Today, I was emailing with a reporter about my post on the North Carolina substation attacks, when I saw this article that had been linked in the Utility Dive newsletter (which I normally open as soon as it hits my inbox). It seems that NC might not have been an isolated incident after all. You should read the whole article, but IMHO the executive summary is these two paragraphs:
“Power companies in Oregon and
Washington have reported physical attacks on substations using handtools,
arson, firearms and metal chains possibly in response to an online call for
attacks on critical infrastructure,” the memo states.
The aim, according to the memo, is
“violent anti-government criminal activity.”
Another:
The department wrote that attackers
would be unlikely to produce widespread, multistate outages without inside
help. But its report cautioned that an attack could still do damage and cause
injuries.
Of course, we’re not talking about
multistate outages. A multi-day, multistate outage might be a catastrophe with
loss of life, especially if there were a big city in one of those states (see
Ted Koppel’s Lights Out, which very eloquently describes what would
happen if there were a multistate outage that lasted more than a few days).
What’s unfortunate is that Ted let someone persuade him that he should sell the
book as being about the effects of a cyberattack on the grid, when in fact
exactly the same results would occur, no matter what the cause. The book is an
easy read and still definitely worth it, years after it came out.
But an attack that could “do damage
and cause injuries” is a good description of what happened in NC. It certainly
caused damage, and people were injured, in car crashes if nothing else. We
may hear later about people on oxygen at home, etc. who were victims as well.
An extended power outage is always a big problem.
Finally:
The targets also present an
increasing challenge to secure because attackers don’t always have to get as
close as they did in North Carolina in order to do damage, Southers said. With
the right rifle, skill and line of sight a sniper could take a shot from as far
as 1,500 meters (about 4,900 feet) away.
That’s quite interesting. If line
of sight is a problem (which it definitely was with the Metcalf attack), then
that will require fairly big, expensive fences.
Unfortunately, as I told the
reporter today, it will be impossible to prevent attacks like this without huge
expenditures (unless there’s a good way to triage substations for degree of
risk, which I’m not sure is the case here). One thing I suggested is that,
since this is obviously a national problem, the feds should finally step in and
pay for the mitigations themselves, rather than dump all the cost on the
utilities and especially their ratepayers. Leaving the cost with the utilities
has been for the most part the practice so far, when it comes to both physical
and cybersecurity, but it’s time to acknowledge this is a national problem.
P.S. After I wrote the above post, I prepared a summary of my ideas for the reporter, but she never used it. Here is what I wrote:
Physical attacks on power substations are almost impossible
to prevent. The biggest reason is that substations are deliberately located as
far as possible from concentrations of people like cities and towns, although
that can never be completely avoided. They also have to be open to the air,
since transformers generate huge quantities of heat that need to be dissipated.
It’s certainly possible to have guards, walls, cameras, high-bandwidth
communications, etc. at every substation. However, the cost of that would be
huge and would have to be borne by the ratepayers. In some cases, like
substations that serve military bases or hospitals, the cost may be justified.
What was most disturbing about the North Carolina attacks
was that the attackers were able to cause a widespread, prolonged outage. Those
should never occur anywhere in the US, although they’re unavoidable in huge
events like hurricanes. The grid is supposed to have enough redundancy that,
even if one or two substations or generating plants are taken out, nobody will
lose power at all – or if they do, it will be brief and/or confined to a
relatively small area. That obviously wasn’t the case with these attacks, and
that will probably be the subject of the inevitable investigations by state and
federal regulators.
The news that just broke about substations in Washington State and Oregon having been attacked in a similar fashion by extremist groups raises the question whether the North Carolina attacks were just the tip of the spear. If this is really a national problem, I think the federal government should step in to help power utilities create an appropriate level of physical hardening in most substations, or at least those above a certain threshold of criticality. In addition, changes may need to be made to the power system itself, to prevent any more successful attacks from causing widespread or prolonged outages.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would
like to comment on what you have read here, I would love to hear from you.
Please email me at tom@tomalrich.com.