Bracing for a big power grid attack (says USAToday!)

Bracing for a big power grid attack: ‘One is too many’

 From: usatoday.com, by: Steve Reilly, on: March 24, 2015, see the article HERE.

Large transformers

Part of the nation’s power grid is struck by a cyber or physical attack nearly once every four days. Some experts fear the rash of smaller-scale incidents may point to broader security problems with potentially devastating consequences.

About once every four days, part of the nation’s power grid — a system whose failure could leave millions in the dark — is struck by a cyber or physical attack, a USA TODAY analysis of federal energy records finds.

Although the repeated security breaches have never resulted in the type of cascading outage that swept across the Northeast in 2003, they have sharpened concerns about vulnerabilities in the electric system. A widespread outage lasting even a few days could disable devices ranging from ATMs to cellphones to traffic lights, and could threaten lives if heating, air conditioning and health care systems exhaust their backup power supplies.

Some experts and officials fear the rash of smaller-scale incidents may point to broader security problems, raising questions about what can be done to safeguard the electrical grid from an attack that could leave millions without power for days or weeks, with potentially devastating consequences.

“It’s one of those things: One is too many, so that’s why we have to pay attention,” said Federal Energy Regulatory Commission Chairman Cheryl LaFleur. “The threats continue to evolve, and we have to continue to evolve as well.”

An examination by USA TODAY in collaboration with more than 10 Gannett newspapers and TV stations across the country, and drawing on thousands of pages of government records, federal energy data and a survey of more than 50 electric utilities, finds:

• More often than once a week, the physical and computerized security mechanisms intended to protect Americans from widespread power outages are affected by attacks, with less severe cyberattacks happening even more often.

• Transformers and other critical equipment often sit in plain view, protected only by chain-link fencing and a few security cameras.

• Suspects have never been identified in connection with many of the 300-plus attacks on electrical infrastructure since 2011.

• An organization funded by the power industry writes and enforces the industry’s own guidelines for security, and decreased the number of security penalties it issued by 30% from 2013 to 2014, leading to questions about oversight.

Jon Wellinghoff, former chairman of the Federal Energy Regulatory Commission, said the power grid is currently “too susceptible to a cascading outage” because of its reliance on a small number of critical substations and other physical equipment.

Because the nation’s electrical grid operates as an interdependent network, the failure of any one element requires energy to be drawn from other areas. If multiple parts fail at the same time, there is the potential for a cascading effect that could leave millions in the darks for days, weeks or longer.

“Those critical nodes can, in fact, be attacked in one way or another,” Wellinghoff said. “You have a very vulnerable system that will continue to be vulnerable until we figure out a way to break it out into more distributed systems.”

‘A GAME CHANGER’

Some of the worst fears of those in charge of the power grid’s security came true shortly before 1 a.m. on April 16, 2013, when unknown attackers unleashed a coordinated attack on Pacific Gas & Electric’s Metcalf substation in northern California.

The attackers severed six underground fiber-optic lines before firing more than 100 rounds of ammunition at the substation’s transformers, causing more than $15 million in damage.

The intentional act of sabotage, likely involving more than one gunman, was unlike any previous attack on the nation’s grid in its scale and sophistication.

Yet officers did not begin investigating the scene until hours after the shooting took place. Security footage from the shooting is grainy. The attackers were never caught.

Power was not lost, but the nature of the Metcalf attack sent shock waves through the industry.

“Shooting at substations, unfortunately, is not uncommon,” Sue Kelly, president and CEO of the American Public Power Association, an industry group, said of the incident at a Senate hearing last year. “But this incident demonstrated a level of sophistication not previously seen in our sector.”

At a California Public Utilities Commission meeting last year to review the incident, PG&E senior director of substations Ken Wells said the Metcalf attack was “a game changer.”

“No doubt about it, …this event caused us and the entire industry to take a new and closer look at our critical facilities and what we can do to protect them,” Wells said.

Following the attack, FERC directed the industry to write new rules for physical security.

The rules, finalized in November, require utilities to identify critical infrastructure that could be vulnerable to attack and come up with security plans. But the new policy drew concern because it does not give FERC authority to independently choose which facilities are critical, leaving the decisions in the hand of industry.

Wellinghoff said while he is glad the new policy is in place, the lack of authority for FERC “could be a loophole that could miss some aspects of the utility infrastructure that are critical.”

Also as a result of the Metcalf incident, PG&E said it would invest $100 million over three years on new security around many of its critical facilities, including better security cameras, fencing and lighting.

