Recent Entergy Arkansas attacks further thrust cyber, physical security of grid into spotlight

by Corina Rivera-Linares and Carl Dombek, TransmissionHub

Cybersecurity continues to be an area of concern within the United States energy industry, and the issue gets further thrust into the spotlight when incidents such as the recent physical attacks on Entergy Arkansas facilities, which included the ominous statement, “You should have expected U.S.,” take place.

More recently, Cheryl LaFleur, acting FERC chairwoman, told a congressional panel on Dec. 5 that she is reluctant to publicly reveal many specifics about an April attack on a transmission substation in California for fear that it might yield “copycat” attacks.

LaFleur would be willing, however, to have FERC provide a private briefing for lawmakers. She was responding to questions from Rep. Henry Waxman (D-Calif.) during a hearing before the House Energy & Commerce Committee’s Subcommittee on Energy and Power.

Waxman had pointed to the April attack on a Pacific Gas and Electric (PG&E) substation as evidence of the growing threat to the grid from cyber and physical attacks.

“The FBI and others are investigating this attack,” which involved “military-style” weapons and affected the power flow in California, Waxman said.

LaFleur said she shares the FBI’s concern about disclosure.

“There is a potential about copycat attacks if too much is disclosed,” she said.

Utilities including Entergy, Pepco Holdings and Southern Company remain committed to physical and cybersecurity initiatives to keep the grid safe and reliable, officials told TransmissionHub.

Initiatives across the country are working on such issues, including efforts by the National Institute of Standards and Technology, said Kelly Ziegler, senior specialist of environment, health and safety with Consolidated Edison Company of New York, during TransmissionHub’s TransForum East. Attackers will always be one step ahead, she said.

“There will always be vulnerabilities that we haven’t been able to mitigate because we didn’t know they were there,” she said.

After the Entergy Arkansas attacks, S.Y. Lee, Department of Homeland Security (DHS) spokesperson, told TransmissionHub that protecting critical infrastructure against growing and evolving cyberthreats requires a layered approach.

“(DHS) actively collaborates with public and private sector partners every day, which includes the Department of Energy and owners and operators of critical infrastructure in the energy sector, to help secure the key systems upon which Americans rely,” Lee said.

Rohyt Belani, CEO of the anti-phishing training firm PhishMe, told TransmissionHub that one mechanism threat actors use is to research one or two employees at an energy company on social media, understand what their roles entail, then use that information to attempt to gain access to the utility’s systems using an approach known as “spear-phishing.”

“They craft very targeted phishing emails to try and trick these people (SCADA system operators) into clicking a link in an email or opening a file that’s attached to it,” Belani said. “Sometimes it’s (as) simple as giving up a username and password on a form that looks very real; it looks like the company’s Outlook Web access or VPN page.”

Belani said their goal is to try to gain a foothold on the employee’s work station, and once that is accomplished, they can probe the internal network, through which it is often easier to reach the utilities’ SCADA systems.

“A lot of people get rattled when they talk about SCADA systems and hackers’ getting close to them,” Belani said. “SCADA systems are like retrofitting security into old technology. The fortunate part is that a lot of them are not accessible directly via the Internet, (so) hackers have to find a way into the internal networks of energy companies before they can make their way to these SCADA systems.”

Spear-phishing, Belani said, is a trend about which companies need to educate their nontechnical personnel.

“When we think of large organizations with tens of thousands of nontechnology employees, the challenge is: How do you continually refresh their knowledge on email and that it’s an attack vector, and you are a target?” Belani said. “These are lessons they really don’t know.”

Entergy Arkansas incidents result in arrest of Jacksonville, Ark., man

The Department of Justice U.S. Attorney Eastern District of Arkansas said on Oct. 12 that Jason Woodring, 37, of Jacksonville, Ark., was arrested on a criminal complaint charging him with destruction of an energy facility.

The affidavit filed with the complaint alleges that Woodring is responsible for multiple acts of sabotage to the power grid in central Arkansas.

On Oct. 11, Lonoke County Sheriff’s Office deputies received multiple calls regarding an explosion on John Shelton Road in Jacksonville, the FBI added, noting that deputies and Entergy employees determined the explosion occurred under power lines near Woodring’s residence.

Agents from the FBI and Joint Terrorism Task Force called to the scene observed a type of blue hose similar to evidence found at another power grid sabotage scene, the FBI said.

