Kathleen Davis, Associate Editor
Since the tragedy of Sept. 11, 2001, the energy industry has examined security issues with a magnifying glass. Both physical and cyber security have been dissected, and it seemed like no detail could have possibly escaped debate.
Yet, new areas to diagnose just keep bubbling to the surface.
Recently, the National Research Council (NRC) released their own take on the subject of security. The report, entitled Making the Nation Safer: The Role of Science & Technology in Countering Terrorism, takes a hard look at the electric utility industry, and it appears that the NRC has found an even more powerful magnifying glass with which to peer at electricity. The NRC takes on all the traditional arguments, as well as details like protection against electromagnetic pulse (EMP) and the need for research into heat-shielding equipment.
“The single most important reason to look at every inch of our vulnerabilities?” queried Rob Housman, counsel with Bracewell & Patterson with a specialization in counter-terrorism, in an interview with EL&P about the report’s findings. “Look where complacency got us.”
Housman continued, “When they blew up the World Trade Center the first time, we all said, ‘Oh my God. We have a problem.’ Then we all went back to our day-to-day lives, and nothing changed. We went back to being complacent. We can’t do that again.”
Philip Hanser, principal with The Brattle Group, told EL&P that all the reports on security-including the NRC’s and FERC’s recent standard market design NOPR, which has a security section-come down to one thing: money.
“The question is: How much value do we put on security?” he asked. “How do you generate incentives to make this worthwhile? The economics are in the opposite direction, really-toward centralization rather than distributed generation, for example.”
“It’s just not clear that the market place itself will provide the necessary rewards for doing this; that’s the bottom line,” he added.
“It’s either going to be a carrot, or it’s going to be a stick,” Housman said, adding that he believes there’s going to have to be some impetus (stick=regulatory mandates; carrot=tax incentives) to secure critical components.
“The industry would, certainly, rather see the carrot, but I really don’t know which way it will go,” he concluded.
Hanser did admit that the electric system is much more vulnerable than other infrastructure, and that certain regions, like the American West, top the list of regional vulnerability.
Housman built on this point to say, realistically, that “there’s no such thing, in a democracy, as ‘perfect’ security.” He stated that we need to focus instead on closing the vulnerabilities with the most potential impact, because it is truly not feasible to close positively all of the vulnerabilities in the system.
“In the end, it’s not about eliminating risk; it’s about reducing risk and making the act of terrorism more difficult,” Housman stated.
Hanser agreed, adding that we need to look at potential mixtures, instead of rigid physical or cyber protections.
“If a terrorist were smart, he would combine a cyber attack with a physical one,” he said. “You go in and take out a couple of important transmission lines while a partner is busy interfering with the SCADA system simultaneously.”
Hanser stated that he really doesn’t worry so much about physical power plant security. Instead, he believes the threat to disrupt transmission is a more detailed problem than physically protecting plants.
“I’m much more concerned about [T&D] network issues, because the network angle is the tricky one,” he added. “I don’t know how you truly make secure as complex a network as we have.”
Housman, on the other hand, isn’t so worried about the transmission lines. He thinks it is most important to look at vulnerabilities that seem small but could have massive implications, a ripple effect.
“The notion that terrorists are going to go out and blow up a gazillion miles of wire? That’s probably not going to happen,” he said. “They would more likely to be looking at vulnerabilities like SCADA systems.”
The great, unblinking eye of the NRC made 17 separate recommendations on a variety of issues ranging from the industry’s problematic increase in automation to the possibility of a coordinated attack against the grid. The report also stated that the energy industry (including oil and natural gas) does not possess the ability to appropriately respond to “extensive, well-organized acts of terrorism.”
The NRC was quick to point out, however, that “the scenarios of greatest concern involve the electrical system.” In fact, the NRC warned that a coordinated attack and the attempts to restore power could result in rolling blackouts for as long as “several years,” depending on a low reserve capacity and other factors. (They sited the 1998 Auckland, New Zealand blackout as an example. Their central business district was without power for nearly two months due to four failed transmission lines.)
