The U.S. electric grid, by virtue of its complexity and size, is vulnerable to both physical and cyber attacks, which have the potential to impact the United States in ways not currently imagined by many in the law enforcement profession. This article explains the threat, as well as the challenges involved in protecting the grid, and offers important tips to help law enforcement officials advocate for reforms and be prepared to respond to drastic impacts in their regions.
In October 2012, then-Defense Secretary Leon Panetta, one not known for rhetorical excess, warned that the United States was facing the possibility of a “cyber-Pearl Harbor” and was increasingly vulnerable as “capabilities are available in cyber to virtually cripple the country, to bring down the power grid… and to literally paralyze the country.”1 Secretary Panetta is among a growing list of distinguished leaders and experts who have expressed similar concerns about the exploitation of the United States’ vulnerable information technology infrastructure. Regardless, many law enforcement executives have yet to wrap their minds around the implications of these concerns. It is imperative that this condition change. The potential for dramatic impacts is clear. The connection to local law enforcement is equally clear.
A physical attack on a San Jose, California, power station in April 2013 gave a small taste of what Secretary Panetta envisioned. As was widely reported in mainstream media, suspects carried out an apparently well-coordinated attack on the station with a high-powered rifle following the cutting of critical fiber optic cables, which caused heavy damage, a statewide emergency alert to conserve energy, and a challenge for local police in communities in the southern portion of Silicon Valley. For several hours, 9-1-1 calls from landlines would not work, some Internet and wireless service was similarly impacted, and residents were told to go to the nearest fire station if they needed help.2
The fiber optic cable attack was similar to another incident four years earlier when tens of thousands of people in three Northern California counties in the same area lost landline, cell, and Internet service. In parts of the three counties, the attack essentially froze operations at hospitals, stores, banks, and police and fire departments that rely on 9-1-1 calls. In addition, computerized medical records, ATMs, and credit and debit card transactions were unavailable. Residents reported they couldn`t withdraw money, send text messages, check email or web sites, summon the police or ambulances or otherwise call for assistance, or check on the welfare of friends and relatives.3
These attacks demonstrated how knowledgeable individuals can cause widespread damage and potentially long-term regional impact. The degrading of the power grid or the U.S. information infrastructure would cripple a local and regional area, likely for days, if not much longer. While no one has yet been charged for the two attacks mentioned, they were conventional crimes in the sense that the damage required the physical presence of those responsible. Under any attack scenario, local law enforcement would be faced with immense, if not incalculable, challenges to provide for public safety and to address public order; however, an important additional lesson for law enforcement is that the attack methodology is changing.
Distance No Longer Matters
Advances in information technology have improved many facets of economies and personal lives. These advances have clearly enabled new capabilities and efficiencies in law enforcement, as well. But this progress has also brought significant new challenges and risks. Most importantly, it is essential that law enforcement fully understand that attacks can originate remotely in the information realm and produce the same result as attacks carried out in the physical world. Simply stated, an attack can be initiated from a computer and still cause physical damage to its target. In fact, today, an attack on critical infrastructure could be executed in 1/350 of a second from anywhere in the world.4 Technology has done away with the traditional need for criminals or terrorists to be present and have physical access to their target.
Of the many problems that confront law enforcement professionals, the criticality and resiliency of the electric grid is not likely one given much attention; at least not until law enforcement is confronted with the problems accompanying a loss of power, such as nearly occurred in California. Like other components of the U.S. critical infrastructure—banking and finance, transportation, communications, and emergency services—the electric grid is vital to the national and economic security of the United States and the well-being of its citizenry. Of these elements, the electric grid is the most important piece of the critical infrastructure because reliable service is essential to health, welfare, national security, communication, and commerce. Simply put, without electricity, the U.S. economy and way of life would be put at risk. This potential for disruption stands at a critical intersection of being a “national” issue with municipal and regional policing interests.
