This month, thousands of power grid operators were challenged to respond to an imaginary assault on the nation’s electrical networks. The consequences of the Pearl Harbor-scale war game were said to be devastating.
Lessons learned from the exercise will be issued in several months by the GridEx III organizer, the North American Electric Reliability Corp. (NERC), the grid’s federally designated security monitor. Still, an unstated message that emerged from the GridEx III exercise is, "Don’t hit us yet. We aren’t ready."
That’s also the takeaway from a new book by television journalist Ted Koppel, "Lights Out." And it’s a conclusion reached by scores of officials and experts who have been sounding the alarm at security conferences and at hearings on Capitol Hill. With cyberattacks and defenses constantly evolving, they warn that staying on top of the threat is an undeclared war with no end.
Gerry Cauley, NERC’s chief executive, told reporters after the first day of GridEx III on Nov. 18 that the severity of the game had been dialed way up to stress operators and expose weak points. A coordinated physical and cyberattack on the magnitude of the GridEx III scenario would be "very rare and very difficult" to execute, Cauley said.
But what about a much more limited attack directed against a single city’s power infrastructure?
Koppel’s book tour has been a tour de force since late October. PBS, C-SPAN and "CBS This Morning" have pumped into America’s living rooms his warnings about an insecure electric grid and the government’s lack of preparedness in the event of a major attack.
Some of the authorities Koppel quotes say that even a single successful cyber and physical attack could disable critical generation and transmission equipment for weeks or more. Grocery stores, pharmacies, gasoline stations, cellphone service, elevators and workplaces would go without power. Hospitals, police and fire stations, and emergency shelters that had backup generators would have to find fuel suppliers that weren’t themselves without power.
Koppel goes on to assert that government agencies at all levels are not prepared to deal with the human crises that would follow from a blackout in a major U.S. city that lasted more than a few days. The result could be a mass evacuation of a million people, rivaling or exceeding the evacuations in New Orleans during Hurricane Katrina.
Koppel does not dig into the details of the debate about the electric grid’s exposure to a mass attack. He does quote some very worried experts.
When he asked Janet Napolitano, the former Department of Homeland Security secretary, what chance there was that a nation-state or independent actor could knock out part of the power networks, she replied, "Very high — 80 percent, 90 percent. You know, very, very high."
On the other side, he quotes a "very senior" industry executive unwilling to be named who downplayed the risks of a cascading outage across large parts of North America. Yet this official wasn’t as confident about the likelihood of a more limited but still crippling assault.
"I almost guarantee you," the official said, "they’re not going to be able to create widespread damage — I mean, when you say, ‘take down the grid,’ you know, Long Island could go out. It could go black, but the rest of the United States wouldn’t."
The limited attack is the most likely scenario, says James Clapper, the director of national intelligence. He told Congress in April that rather than a "Cyber Armageddon" that takes out swaths of U.S. infrastructure, the U.S. intelligence community expects "an ongoing series of low- to moderate-level cyberattacks from a variety of sources over time."
Much of the debate and discussion about threats to the grid from physical and cyber attacks centers on the potential destruction of high-voltage power transformers that move power across the grid.
Koppel reports government and industry officials expressing confidence that spare supplies of large power transformers could meet the needs even in a crisis. He quotes Caitlin Durkovich, assistant secretary for infrastructure protection at the Department of Homeland Security, saying, "There are already between two hundred and three hundred high voltage supertransformers available."
However, the Energy Department’s Quadrennial Energy Review cautioned, "Despite expanded efforts by industry and federal regulators, current programs to address the [transformer] vulnerability may not be adequate to address the security and reliability concerns associated with simultaneous failures of multiple high-voltage transformers."
How quickly could the 400,000-pound-plus reserve transformers be moved, even if only relatively few were required to bring power back to a major city? The assessments from GridEx III aren’t public, but one leading power company, MidAmerican Energy Co. in Des Moines, Iowa, told EnergyWire it had cut the actual delivery time of a large transformer in half. It still took 45 days, however, even with that remarkable fast-track effort. If that is the standard, it could mean six weeks without power for a U.S. metropolis (EnergyWire, Nov. 23).
