This article appears to be slanted towards recent events.(December 2022) |
Electrical grid security in the United States involves the physical and cybersecurity of the United States electrical grid. The smart grid allows energy customers and energy providers to more efficiently manage and generate electricity. Similar to other new technologies, the smart grid also introduces new security concerns. [1]
The electric utility industry in the U.S. leads several initiatives to help protect the national electric grid from threats. The industry partners with the federal government, particularly the National Institute of Standards and Technology, the North American Electric Reliability Corporation, and federal intelligence and law enforcement agencies. [2]
From the 2000s through to the 2020s, the security of the U.S. electrical grid has come into question. Government officials have expressed concern with the possibility of violent extremists and agents of foreign states attacking the nation's electrical grid. [3] [4] Cybersecurity is also an issue for electric grid security in the United States with financially motivated crimes being more common than terrorist ones. [5]
The North American electrical power grid is a highly connected system. The ongoing modernization of the grid is generally referred to as the "smart grid". Reliability and efficiency are two key drivers of the development of the smart grid. Another example is the ability for the electrical system to incorporate renewable energy sources such as wind power and geothermal power. One of the key issues for electric grid security is that these ongoing improvements and modernizations have created more risk to the system. As an example, one risk specifically comes from the integration of digital communications and computer infrastructure with the existing physical infrastructure of the power grid. [6]
In the 2010s and 2020s, attacks to the United States electrical grid have become more frequent, with 2022 being the year with the most attacks. [7] Since 2014, vandalism and confirmed or suspected physical attacks on electrical grid infrastructure have also been the second-largest cause of electrical disturbance events. [8]
In 2012, the National Research Council of the National Academies of Sciences, Engineering, and Medicine published a declassified report prepared in 2007 for the Department of Homeland Security that highlighted the vulnerability of the national electric grid from damage to high voltage transformers. [9]
In October 2022, the FBI published a report that described an increase in reported threats to critical infrastructure from people who espouse "racially or ethnically motivated violent extremist ideology", with an aim of creating civil disorder and inspiring further violence. [10]
In a report concerning extremist threats, the Department of Homeland Security made note of a Telegram document that gave instructions for low-tech sabotage, including attacks on electrical power stations with rifles. The document circulated among online white nationalist communities, which advocate the toppling of the U.S. government. [3] [4]
The threat of potential electrical grid cyberattacks by foreign states such as Russia has also been area of concern for electrical grid security. [11] [12]
In the U.S., the Federal Energy Regulatory Commission (FERC) is in charge of the cybersecurity standards for the bulk power system. The system includes systems necessary for operating the interconnected grid. [13] However, Ted Koppel argues that the industry has blocked any significant oversight for decades, with only minuscule fines being levied for failing to comply with relatively lax standards as of the early 2010s. [14]
Investor-owned utilities operate under a different authority, state public utility commissions. This falls outside of FERC's jurisdiction. [13]
The initiation of government oversight of the American Bulk Electric System (BES) occurred after two incidents led the government to investigate further the causes of the 1965 North East Blackout alongside another small blackout in 1967 at the Pennsylvania New Jersey Maryland (PJM) interconnection. [15] [ page needed ] These two incidents prompted US Congress to initiate legislation focused on increased oversight of the electric power system, ultimately leading to the Electric Power Reliability Act of 1967. In 1968, the National Electric Reliability Council (NERC) was formed after 12 regional organizations signed an agreement spanning the United States and parts of Canada. [15] [ page needed ] NERC is still around today, yet its name has changed a little, and it is now called the North American Electric Reliability Corporation (NERC). Shortly after this, in 1971, each region had its own Regional Reliability Council, which was in place to ensure collaboration and reliability of the BES, each having a member who served on the NERC board. [15] [ page needed ] The landscape changed in 1971 when 4 of the regionals combined to make one large region known as the Southeastern Electric Reliability Council (SERC), dropping the number of areas from 12 to 9.
