The possibility of a terrorist attack knocking out the power grid makes for a good headline, but could it really happen? The U.S. Federal Energy Regulatory Commission (FERC) says yes.
If terrorists are ever able to knock out nine of the nation's 55,000 substations, the U.S. power grid could suffer coast-to-coast blackouts lasting 18 months or more, according to leaked excerpts from a FERC report.
There are 30 substations in the U.S. that play a critical role in the nation's grid operations, the report said. If any nine of them were taken offline, there could be widespread blackouts for weeks — or far longer.
Just because a crippling grid attack is possible, doesn't mean it's going to happen. But terrorist attacks on the power grid don't just make for good headlines — they're already happening.
Is the grid vulnerable to terrorist attacks?
It's no surprise to see headlines warning that the grid is susceptible to attack. But why all the concern now?
Well, it doesn't help that a Pacific Gas & Electric substation that feeds Silicon Valley was shot by snipers last year. And it's not the only such incident. A man tried to take down the power grid in central Arkansas by bringing down several power lines (with a stolen tractor and a passing train) and setting a substation on fire, causing $2 million worth of damage.
These attacks show the grid is vulnerable to terrorism, a finding confirmed by a previously classified report sponsored by the U.S. Department of Homeland Security.
Leaked portions of the FERC report paint a dark picture. "Destroy nine interconnection substations and a transformer manufacturer and the entire United States grid would be down for at least 18 months, probably longer," a summary of the report reads.
Perhaps most disturbingly, the California substation attack, in which snipers destroyed 17 transformers, "demonstrates that it does not require sophistication to do significant damage to the U.S. grid," according to FERC.
And it's not just physical attacks. Despite the recent focus on physical security, some say cyberattacks present an even greater threat to the grid.
A "sophisticated, targeted cyberattack" could knock out large portions of the U.S. power grid for 9 to 18 months, cybersecurity consultant Joe Weiss told Utility Dive. Such an attack would be "irrecoverable," he said.
More than a decade after 9/11, experts believe the U.S. has failed to adequately safeguard critical infrastructure, including grid operations, from cyberattacks.
"We've been led down the path to believe that: one, these systems are secure; and two, other countries don't have the capability to effectively attack the U.S. electric grid," Weiss said. "Both of those assumptions are wrong.”
Why the grid is 'inherently vulnerable'
The U.S. electrical grid was not designed with today's complexities in mind — let alone the ability to withstand terrorist attacks.
“The power grid is inherently vulnerable because it is spread across hundreds of miles, and many key facilities are unguarded,” the report prepared for Homeland Security found. "Electric systems are not designed to withstand or quickly recover from damage inflicted simultaneously on multiple components. Such an attack could be carried out by knowledgeable attackers with little risk of detection or interdiction. Further well-planned and coordinated attacks by terrorists could leave the electric power system in a large region of the country at least partially disabled for a very long time."
Another big reason the grid is vulnerable is that it takes a long time to replace equipment — such as large boilers, turbines and transformers — underpinning the nation's critical infrastructure. It could take months or even years to replace such equipment, according to estimates.
And yet this is all old news. Policymakers, security experts and the utility industry have known about the grid security issue for the last 30 years.
Amory Lovins, chairman of the Rocky Mountain Institute, wrote in his 1982 book Brittle Power that "a few people could probably black out most of the country." The book surprised people when it came out — citing frequent instances of grid terrorism throughout the 1970s, such as transformer shootings and substation bombings — but the same debate over grid security continues today.
Whether or not you believe terrorists could realistically cause a nationwide blackout, there is little doubt the grid needs to improve its security. The question is...
Is anyone doing anything about it?
FERC, for one, is already on it.
Earlier this month, FERC directed the North American Electric Reliability Corporation (NERC) to develop reliability standards requiring bulk-power system owners and operators to address risks due to physical security threats and vulnerabilities. The new standards will target specific facilities that if damaged could lead to blackouts or other major problems.
But some, like FERC Commissioner John Norris, are worried that FERC may be overreacting. “My concern is that we don’t shift our focus and our resources,” Norris said. “The rush to do this seems to be based on a very incomplete set of facts about what happened.”
The National Academy of Sciences (NAS) has other ideas. In its report prepared for Homeland Security on terrorism and the grid, the academy noted that high-voltage transformers, like the 17 that were shot up at the PG&E substation, are of particular concern. These transformers are massive, hard to move and usually custom built. NAS recommends the U.S. make and store a set of universal transformers that could be used in emergencies.
"There are probably less than 100 critical high voltage substations on our grid in this country that need to be protected from a physical attack," former FERC Chairman Jon Wellinghoff told the Wall Street Journal. "It is neither a monumental task, nor is it an inordinate sum of money that would be required to do so."
In November, NERC held a two-day exercise to see if the grid could withstand a massive physical and cyber attack. There were more than 2,000 participants from across North America, more than twice as many as the previous exercise. No one has publicly revealed detailed results from the exercise.