Aging power grid presents security gap
WASHINGTON — Energy regulators' efforts to harden the power grid against snipers and terrorists are fueling a debate over whether they're diverting resources from other threats, such as cyber attacks.
The Federal Energy Regulatory Commission this month ordered the power industry to identify critical facilities and devise a plan to protect them from attack.
“My concern is that we don't shift our focus and our resources,” said John Norris, a FERC commissioner who voted for the order while cautioning against overreacting to the sniper attack last year on a power substation in California. “The rush to do this seems to be based on a very incomplete set of facts about what happened.”
As the electricity network has become increasingly dependent on software and the Internet, the utility industry has focused on combating potential cyber attacks.
The attack in April at Pacific Gas and Electric Co.'s Metcalf substation near San Jose resurrected a 20th-century threat — an old-fashioned, military-style assault on the power network.
Shooting for 19 minutes, rifle-toting attackers knocked out 17 giant transformers that funnel power to Silicon Valley. A minute before a police car arrived, the shooters disappeared into the night.
Regulators seek the best way to guard against all threats to the generators, transformers and thousands of miles of high-voltage power lines that make up the electrical grid while encouraging modernization of the aging network.
Norris said the United States should focus on developing technologies, such as microgrids, that can quickly isolate damaged components from the rest of the network in the event of an attack. Advanced technologies can make better use of data to improve awareness of incidents affecting the grid, he said.
“You address multiple threats, not just physical threats,” Norris said. At a FERC meeting in February, he said, “Our future is in a much smarter and more nimble grid.”
Former FERC Chairman Jon Wellinghoff for years has warned that the grid's most critical components, such as transformers that adjust electrical voltage, are vulnerable and could be better protected with relatively simple measures, like improved fencing.
An attack knocking out major critical components “would result in catastrophic failure, potentially, of the interconnect,” Wellinghoff said.
FERC's March 7 order required the North American Electric Reliability Corp., a nonprofit known as NERC that is responsible for ensuring the reliability of the grid, to produce by June standards to guard against physical attacks. The standards should require utilities to identify their most critical components and show that they're adequately protected.
“It was a good step to take, ultimately,” Wellinghoff said. “We'll see what NERC does and how long it takes.”
Gerry Cauley, head of the nonprofit, said he shares Norris' concerns about overreaction to the California attack, and that utilities can increase physical security by improving existing protections like lighting, cameras, surveillance equipment and key-card access at substations. The California incident showed that companies need to be concerned about the line of sight for potential gunmen, he said.
“I would like the standard to drive a more heightened look than what we've seen in the past,” Cauley said.
After the attack on the Metcalf substation near San Jose, FERC provided the industry with a list of steps to improve security at substations, said Tom Kuhn, president of the Edison Electric Institute, a Washington-based industry group for publicly traded utilities, including Duke Energy Corp. and Exelon Corp.
The list has not been made public. FERC spokeswoman Mary O'Driscoll declined to acknowledge its existence. EEI spokesman Jeff Ostermayer wrote in an email that he couldn't provide the list “for operational security reasons.”
Disabling as few as nine electricity substations and destroying a transformer manufacturer could plunge the nation into a blackout that would last for 18 months, The Wall Street Journal reported on Thursday, citing an internal FERC report.
Acting FERC Chairman Cheryl LaFleur did not deny the existence of the report, though she said that publishing sensitive information “crosses the line from transparency to irresponsibility, and gives those who would do us harm a road map to achieve malicious designs.”
San Francisco-based PG&E plans to spend $100 million in the next four years to bolster its network against further attacks, said Brian Swanson, a company spokesman.
Although the April attack disabled transformers at the substation, the company was able to prevent customers from losing power, he said. The utility has since worked with law enforcement to increase patrols and deployed security guards to provide a round-the-clock presence at critical units, Swanson said.
Ultimately, the steps industry and regulators take to guard against physical attacks will be a balancing act between securing the grid and shielding consumers from high costs.
According to Wellinghoff, there are probably fewer than 100 power substations, primarily in rural areas, that are most critical to the network and may need heightened protection. While costs would vary among substations, the expense would be minimal if spread among taxpayers, he said.
“They should be spread over everybody because it affects everybody,” he said.