Physical security practices for the electric utility industry have been stagnant for years. The April 16, 2013 assault on Pacific Gas and Electric Company's Metcalf Transmission Substation was the first widely publicized attack on a substation in the United States. Attacks on other industries have also occurred, for example, the communications center bombing in Nashville in December 2020.
The electric utility industry should not wait until the next assault occurs to harden physical security at critical facilities. No one knows where, when, or how great an impact the next assault will have on the electric power grid. By emulating the physical security practices of the Department of Defense (DoD), the electric utility industry can be prepared for any future attacks on its critical infrastructure.
Our last post Protecting Our Electric Power System from Attack compared physical security standards of the electric power industry, implemented by the North American Electric Reliability Corporation (NERC), to those of the nuclear power industry. In this post, we will explore the physical security practices of the DoD to those required by NERC.
NERC’s Physical Security Considerations
Electric utilities harden their physical security at critical facilities to comply with NERC Reliability Standard CIP 14-2, Physical Security. The goal of this standard is to identify and protect transmission substations and associated primary control centers. The primary concern is a physical attack that could end in one of three undesirable results: system instability, uncontrolled grid separation, or cascading outages within an Interconnection. The recovery time varies for each of these events.
Electric utilities assume that hardened perimeter fences provide a high degree of security. The hope is that a perimeter barrier system with anti-cut and anti-climb properties, and anti-ram and anti-dig features, is sufficient. The goal is to prevent a potential threat from accessing a critical facility. But this isn’t nearly enough.
DoD’s Physical Security Considerations
The DoD developed the Unified Facilities Criteria (UFC) to protect facilities and personnel, assuming terrorists and other intruders will be armed and dangerous. UFC establishes security and antiterrorism design criteria that are the basis for facility designs.
UFC criteria include assets to be protected, threats to those assets, levels to which those assets are to be protected against threats, and design constraints imposed by facility users. UFC also provides a risk management process for evaluating costs and protection options, and accounts for the costs of providing applicable levels of threat protection.
The DoD considers aggressor tactics that include:
Moving and stationary vehicle bombs.
Hand delivered devices.
Indirect and direct fire weapons.
Forced and covert entry.
Airborne and waterborne attack.
Both the DoD and electric utilities base their requirements on experience and threat assessments provided by local police officers, state police, and intelligence agencies. The key difference is that the DoD assumes an attack is likely, and prepares accordingly.
In contrast, electric utilities assume that an attack is unlikely because very few facilities have been attacked in the preceding 10 years. Additionally, when a past catastrophic failure occurred inside a substation, due to an attack or other occurrence, electric utilities have been able to restore power to all customers in under 24 hours. Making this assumption leaves electric utilities vulnerable to more severe attacks because they are unprepared.
History Repeats Itself
When the history of tragic events is studied, it is evident that copycats continue to commit atrocities in growing numbers after the initial event. For example, the first U.S. airplane hijacking occurred in 1961. Following that, the number of such incidents grew during the 1960s, with 40 attempts made in 1969.
Warning signs flashed red for years before threats were acknowledged and preventive measures are implemented. Eventually, a tipping point was reached, and safeguards were implemented. And then, true to the past, safety became an afterthought for most Americans until 9/11, after which the improved security cycle started anew.
Electric utilities must learn from the safety protocol considerations and experiences of other industries if they are to weather an inevitable attack on critical infrastructure. The electric power grid is vulnerable to attack unless updates are made to the physical security standards protecting critical infrastructure. Electric utilities should not wait until the tipping point to implement updates to physical security. And these improvements can’t be one-time updates. They need to be continually reevaluated and updated.
It is unknown when the next major attack will be. Depending on the scale of the attack, it could create anything from a minor power outage to a multi-state blackout. Electric utilities won’t know exactly how long it will take to restore power until the attack occurs; it could be days, weeks, or even months.
Necessary Updates to Physical Security
First, electric utilities must implement wide area blackout assessment strategies that combine short circuit study data and load recovery models. These tools identify critical substations where a disgruntled employee or a group of saboteurs could create a wide area blackout, interrupting the flow of electric power to more than one million customers.
Prescient provides wide area blackout risk assessments as part of our services. Contact us to schedule an assessment. Assessments can determine the potential for a wide area blackout that originates at a 345 KV, 500 KV or 765 KV substation. When the risk is known, the amount of hardening that is required can be established.
Next, electric utilities should emulate UFC guidelines for aggressor tactics and facility security. Some substations are so critical that a single saboteur can interrupt the flow of power to a major metropolitan area. Physical security at these substations should be upgraded immediately.
Like a Trampoline
The electric power grid can be compared to a trampoline where the mat bends and bounces when a person jumps. If a trampoline mat is stretched to the point that it tears, the result will be a dangerous fall for the jumper.
Like a trampoline, the electric power grid can stretch and rebound. And, like a trampoline, there is a point where systemic failure occurs. The difference is that trampoline weight limits are displayed on tags, whereas electric power grid limits are hidden in models that change with time, day, year, and season.
Fortunately, tools are available to analyze power grid collapse. These tools are essential when determining the level of power system security required.
Enhance Physical Security Standards with Risk Assessments
Electric utilities need to enhance their security so that they are on par with the security protocols developed by the DoD. To be clear, the DoD does not oversee the physical security protocols for electric utilities. Perhaps the Department of Homeland Security, rather than NERC, should be tasked with overseeing the physical security protocols for electric utilities.
In the meantime, Prescient performs power system security assessments that can identify vulnerabilities in physical security at critical grid infrastructure. Prescient understands power system design, operation, protection, and DoD security protocols. Our staff has worked in energy control centers, developed FIDVR models (fault-induced delayed voltage recovery), and designed and installed perimeter security systems at nuclear power plants.