In 1997, the first set of Operating and Planning Standards was approved by the NERC board, which started the implementation of certifications and standards to ensure the reliability of the American BES. [15] [ page needed ] While security and reliability efforts ramped up after the 9/11 terrorist attacks, it wasn’t until 2003 that a massive blackout occurred in the Eastern Interconnection, leaving 500,000 people without power. During the investigation, NERC determined that their reliability standards were not being upheld and revamped them by creating reliability standards that were now enforceable. [15] [ page needed ] The Reliability Standard was approved in December 2004 and became effective in April 2005.
The Energy Policy Act 2005 was finalized and signed into law in August 2005. Section 215 authorized the Federal Energy Reliability Commission to certify and provide oversight of one Electric Reliability Organization responsible for the mandatory enforcement of the NERC Reliability standards. [15] [ page needed ] NERC then applied to FERC for certification in April 2006 and was certified in July 2006. In 2007, NERC provided regional delegation for enforcement to eight regional entities: Florida Reliability Coordinating Council; Midwest Reliability Organization; Northeast Power Coordinating Council: Cross Border Regional Entity, Inc.; Reliability First Corporation; SERC Reliability Corporation; Southwest Power Pool, Inc.; Texas Reliability Entity, a division of ERCOT; and Western Electricity Coordinating Council. [15] [ page needed ] This led to what is now known as the NERC Critical Infrastructure Protection Standards being approved by FERC in June of 2007. As of 2024, there are six regional entities, including the Midwest Reliability Organization, Reliability First, Northeast Power Coordinating Council, Texas Reliability Entity, Western Electricity Coordinating Council, and the SERC Reliability Corporation. [16] Since their creation, these regional entities have ensured the reliability and security of the American BES by enforcing the mandatory NERC CIP standards. [16] Throughout the years, the standards have evolved to meet the changing threat landscape of cyber and the risks facing the operational side of the BES yet continue towards the same mission of maintaining the security and reliability of the BES. [16]
In his 2015 book, Ted Koppel argues that all utilities, but especially smaller ones, do not truly air-gap their operations from the internet, leaving significant attack surfaces. [14]
In 2016, members of the Russian hacker organization "Grizzly Steppe" infiltrated the computer system of a Vermont utility company, Burlington Electric, exposing the vulnerability of the nation's electric grid to attacks. The hackers did not disrupt the state's electric grid, however. Burlington Electric discovered malware code in a computer system that was not connected to the grid. [17]
As of 2018, two evolutions are taking place in the power economic sector. These evolutions could make it harder for utilities to defend from a cyber threat. First, hackers have become more sophisticated in their attempts to disrupt electric grids. "Attacks are more targeted, including spear phishing efforts aimed at individuals, and are shifting from corporate networks to include industrial control systems." [18] Second, the grid is becoming more and more distributed and connected. The growing "Internet of Things" world could make it so that every device could be a potential vulnerability. [18]
As of 2006, over 200,000 miles of transmission lines that are 230 kV or higher existed in the United States. The main problem is that it is impossible to secure the whole system from terrorist attacks. The scenario of such a terrorist attack, however, would be minimal because it would only disrupt a small portion of the overall grid. For example, an attack that destroys a regional transmission tower would only have a temporary impact. The modern-day electric grid system is capable of restoring equipment that is damaged by natural disasters such as tornadoes, hurricanes, ice storms, and earthquakes in a generally short period of time. This is due to the resiliency of the national grid to such events. "It would be difficult for even a well-organized large group of terrorists to cause the physical damage of a small- to moderate-scale tornado." [19]
Today the utility industry is advancing cybersecurity with a series of initiatives. They are partnering with federal agencies. The goal is to improve sector-wide resilience to both physical and cyber threats. The industry is also working with National Institute of Standards and Technology, the North American Electric Reliability Corporation, and federal intelligence and law enforcement agencies. [20]
In 2017, electric companies spent $57.2 billion on grid security. [21]
In September 2018, Brien Sheahan, chairman and CEO of the Illinois Commerce Commission and a member of the U.S. Department of Energy (DOE) Nuclear Energy Advisory Committee, and Robert Powelson, a former Federal Energy Regulatory Commission (FERC) commissioner, wrote in a published piece in Utility Dive that cyberthreats to the national power system require stronger national standards and more collaboration between levels of government. Recent to their article, the U.S. Department of Homeland Security confirmed that Russian hackers targeted the control room's of American public utilities. The electric distribution system has become more and more networked together and interconnected. Critical public services depend on the system: water delivery, financial institutions, hospitals, and public safety. To prevent disruption to the network, Sheahan and Powelson recommended national standards and collaboration between federal and state energy regulators. [22]