Yet records from hundreds of other attacks in recent years show similar weaknesses still exist at thousands of electric facilities across the country, allowing repeated breaches.

‘SO BADLY BROKEN’

Between 2011 and 2014, electric utilities reported 362 physical and cyberattacks that caused outages or other power disturbances to the U.S. Department of Energy. Of those, 14 were cyberattacks and the rest were physical in nature.

Among the incidents:

• In 2011, an intruder gained access to a critical hydro-electric converter station in Vermont by smashing a lock on a door.

• In 2013, a gunman fired multiple shots at a gas turbine power plant along the Missouri-Kansas border.

• Also in 2013, four bullets fired from a highway struck a power substation outside Colorado Springs.

No suspects were apprehended in those three incidents. Federal data show such attacks are not rare within the sprawling, interdependent network of transformers, power lines and other equipment that make up the electrical grid.

Often, such incidents are shrugged off by the local police who initially investigate.

In March 2013, security officers at the Jacksonville Electric Authority in Florida noticed a man climbing a fence surrounding St. Johns River Power Park, which produces energy for 250,000 northern Florida households.

The man fled when approached, Jacksonville Electric Authority spokeswoman Gerri Boyce said, and was later observed trying to enter a second facility. He fled again and was never caught.

Nobody filed a police report, according to Jacksonville Sheriff’s Office documents.

SMALL COMMUNITIES AT RISK TOO

Federal records show it is not just large communities that are at risk of attack. Even small, rural utility companies have been subject to foul play.

After a 2011 cyberattack struck the Pedernales Electric Cooperative — a non-profit utility that serves about 200,000 customers across a vast agrarian region of Texas — the utility’s CEO, R.B. Sloan, shared his surprise with the utility’s board of directors.

“You would think if they really wanted to have an impact, they would go for something (else),” he said in a public meeting. Sloan said at the time that the utility filed reports with the Department of Energy and FBI, but he was concerned about the way they handled it.

“It’s obvious to us that some of the regulatory bodies are not well-equipped to accept these and follow up,” he said during the 2011 meeting. “I think this event has made that very apparent.”

Now an executive for a Georgia utility software company, Sloan declined to discuss the attack.

While the Department of Energy received only 14 reports of cyberattacks from utilities over the past four years, other reporting systems show rising cyberthreats.

The branch of the Department of Homeland Security that monitors cyberthreats received reports of 151 “cyber incidents” related to the energy industry in 2013 — up from 111 in 2012 and 31 in 2011. It is uncertain whether the increase is due to more incidents or an increase in reporting.

Scott Aaronson, senior director of national security for the Edison Electric Institute, a Washington, D.C., group representing electric utilities, said it’s difficult to draw trends from figures reported by utilities because of loose definitions of what constitutes a cyber incident.

“Whether it’s 13, dozens, thousands — it’s been more art than science to identify what an attack is,” he said. “There are probes that happen all the time. Adversaries are essentially looking for weaknesses in a network. I’ve heard people say millions (of attacks occur) a day.”

Aaronson noted that there has never been a successful attempt to cause a power outage through a cyberattack in the United States.

Nevertheless, the interconnected nature of the grid and its reliance on communications protocols that predate modern cybersecurity problems are considered cause for concern by security experts. A simulated cyberattack conducted by the U.S. Department of Energy’s Idaho National Laboratory in 2007 exploited a vulnerability at the facility by altering the timing of a diesel generator’s circuit breakers, causing thick smoke to rise from the plant.

To prevent such attacks, some critical elements of the electricity industry’s infrastructure are completely disconnected from the Internet to keep them insulated from adversaries. The power industry also employs stronger cyberdefense mechanisms than, for instance, the retail industry, which has suffered a string of high-profile cyber intrusions in recent years.

For some industry watchers, physical threats to the grid loom larger. But to experts and officials, each reported attack is worrisome.

Former energy security regulator Josh Axelrod, speaking at a 2013 security conference in Louisville, described a “seven bullets theory” of how a mass outage could be triggered by a physical attack targeting key pieces of equipment.

The Eastern power grid is highly interconnected and relies on rolling power between different utilities, he said, according to a video of the presentation.

“If you know where to disable certain transformers, you can cause enough frequency and voltage fluctuation in order to disable the grid and cause cascading outages,” said Axelrod, who now heads the power and utilities information security practice at Ernst & Young. “You can pick up a hunting rifle at your local sporting goods store … and go do what you need to do.”

Thomas Popik, president of the Foundation for Resilient Societies, a Nashua, N.H.-based advocacy group, argued the power industry is given too much leeway to control its own security rules.

