Electrical grid security in the United States involves the physical and cybersecurity of the United States electrical grid. The smart grid allows energy customers and energy providers to more efficiently manage and generate electricity. Similar to other new technologies, the smart grid also introduces new security concerns.[1]
The electric utility industry in the U.S. leads several initiatives to help protect the national electric grid from threats. The industry partners with the federal government, particularly the National Institute of Standards and Technology, the North American Electric Reliability Corporation, and federal intelligence and law enforcement agencies.[2]
From the 2000s through to the 2020s, the security of the U.S. electrical grid has come into question. Government officials have expressed concern with the possibility of violent extremists and agents of foreign states attacking the nation's electrical grid. Cybersecurity is also an issue for electric grid security in the United States with financially motivated crimes being more common than terrorist ones.[3]
The North American electrical power grid is a highly connected system. The ongoing modernization of the grid is generally referred to as the "smart grid". Reliability and efficiency are two key drivers of the development of the smart grid. Another example is the ability for the electrical system to incorporate renewable energy sources such as wind power and geothermal power. One of the key issues for electric grid security is that these ongoing improvements and modernizations have created more risk to the system. As an example, one risk specifically comes from the integration of digital communications and computer infrastructure with the existing physical infrastructure of the power grid.[4]
In the 2010s and 2020s, attacks to the United States electrical grid have become more frequent, with 2022 being the year with the most attacks.[5] Since 2014, vandalism and confirmed or suspected physical attacks on electrical grid infrastructure have also been the second-largest cause of electrical disturbance events.[6]
In 2012, the National Research Council of the National Academies of Sciences, Engineering, and Medicine published a declassified report prepared in 2007 for the Department of Homeland Security that highlighted the vulnerability of the national electric grid from damage to high voltage transformers.[7]
In October 2022, the FBI published a report that described an increase in reported threats to critical infrastructure from people who espouse "racially or ethnically motivated violent extremist ideology", with an aim of creating civil disorder and inspiring further violence.[8]
In a report concerning extremist threats, the Department of Homeland Security made note of a Telegram document that gave instructions for low-tech sabotage, including attacks on electrical power stations with rifles. The document circulated among online white nationalist communities, which advocate the toppling of the U.S. government.[9] [10]
The threat of potential electrical grid cyberattacks by foreign states such as Russia has also been area of concern for electrical grid security.[11] [12]
In the U.S., the Federal Energy Regulatory Commission (FERC) is in charge of the cybersecurity standards for the bulk power system. The system includes systems necessary for operating the interconnected grid.[13] However, Ted Koppel argues that the industry has blocked any significant oversight for decades, with only miniscule fines being levied for failing to comply with relatively lax standards as of the early 2010's.[14]
Investor-owned utilities operate under a different authority, state public utility commissions. This falls outside of FERC's jurisdiction.
The initiation of government oversight of the American Bulk Electric System (BES) occurred after two incidents led the government to investigate further the causes of the 1965 North East Blackout alongside another small blackout in 1967 at the Pennsylvania New Jersey Maryland (PJM) interconnection. These two incidents prompted US Congress to initiate legislation focused on increased oversight of the electric power system, ultimately leading to the Electric Power Reliability Act of 1967. In 1968, the National Electric Reliability Council (NERC) was formed after 12 regional organizations signed an agreement spanning the United States and parts of Canada.[15] NERC is still around today, yet its name has changed a little, and it is now called the North American Electric Reliability Corporation (NERC). Shortly after this, in 1971, each region had its own Regional Reliability Council, which was in place to ensure collaboration and reliability of the BES, each having a member who served on the NERC board. The landscape changed in 1971 when 4 of the regionals combined to make one large region known as the Southeastern Electric Reliability Council (SERC), dropping the number of areas from 12 to 9.
In 1997, the first set of Operating and Planning Standards was approved by the NERC board, which started the implementation of certifications and standards to ensure the reliability of the American BES. While security and reliability efforts ramped up after the 9/11 terrorist attacks, it wasn’t until 2003 that a massive blackout occurred in the Eastern Interconnection, leaving 500,000 people without power. During the investigation, NERC determined that their reliability standards were not being upheld and revamped them by creating reliability standards that were now enforceable. The Reliability Standard was approved in December 2004 and became effective in April 2005.
The Energy Policy Act 2005 was finalized and signed into law in August 2005. Section 215 authorized the Federal Energy Reliability Commission to certify and provide oversight of one Electric Reliability Organization responsible for the mandatory enforcement of the NERC Reliability standards. NERC then applied to FERC for certification in April 2006 and was certified in July 2006. In 2007, NERC provided regional delegation for enforcement to eight regional entities: Florida Reliability Coordinating Council; Midwest Reliability Organization; Northeast Power Coordinating Council: Cross Border Regional Entity, Inc.; Reliability First Corporation; SERC Reliability Corporation; Southwest Power Pool, Inc.; Texas Reliability Entity, a division of ERCOT; and Western Electricity Coordinating Council. This led to what is now known as the NERC Critical Infrastructure Protection Standards being approved by FERC in June of 2007. As of 2024, there are six regional entities, including the Midwest Reliability Organization, Reliability First, Northeast Power Coordinating Council, Texas Reliability Entity, Western Electricity Coordinating Council, and the SERC Reliability Corporation. Since their creation, these regional entities have ensured the reliability and security of the American BES by enforcing the mandatory NERC CIP standards. Throughout the years, the standards have evolved to meet the changing threat landscape of cyber and the risks facing the operational side of the BES yet continue towards the same mission of maintaining the security and reliability of the BES.
In his 2015 book, Ted Koppel argues that all utilities, but especially smaller ones, do not truly air-gap their operations from the internet, leaving significant attack surfaces.
