Looming vulnerabilities and government inaction require a “bottom up” approach to grid security

Editor’s Note: This piece was originally published by the Center for Security Policy.

According to information from the Electricity Information Sharing and Analysis Center (E-ISAC), physical attacks on the U.S. electric grid rose 71% in 2022. Despite 97% of these attacks resulting in “no disruption of service,” the fact that attacks on the grid are on the rise is cause for concern. From 2020-2022, E-ISAC noted 4,493 attacks on energy infrastructure, according to data first leaked to The Wall Street Journal.

One of the most significant attacks occurred last December when over 40,000 residents in Moore County, North Carolina lost power after two Duke Energy substations suffered a “coordinated” physical attack involving rifle fire, damaging hard to replace high voltage transformers. At the time of this writing, there have still been no arrests made relating to the attack.

According to Manny Cancel of the North American Electric Reliability Corporation (NERC), the past year has seen an increase in grid attacks involving firearms and explosives. An advantage of using these types of weapons is that the perpetrators do not have to be as precise in their attack. Cancel went on to say that the most common targets recently have been smaller substations, largely due to their lack of security, something the Secure the Grid Coalition (STG) has been arguing to enhance for years. As CSP President Tommy Waller notes, “when it comes to protecting America’s electric grid, the U.S. government has been MIA for decades.”

On September 20, 2023, STG formally submitted to the Federal Energy Regulatory Commission (FERC) a filing urging them to take immediate action by strengthening the physical security standards for the nation’s bulk electric system.

The filing included a letter from Former House Speaker Newt Gingrich to FERC’s Chairman, Commissioner Willie Phillips, urging the government to re-examine and upgrade the physical security standard.

Many of these “smaller substations” in the U.S. are protected by nothing more than chain-link fencing, and don’t have any security cameras monitoring the stations. For pieces of infrastructure as critical as this, adding something as simple as barbed-wire to the fences may be enough to deter would-be criminals. Tom Popik, Chairman & President of Foundation for Resilient Societies, explains that “some physical protections, such as jersey barriers to prevent vehicle-borne attacks, can be installed quickly and easily. For these cheap fixes, no modified reliability standard is necessary for utilities to move forward on their own—especially given the current threat environment.”

Popik’s recommendations are not only simple and cheap, but they could help prevent a potentially prolonged and devastating blackout. According to a study conducted by the Federal Energy Regulatory Commission, an attack on just nine critical electrical substations could cause enough damage to wipe out electricity for the entire continental United States. Although an attack like this is unlikely due to the scale of planning and execution that would be required, the federal government acknowledging that a vulnerability such as this exists should shock American citizens.

“The Secure the Grid Coalition has been blowing the whistle on the inadequate physical security of the electric grid for years,” said Michael Mabee, who was featured on 6o Minutes last year on subject. “The utility industry and its regulators have failed to protect the American people. The government must step up and mandate grid security. It can no longer be optional.”

Further, the Department of Energy has revealed a staggering 19-fold increase in vandalism and sabotage to the Texas power grid since 2017. In the first 6 months of 2023 alone, there have been 19 reported events in Texas. According to the Electric Reliability Council of Texas’ (ERCOT) Reliability Report, vandalism and sabotage accounted for 35% of all grid events between 2018-2022.

Due to the increased threat of physical attacks on electrical infrastructure, the Department of Energy has pledged $38 million to “modernize the electricity grid.” However, only part of this sum is going towards infrastructure and cybersecurity protections. Because of the federal government’s general lack of support to the grid over the years, local governments have had to take matters into their own hands.

Inspired primarily from the attack in Moore County, legislators in North Carolina, South Carolina and Arizona have introduced legislation requiring enhanced 24-hour security at substations, or higher penalties for causing damage to them. North Carolina Republican state Rep. Ben Moss explained, “when the power goes out, you don’t have heat, don’t have food, can’t get fuel or some medications, the people are unsafe.” Moss called his bill requiring 24-hour surveillance “a conversation opener”among “lawmakers, utilities and security experts” to help the initial process of taming the increase of physical attacks on the grid.

Despite NERC’s Manny Cancel claiming it is “impossible” to protect all 55,000 substations throughout the United States, something needs to be done, because it truly will be impossible to recover from a nation-wide blackout that impacts the lives of millions. Given the federal government’s track record, that action must be “from the bottom up” with counties and states filling the gap.