Substation Attack Gains National Attention Whitepaper
A lot of attention is being paid to security initiatives designed to prevent cyberattacks on utilities. However, not as much seems to be paid to the prevention of physical attacks. Until now.
It was not widely publicized until The Wall Street Journal reported it in early February 2014, but, on April 16, 2013, there was a physical attack on PG&E’s Metcalf transmission substation in San Jose, California. Multiple gunmen using assault rifles fired between 100 and 150 rounds into the fins of the transformers, draining the oil from the fins and subsequently disabling 17 of the 20 transformers. Because the substation was protected only by chain link fence, the snipers had clear shots at the fins. There were no outages as a result of the attack, because PG&E was able to reroute power. However, the assault resulted in $15 to $16 million in damage, and the substation was disabled for almost four weeks. No arrests have been made, but the FBI is leading the investigation. In response to the attack, Jon Wellinghoff , chairman of the Federal Energy Regulatory Commission (FERC) until November 2013, and now a San Francisco energy law attorney, called it “the most significant incident of modern terrorism involving the U.S. power grid that has ever occurred.” He expressed concern that it might have been a test for a larger strike, possibly terrorism, and is calling for federal involvement to ensure greater security around electrical substations, which he describes as “barely protected with a chain link fence and cameras. And even those cameras don’t capture details outside the fence, because they are more focused inside it.” One proposal being discussed in Congress would give FERC the power to write and impose interim rules on grid defenses. But the utility industry would still be able to influence any permanent requirements. However, some utility executives have responded that it would be difficult to come up with rules to improve security that would work in urban and rural environments. “One size fits all may not get you true resiliency,” said Lisa Barton, executive vice president of transmission for American Electric Power, in an interview with The Wall Street Journal. On February 7, Sens. Dianne Feinstein (D-Calif ), Ron Wyden (D-Ore), Harry Reid (D-Nev), and Al Franken (D-Minn) sent letters to FERC and the North American Electric Reliability Corporation (NERC), asking whether stronger federal standards are needed to ensure the security of the national electric grid. “We are concerned that voluntary measures may not be sufficient to constitute a reasonable response to the risk of physical attacks on the electricity system,” said the senators in the letter. “While it appears that many utilities have a firm grasp on the problem, we simply do not know if there are substantial numbers of utilities or other that may not have taken adequate measures to protect against and minimize the harm from a physical attack.” NERC responded with, “NERC addresses physical and cybersecurity through guidelines, mandatory standards, outreach efforts and training exercises in coordination with North American stakeholders and federal agencies.” NERC added that, “(A) rule-based approach for physical security would not provide the flexibility needed to deal with the widely varying risk profiles and circumstances across the North American grid and would instead create unnecessary and inefficient regulatory burdens and compliance obligations. FERC Acting Chairman Cheryl LaFleur responded to the senators by noting that she has directed staff to work with NERC to evaluate whether mandatory standards are needed to protect against physical attacks on the electrical infrastructure. She also said that Congress should consider designating a federal agency (other than FERC) with clear and direct authority to require actions in the event of, or before, an emergency involving a physical or cyber threat to the bulk power system. LaFleur also noted that, in the meantime, non-regulatory efforts have been effective. “To date, our efforts have focused on strongly encouraging utilities to make improvements to their physical security, by explaining why and where they should be made. This approach has resulted in improvements being implemented more confidentially and more quickly than a mandatory regulation could have accomplished under our existing authority. While the PG&E incident is now garnering national attention, it is not isolated. Substation break-ins and destruction occur on a regular basis around the nation. Most of it is the result of thieves trying to steal copper for profi t. However, some of it seems to be for reasons other than theft. In October 2013, an Arkansas man was charged with multiple attacks on the rural power grids of at least two utilities, including high-voltage power lines and a substation, over a period of several months. Earlier this year, the Department of Energy (DOE) and the Department of Homeland Security (DHS), in coordination with the Federal Bureau of Investigation (FBI), FERC, NERC and other industry experts, announced plans to conduct a series of briefings across the country with electricity sector owners and operators, as well as local law enforcement, on the physical security of electricity substations. Utilities themselves are taking steps to improve substation physical security. PG&E, for example, is planning to build opaque fences around its critical transmission substations. It is also planning to staff important locations overnight. The Tennessee Valley Authority (TVA) is intensifying efforts to educate local police about the importance of substations, taking them to the locations, and pointing out how things look when conditions are stable. TVA is also sending employees door to door to ask residents who live near utility property to report any unusual activity. Dominion Virginia Power plans to invest up to $500 million over the next decade to protect transmission substations against security threats. Some of these initiatives include building anti-climb fences or barrier walls around substations, establishing dual perimeters with “no man zones” between them, and key-card access systems for substation yards.