Americans often take for granted just how much modern life relies upon is electricity. But without power, life can go from civilized to dangerous in a matter of hours. Unfortunately, this is a reality which America’s enemies –both foreign and domestic—are constantly seeking to take advantage of.
More than 40,000 residents of Moore County NC found this out the hard way last December when unknown attackers opened fire on transformers in two substations within the local electric grid resulting in a no-notice blackout. Fortunately for North Carolina residents, power was restored relatively quickly.
The event caused the media to begin paying closer attention to the vulnerability of the grid to physical attacks – a matter which traditionally had been ignored.
The media attention spurred the Federal Energy Regulatory Commission (FERC) to order the North American Electric Reliability Corporation (NERC) to conduct a study surrounding the adequacy of the current physical security standards that are supposed to protect the grid from these types of attacks. NERC is the self-regulating non-profit “Electric Reliability Organization” designated by FERC to both develop and enforce compliance with mandated reliability standards.
When NERC released the required report in April, they declared there was no reason to expand the current physical security standard.
Cold comfort for the people of Moore County, NC.
This vignette helps to underscore three factors illustrating why the nation’s electric grid remains so vulnerable to physical attack.
The first factor is jurisdiction. FERC only regulates the “bulk power system.” The bulk power system is made up of the “transmission” part of the grid that moves electricity over large distances (often crossing state borders) and portions of the “generation” grid that produce that electricity. Left out of FERC’s oversight is the “distribution” part of the grid that brings power to homes and businesses.
The Moore County NC substation, and the power transformers shot up in the Pacific Northwest last year, were distribution transformers and therefore not addressed by the physical security standard, just because they weren’t part of “the bulk power system.”
The second factor is a physical security standard fraught with loopholes, even for the limited section of the system covered under FERC rules. The “protection standard” consists of little more than a written security plan that must be reviewed by a third party, without any requirement that this third party has expertise in physical security. And even then, the plan is applied to only those assets deemed “critical.”
The former Director of Central Intelligence Ambassador R. James Woolsey wrote a letter to FERC in May 2020 warning about these loopholes. The former Chief Information Officer of NSA described the industry’s “Critical Infrastructure Protection Standards” as a “House of Cards.” “They have served only to narrowly protect a utility’s “House” and not its “Operations,” he wrote to FERC in June 2020.
Expert power system engineers have similarly argued that the current physical protection standard enables the utilities and NERC “plausible deniability” and therefore “the nation will be facing a less reliable electric grid and more large-scale outages more frequently.” They point out how the industry uses limiting criteria of “voltage levels” and transmission line “weighted averages” that enable them to exclude many facilities from the protection standard – even if those facilities are vital to grid reliability because of their location in the highly interconnected system.
All of this points to the third factor putting the grid at risk: The fact that NERC is the organization drafting the protection standards. Because of the way NERC is organized it has essentially “stacked the deck” to ensure that the special interests of the utilities dwarfs the broader public interest when it comes to decision-making.
Frustrated with government and industry lack of focus on improving physical security, the Center for Security Policy’s Secure the Grid Coalition filed a “Petition for Rulemaking” with FERC, forcing the federal government to open a legal docket on the matter. We argued that FERC should order an “Enhanced Applicability Criteria” to the existing system of reliability standards for the Bulk Power System.
We argued that the government should require regional authorities operating the grid to use their actual operating models to designate which assets are critical and thus applicable to the standard. Industry uses these utility system engineering models every day for planning and for the reliable operation of the electric grid – to sell, buy and move electricity. Those models, we argue, are the best criteria for understanding what is “critical” and therefore what should fall under the protection standard – even if those assets are outside the “bulk power system.”
Our petition was protested by both NERC and power industry Trade Associations on procedural grounds – essentially arguing that our Coalition should have first approached NERC with a request to initiate a new Reliability Standard.
NERC argued that our petition “Fails to Demonstrate a Sufficient Change in Circumstances to Merit a Rulemaking.” “Because the Petition does not satisfy these complaint requirements, it should be dismissed,” wrote the Trade Associations.
Before FERC closed its docket on our petition, we weighed in with our own intervention, pointing out the following:
- the massive increase in physical attacks on the grid (1039 from January 2010 to March 2023 – a rate of nearly 1.5 per week – according to Department of Energy data),
- a significant increase in attack sophistication,
- that the attackers span both the economic and political landscapes,
- that our insecure southern border increases the risk of potential attacks on the grid,
- that Communist China presents the most worrisome near-term foreign threat, and
- that lead times for transformers (2-4 years) urgently underscores the need for increased protection.
Both NERC and the Trade Associations pointed to an upcoming “Joint Physical Security Technical Conference” as evidence that they are working to improve the standards.
When that conference takes place on August 10th in Atlanta, volunteer members of our Secure the Grid Coalition will be there to represent the public interest.
EDITORS NOTE: This Center for Security Policy column is republished with permission. ©All rights reserved.