In 2016, members of the Russian hacker organization "Grizzly Steppe" infiltrated the computer system of a Vermont utility company, Burlington Electric, exposing the vulnerability of the nation's electric grid to attacks. The hackers did not disrupt the state's electric grid, however. Burlington Electric discovered malware code in a computer system that was not connected to the grid.[16]
As of 2018, two evolutions are taking place in the power economic sector. These evolutions could make it harder for utilities to defend from a cyber threat. First, hackers have become more sophisticated in their attempts to disrupt electric grids. "Attacks are more targeted, including spear phishing efforts aimed at individuals, and are shifting from corporate networks to include industrial control systems."[17] Second, the grid is becoming more and more distributed and connected. The growing "Internet of Things" world could make it so that every device could be a potential vulnerability.
As of 2006, over 200,000 miles of transmission lines that are 230 kV or higher existed in the United States. The main problem is that it is impossible to secure the whole system from terrorist attacks. The scenario of such a terrorist attack, however, would be minimal because it would only disrupt a small portion of the overall grid. For example, an attack that destroys a regional transmission tower would only have a temporary impact. The modern-day electric grid system is capable of restoring equipment that is damaged by natural disasters such as tornadoes, hurricanes, ice storms, and earthquakes in a generally short period of time. This is due to the resiliency of the national grid to such events. "It would be difficult for even a well-organized large group of terrorists to cause the physical damage of a small- to moderate-scale tornado."[18]
Today the utility industry is advancing cybersecurity with a series of initiatives. They are partnering with federal agencies. The goal is to improve sector-wide resilience to both physical and cyber threats. The industry is also working with National Institute of Standards and Technology, the North American Electric Reliability Corporation, and federal intelligence and law enforcement agencies.[19]
In 2017, electric companies spent $57.2 billion on grid security.[20]
In September 2018, Brien Sheahan, chairman and CEO of the Illinois Commerce Commission and a member of the U.S. Department of Energy (DOE) Nuclear Energy Advisory Committee, and Robert Powelson, a former Federal Energy Regulatory Commission (FERC) commissioner, wrote in a published piece in Utility Dive that cyberthreats to the national power system require stronger national standards and more collaboration between levels of government. Recent to their article, the U.S. Department of Homeland Security confirmed that Russian hackers targeted the control room's of American public utilities. The electric distribution system has become more and more networked together and interconnected. Critical public services depend on the system: water delivery, financial institutions, hospitals, and public safety. To prevent disruption to the network, Sheahan and Powelson recommended national standards and collaboration between federal and state energy regulators.[21]
Some utility companies have cybersecurity-specific practices or teams. Baltimore Gas and Electric conducts regular drills with its employees. It also shares cyber-threat related information with industry and government partners. Duke Energy put together a corporate incident response team that is devoted to cybersecurity 24 hours a day. The unit works closely with government emergency management and law enforcement.
Some states have cybersecurity procedures and practices:
In December 2018, U.S. Senators Cory Gardner and Michael Bennet introduced legislation intended to improve grid security nation-wide. The bills would create a $90 million fund that would be distributed to states to develop energy security plans. The legislation would also require the U.S. Energy Department to identify any vulnerabilities to cyberattacks in the nation's electrical power grid.[22]
In March 2019, Donald Trump issued an executive order that directed federal agencies to prepare for attacks involving an electromagnetic pulse.[23] In May 2020, he issued an executive order that bans the use of grid equipment manufactured by a foreign adversary.[24] [25]
The Electricity Subsector Coordinating Council (ESCC) is the main liaison organization between the federal government and the electric power industry. Its mission is to coordinate efforts to prepare for, and respond to, national-level disasters or threats to critical infrastructure. The ESCC is composed of electric company CEOs and trade association leaders from all segments of the industry. Its federal government counterparts include senior administration officials from the White House, relevant cabinet agencies, federal law enforcement, and national security organizations. [26]
In March and April of 1975, a "closely guarded" Pacific Gas and Electric substation was bombed twice in two separate incidents, knocking out power to more than 22,000 customers. The New World Liberation Front (NWLF) took credit for these attacks.[27]
On 31 December 1975, an electrical substation in Seattle, Washington was bombed by the George Jackson Brigade.[28]
Multiple attacks on electrical infrastructure were carried out by Jason Woodring in Central Arkansas between August and October 2013. Woodring attacked power lines and an electrical tower near Cabot, a switching station in Scott, and power lines and poles in Jacksonville.[29] [30] [31] [32]
See main article: Metcalf sniper attack.
In 2016 a Utah man attacked a substation with a rifle. He was convicted and sentenced to federal prison. Court documents indicated that he had planned to attack other stations as well.[33] [30] [32] [31]
In 2016, members of the Russian hacker organization Grizzly Steppe infiltrated the computer system of a Vermont utility company, Burlington Electric, but did not disrupt the state's electric grid. Burlington Electric discovered malware code in a computer system that was not connected to the grid.[34]
On November 11, 2022, an electrical distribution substation belonging to Carteret-Craven Electric Cooperative in North Carolina was damaged by vandals. The damage resulted in the loss of electrical power to more than 12,000 residents.[35] [36] [37] [38]
At least six attacks were carried out against electrical infrastructure in the Pacific Northwest in late November, 2022. Two of the incidents involved firearms.[39]
See main article: Moore County substation attack.
Four power substations in the Tacoma, Washington area were vandalized on the morning of December 25, 2022. At one point, over 14,000 were without power.[40] The damage has been estimated at $3 million to repair, and is expected to take up to three years to complete.
Two men with previous criminal records of thefts were arrested on January 3, with the reported motive being to cut the power to serve as part of a wider plan to burglarize several businesses in the area.[41] [42]