“The power grid attacks had the potential to put many lives at risk,” said Christopher Thyer, U.S. Attorney for the Eastern District of Arkansas, in the statement. “When we depend on electrical power not only for comfort and convenience, but also for safety, security and life-sustaining equipment, not knowing where the next attack would occur held the public hostage to an unknown attacker.”

On Oct. 15, an Entergy spokesperson told TransmissionHub that while the company cannot share details on additional security measures, it has taken appropriate steps to enhance the security at some of its facilities.

As to the incidents themselves, in August, Randall Coleman, special agent in charge of the FBI for Arkansas, announced that the FBI is seeking information related to the Aug. 21 incident in which Entergy Arkansas officials reported a downed high-voltage transmission line on Arkansas Highway 321 east of Cabot, where the highway crosses a Union Pacific railroad track.

Inspection of the line indicated it was intentionally cut, and it is believed that the person or persons responsible climbed the 100-foot tower, severed the line with a saw or similar object, and removed several bolts at the base of the tower. While no injuries resulted from the incident, the FBI added, the act created a potential danger to the community.

In an Aug. 22 statement, the FBI said it is offering a reward of up to $20,000 for information leading to the arrest of those responsible for the incident.

In October, the FBI announced a reward of up to $25,000 for information leading to the arrest of those responsible for other incidents, including one on Sept. 29 in which Entergy Arkansas officials reported a fire at the company’s Keo substation on Arkansas Highway 165 between Scott and England in Lonoke County.

There were no injuries and no reported power outages, the FBI said, adding that the fire, which the investigation determined was intentionally set, consumed the control house at the substation.

The person or persons responsible for that incident inscribed a message on a metal control panel outside the substation that read, “You should have expected U.S.,” the FBI said.

On Oct. 6, the FBI said in the statement, First Electric Cooperative officials reported that two of the cooperative’s power poles near the 1400 block of Robin Road behind the McBride subdivision in Lonoke County were intentionally cut, resulting in a power outage that affected some 9,000 customers in the Cabot area.

The FBI, ATF, Lonoke County Sheriff’s Office and Cabot Police Department, in coordination with Entergy Arkansas and First Electric Cooperative, are investigating those incidents, including the possibility that they are related to each other and to the intentionally downed high-voltage transmission line in Cabot on Aug. 21, the FBI said.

Electric power industry takes these threats very seriously

Maintaining the reliability and security of the computers, control systems and other cyberassets that help utilities operate the electric grid is a top priority for Southern and within the industry’s overall reliability effort, said Jeannice Hall, media relations for Southern.

“Cybersecurity is an ongoing effort because the threat continues to evolve,” Hall said. “We continually adapt our defenses to changing threats and leverage actionable intelligence from state and federal agencies to understand the threats facing our company, our industry and the private sector at large.”

Southern is constantly working to strengthen and improve the operation and security of its multiple layers of defenses and to identify and address vulnerabilities, she said.

“We work closely with NERC, DHS and other federal agencies to ensure we meet the cybersecurity standards set for the nation’s electrical grid,” Hall said.

According to its website, Southern has 4.4 million customers and nearly 46,000 MW of generating capacity.

Another company with ongoing cybersecurity initiatives is Pepco. Courtney Nogas, regional communications director for Pepco, told TransmissionHub the company invests extensive time and resources to secure its critical assets, provide the greatest level of assurance and reliability and comply with NERC cyber and physical security standards.

“Pepco takes appropriate, multilayered, defense in depth steps to address cyberthreats,” she said.

Cybersecurity is a national issue as cyberthreats continue to grow and become more sophisticated, Nogas said.

“The electric power industry takes these threats very seriously,” she said. “Protecting our nation’s electric grid and ensuring a reliable supply of power is the electric power industry’s top priority. The electric industry has a strong record of working together and with government partners to identify, assess and respond to cyberthreats.”

According to its website, Pepco serves some 2 million customers in Delaware, the District of Columbia, Maryland and New Jersey.

PPL also lists physical security and cybersecurity as ongoing priorities for all its companies, whose service territories are in Pennsylvania, Kentucky, Montana and the United Kingdom, according to Joe Nixon with PPL corporate communications.

NERC administers FERC-approved cybersecurity standards, which PPL is required to adhere to, Nixon said. “We utilize security best practices and collaborate with industry peers and government agencies.”

PPL cannot go into specifics on physical security or cybersecurity improvements at any of its facilities, but it complies with applicable standards in each area.

“Both physical and cyber security are integral to protecting not only the reliability of the grid, but everything from power plants to power distribution, customer and employee information, financial files and more,” Nixon said.

