Electric Disturbance Events: What is the public allowed to know?

Electric Disturbance Events are reported to the Department of Energy, but huge gaps exist in the publicly available information

Utility companies and grid operators are required to submit reports on electric disturbance events to the Department of Energy (DOE). The publicly available information from these reports is incomplete and confusing when compared to reports submitted by the North American Electric Reliability Corporation (NERC). These discrepancies must be fixed.

First, a brief primer on the “Form OE-417” and electric disturbance reporting.

In 1974, Congress passed the Federal Energy Administration Act which created a new government agency to oversee energy in response to the oil embargo of 1973. A few years later, the Federal Energy Administration became the Department of Energy (DOE). One of the many things that DOE does is collect information on “electric disturbance events.” DOE collects this information on what is known as a Form OE-417 (“Electric Emergency Incident and Disturbance Report”). Only a small amount of this information is available to the public and is difficult to find and even more difficult to read and analyze.

What does this information look like? The publicly available information on electric disturbance events is in the form of a spreadsheet which is neither user friendly nor frequently updated. As of August 4, 2019 data was only available through the end of May.

Here is an example of what it looks like to us. On May 27, 2019 tornadoes and thunderstorms hit the Dayton Ohio area causing destruction and over 68,000 customers lost power. Here is what the publicly available OE-417 entry looks like:

DOE keeps archives of these spreadsheets on their website back to 2000. The form has changed a bit over the years and has changed names from the EIA-417 to the present OE-417.

Here’s another example. Remember the Great Northeast Blackout of 2003? It was a cascading failure that began with untrimmed foliage in Ohio, add in some computer error, a touch of human error and the result is 55 million people without power – 45 million in the U.S. and 10 million in Canada. Here is what the OE-417 entries look like:

In this case. there were multiple reporting entities involved and so there are multiple reports. It is interesting that the “Number of Customers Affected” in these reports comes nowhere near the 55 million that ultimately were without power during this extraordinary blackout.

Very few people have ever heard of the OE-417 or this reporting requirement. We have a false sense of security about the reliability of the electric grid. We also have a false sense of security that our government is on top of the threats to the electric grid.

Part of what puts us in danger is the general public’s lack of knowledge of the threats and our government’s lack of public information – and in fact their coverup of critical information that the public needs. If the public really knew what was going on, there would be an outcry to fix the broken regulatory scheme that endangers the electric grid and all of our lives.

But I digress. Let’s get back to the exciting world of the OE-417 and how electric disturbance events are reported.

What electric disturbance events must be reported?

Depending on the type of event (or “alert criteria”), there are three different time requirements for reporting:

1. An “Emergency Alert” must be reported within 1 hour
2. A “Normal Report” must be filed within 6 hours
3. A “System Report” must be filed within one business day.

In addition, updates are required if there are significant changes to the initial report and a final report must be filed within 72 hours. There are 24 alert criteria listed on the Form OE-417 and the instructions. (8 for an “Emergency Alert”; 4 for a “Normal Report” and  12 for a “System Report.”)

For example, here is how cyber attacks would be reported:

• A “cyber event that causes interruptions of electrical system operations” would have to be reported within 1 hour.
• A “cyber event that could potentially impact electric power system adequacy or reliability” would have to be reported in 6 hours.

For physical attacks:

• A “physical attack that causes major interruptions or impacts to critical infrastructure facilities or to operations” would have to be reported in 1 hour.
• A “physical attack that could potentially impact electric power system adequacy or reliability; or vandalism which targets components of any security systems” would have to be reported in 6 hours.
• A physical attack resulting in “damage or destruction of its Facility that results from actual or suspected intentional human action” would have to be reported within 1 business day.

What do the OE-417’s tell us about threats to the grid?

I did an analysis of all the publicly available OE-417 data from 2010 through May of 2019. (I started in 2010 because that is when the NERC CIP Coverup began.) First of all, there were 166 different “event types” reported many of which were either duplicates or related. For example, there were at least 24 different “event types” that denoted a physical attack. There were at least 50 “event types” that denoted a disturbance caused by weather. I grouped these 166 “event types” into 15 categories (actually “causes”) so that we could get a sense of what has actually threatened the electric grid in the past 8 1/2 years.

There have been a total of 1766 electric disturbance events filed during the period of January 1, 2010 through May 31, 2019.

Unfortunately, the public OE-417 data is so bad that there were 251 electric disturbance events where I was unable to identify a cause (14% of the reports). These are highlighted in yellow in the chart. Also, there were 68 generation, transmission and distribution interruptions I was not able to distill down further into what caused the “interruptions.” Therefore, there were a total of 319 electric disturbance events (18%) where I couldn’t identify the cause. I was able to identify a cause in 1447 electric disturbance events, or 82% of the OE-417 reports filed. (I used this 1447 known population for the study below.) 

The results are disturbing to say the least.

Weather: As you might suspect, weather was the cause of the majority of the disturbances, 749 events, or 52%. If you believe that weather is getting worse in recent years, then this number should concern you greatly.

Physical Attacks: Shockingly, there were 578 physical attacks on the grid, or 40% of the incidents. As I have reported, the “physical security standards” for our electric grid are a sham and enforcement is almost non-existent. (Read: “Physical Security: The Electric Grid’s Dirty Little Secret.”)

Fuel Supply Deficiency: If you live in New England, pay attention. There were 61 events, or 4% of the events. related to fuel supply deficiency. With the retirement of coal and nuclear plants, this is only going to get worse. Remember: We all love solar and wind but it is not reliable (i.e., the sun doesn’t shine and the wind doesn’t blow 24 hours a day).  You can run coal and nuclear 24/7. Just sayin’. Gas fired plants are great, but they require a pipeline. If the pipeline is attacked or explodes, oh well. Maybe Americans will decide to reduce their electricity usage? (Naw, didn’t think so.) Fuel security and supply are issues we need to deal with.