“The system is so badly broken,” Popik said. “For physical protection, the standards are very weak.”

PENALTIES DECREASING

Under guidelines set by the Energy Policy Act of 2005, an industry-funded non-profit – the North American Electrical Reliability Corporation, or NERC — writes standards for the industry, which are then approved or disapproved by FERC, the federal agency that has jurisdiction over the power grid.

In a 2012 report, the non-partisan Congressional Research Service called the regulatory arrangement unusual and said it “may potentially be a conflict of interest” for an industry to write its own rules.

Federal regulators also look to NERC for enforcement of those rules, which has decreased in recent years.

The number of enforcement actions taken by NERC against utilities for failing to follow critical infrastructure protection guidelines decreased 30% from 1,230 in 2013 to 860 in 2014.

After issuing more than $5 million in penalties for critical infrastructure violations in 2013, the organization’s figures show NERC issued less than $4 million in such penalties last year.

NERC president and CEO Gerry Cauley said decreasing fines point to increased compliance, rather than decreasing enforcement.

“Longer term, you expect people to get the message and make the adjustments to keep improving,” he said. “It’s not because we’re being nicer.”

NERC, along with industry funded groups like the Edison Electric Institute, have also fought legislation including the Grid Reliability and Infrastructure Defense Act, or GRID Act, that would eliminate the industry’s self-regulation. Congressional lobbying disclosure records show industry-funded groups spent millions lobbying about the GRID Act since 2010.

Cauley said the industry’s technical expertise is essential to ensuring reliability of the system, and legislation lessening the industry’s oversight role would be “detrimental.”