Some utility companies have cybersecurity-specific practices or teams. Baltimore Gas and Electric conducts regular drills with its employees. It also shares cyber-threat related information with industry and government partners. Duke Energy put together a corporate incident response team that is devoted to cybersecurity 24 hours a day. The unit works closely with government emergency management and law enforcement. [13]
Some states have cybersecurity procedures and practices: [13]
In December 2018, U.S. Senators Cory Gardner and Michael Bennet introduced legislation intended to improve grid security nation-wide. The bills would create a $90 million fund that would be distributed to states to develop energy security plans. The legislation would also require the U.S. Energy Department to identify any vulnerabilities to cyberattacks in the nation's electrical power grid. [23]
In March 2019, Donald Trump issued an executive order that directed federal agencies to prepare for attacks involving an electromagnetic pulse. [24] In May 2020, he issued an executive order that bans the use of grid equipment manufactured by a foreign adversary. [25] [26]
The Electricity Subsector Coordinating Council (ESCC) is the main liaison organization between the federal government and the electric power industry. Its mission is to coordinate efforts to prepare for, and respond to, national-level disasters or threats to critical infrastructure. The ESCC is composed of electric company CEOs and trade association leaders from all segments of the industry. Its federal government counterparts include senior administration officials from the White House, relevant cabinet agencies, federal law enforcement, and national security organizations. [16]
In March and April of 1975, a "closely guarded" Pacific Gas and Electric substation was bombed twice in two separate incidents, knocking out power to more than 22,000 customers. The New World Liberation Front (NWLF) took credit for these attacks. [27]
On 31 December 1975, an electrical substation in Seattle, Washington was bombed by the George Jackson Brigade. [28]
Multiple attacks on electrical infrastructure were carried out by Jason Woodring in Central Arkansas between August and October 2013. Woodring attacked power lines and an electrical tower near Cabot, a switching station in Scott, and power lines and poles in Jacksonville. [29] [30] [31] [32]
Metcalf sniper attack | |
---|---|
Location | Coyote, California, U.S. |
Date | April 16, 2013 12:58 – 1:50 a.m. (PDT) |
Target | PG&E Metcalf substation |
Attack type | Sabotage |
Weapons | 7.62×39mm rifles |
On April 16, 2013, an attack was carried out on Pacific Gas and Electric Company's Metcalf transmission substation in Coyote, California, near the border of San Jose. The attack, in which gunmen fired on 17 electrical transformers, resulted in more than $15 million worth of equipment damage, but it had little impact on the station's electrical power supply. [33] [34] [35]
In 2016 a Utah man attacked a substation with a rifle. He was convicted and sentenced to federal prison. Court documents indicated that he had planned to attack other stations as well. [36] [30] [32] [31]
In 2016, members of the Russian hacker organization Grizzly Steppe infiltrated the computer system of a Vermont utility company, Burlington Electric, but did not disrupt the state's electric grid. Burlington Electric discovered malware code in a computer system that was not connected to the grid. [37]
On November 11, 2022, an electrical distribution substation belonging to Carteret-Craven Electric Cooperative in North Carolina was damaged by vandals. The damage resulted in the loss of electrical power to more than 12,000 residents. [38] [39] [40] [41]
At least six attacks were carried out against electrical infrastructure in the Pacific Northwest in late November, 2022. Two of the incidents involved firearms. [42]
Moore County substation attack | |
---|---|
Location | Moore County, North Carolina, U.S. |
Date | December 3, 2022 c. 7:00 p.m. (EST) |
Target | Duke Energy substations |
Attack type | Sabotage |
Weapons | Firearms |
Deaths | 1 |
On 3 December 2022, a shooting attack was carried out on two electrical distribution substations located in Moore County, North Carolina, United States. Damage from the attack left up to 40,000 residential and business customers without electrical power. Initial estimates were that up to four days could be required to fully restore power in the area. A state of emergency and corresponding curfew were enacted by local government officials in the wake of the incident. [43]
Four power substations in the Tacoma, Washington area were vandalized on the morning of December 25, 2022. At one point, over 14,000 were without power. [44] The damage has been estimated at $3 million to repair, and is expected to take up to three years to complete. [45]
Two men with previous criminal records of thefts were arrested on January 3, with the reported motive being to cut the power to serve as part of a wider plan to burglarize several businesses in the area. [45] [46]
The North American Electric Reliability Corporation (NERC) is a nonprofit corporation based in Atlanta, Georgia, and formed on March 28, 2006, as the successor to the North American Electric Reliability Council. The original NERC was formed on June 1, 1968, by the electric utility industry to promote the reliability and adequacy of bulk power transmission in the electric utility systems of North America. NERC's mission states that it "is to assure the effective and efficient reduction of risks to the reliability and security of the grid".
