I’m pretty sure I could fill this column each month writing about a recent widespread outage caused by the latest significant weather event. During most any week of the year, it’s typical for some part of the U.S. to be impacted by extreme weather. Electric utilities expect and, for the most part, understand their weather-related risks. They, along with many solution providers, work diligently to harden their grids and make them less vulnerable to these risks.
Of course, weather events are just one of the risks electric utilities and grid operators experience. According to PwC’s 25th Annual Global CEO Survey released in 2022, 44% of energy and utility CEOs ranked cyberthreats among their top three concerns. Utility industry executives have been talking about the dangers associated with repeated cyberattacks for years. Utilities are working with each other as well as with many outside agencies and technology providers to stay ahead of hackers and cyber terrorists. To get a better read on the significance of cyberthreats, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (housed within the Consolidated Appropriations Act of 2022) was signed into law by President Biden in March 2022. The Act requires energy companies, including electric utilities, to report and share certain information related to cyberattacks. This is a step that many experts say was overdue.
Physical attacks to the grid also are a real threat and seem to be on the rise. As I’m writing this column, reports are circulating about a near physical attack to multiple Baltimore Gas & Electric substations. The FBI uncovered the planned attack and arrested two individuals whom they called “racially or ethnically motivated” extremists. The duo intended to create a “cascading failure” that would cause major damage and take BG&E months to repair and rebuild. Their plan was to simultaneously shoot critical equipment in multiple electric substations around Baltimore to maximize the attack’s impact. The FBI made it clear that the two suspects were not simply talking about the attack, but were taking steps to carry it out.
This report of a thwarted physical attack is the latest in a string of substation attacks carried out in the past few months. Since November, there have been reports of substation attacks in Oregon, Washington State and North Carolina. While power was not interrupted in Oregon, outages did occur in Washington and North Carolina.
These types of attacks aren’t isolated to only electricity infrastructure. A man from Fort Worth, Texas, recently was sentenced to five years in prison for attempting to blow up part of the Permian Highway Pipeline near Austin in January 2022. His plan failed, and he turned himself in. According to U.S. Department of Justice records, the attack was motivated by his ideological fight against capitalism and climate change. He’d hoped to weaken Texas energy independence and negatively impact the economy.
Unfortunately, much like cyberattacks, not all physical attacks are made public, so energy infrastructure is likely more vulnerable than most of us know. According to the federal government, these types of attacks are happening more frequently. The National Terrorism Advisory System Bulletin issued by Homeland Security in June 2022, reveals that U.S. infrastructure is in a heightened threat environment. The bulletin says: “Threat actors have recently mobilized to violence due to factors such as personal grievances, reactions to current events, and adherence to violent extremist ideologies, including racially or ethnically motivated or anti-government/anti-authority violent extremism. Foreign adversaries — including terrorist organizations and nation state adversaries — also remain intent on exploiting the threat environment to promote or inspire violence, sow discord, or undermine U.S. democratic institutions.” As the presidential election gets closer (the first primary is only 11 months away), many security experts, including Homeland Security, believe we’ll see greater threats from domestic violent extremists.
Not all attacks, however, are motivated by personal grievances or extremism. The two men who vandalized substations in Washington, interrupting power to 14,000 customers on Christmas day, weren’t terrorists or politically motivated. Federal agents revealed the pair knocked out power so they could burglarize a local business, emptying its cash register while the power was out.
There were more than 55,000 substations in the U.S. in 2020, per the Department of Energy’s Office of Electricity, and I suspect that number has grown since then. In addition, there are 200,000 miles of transmission lines and nearly 6 million miles of distribution lines in the U.S. Most of the lines and the equipment attached to them are above ground and easily accessible to someone intending to cause harm. Nearly all substations are fenced and some of the larger, high-voltage substations are equipped with alarms and video surveillance, but few have bullet proof equipment or shielding to protect them from gun attacks. In addition, many are in remote areas, so even with alarms and video surveillance, it’s difficult for utilities or other authorities to stop an attack if alerted. Bulletproof shielding and equipment could help, but many substations are large, which means making them bulletproof would be costly. Undergrounding equipment can add protection, but again it is expensive. For a utility’s investment to make sense and gain approval from boards of directors and regulators, undergrounding usually must provide benefits in addition to physical security.
Protecting infrastructure from extreme weather events is difficult. Protecting it from both cyber and physical threats is just as hard, possibly more unpredictable, and infuriating. Who would have thought that two local fools would decide to vandalize several substations and disrupt power on Christmas day so they could steal money from a small business’ cash register? How could that have been lucrative? Who uses cash these days anyway?