The recent attack on two North Carolina substations, which power thousands of people, has raised concerns about safety standards for the nation’s power grid and its numerous power plants, which have faced greater threats in recent years.
Aside from weather, suspected and confirmed physical attacks on power grid infrastructure have been the largest cause of electrical outages since 2014, when private companies operating power plants were required to raise security standards in response to an attack in California the previous year. according to an NBC News analysis of Department of Energy public reports.
Nearly 600 electrical emergencies and outages were caused in those nine years by suspected and confirmed physical attacks and vandalism on the power grid, the reports show. From January through August 2022, there have been 106 assault or vandalism incidents, which is the latest data from the Energy Department. Of the years reviewed by NBC News, 2022 is the first to reach triple digits and it contains only eight months of data.
The incidents, which are reported to the federal government by energy companies themselves, provide little to no detail about what happened. But experts said they could range from copper wire theft to planned attacks aimed at causing power outages, as is suspected to have happened in North Carolina.
“The significance of this outage in North Carolina in the middle of a very cold winter should not be underestimated — it is a major problem,” said Neil Chatterjee, who chaired the Federal Energy Regulatory Commission, or FERC, during the Trump administration. . “We need to be aware of this and take physical security and cybersecurity seriously and there are things we can do in terms of standards and other approaches to strengthen and protect our critical energy infrastructure.”
Duke Energy restored power to all of its North Carolina customers Wednesday night, four days after 45,000 customers were left in limbo after what officials said was a deliberate and coordinated attack on two Moore County substations. Moore County Sheriff Ronnie Fields has said a motive for the attack is not known. It is also not clear what kind of protective measures were in place to prevent such an attack.
Jeff Brooks, a Duke Energy spokesperson, declined to provide details about the sites’ security measures, but described the company’s security approach as “robust.”
“We have multiple layers of protection on our critical systems on the grid that help us monitor and then respond when we have disruptions,” he said. “And so what we’re doing now is certainly focused on the restoration activity, but we’ll certainly take lessons from this that we’ll incorporate into our plans going forward.”
In response to the attack, a senior Department of Energy official said the agency issued a call on Monday with Deputy Energy Secretary David Turk, 30 CEOs from across the power industry, Duke Energy officials, and FBI Department officials and investigators. of Homeland Security, the White House and the National Security Council.
They discussed the attack and industry executives were told to be alert and to report any incidents that could be considered threatening.
“Until we start connecting some dots, we really need to see: Where is this trending? What’s going on?” the official said. “There was a real call to say we should go ahead and share that information, while also staying vigilant.”
Vague rules or risk-driven?
The current standard was adopted in 2014 and requires energy companies to create risk, threat and vulnerability assessments, as well as a physical security plan for each station, all of which must be verified by a third party. However, it does not oblige them to pursue concrete or specific security measures on each site.
Adrienne Lotto, the senior vice president of grid security, technical and operational services at American Public Power Association, an advocacy group for energy companies, said the current standard works well because it is tailored to the specific risks in each location. She added that the utilities sector has also responded to the threats from a best practice perspective.
“Using a risk-based approach, the industry tends, and rightly so, to focus on those assets that have a high impact or high risk to the bulk electrical system,” she said.
But others don’t believe the current standard works well. Critics said they believe it is a vague set of rules that gives electric companies a great deal of leeway, rather than creating the required, enforceable safeguards.
Jon Wellinghoff, who was named chairman of FERC during the Obama administration, said the standards are “extremely vague” and “not prescriptive” since they don’t require things like block walls or cameras.
“They’re just saying that the companies need to identify what parts of their infrastructure are critical and then each utility company makes that decision about what parts of their infrastructure they want to put below standards,” he said. “Then they have to make a plan to protect them and that plan can basically be anything that meets the broad, vague outlines of the standards.”
The senior Department of Energy official said the North Carolina substation was not considered a major impact because damage to it was not believed to have caused an excessive impact.
“This was a low-impact substation and so it has different requirements when it comes to the physical security measures it would use,” the official said. “We’re going to work with Duke to really understand and assess the situation in terms of what safety measures were in place and that will inform the dialogue about what we could change.”
Security standards last saw a major change after a coordinated gun attack on a transmission station outside of San Jose, California, in 2013 sparked concerns about a massive weakness in the US electrical system.
Those who coordinated the attack, known as the Metcalf sniper attack, remain at large. They created multiple firing positions and cut power station communications before firing on 17 transformers, threatening a major blackout. PG&E, the power company, was able to redirect power to the affected areas, but the attack could have caused a blackout that would have encompassed all of Silicon Valley, said Wellinghoff, who served as FERC president at the time.
Paths forward for a new standard
Those who want a new security standard said there are still significant bureaucratic headwinds against such a proposal.
After the 2003 Northeast blackout, Congress passed the Energy Policy Act of 2005. That law caused federal regulators to turn to an “electrical reliability organization” to develop and enforce reliability standards for the nation’s transmission networks. The view is that the industry’s expertise would lend itself to creating strong reliability standards, while the federal regulator FERC would approve the standards the organization sets.
Since 2006, the North American Electric Reliability Corporation has overseen the task of creating reliability standards, but critics say this process has effectively allowed the industry to make its own rules and any power from FERC to act as a regulatory body , has undermined.
The North American Electric Reliability Corporation, a nonprofit organization originally founded by the electric power industry, said it created security requirements based on risk, rather than a one-size-fits-all approach.
“The North Carolina assets were not individually considered critical to the grid, and the recent attack did not cause an uncontrolled or cascading outage, which the standards are designed to protect against,” said Kimberly Mielcarek, a spokesperson for the group. “However, this does raise the question of whether it is necessary to assess an event affecting several non-critical assets that collectively could have an impact beyond the failure of a single asset.”
Mielcarek added that industry expertise is the best way “to ensure that our standards are technically correct and have no unintended consequences for the power grid.” FERC, she noted, can direct the organization to produce a standard if it deems it necessary.
However, for those who want more action, the only way forward could be an act of Congress, Wellinghoff said.
“Encouraging people to do things doesn’t get it done,” he said. “You have to give someone the authority to actually do something. You have to give someone the authority to write an ordinance, make it and require it to be enforced, oversee it and enforce it.”
But Chatterjee said he wasn’t sure if a significant standard change would be necessary. He said private companies are effectively encouraged to trade for fear that an attack could affect stock prices. He said simple solutions, such as adding concrete walls instead of chain link fences, could be a big step forward.
“We have to trust that these actors know what to do to protect their systems,” he said. “Standards are part of it, but they’re not everything.”
CORRECTION (December 7, 2022, 9:24 PM ET): An earlier version of this article misrepresented the last name of a former chairman of the Federal Energy Regulatory Commission. He’s Neil Chatterjee, not Chatterly.