The electric power industry covers the generation, transmission, distribution and sale of electric power to the general public and industry. The commercial distribution of electric power started in 1882 when electricity was produced for electric lighting. In the 1880s and 1890s, growing economic and safety concerns lead to the regulation of the industry. What was once an expensive novelty limited to the most densely populated areas, reliable and economical electric power has become an essential aspect for normal operation of all elements of developed economies.
Southern California Edison (SCE), the largest subsidiary of Edison International, is the primary electric utility company for much of Southern California. It provides 15 million people with electricity across a service territory of approximately 50,000 square miles.
A regional transmission organization (RTO) in the United States is an electric power transmission system operator (TSO) that coordinates, controls, and monitors a multi-state electric grid. The transfer of electricity between states is considered interstate commerce, and electric grids spanning multiple states are therefore regulated by the Federal Energy Regulatory Commission (FERC). The voluntary creation of RTOs was initiated by FERC in December 1999. The purpose of the RTO is to promote economic efficiency, reliability, and non-discriminatory practices while reducing government oversight.
Information security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.
Power system protection is a branch of electrical power engineering that deals with the protection of electrical power systems from faults through the disconnection of faulted parts from the rest of the electrical network. The objective of a protection scheme is to keep the power system stable by isolating only the components that are under fault, whilst leaving as much of the network as possible in operation. The devices that are used to protect the power systems from faults are called protection devices.
Infrastructure security is the security provided to protect infrastructure, especially critical infrastructure, such as airports, highways rail transport, hospitals, bridges, transport hubs, network communications, media, the electricity grid, dams, power plants, seaports, oil refineries, liquefied natural gas terminals and water systems. Infrastructure security seeks to limit vulnerability of these structures and systems to sabotage, terrorism, and contamination.
The Western Electricity Coordinating Council (WECC) promotes Bulk Electric System (BES) reliability for the entire Western Interconnection system. WECC is the Regional Entity responsible for compliance monitoring and enforcement. In addition, WECC provides an environment for the development of Reliability Standards and the coordination of the operating and planning activities of its members as set forth in the WECC Bylaws.
Southwest Power Pool (SPP) manages the electric grid and wholesale power market for the central United States. As a regional transmission organization, the nonprofit corporation is mandated by the Federal Energy Regulatory Commission to ensure reliable supplies of power, adequate transmission infrastructure and competitive wholesale electricity prices. Southwest Power Pool and its member companies coordinate the flow of electricity across approximately 60,000 miles of high-voltage transmission lines spanning 14 states. The company is headquartered in Little Rock, Arkansas.
The smart grid is an enhancement of the 20th century electrical grid, using two-way communications and distributed so-called intelligent devices. Two-way flows of electricity and information could improve the delivery network. Research is mainly focused on three systems of a smart grid – the infrastructure system, the management system, and the protection system. Electronic power conditioning and control of the production and distribution of electricity are important aspects of the smart grid.