Cyber Attacks: I was also surprised to learn that there have been 29 cyber attacks reported during this period (2% of the reports). What is most disturbing is that during the same period, the North American Electric Reliability Corporation (NERC) annual reliability reports seem to paint a completely different picture.

OE-417 vs. NERC Reliability Reports

Here is what NERC reported in their annual reports during this same period (note that the report each year is on the previous year, e.g., the 2019 report is for the events of the year 2018):

• 2019 Report (page ix): “In 2018, there were no reported cyber or physical security incidents that resulted in an unauthorized control action or loss of load.”
• 2018 Report (page viii): “In 2017, there were no reported cyber or physical security incidents that resulted in a loss of load.”
• 2017 Report (page 3): “In 2016, there were no reported cyber or physical security incidents that resulted in a loss of load.” (Odd, since the Buckskin Utah transformer attack took place in 2016.)
• 2016 Report (page v): “In 2015, there were no reported cybersecurity incidents that resulted in loss of load. There was one physical security incident that resulted in a loss of approximately 20 MW of load.”
• 2015 Report (page 7): “[N]o Reportable Cyber Security Incidents or physical security reportable events resulted in loss of load on the BPS in 2014.” (Odd, since the Nogales Station in Arizona was attacked by an IED in 2014.)
• 2014 Report: No mention of cyber or physical attacks. (Odd, since the Metcalf Transformer attack took place in 2013.)
• 2013 Report: No mention of cyber or physical attacks.
• 2012 Report: No mention of cyber or physical attacks.
• 2011 Report: No mention of cyber or physical attacks.

There is clearly a huge disconnect between what the industry defines as a cybersecurity or physical security incident and what is reported on the OE-417s. Below are the OE-417 entries for the Metcalf attack (2013), the Nogales attack (2014) and the Buckskin attack (2016).

While this minimal information was reported on the OE-417, NERC did not find any of it noteworthy enough for their annual reports. These three events were significant physical attacks against the grid. (Read more HERE.)

And on cyberattacks, here’s what the United States Government Accountability Office (GAO) had to say in Congressional testimony on October 21, 2015:

“Cyber incidents continue to affect the electric industry. For example, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team noted that the number of reported cyber incidents affecting control systems of companies in the electricity subsector increased from 3 in 2009 to 25 in 2011. The response team reported that the energy sector, which includes the electricity subsector, led all others in fiscal year 2014 with 79 reported incidents. Reported incidents affecting the electricity subsector have had a variety of impacts, including hacks into smart meters to steal power, failure in control systems devices requiring power plants to be shut down, and malicious software disabling safety monitoring systems.”

But NERC reported no cybersecurity incidents in their annual reliability reports for the same periods! Are you kidding me? In what possible world is this level of misinformation acceptable?

Does it bother anybody else that NERC has completely ignored these events, while the OE-417 – a form you may never have heard of before reading this article – contains such scant information?

Does it bother anybody else that there were 578 physical attacks against the grid reported on the OE-417’s between 2010 and the present, yet according the NERC there was only one during the same period?

Does it bother anybody else that there were 29 cyberattacks against the grid reported on the OE-417’s between 2010 and the present, yet according the NERC there were none during the same period?

Does it bother anybody else that DHS has a completely different number of cyber incidents than DOE, who has a completely different number than NERC?

It is clear to me that the public and Congress are not getting enough information on threats to the grid and what is reported on the OE-417s and what NERC wants us to believe are not the same.

Does the public – and Congress – have a right to know? Do we have a right to better information?

Conclusion

The American people and Congress are not getting enough information to see 1) what is going on and 2) whether the regulatory regime is effective. First. NERC is withholding the names of CIP violators (so we do not know if there are egregious or repeat violators and can’t hold anybody accountable). Second, we see the flawed OE-417 information where we can’t even see what the cause of 18% of the reported disturbances. Finally, we see that there is an unexplained disparity between the OE-417 reports and the NERC annual reliability reports. These deficiencies must be corrected.

I have the following recommendations for the Department of Energy (DOE):

1. Each OE-417 needs to list a root cause for each disturbance reported.
2. The “Number of Customers Affected” block on the OE-417 does not always seem accurate.
3. The OE-417s and the NERC Reliability Reports do not seem to tell then same story. Since DOE owns the OE-417, can we force NERC to address the OE-417 data in their annual reliability reports?

I have the following recommendations for the Federal Energy Regulatory Commission (FERC):

1. The OE-417s and the NERC Reliability Reports do not seem to tell the same story. Since you are NERC’s regulator, can you force NERC to address the OE-417 data in their annual reliability reports?
2. We need transparency and disclosure of the names of CIP violators in order to give incentive to the industry to fix the longstanding physical and cybersecurity weaknesses which plague our electric grid.

I have the following recommendations for the North American Electric Reliability Corporation (NERC):

1. You are not the industry’s champion – you are their regulator. Buy a back hat and regulate.
2. You must start disclosing the names of the CIP violators once the violations are mitigated. This will provide the industry with incentive to try harder on cyber and physical security. They are not trying hard enough.
3. You must discuss and analyze the OE-417 data in your annual reliability reports.

I have the following recommendation to Congress:

1. The public and Congress needs reliable and accurate data on the threats to the electric grid. We are not getting it and this must be fixed.
2. We must not allow the industry to protect CIP violators – we need to hold the industry accountable for physical security and cybersecurity.

###

UPDATE: I have created an OE-417 Electric Disturbance Events Database. Click HERE!