“The people who run and manage and design the system have to be at the table there to figure out how it should work,” he said. “We wouldn’t want to lose that. I think we would actually take a step backward if we did that.”

~~~~~~~~~~

As many of our readers know, I’ve been writing about our power grid for some time. Although the article concentrates on direct attacks on the grid itself, it doesn’t mention two other sources of grid damage: solar flares (Coronal Mass Ejection or CME’s), and an intentional high altitude nuclear blast by a rogue nation (like North Korea, Iran, or Russia).

What are the chances of serious damage to the grid – regardless of the source? Honestly, I don’t know and neither does anyone else, but there are sound, logical reasons that we should be paying more attention to the grid, not the least of which is the opportunity for catastrophic impact on our way of life. We aren’t talking about losing power for a few hours, or even a few days. We are in a precarious situation where if major damage causes a cascading shutdown and large transformers are damaged, we could be without power for weeks, months, even years.

Perhaps the devastating results of a grid failure have finally awakened some of the hardcore deniers. That’s the reason for posting a story taken from USAToday that illustrates that more people are beginning to realize that aging and vulnerable electrical transformers are the Achilles heel of the U.S. power grid. The transformers, the largest of which can cost $1 million to $8 million, are key to moving electricity from power-generating plants to consumers across the country, but could be rendered useless by relatively low-tech attacks. But, it gets even worse – because of the cost of the transformers, the utility companies carry very few spares. And worse yet; even where a “spare” might be located, most utility company’s transformers are custom built to their specifications so they’re not all alike. So company A’s spare unit may not work in company B’s environment. And that problem is aggravated by the fact that few of the large transformers are still manufactured in the United States and the lead time for ordering these big transformers can be a year or more.

So, what happens when the grid goes down? Without electricity, the cell towers and internet shut down. Without electronic communication (or electricity), grocery stores and drugstores won’t get restocked and food and medicine will be gone in a few days (or less). Gasoline pumps won’t work, water can’t be pumped to your home and there are no lights, no heat or air conditioning – in other words, it’s going to be at best, extremely inconvenient and at worst, can easily be life threatening. It’s (past) time to take our power grid seriously.

Garnet92

 

 

 

Tagged , . Bookmark the permalink.

20 Responses to Bracing for a big power grid attack (says USAToday!)

  1. Hardnox says:

    I like that you post these articles. The warnings have been going on for years yet no facilities and infrastructures have been protected except the big G’s.

    I can imagine what things will be like when the EBT cards don’t work.

    • I.R. Wayright says:

      It will be like the shooting gallery at the boardwalk, only with live targets.

    • Garnet92 says:

      Guys, as a “mini-prepper” I’ve often wondered how long it would take for things to go really wrong – to the point of having to defend our homesteads.

      The real key is the size of the geographical area affected. If the area is relatively small, help can come from untouched surrounding cities. If the power is out for a few states (as in the Northeast), other surrounding states can lend a hand. It may take a few days, but water and food can be trucked in. But, as the size of the area grows, the ability to help gets spread thin.

      Most people can survive a few days of being without power, although some who depend on equipment (dialysis, oxygen concentrators, etc.) may not make even a few days. I suspect that we’ll see a rise in deaths in just a few days.

      A week will see many food and medicine items that will become unusable due to lack of refrigeration. Grocers don’t keep much backup stock anymore because they depend on “just in time” delivery to restock, and without deliveries, grocery shelves will be empty in a few days.

      Couple that with EBT cards not working and we’ll likely see rampant looting and thugs attacking people who “have stuff.” I’m guessing that within 2-3 weeks (maybe sooner), those of us who might have enough supplies to last it out will be forced to defend our homes against those who would take it all.

      It’s not a pretty picture.

      • Kathy says:

        Garnet, you’re thinking the same thing I am. Few people would last more than several days, and if the power is off for any length of time, well then, there’s no such thing as too much ammo.

      • Hardnox says:

        Garnet, the picture you painted certainly isn’t pretty at all. PLUS, the cops will be home protecting their families and their stuff. The military isn’t large enough to protect squat except big G’s command and control centers. Ditto with the National Guard and reserve units. They’ll all be home protecting their own.

        I know we’ve discussed this before but the proposed cost per household to protect the grid was a mere $20. It’s crazy why they haven’t done it. Instead they focused on big brother smart meters. WTF!

    • Uriel says:

      Yep Old folks barely get helped while young healthy people get much more. It would be chaos.

  2. Uriel says:

    Wow Garnet. I had No idea of the magnitude already experienced. Total weak spot for us geez you would think the powers that be would be clamping down hard on this. But then maybe that is some fools plan — go dark to take over.

    • Garnet92 says:

      I know that we’d like to think that our national government is looking out for us, but in this case, they’re betting our well-being that nothing happens. I haven’t compared the actual dollars, but I’ll bet that we could make significant progress in safeguarding the grid by using the funds now devoted to supporting the millions of illegals that Obama has encouraged into the U.S. and applying those funds to protecting the electrical grid – for everyone.

      • Uriel says:

        Amen to that. Garnet. Christ said get yourself in order before helping others. In this case the billions spent on illegals and others could and should be channeled first to our own in country problems. Helping others can only come if we are secure first in ourselves.

  3. asdf says:

    it is only a matter of time until obama is successful at bringing down the grid.

    when it happens, he will implement the next part of his plan:
    martial law
    suspension of the constitution
    permanent presidency for himself

    • Garnet92 says:

      I wish I could disagree asdf, but I wouldn’t put it past him. Only point of difference though is that he wouldn’t seize the presidency “permanently,” he’d say that it would only be “temporarily,” until stability could be established (but especially with him defining “stability,” that could take years).

  4. CW says:

    The crisis in California resulting from their failure to adequately prepare for the terrible drought that they always knew could happen should be a lesson to the rest of the country about the failure to prepare for a catastrophic event with our electrical infrastructure.

    Thanks so much for alerting people such as myself to this looming crisis, Garnet. You’ve done a stellar job on it.

    • I.R. Wayright says:

      The drought in California is going to affect all of us. It will deepen the recession/depression, cause food prices to rise (or shortages), and probably make sizable numbers of folks to flee the state for greener pastures. They will spread their liberal ideas to other states like they have been doing to places like Colorado.

      • CW says:

        Right you are, I.R. They’re just like locusts moving on to their next crop.

      • Garnet92 says:

        True dat, I.R. Dingbat Brown is the last person that would ever take steps to ward off an impending disaster. They’ve known about their problems with their water supply and rather than invest in the future, they’ve preferred to set aside money to build a high speed train boondoggle which (hopefully) will go no where. And they’ll continue to stand by and watch a beautiful state dry up and die.

    • Garnet92 says:

      Thanks CW. You know that politicians aren’t going to spend taxpayer funds to ward off some possible catastrophe when they can direct it to their campaign contributors and cronies – in their minds, getting a much better return on investment.

  5. Kathy says:

    You have to wonder what DHS’ marching orders are. Were they actually focused on the security of the nation, they’d be strengthening our power grids instead of buying up ammo and weapons, and groping old ladies in airports.

    • CW says:

      …and helping to give the country away to the illegals.

    • Garnet92 says:

      So true Kathy. It’ll probably take George Soros creating a transformer manufacturing plant to get DHS to consider acquiring spare Acme Transformers and other necessary parts and placing them in appropriate places around the country in preparation for damage to the grid. When “George speaks, Obama listens.”