“Virtually all of our privately held infrastructure-and even much of our publicly held infrastructure-is somewhat at risk, was arguably ‘underprotected’ for years, although now they’ve geared up security on quite a bit of it,” Housman said.
“We haven’t had a significant attack by a foreign entity on our shores since Pearl Harbor,” Houseman continued. “We were fortress America, and we didn’t build our power grid-or anything else for that matter: communication infrastructure, transportation infrastructure-with the notion of making it a hardened target. So before you point a finger at the power industry, you must realize that this is true for pretty much all of our infrastructure.”
What the NRC sees
“Several recent trends in the energy industries have increased the vulnerability of their infrastructures and made serious loss of service from terrorist attack more likely,” the NRC wrote in Making the Nation Safer. According to the NRC, these include:
- A increase in the use of automation and computerization combined with industry consolidation and more centralized control;
- Congested transmission corridors and increased reliance on unsecured telecommunications and SCADA systems;
- Investment reduction and increased reliance on vendor technology and outsourcing;
- A decrease in research and development;
- Large equipment located outdoors, making it vulnerable to weapons;
- Equipment operating at elevated temperatures, which could be targeted by heat-seeking devices;
- Isolation of transmission lines and towers;
- Control systems co-located with the equipment being controlled.
The report concluded, “The most insidious and economically harmful attack would be one that exploits the vulnerabilities of an integrated power grid. ‘A chain is only as strong as its weakest link’ applies here. Simultaneous attacks on a few critical components of the grid could result in a widespread and extended blackout.”
The report recommended:
- That the industry should conduct studies to identify vulnerabilities, including those of connected Canadian and Mexican assets;
- That utilities, ISOs and RTOs should identify the most critical equipment for protection and quickly secure it;
- That FERC should review transmission lines to identify opportunities to protect against cascading damage;
- That the Office of Homeland Security should identify statutory authority for emergency actions;
- That the manner in which data is transmitted between control points and SCADA systems should be reviewed;
- That research should be undertaken to adapt the traditional extra high voltage (EHV) transformer into a smaller, cheaper, portable version, making them less vulnerable and more easily replaced;
- That surveillance technologies developed for defense and intelligence agencies should be examined for possible use in defending distributed transmission assets;
- That smart controls should be developed to limit manipulation outside of normal operating settings;
- That simulation tools for modeling prevention, response and recovery should be developed;
- That a cyber-intelligent grid should be established which combines a warning system with adaptive islanding;
- That a coordinating council should be formed to oversee research and ensure implementation.
“Some of their recommendations make a lot of sense,” Hanser stated. “While the EMP section seems a little beyond the usual, the revelations about SCADA, for example, are important. The communications on SCADA aren’t secure, and there isn’t much in terms of coding for a lot of these systems. That makes sense to think about and seems fairly sensible.”
But, no matter how much sense the NRC suggestions seem to have, pushing them through to fruition remains the problem.
“In the end, the biggest issue remains money,” Hanser reiterated. “We’re saddled with the issue of dealing with security at a time in which the market rules are unsettled, making it very tricky for investment: ‘If the regulations change, will I get recovery in the future?'”
“With restructuring, security has not been an issue the industry can really focus on or move forward with. It’s not their fault, really; you can only put out so many fires at a time,” he added.
Housman also concluded that the issue of investment may be what it all boils down to; he’d like to see a blend of public and private incentives (“read: money”) to secure the electric utility industry. “I believe there ought to be incentives; I’m a big fan of incentives. The purpose of the power grid is not security. These are private industries; their function isn’t homeland security. They just don’t do that. What they do is bring you power.”
“The reticent to move isn’t because these aren’t patriots. These are good American citizens; they don’t want to see their facility blown up with them in it. So, all of the rationales line up, save one, which is money.”
Housman, specializes in counter-terrorism, public and corporate security, and government relations. Last year, he co-authored Protecting America’s Critical Energy Infrastructure from Terrorist Attack. He can be reached at firstname.lastname@example.org. Hanser maintains an industry focus regulation and restructuring, electric market price forecasting, market power and market structure, and electric transmission.. He can be reached at email@example.com or 617-864-7900.