Electrical grids in the United States are vulnerable to both cyber-attacks and space weather, federal officials have said.
But an assault that combines the skills of a hacker with a physical attack on key parts of a grid’s infrastructure may result in hundreds of millions of U.S. homes and businesses losing electricity.
“I am most concerned about coordinated physical and cyber-attacks intended to disable elements of the power grid or deny electricity to specific targets, such as government or business centers, military installations, or other infrastructures,” Gerry Cauley, president and CEO of the North American Electric Reliability Corp., said at a recent Senate hearing.
Scott Pugh, of the Department of Homeland Security’s interagency program office, said at an energy conference in April that there are maps — not available for public viewing — that “show you a handful of substations — six or so — [where] you could take out those six substations and black out most of the U.S. east of the Mississippi, if you knew which six [they] were. And in many cases you could do it with a hunting rifle from a couple hundred yards away.”
There are some 1,500 companies that generate electricity in the United States, and the hodgepodge of federal agencies that oversee them have limited statutory authorities to force them to protect themselves against attacks, the Senate Energy and Natural Resources Committee hearing revealed.
“Limitations in federal authority do not fully protect the grid against physical and cyberthreats,” Joseph McClelland, director of the office of reliability at the Federal Energy Regulatory Commission, said.
Legislation passed in 2005 gave the agency the authority to impose reliability standards on “bulk,” or large-scale, power systems. That law excludes local distribution facilities, federal installations located inside grids, and major cities such as New York. Hawaii and Alaska also don’t fall under the commission’s jurisdiction.
Officials are concerned about two threats: electromagnetic pulses, which come from solar storms or weapons, and cyber-attacks, particularly on “smartgrids,” which it turns out, are not very “smart” when it comes to protecting against hackers.
“No single security asset, technique, procedure or standard — even if strictly followed — will protect an entity from all potential cyberthreats,” said Gregory Wilshusen, director of information security issues at the Government Accountability Office. “The cybersecurity threat environment is constantly changing and our defenses must keep up.”
However, in the case of smartgrids, utilities continue to employ them without the necessary safeguards, the GAO has found. There is a lack of security features consistently being integrated into smartgrids and the current regulatory environment makes it difficult to ensure that power companies are properly protecting them.
Physical attacks against the grid can cause equal or greater destruction than cyber-attacks, McClelland said. An electromagnetic pulse, or EMP event, could seriously degrade or shut down large swaths of the nation. Depending on the attack, a significant part of the infrastructure could be “out of service for periods measured in months to a year or more,” he said.
“The self-reporting requirements, the enforcement provisions under the existing standards are important,” he said. “But at the end of the day, if there’s no enforcement provisions, there’s no teeth behind the provisions.”
The National Institute of Standards and Technology has guidelines for utilities to gird themselves from physical and cyber-attacks, but they do not address coordinated attacks, said Wilshusen. NIST “guidelines did not address an important element essential to securing smartgrid systems — the risk of attacks using both cyber and physical means.”
Meanwhile, there have been three major studies that looked at the possible effects of a massive solar storm on U.S. electrical grids. They reached different conclusions, Pugh said at the National Defense Industrial Association Environment, Energy Security and Sustainability symposium in New Orleans.
Experts are trying to map the grid and figure out what would happen in the event of an attack or solar storm, Pugh said. But there is nothing that requires the 1,500 companies to share proprietary data about their equipment, so coming to firm conclusions is difficult.
Transformers — which number about 2,000 nationwide — are a key vulnerability. Strong electrical pulses caused by a weapon or solar storm can irreparably damage them, he said.
“If you need a dozen of those tomorrow because somebody attacked the grid, or we had a space weather event that took out a dozen, you might be waiting quite a while,” he said. They weigh about 300 tons, can only be delivered by special rail car, and most are now manufactured overseas.
DHS’ Science and Technology Directorate, in partnership with the Department of Energy, has developed a “recovery transformer.” It is made of lighter materials, and is compact enough to be transported by truck. It can also be shipped without the hundreds of gallons of cooling oil it needs to function. The coolant would be inserted onsite. There are three U.S.-made transformers being tested now. To show how quickly they could be deployed, they were moved from a factory in St. Louis to a site in Houston, where they were up and running all within one week. Operational tests are ongoing and conclude next year. If the transformers are shown to be reliable, then utilities can decide whether they want to purchase them and have them on hand.
But that would be optional unless federal laws are passed that require companies to keep rapidly deployable transformers at the ready, Pugh noted.