Three Questions about Physical Grid Security
- Written by Massoud Amin
Today the North American electric power system consists of about 15,000 generators, 450,000 miles of high-voltage (100 kV or higher) transmission lines, over six million miles of lower-voltage distribution lines and more than 15,000 substations. Last year's attack on a California substation has awakened concerns about the network's physical security. Here are the three key questions I have been asked repeatedly over the last 13 years, going back to when I directed infrastructure security R&D at the Electric Power Research Institute (EPRI) after 9/11.
(1) How serious a problem is a physical attack on electric infrastructure, which has redundancy built in? Is cyber-security a stronger concern?
The short answer is that the sky is not falling, but we are not bullet-proof.
The transmission system is an interstate grid whose primary purpose is to connect generating plants with electrical load centers, like cities, and with high-demand commercial and industrial facilities. In turn, the local distribution system provides service to residential, commercial and small business customers.
The existing power-delivery system is vulnerable to natural disasters and intentional attack. A concerted terrorist attempt to disrupt the power-delivery system could have particularly adverse effects on national security, the economy and the lives of every citizen.
Both the importance and difficulty of protecting power systems have long been recognized. In 1990, the Office of Technology Assessment (OTA) of the U.S. Congress issued a detailed report, Physical Vulnerability of the Electric System to Natural Disasters and Sabotage, concluding: “Terrorists could emulate acts of sabotage in several other countries and destroy critical [power system] components, incapacitating large segments of a transmission network for months. Some of these components are vulnerable to saboteurs with explosives or just high-powered rifles.” The report also documented the potential cost of widespread outages, estimating them to be in the range of $1 to $5/kWh of disrupted service, depending on the length of outage, the types of customers affected, and a variety of other factors. In the New York City outage of 1977, for example, damage from looting and arson alone totaled about $155 million—roughly half of the total cost.
While this is not a new threat (there were incidents of grid sabotage before 9/11 in the Pacific Northwest, South Africa, Brazil, Colombia, the Middle East and the former Yugoslavia), the slow response to, and the breadth and depth of, the 16 April 2013 attack on California's Metcalf substation cast light on several areas that must, and can, be remedied.
Absolute, proactive defense of every critical element is unlikely in the near to mid term, and perhaps ever, given the lack of a cost-recovery mechanism in a highly uncertain policy environment. But we have the technology, processes and training to deploy countermeasures that detect, disrupt, neutralize or localize coordinated multipronged attacks, and that has been an achievable goal in most, if not all, of the situations addressed. From a strategic, resiliency and all-hazard viewpoint the risks have also changed: beyond terrorists and saboteurs, there are more extreme weather events, aging infrastructure and other factors (see question 3 below).
Both physical and cyber security challenges have been investigated, and at times addressed, by those with a need to know. Yet the threat spectrum changes rapidly, which calls for much more resilient and adaptive mindsets, cultures, systems and solutions. In practical terms this requires a committed, coordinated all-hazards approach: triage is needed to select effective, risk-managed and preferably proactive countermeasures that account for interdependencies with fuel supply, communication systems, transportation, personnel and markets; for primary, secondary and tertiary multi-directional impacts; and for pragmatic, cost-effective remedies and cost-recovery options.
The situation is more complex still because the inventory of critical assets runs to thousands of transformers, line reactors, series capacitors and transmission lines. Protecting ALL of these widely diverse and dispersed assets is impractical simply because there are so many of them.
(2) How much money should the government and industry spend on physical security for the electric system, as opposed to cyber-security? Has there been enough focus on physical security?
While there is no cookie-cutter answer to what share of investment should go to physical security and what share to cyber security, we can think in terms of policies, processes and methodologies that share a common vision, objectives, metrics and approaches, informed by actual data and prioritized by risk.
By way of background, the Infrastructure Security Initiative (ISI) grew out of EPRI's rapid response to the terrorist attacks of September 11, 2001. Within days, an interdisciplinary team was assembled to prepare an Electricity Infrastructure Security Assessment, which provided a preliminary analysis of potential terrorist threats to the North American electricity system together with suggested countermeasures. Building on those recommendations, ISI was created as a two-year effort focused on four major program areas, selected from about 35 programmatic recommendations on the basis of risk and feedback from a wide range of stakeholders. The work was coordinated with other EPRI programs and with ongoing efforts of the North American Electric Reliability Council (NERC, now Corporation), industry trade associations, the U.S. Department of Energy (DOE) and the Office of Homeland Security (now the Department of Homeland Security).
The four ISI program areas were given the highest priority by a vote of the participants in the organizational meeting. Each is described briefly below.
- Vulnerability Assessment. This offered a comprehensive and consistent method for determining the impact of potential terrorist attacks on power system components throughout the end-to-end electricity supply chain.
- Strategic Spare Parts Inventory. Recovery time from a terrorist attack or natural disaster can be reduced by providing spare parts of existing equipment (long lead-time items, such as HV transformers) and by developing standardized “recovery transformers” with multiple voltage taps for future deployment.
- “Red Team” Attacks. In this program, a team of experts launched mock assaults on selected utility systems (with prior approvals), probing for weaknesses in a manner similar to the FAA's Red Team efforts to break through airline security. We included multi-pronged attacks on highly interdependent systems. ISI provided a forum for sharing unattributed results and lessons learned for the benefit of all involved and of the broader set of stakeholders with a need to know.
- Secure Communications. A scoping study was performed to determine how to develop a secure, private communications network for the electric power industry, as an alternative to Internet-based systems.
Noting the high sensitivity of this work, membership in ISI was restricted to companies engaged in the generation, transmission and distribution of electricity and public agencies with an official responsibility for supporting the security of critical electricity infrastructure.
From a broader perspective, ISI tied the security work to several of our foundational and applied initiatives, including our comprehensive work on the security and resilience of complex interactive systems (see also Complex Interactive Networks/Systems Initiative: Final Summary Report). We developed and implemented smart, adaptive ‘skeptical’ systems that rapidly, and with high confidence, evaluated potential problems, eliminated those unrelated to a potential multi-pronged (physical or cyber) attack, and developed effective countermeasures.
Furthermore, we focused on emergency control and adaptive islanding of the grid, using intelligent sensors and high-speed communications to respond to system problems that would otherwise lead to major blackouts. In addition, ISI developed:
- Security enhancements for the information systems connected to the grid and its control mechanisms.
- Effective responses to potential terrorist threats to the system in the near and medium term. The resulting report was distributed to EPRI member CEOs, the White House, DOE and the Department of Defense, and as a result we were encouraged to develop a security initiative.
- End-to-end physical, cyber and market vulnerability assessments from fuel sources to distribution networks.
- Enhanced security of utilities communications infrastructure; developed and implemented resource-constrained high-speed encryption for critical nodes.
- Countermeasures to enhance security of the control systems and cyber-security.
- An extended NERC database on strategic spare parts (such as high-voltage recovery transformers), developed together with EEI and NERC.
- Two alternative advanced recovery transformers that are lighter, more modular and easier to manufacture in the United States, and that can be delivered in far less time than the one to two years previously required. For one of the two, with substantially changed design criteria and a larger footprint, the rollout took nearly a decade in partnership with the U.S. Department of Homeland Security.
More recently, on 7 March 2014, FERC issued an order on the need for physical security standards, directing NERC to file reliability standards within 90 days that do three things:
- Require owners or operators of the bulk-power system to perform a risk assessment of their systems to identify their “critical facilities.”
- Require owners or operators of the identified critical facilities to evaluate the potential threats and vulnerabilities to those identified facilities.
- Require those owners or operators of critical facilities to develop and implement a security plan designed to protect against attacks to those identified critical facilities based on the assessment of the potential threats and vulnerabilities to their physical security.
For comprehensive analyses and recommendations from the U.S. NAE, see Terrorism and the Electric Power Delivery System, which was declassified after Hurricane Sandy and published on 14 November 2012.
(3) What other issues arise from incidents like last year's Metcalf assault?
Terrorist and criminal assault scenarios are only a part of a much wider range of dangers to the grid. We face increased risk from all-hazard stressors, because of aging infrastructure, inadequate investment in the whole power system, absence of policies that are conducive to modernization and greater prevalence of climate extremes.
Since Superstorm Sandy struck New York City and the U.S. Northeast a year and a half ago, power restoration after such violent events has received a lot of attention. But it needs to be understood, first of all, that a physical assault on the scale of the October 2012 storm is bound to overwhelm the power infrastructure, at least temporarily. No amount of money or technology can guarantee uninterrupted electric service under such circumstances.
Second, the power industry in the United States is just beginning to adapt to a wider spectrum of risk. It is noteworthy that both the number and the frequency of major weather-caused outages per year have increased since the 1950s: between the 1950s and the 1980s they rose from two to five per year, and in the period 2008-2012 to between 70 and 130 per year. In that five-year period, weather-related outages accounted for 66 percent of power disruptions and affected up to 178 million customers.
Third, our ability to withstand such conditions will improve as we harden the grid and adopt practices to improve restoration performance after a physical disturbance. Investments made in advanced metering infrastructure and coming investments in distribution automation are just the beginning of a multi-decade, multi-billion-dollar effort to achieve an end-to-end, intelligent, secure, resilient and self-healing system.
Naturally, such investments to harden the grid and support resilience will vary by region and by utility, depending on factors like the extent of legacy equipment and the functions or locations of equipment within a utility’s service territory. For example, in the areas affected by Sandy, underground substations along the coasts may have to be rebuilt on the surface, while it might be more cost-effective to selectively underground some overhead lines found further inland.
Generally, pursuing an intelligent, self-healing grid with security built into devices (even using secure chips from trusted foundries for “highly critical” nodes) and deployed in a layered defense architecture (not just protecting the perimeter with fences, dogs, cameras and guns, which are often necessary but insufficient) will make power systems highly reliable in most circumstances. Adding intelligence, and using what is already installed (sensors, communications, monitors, optimal controls and computers), can substantially improve the grid's efficiency and reliability. Additionally, the smart grid will facilitate distributed generation and judicious redundancies, and will make electricity pricing more transparent to customers, allowing them to manage the cost of their electricity.
But as we enter into that promising process of reconstruction and renewal, we must also bear in mind the challenges arising from split jurisdiction over the grid. While the bulk transmission system is under Federal supervision, the distribution grid, metering and other aspects of the grid are regulated by individual states. As a result, oversight of cyber and physical security is divided, along with other regulatory functions.
Given the state of the art in electricity infrastructure security, creating a secure, resilient smart grid with self-healing capabilities is no longer a distant dream; together we have made considerable progress. But considerable challenges, including several economic and policy issues, remain to be addressed; these include:
- What overall system architecture is most conducive to maintaining security? We know the answer to this: the layered defense noted above, integrated with a three-layer architecture. [See One Man's Journey to the Self-Healing Grid and The Self-healing Grid: A Concept Two Decades in the Making]
- What threat level is the industry responsible for, and what does government need to address? For example, what should be done if teams of a dozen armed intruders appear at “critical” facilities, combined with other coordinated multi-pronged modes of attack?
- Will market-based priorities support a strategically secure power system? Who will pay for it and what are the economic incentives for such investments?
- Our society has a short attention span and shifting memory in response to energy crises because, typically, we put out the “biggest fires” of the day as they occur. Energy policy and technology development require long-term commitments as well as sustained and patient investments in technology creation and development of human capital.
Taking all those factors into account, on behalf of IEEE-USA (2013 National Energy Policy Recommendations) and ASME, I have recommended the following to the U.S. Congress and to public and private stakeholders [see the 2013 Caucus Briefing]:
- Take the necessary actions to facilitate, encourage or mandate the implementation of risk-informed secure sensing in layered defense (or “defense in depth”) architectures. This starts at the micro level of chips and extends out to both the physical and the cyber infrastructure, as well as to people, policies, procedures and cultures. Additionally, the technology must be capable of supporting fast reconfiguration and self-healing, and must be built into the infrastructure efficiently and cost-effectively.
- Mandate security for the Advanced Metering Infrastructure, guaranteeing consumer data privacy and protecting against personal profiling, real-time remote surveillance, identity theft and home invasions, activity censorship, and decisions based on inaccurate data.
- Avoid wireless and the public Internet, which increase public vulnerability.
- Bridge the jurisdictional gap between Federal/NERC and the state commissions on cyber security.
- Make electric generation, transmission, distribution and consumption safe, reliable and economical in their own right. Asset owners should be required to practice due diligence in securing their infrastructure as a cost of doing business.
- Develop hierarchical threat coordination centers, at local, regional and national levels, that proactively assess precursors and counter cyber attacks.
- Speed up the development and enforcement of cyber security standards, compliance requirements and their adoption. Facilitate and encourage security as design criteria in devices, architectures, communication, protocols and standards.
- Increase investment in the grid and in R&D areas that assure the security of the cyber infrastructure (algorithms, protocols, chip-level and application-level security).
- Develop methods, such as self-organizing micro-grids, to facilitate grid segmentation that limits the effects of cyber and physical attacks.
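The FERC order's first step in question 2 (a risk assessment that identifies "critical" facilities) and the segmentation recommendation just above (micro-grids that limit how far a physical or cyber attack propagates) are both, at bottom, contingency questions on a network model. The Python below is an added illustration and not code from this page, EPRI or any utility: the six-substation network, its injections and its links are constructed for the example, and island connectivity with a per-island generation/load balance stands in for the AC power-flow study a utility would actually run. It ranks every loss of k substations by unserved load (N-1 and N-2), computes the islanding plan after a substation is lost, and shows how a single redundant link changes which facility is "critical".

```python
"""Added example: N-k criticality ranking and adaptive islanding on a toy grid.

Not the page's or EPRI's code. The network below is constructed; connectivity
plus a generation/load balance per island is a proxy for a real power-flow study.
"""
from collections import deque
from itertools import combinations

# Constructed example: net injection in MW per substation (+ generation, - load)
NODES = {
    "gen_north": 400,
    "gen_south": 280,
    "hub_central": -50,   # transmission hub that also serves a small local load
    "city_east": -180,
    "city_west": -150,
    "industrial": -100,
}
# Constructed transmission links (undirected)
LINKS_MESHED = [
    ("gen_north", "hub_central"),
    ("gen_south", "hub_central"),
    ("hub_central", "city_east"),
    ("hub_central", "city_west"),
    ("city_west", "industrial"),
    ("gen_south", "industrial"),
    ("gen_north", "city_east"),   # redundant path that bypasses the hub
]
LINKS_RADIAL = LINKS_MESHED[:-1]  # the same grid without the redundant path


def islands(nodes, links, removed=frozenset()):
    """Connected components of the grid after the substations in `removed` are lost."""
    adj = {n: set() for n in nodes if n not in removed}
    for a, b in links:
        if a in adj and b in adj:
            adj[a].add(b)
            adj[b].add(a)
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:                      # breadth-first search over surviving links
            n = queue.popleft()
            comp.add(n)
            for m in adj[n]:
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
        comps.append(frozenset(comp))
    return comps


def islanding_plan(nodes, links, removed=frozenset()):
    """Per-island generation, load, and the load that must be shed to balance it.

    This is the adaptive-islanding decision: an island survives on its own
    generation, and sheds load only down to what that generation can carry.
    """
    plan = []
    for comp in islands(nodes, links, removed):
        gen = sum(v for n, v in nodes.items() if n in comp and v > 0)
        load = sum(-v for n, v in nodes.items() if n in comp and v < 0)
        plan.append({"members": comp, "gen": gen, "load": load, "shed": max(0, load - gen)})
    return plan


def unserved_load(nodes, links, removed):
    """MW that cannot be served once `removed` is lost: the load at the destroyed
    substations themselves plus the shedding needed in every surviving island."""
    lost_local = sum(-nodes[n] for n in removed if nodes[n] < 0)
    return lost_local + sum(i["shed"] for i in islanding_plan(nodes, links, removed))


def rank_contingencies(nodes, links, k=1):
    """Rank every loss of k substations by unserved load, worst first. This is the
    risk-assessment step that identifies which facilities are 'critical'."""
    scored = [(unserved_load(nodes, links, frozenset(c)), tuple(sorted(c)))
              for c in combinations(nodes, k)]
    return sorted(scored, key=lambda s: (-s[0], s[1]))


if __name__ == "__main__":
    for name, links in (("meshed", LINKS_MESHED), ("radial", LINKS_RADIAL)):
        print(f"N-1 ranking, {name} topology:")
        for mw, facilities in rank_contingencies(NODES, links):
            print(f"  {facilities[0]:<12} {mw:>4} MW unserved")
        plan = islanding_plan(NODES, links, {"hub_central"})
        print("  islands after hub loss:", [(sorted(i["members"]), i["shed"]) for i in plan])
    print("worst N-2 (meshed):", rank_contingencies(NODES, LINKS_MESHED, k=2)[0])
```

With the redundant link in place the hub is the least critical facility (its loss strands only its own 50 MW, and both islands balance), while without it the hub tops the list at 230 MW because city_east is cut off entirely. The N-2 ranking shows the coordinated, multi-pronged case the questions above raise: losing both generating substations together blacks out all 480 MW, which no single-site ranking reveals. In a real assessment the same loop would be driven by a power-flow model and would include line outages as well as substation losses.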
In summary, while progress is being made and we have come a long way in the last 7 to 10 years, it has been slow, and much more remains to be done to mitigate risks in effective, coordinated ways and with more clarity on cost recovery.
There remains a big ‘commons’ problem here: the investment any single firm should make in its own interest is far different from the investment that should be made for the industry as a whole. We have a fundamental national structural problem in dealing with this issue, and it has not been resolved.