Cyberwarfare by Russia includes denial of service attacks, hacker attacks, dissemination of disinformation and propaganda, participation of state-sponsored teams in political blogs, internet surveillance using SORM technology, persecution of cyber-dissidents and other active measures. According to investigative journalist Andrei Soldatov, some of these activities were coordinated by the Russian signals intelligence, which was part of the FSB and formerly a part of the 16th KGB department. An analysis by the Defense Intelligence Agency in 2017 outlines Russia's view of "Information Countermeasures" or IPb as "strategically decisive and critically important to control its domestic populace and influence adversary states", dividing 'Information Countermeasures' into two categories of "Informational-Technical" and "Informational-Psychological" groups. The former encompasses network operations relating to defense, attack, and exploitation and the latter to "attempts to change people's behavior or beliefs in favor of Russian governmental objectives."
Smart grid policy in the United States refers to legislation and other governmental orders influencing the development of smart grids in the United States.
On April 16, 2013, an attack was carried out on Pacific Gas and Electric Company's Metcalf transmission substation in Coyote, California, near the border of San Jose. The attack, in which gunmen fired on 17 electrical transformers, resulted in more than $15 million worth of equipment damage, but it had little impact on the station's electrical power supply.
The electrical power grid that powers Northern America is not a single grid, but is instead divided into multiple wide area synchronous grids. The Eastern Interconnection and the Western Interconnection are the largest. Three other regions include the Texas Interconnection, the Quebec Interconnection, and the Alaska Interconnection. Each region delivers power at a nominal 60 Hz frequency.
On December 23, 2015, the power grid in two western oblasts of Ukraine was hacked, which resulted in power outages for roughly 230,000 consumers in Ukraine for 1-6 hours. The attack took place during the ongoing Russo-Ukrainian War (2014-present) and is attributed to a Russian advanced persistent threat group known as "Sandworm". It is the first publicly acknowledged successful cyberattack on a power grid.
Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut a fifth of Kyiv, the capital, off power for one hour and is considered to have been a large-scale test. The Kyiv incident was the second cyberattack on Ukraine's power grid in two years. The first attack occurred on December 23, 2015. Industroyer is the first ever known malware specifically designed to attack electrical grids. At the same time, it is the fourth malware publicly revealed to target industrial control systems, after Stuxnet, Havex, and BlackEnergy.
Sandworm is an advanced persistent threat operated by Military Unit 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service. Other names for the group, given by cybersecurity researchers, include Telebots, Voodoo Bear, IRIDIUM, Seashell Blizzard, and Iron Viking.
A regional entity (RE) in the North American power transmission grid is a regional organization representing all segments of the electric industry: electric utilities, federal agencies, independent power producers, power market operators, and end-users of the energy. North American Electric Reliability Corporation (NERC) delegates to REs authority to enforce reliability standards, collectively REs, together with NERC, are known as an "ERO Enterprise".
Power resilience refers to a company's ability to adapt to power outages. Frequent outages have forced businesses to take into account the "cost of not having access to power" in addition to the traditional "cost of power". Climate-related issues have intensified the attention on energy sustainability and resilience. In the United States, electric utility firms have registered over 2500 significant power outages since 2002, with almost half of them attributed to weather events, including storms, hurricanes, and other unspecified severe weather occurrences. These incidents often lead to significant economic losses.
Once a cyberattack has been initiated, certain targets need to be attacked to cripple the opponent. Certain infrastructures as targets have been highlighted as critical infrastructures in times of conflict that can severely cripple a nation. Control systems, energy resources, finance, telecommunications, transportation, and water facilities are seen as critical infrastructure targets during conflict. A new report on the industrial cybersecurity problems, produced by the British Columbia Institute of Technology, and the PA Consulting Group, using data from as far back as 1981, reportedly has found a 10-fold increase in the number of successful cyber attacks on infrastructure Supervisory Control and Data Acquisition (SCADA) systems since 2000. Cyberattacks that have an adverse physical effect are known as cyber-physical attacks.