In April of 2013, unknown parties used a high-powered rifle to shoot out seventeen transformers at a San Jose substation—but only after cutting the fiber optic cables alerting 911 emergency centers.
A prescient 2007 report by the National Academy of Sciences foresaw this grid attack, but the report’s release was suppressed by security classification at the Department of Homeland Security. Only recently has the national media begun to cover the San Jose substation attack and its implications for national security.
Most Americans probably don’t know that standards for protection of electric grid facilities against terrorist attack are set not by the federal government, but by an electric power industry consortium located in Atlanta, Georgia: the North American Electric Reliability Corporation, or “NERC,” as it is called by industry insiders.
NERC had spent years developing a standard for physical protection of transformer substations, but this effort was cancelled after the San Jose attack. For NERC and the electric utilities that control its governance, avoiding regulation looks to be more important than protecting against terrorists.
In November of last year, NERC sponsored its second voluntary “GridEx” grid security exercise.
Southern California Edison, Pacific Gas and Electric, and other major utilities nationwide simulated cyber and physical attacks on the electric grid. In the make-believe world of GridEx II, Internet service and telecommunications among electric utilities and their control centers worked perfectly throughout the simulated three-day exercise.
In the real world, utilities are dependent on commercial telecommunications equipment with on-site backup power that will be depleted within a few hours. GridEx II and other industry “work-around procedures” serve as expedient substitutes for the hard work of developing needed federal grid regulation.
In 1965 and again in 2003, regional blackouts hit the Northeastern United States, causing deaths and severe economic disruption. At the time of the 2003 Northeast Blackout, regulation of electric grid reliability was purely voluntary.
Constituents pressured Congress to act, but electric utilities, concerned about their bottom lines, resisted formation of a federal regulator. In a compromise with industry, Congress converted a pre-existing trade association, the North American Electric Reliability Council, into a self-regulatory organization with the power to both set and enforce grid standards.
NERC remained a private corporation, governed by the vote of its membership. And as before, its membership consists mostly of private electric utility companies. In fact, seventy percent of NERC members are electric utilities.
One would expect that electric utilities would be reluctant to impose grid protection standards on themselves, especially when those standards might reduce profits and increase liability.
The NERC track record since designation as a self-regulatory organization in 2006 has borne this out. Even the simplest standards take years to develop and approve.
For example, an errant tree branch was one cause of the 2003 Northeast Blackout affecting 50 million people, but NERC took ten years to approve a standard for tree-trimming.
On more complicated standards, such as those for cyber security, NERC inserts technical loopholes and questionable self-exemptions. For example, a 2011 NERC survey found that three-quarters of large electric generation plants—those with capacity over 300 megawatts—exempted themselves from cyber security standards. The current tenuous cyber-protection standards took forty-three months to write and approve.
In 2012, the persistent authors of the initially classified National Academy of Sciences report, “Terrorism and the Electric Power Delivery System,” succeeded in obtaining its declassification. Page 1 states: “A terrorist attack on the power system would lack the dramatic impact of the attacks in New York, Madrid, or London. … But if it were carried out in a carefully planned way, by people who knew what they were doing, it could deny large regions of the country access to bulk system power for weeks or even months.”
California is the heart of America’s high-tech industry, filled with data centers that need highly reliable grid power. Local businesses and homes cannot tolerate an electricity transmission system vulnerable to outages lasting “weeks or months.”
Last April’s transformer substation attack in San Jose demonstrates that terrorist threats to the grid are real and that voluntary standards are insufficient.
Californians and the entire country need a federal regulator that will mandate electric grid security, not a private consortium controlled by the interests of its electric utility members.
Dr. George H. Baker is Professor Emeritus, James Madison University and directed the JMU Institute for Infrastructure and Information Assurance.
Thomas S. Popik is chairman of the Foundation for Resilient Societies.