an uncontrolled or cascading outage, which is what the standards are intended to protect against,” said Kimberly Mielcarek, a group spokesperson. “However, this raises the issue of the need to review an event that affects several non-critical assets, the cumulative impact of which can be greater than any single asset failure.”
Mielcarek went on to say that industry expertise is the best way to “ensure our standards are technically sound and don’t have unintended consequences on the grid.” FERC, she pointed out, has the authority to order the organization to create a standard if it deems it necessary.
However, for those who want more action, Wellinghoff believes that an act of Congress may be the only way forward.
“Encouraging people to do things does not result in results,” he explained. “You have to give someone the authority to actually do something, to write a regulation, put it in place, and require it to be implemented, as well as to oversee and enforce it.”
However, Chatterjee expressed doubt that a significant standard change would be required. He claims that private companies are effectively encouraged to act out of fear that an attack will cause share prices to fall. He believes that simple fixes such as adding concrete walls rather than chain-link fences could be a significant step forward.
“We have to believe that these actors understand what they need to do to protect their systems,” he said. “Standards are important, but they are not the be-all and end-all.”
CORRECTION (9:24 p.m. ET, December 7, 2022): An earlier version of this article misspelled the surname of a former Federal Energy Regulatory Commission chairman. Neil Chatterjee, not Chatterley, is his name.