Koppel interviewed DHS Secretary Jeh Johnson for the book, quoting him as giving an offhand assurance: "I’m sure FEMA [the Federal Emergency Management Agency] has the capability to bring in backup transformers." Then Koppel quotes FEMA Administrator Craig Fugate about whether FEMA could in fact move spare transformers rapidly around. "No. Most people expect … that somehow we have enough tools in the tool chest to get power turned back on quickly. The answer is no."
There are other transformer strategies, but they remain on the shelf.
In 2012, ABB Group, the global energy equipment manufacturer, produced a mobile recovery transformer called RecX with support from DHS and the Electric Power Research Institute. Designed to move in three pieces aboard trucks, it has "plug and play" features that can shorten its movement and installation to a week, ABB says. The single RecX unit was shipped from ABB’s St. Louis manufacturing plant to Houston and hooked up, passing all its tests (ClimateWire, June 9, 2011).
ABB and other U.S.-based manufacturers are eager to build the units, but so far, there is only one because of questions of who would pay for them. Congress hasn’t been able to address the issue.
"We’ve been waiting for this for three years," said Craig Stiegemeier, ABB’s business development and technology director (EnergyWire, April 6).
There appear to be loose ends on other parts of the DHS response plan. Johnson told a Council on Foreign Relations audience Nov. 4, "We do have a national cyber incident plan that is a working document. It hasn’t been finalized yet, and potential attacks on the power grid are part of that plan."
DHS’s role following a large-scale cyberattack on the grid was part of the interim National Cyber Incident Response Plan issued in 2010, but that plan is not yet completed. Only in August did Johnson direct the DHS Homeland Security Advisory Council to make recommendations to complete the plan (EnergyWire, Nov. 16).
Following the 2013 attack on the Metcalf substation outside San Jose, Calif., the Federal Energy Regulatory Commission staff conducted an internal study of the most vulnerable U.S. high-voltage substations. Joseph McClelland, director of FERC’s Office of Energy Infrastructure Security, told state utility regulators in November 2013, "We’ve identified key nodes, substations and generators that if we were attackers we would target." It isn’t known publicly whether these key facilities have received priority protection (EnergyWire, Nov. 21, 2013).
Under pressure from congressional leaders, FERC in March 2014 directed NERC to develop a draft physical plan for the entire high-voltage network in 90 days. After extensive industry input, FERC issued Order 802 approving the plan in November last year.
Utilities covered by the plan were required to assess the vulnerabilities of their transmission substations by Oct. 1, 2015, and complete security plans no later than April next year, three years after the Metcalf attack. There is no deadline for completing the plans. That will depend on the actions — improved monitoring will probably take less time than actions requiring major construction, FERC’s staff said.
McClelland testified before Congress this year: "Given the national security dimension to this [cyber and physical] threat, there may be a need to act quickly to protect the grid in a manner where action is mandatory rather than voluntary." That echoed testimony he has given almost annually for the past five years, a recommendation that the entire Congress has not dealt with.
FERC has no authority over local distribution utilities, regulated in most cases by state public service commissions, whose attention to cybersecurity threats varies widely, according to a study prepared for the National Association of Regulatory Utility Commissioners (EnergyWire, Feb. 17).
The vulnerabilities so often described, and cited again by Koppel, have prompted three leading grid security experts to call for a wholly new strategy that is designed to provide absolute protection for the grid’s most important installations. The implication is that these installations are not yet adequately protected.
"To disrupt today’s nation-state adversaries and tomorrow’s cyber terrorists and hacktivists, we must reengineer selected last-mile and endpoint elements of the grid," Michael Assante, Tim Roxey and Andy Bochman said in a recent paper. Assante is NERC’s former chief security officer. Roxey is a current NERC vice president and head of the electric power industry’s cyberthreat information-sharing program. Bochman is senior cyber and energy security strategist of the Idaho National Laboratory.
"If we narrow our vision and set our sights on the comparatively small number of systems that MUST, from a national security perspective, be kept safe, we already have the process and technology means at our disposal to take back control," they write. The concept is simple, they add, but not the execution (EnergyWire, Nov. 5).