IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

How Vulnerable Is America’s Power Grid?

The Metcalf incident is a wake-up call for better critical infrastructure protection.

America’s hooked on electricity. When we flip a switch, or often just walk into a room, the lights come on. We assume electricity will always be available to warm and cool our homes, prepare food, pump gasoline and power-up our fast-growing Internet of Things — from mobile devices to accessing data in the cloud.

Nevertheless, most of us think we know what it means to occasionally lose power. Personal stories from the Northeast Blackout of 2003 to major ice storms to Superstorm Sandy are not uncommon.

But is America really ready if the electric grid goes down?

Despite the fact that many scary storms have caused serious hardships, the resulting power outages typically lasted less than a few weeks for only a small section of the country. What if a deliberate attack on U.S. critical infrastructure caused power outages for many weeks or even months over a much wider area?  

How vulnerable is the grid?

For decades, electric industry experts have said the power grid is redundant and safe from attack. Up until April 2013, major physical or cyberattacks against the grid were seen mainly as exciting movie themes, but largely dismissed as unlikely by most industry experts.  

But a sophisticated physical attack on a Pacific Gas & Electric Co. power station in Metcalf, Calif., early on April 16, 2013, changed the assessment of our power grid’s vulnerability.  

According to American Thinker magazine, “The attackers apparently first slipped into an underground vault and expertly severed six AT&T fiber-optic telecommunication lines in a way that would make repair difficult. ... Then, a half hour later, the snipers began firing at the power station, destroying 17 giant transformers and six circuit breakers.”

What was the result of the attack? The Metcalf power station was down for 27 days and had damages estimated at $15.4 million. Fortunately the power supply to Silicon Valley was not disrupted because other power sources were used to make up for the loss.

As Peggy Noonan pointed out in her Wall Street Journal article: “Jon Wellinghoff, former chairman of the Federal Energy Regulatory Commission, said the attack ‘was the most significant incident of domestic terrorism involving the grid that has ever occurred.’ If the attack were replicated around the country, it could take down the entire electrical grid.”

But the most unnerving part of this story is that no suspects have been named in the case, and the overall incident is being called vandalism by law enforcement officials.

Sen. Chuck Schumer of New York wants to see additional security enhancements at power plants following the Metcalf incident. Schumer is asking for the Department of Homeland Security to work with the Federal Energy Regulatory Commission to create security standards that Congress would manage. He wrote a letter to the agencies asking officials to consider such standards.

How should CIOs respond?

So what’s to be done by public-sector CIOs and other government officials? There are numerous potential scenarios regarding cyber- and physical attacks harming the grid. Here are three steps to consider:

  1. Read and implement actions from the Framework for Improving Critical Infrastructure Cybersecurity. Take appropriate steps to ensure that protections are in place for your enterprise. Utilize available federal, state and local resources to ensure that projects are in place to strengthen key government asset protections, utilizing the “Identify, Protect, Detect, Respond and Recover” approaches.
  2. (Re) examine your disaster recovery and backup power options for key systems and data centers. Are your generators and uninterruptible power supplies tested and in working order? What is covered by backup power? Are fuel provisions in place to cover emergencies? Run drills and exercises to test your people, processes and technology.
  3. Work with the utilities and public service commissions in your region to ensure that information sharing is occurring and best practices are being implemented. Establish protocols using a model similar to Michigan’s Cyber Disruption Response Strategy to coordinate across public and private entities.
A final thought: Gen. George S. Patton once said, “Prepare for the unknown by studying how others in the past have coped with the unforeseeable and the unpredictable.”

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.