Ben Joelson leads corporate security risk and resilience engagements at The Chertoff Group.
Just as much of the country was experiencing record cold and massive travel disruptions, bad actors continued physical attacks against substations. As Robert Walton reports in Utility Dive, “Six substations in the Pacific Northwest were damaged by attacks in November, and the Federal Bureau of Investigation is looking into a North Carolina firearms attack … that knocked power out to about 45,000 Duke Energy customers.” In total, including a more recent incident this month, authorities are investigating an unprecedented 13 substation attacks over a period of just several weeks.
These attacks are reminiscent of the April 2013 attack on a key Pacific Gas & Electric substation in Metcalf, California, which the California Public Utilities Commission deemed a “wake-up call” for the electric utility industry to apply closer security scrutiny to exposed infrastructure. Unfortunately, even given lessons learned from that sophisticated attack, there are several interrelated dynamics that still make securing exposed critical infrastructure difficult:
- “Last-mile” power delivery realities: While the North American Electric Reliability Corporation Critical Infrastructure Protection standards, or NERC-CIP, and federal regulators have taken important steps to safeguard key nodes of the bulk-electric system — strategic transmission assets that, if targeted, could cause significant disruption and persistent blackouts — the “hub-and-spoke” approach to power delivery means that there will always be customers at the end of a delivery line. Simply put, one or two substations can support thousands of homes and businesses (or critical customers), but not rise to a critical level under NERC-CIP regulations, which require enhanced physical and cybersecurity measures. Given the vastness of the system, regulators and operators must use a risk-based approach when deploying limited security resources. But these tiering equations often over-weight consequences or impact to the grid, and may not always incorporate site-specific vulnerabilities or threats.
- Limited response capabilities — especially in rural areas: Most electric utilities employ a mixture of proprietary and contract guard forces — but these resources tend to be concentrated around large generation plants, corporate headquarters, or critical power control facilities. Because there are 55,000+ substations in the United States, placing a guard at each location is not feasible. Instead, companies rely on local law enforcement and an array of cameras and sensors to direct their response.
- Multiple single points of failure: While it’s true that some early reports, particularly in North Carolina, indicated that attacker(s) there had insider knowledge of “exactly” how to disable substations, the reality is that even hardening or shielding key areas on the site will not prevent a motivated attacker from damaging transmission stations or targeting the hundreds of thousands of miles of exposed high-voltage transmission lines. The nature of power delivery still relies on wired connection points across the country — any of which can be vulnerable to attack.
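The “last-mile” point above is about how a tiering equation behaves, not just what it counts. The following is an added illustration, not code from the article and not the NERC-CIP criticality methodology or any utility’s actual model: a toy threat × vulnerability × consequence scorer over four constructed sites, showing that a ranking driven mostly by consequence (customers served) keeps a highly exposed rural substation below a better-protected suburban one, while a ranking that gives site-specific vulnerability and threat equal weight pulls it up. All site names, customer counts and scores are constructed assumptions.

```python
"""Added example: a toy risk-tiering model for substation security prioritization.
Not the NERC-CIP methodology and not any utility's real model; all data constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    customers: int        # consequence proxy: customers dropped if the site is lost
    vulnerability: float  # 0..1: exposure (perimeter, lighting, distance from responders)
    threat: float         # 0..1: local suspicious-activity and incident reporting


# Constructed sample portfolio (assumption, not real assets).
SITES = [
    Site("Metro-A", 250_000, 0.2, 0.3),    # large, fenced, monitored, fast response
    Site("Suburban-B", 60_000, 0.4, 0.3),
    Site("Rural-C", 12_000, 0.9, 0.8),     # exposed, remote, recent reports nearby
    Site("Rural-D", 8_000, 0.7, 0.2),
]


def consequence(site: Site, max_customers: int) -> float:
    """Consequence normalized to 0..1 against the largest site in the portfolio."""
    return site.customers / max_customers


def risk_score(site: Site, max_customers: int, w_c: float = 1.0) -> float:
    """Multiplicative threat x vulnerability x consequence score.

    w_c is an exponent on the consequence term: w_c=1 weighs all three factors
    equally; w_c>1 is the 'over-weight consequence' behaviour the article warns
    about, where the customer count dominates site-specific exposure and threat.
    """
    return (consequence(site, max_customers) ** w_c
            * site.vulnerability
            * site.threat)


def ranking(sites=SITES, w_c: float = 1.0) -> list[str]:
    """Site names ordered from highest to lowest risk score."""
    max_customers = max(s.customers for s in sites)
    return [s.name for s in sorted(
        sites, key=lambda s: risk_score(s, max_customers, w_c), reverse=True)]


def consequence_only_ranking(sites=SITES) -> list[str]:
    """Ranking that ignores vulnerability and threat entirely."""
    return [s.name for s in sorted(sites, key=lambda s: s.customers, reverse=True)]


def triage(slots: int, sites=SITES, w_c: float = 1.0) -> set[str]:
    """Which sites get the limited extra measures (random patrols, temporary
    cameras) when only `slots` sites can be covered this cycle."""
    return set(ranking(sites, w_c)[:slots])


if __name__ == "__main__":
    print("consequence only :", consequence_only_ranking())
    print("consequence-heavy:", ranking(w_c=2.0))
    print("balanced T*V*C   :", ranking(w_c=1.0))
    print("2 slots, balanced:", sorted(triage(2)))
```

With equal weighting, Rural-C (12,000 customers but high exposure and local threat reporting) ranks above Suburban-B; doubling the consequence weight reproduces the consequence-only order and Rural-C drops back out of a two-slot patrol budget. The point is not the specific numbers but that the weighting choice, not just the data, decides whether a small exposed site ever receives resources.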
NERC-CIP and grid operators’ risk-based approach to hardening key stations and sharing loads across systems during outages or disruptions means that a widespread, multi-state outage would almost certainly require a level of sophistication and coordination that far exceeds the one-off vandalism seen in recent weeks.
In late November, a few days before the North Carolina attack, I wrote about the importance of converging certain security functions within electric utility operators. I outlined three immediate steps that grid operators could take to defend against increasingly sophisticated threats to our grid: (1) charter a converged threat working group; (2) develop an internal risk intelligence function; and (3) incorporate threat-informed tactics when validating existing security controls. While risk can never be eliminated, only managed, there are additional steps that grid operators can take to defend against this unprecedented surge in attacks:
- Leverage random security measures to confuse adversaries. Randomized security measures are a core pillar of a counter-terrorism strategy. We used these measures at U.S. military bases at home and abroad, during the height of the Global War on Terrorism, and there are applicable lessons learned for the grid. Visible security measures — extra patrols, local law enforcement presence, additional temporary cameras, to name a few — deployed at random intervals can consistently disrupt an adversary’s planning cycle.
- Overhaul information sharing with law enforcement. Grid operators are coordinating with federal authorities right now — and the key role for federal officials, in addition to prosecuting perpetrators, is to offer connective tissue from an information and intelligence-sharing perspective. Are these attacks coordinated? Do they share similarities (e.g., targets selected, measures employed, timing)? These are the types of questions that fusion centers and law enforcement should be sharing with operators — and operators should be sharing amongst themselves.
- Dust off the Metcalf playbook. Many utilities convened working groups in the immediate aftermath of the 2013 PG&E attack in California. Now is the time to dust off security playbooks, and sharpen internal emergency response capabilities to prepare, respond and recover from a similar attack. Internal business continuity teams are often robust, and they should design real-world and table-top exercises that illuminate key roles and responsibilities and response actions/recovery time objectives, should a transmission site be targeted. Consider rural, exposed infrastructure, and NERC-CIP critical sites alike. Most companies also have a security modernization plan that aims to replace older generation security systems and equipment. Management should re-prioritize these plans, given the recent attack landscape.
- Enlist the support of the public. Everyone remembers the post-9/11 “See Something, Say Something” campaigns for suspicious activity reporting — many of which persist at airports and transportation hubs around the world. There will never be enough camera technology or random patrols to defend against every attack scenario. That said, improving public awareness and enlisting the help of citizens — to report suspicious activity to authorities or even to utility security operations centers directly — can have a considerable “force multiplier” effect for operators.
Many Americans have watched from afar as Putin weaponizes energy in Europe, resulting in unprecedented price increases for energy on the continent and a cold winter for many. It seems the U.S. could be entering our own cold winter of energy attacks — in this case not from a shifting balance of power in Europe, but from domestic threat actors intent on disrupting a basic aspect of modern society: reliable electricity.