According to the company’s website, PPL controls or owns some 19,000 MW of generating capacity in the U.S., sells energy in key U.S. markets and delivers electricity and natural gas to some 10 million customers in the U.S. and the United Kingdom.

National Grid USA, which, according to its website, delivers electricity to some 3.3 million customers in Massachusetts, New York and Rhode Island and serves some 3.4 million natural gas customers in those states, also has efforts underway on cybersecurity and physical security.

“While we don’t discuss details of the preparation work we make for things like this, I can tell you (that) our emergency response plan that we are required to file with regulators every year addresses all sorts of attacks, not just restoring power or what happens when we lose power if there were cyberattacks (and) physical attacks. We have an emergency plan,” said Fred Kuebler, director of U.S. media relations with National Grid.

The company also participates in drills throughout the year and works with outside local, state and federal agencies to continue monitoring and assessing any threats that may be out there and how to address those threats, he said.

“The same goes for any possible physical attack and any cyberattack,” Kuebler said. “We make use of the latest technology. We drill for cyberattacks and work with outside agencies that deal in that area.”

National Grid continues to monitor its system on the physical and cyber side to address any attack that could come along, he said.

National Grid is a subsidiary of National Grid plc, which, according to its website, owns and maintains the high-voltage electricity transmission network in England and Wales; Scotland has its own network. Also, the company’s U.K. distribution networks deliver natural gas to some 10.9 million consumers.

Farther north on the East Coast in Vermont, Green Mountain Power (GMP) has technologies in various locations in relation to cybersecurity, said Dorothy Schnure, GMP corporate spokesperson.

In some places, GMP has security cameras with remote monitoring, she said. The company also has motion-detection security lighting, fence monitoring technology that detects when a fence is compromised — being climbed — as well as door and gate activation sensors.

“We’ve got some monitoring on our fiber-optic network and we encrypt the data,” Schnure said.

“In terms of cybersecurity, when we implemented our smart grid technology, we submitted a cybersecurity plan to the DOE in conjunction with Sandia Labs. The DOE has approved that plan, which we are now implementing. While it can never be 100 percent secure, we are diligent and are always on the lookout for problems.”

GMP does not have any suspected physical or cyberattack other than minor copper theft, but that is not considered an attack, Schnure said.

According to the company, which serves more than 250,000 customers, GMP generates, transmits, distributes and sells electricity in Vermont.

Iberdrola USA, a subsidiary of Iberdrola S.A., also has initiatives to address cybersecurity.

As a part of Iberdrola’s worldwide operations, Iberdrola USA has been working for three years to put in place common security standards and technology across its organization, said Bob Kump, president and CEO of Iberdrola USA, in a statement.

Some examples include technology for managing physical access to the company’s facilities and the deployment of state-of-the-art surveillance and video analytics to protect remote facilities. In addition to better security, features such as thermal imaging technology also provide safety and operational benefits, he said.

“Iberdrola USA is taking a holistic approach to managing the security of our physical, information and cyber assets,” Kump said. “This year we united all security operations under a chief security officer who reports directly to me. Keeping our assets and operations secure is one of the biggest challenges we face, and we’re developing strategies, organizational capabilities and technology to achieve best-in-class performance.”

Iberdrola USA is working with several global leaders in the security and intelligence industry on a top-to-bottom review of the company’s security policies and practices. They are developing a comprehensive security framework and compliance program to ensure the security of the company’s physical, information and cyber assets, Kump said.

Iberdrola USA is not aware of any physical attacks or cyberattacks against its facilities. Kump also said that like most companies, Iberdrola USA has experience with the complexity and difficulty of ensuring the privacy and security of its data, but it has not reported attempts to damage or control its critical systems.

Regarding physical security, Iberdrola USA companies have reported copper thefts from substations and operating facilities, but Iberdrola USA’s security improvements have contributed to the successful prosecution of copper thieves in some recent cases and the successful prevention of theft and damage, Kump said.

According to the company’s website, Iberdrola USA Networks operates from New York to New Hampshire to Maine, delivering natural gas and electricity to nearly 3 million customers through its five operating companies: Central Maine Power, New York State Electric & Gas, Rochester Gas and Electric, Maine Natural Gas and New Hampshire Gas.

TransmissionHub Chief Analyst Rosy Lum contributed to this article.

Author

  • The Clarion Energy Content Team is made up of editors from various publications, including POWERGRID International, Power Engineering, Renewable Energy World, Hydro Review, Smart Energy International, and Power Engineering International. Contact the content lead for this publication at Jennifer.Runyon@ClarionEvents.com.