Protecting “The World’s Largest Integrated Machine”
The U.S. electric grid is composed of approximately 1,950 companies that generate electricity and transmit it across more than 200,000 miles of high-voltage lines and thousands of companies that distribute the transmitted electricity to consumers. “The National Academy of Engineering called the grid the world’s largest integrated machine and a central part of the greatest engineering achievement of the 20th century, [the] electrification of modern society.”5 Since it was originally designed to allow local companies to service local needs, it is noteworthy that “more than 90 percent of the U.S. power grid is privately owned and regulated by the states, making it challenging for the federal government to address potential vulnerabilities to its operation and, perhaps especially its vulnerability to terrorist [and other modern] attacks.”6
The first question law enforcement should ask is, how vulnerable is the electric grid in the United States to a cyber attack? In 2006, the Department of Energy’s Idaho National Laboratory’s “Aurora” test demonstrated that an attacker could remotely initiate a cyber intrusion through the Internet, hack into the control system of a 27-ton electric generator connected to the grid, and send commands that would cause the generator to self-destruct. Researchers performing the test were able to remotely change the operating cycle of the generator, sending it out of control.7
More than eight years after the Aurora test, the North American Electric Reliability Corporation (NERC), the organization responsible for proposing standards to protect and enhance the reliability of the electric grid, including cybersecurity standards, still has not proposed any reliability standard to remedy the Aurora vulnerability. One reason is that NERC’s Critical Infrastructure Protection standards apply only to assets identified by the utilities themselves as “critical.” In December 2008, NERC sponsored a self-certification of critical assets and critical cyber assets survey, only 29 percent of owners and operators of electric generation companies acknowledged possession of even a single critical asset.8 Hence, regardless of the serious implications of the Aurora vulnerability, if the individual utilities claim they have no critical assets, they cannot be compelled by NERC to make the investment necessary to fix the deficiency.
Nonetheless, many industry respondents to a 2013 questionnaire of utilities submitted by U.S. Congressmen Edward J. Markey and Henry A. Waxman reported “daily,” “constant,” or “frequent” attempted cyber attacks. One stated it was the target of approximately 10,000 attacks each month. More than one company said it was under a “constant state of attack” from malware distributed by entities seeking to gain access to internal operating systems.9 With attacks acknowledged at this level, clearly intruders view the targets as worthy of continued intrusion efforts.
In September 2011 testimony, all five commissioners of the Federal Energy Regulatory Commission (FERC)—an independent agency that regulates the interstate transmission of electricity, natural gas, and oil—agreed the threat of a cyber attack on the grid was the top threat to electricity reliability in the United States. They said they needed additional legal authority to mandate remediation of vulnerabilities in the grid.10
Independently, the grid’s vulnerability was further corroborated by a 2007 National Academy of Sciences report, declassified and released in November 2012, which found that physical damage by terrorists to large transformers could disrupt power to large regions of the United States and could take months to repair.11
In January 2013, then-FERC chairman, Jon Wellinghoff, active in bringing wider attention to the San Jose attack, warned that the U.S. power system is vulnerable to cyber attacks and reiterated no entity has legal permission to intervene to defend it. He stated, “I have no effective enforcement authority, and I’ve said this for six years now … I’ve also said I don’t care who has the authority, but Congress should give someone the authority.”12
In January 2013, the Defense Science Board, a distinguished group of experts who advise the U.S. Department of Defense, released a report concluding that a cyber attack had “the potential of existential consequences.” This means a threat to the existence of the United States. It stated, “The impact of a destructive cyber attack on the civilian population would be even greater with no electricity, money, communications, TV, radio or fuel … Law enforcement, medical staff, and emergency personnel capabilities could be expected to be barely functional in the short term and dysfunctional over sustained periods.”13
On February 12, 2013, U.S. President Obama signed Executive Order 13636, Improving Critical Infrastructure Cybersecurity, creating a voluntary cybersecurity framework to reduce threats to the critical U.S. infrastructure. Only an act of Congress, however, can result in additional statutory authority to mandate fixes for cyber vulnerabilities. To date, Congress has not granted that authority.
Unfortunately, many informed stakeholders and cyber thought leaders believe there will be no mandate or fix until the United States is shocked by the predicted “cyber-Pearl Harbor” event. Though clearly not of Pearl Harbor proportions, the Los Angeles Timessaid that the April 2013 “attack on the transformers caused considerable damage and came dangerously close to knocking out power in Silicon Valley.”14 As agreement is reached on a path forward, it is important that law enforcement learn from the California attacks, just as those who would do us harm have done.
What This Threat Means to Local Law Enforcement Leaders
While legislation and system fixes are important areas of concern for, but beyond the immediate scope of, local law enforcement, local officials must begin to prepare themselves to manage the risks associated with physical attacks and cyber attacks. The authors recommend the following action items:
- Participate in local or state cyber task forces, even on a part-time basis. Leaders should obtain a Secret-level clearance from the local Federal Bureau of Investigations (FBI) office so that they can be briefed on current and potential threats.
- Get an individual or regional briefing by the FBI, Department of Homeland Security fusion center, or other federal or state officials with investigative jurisdiction for cyber violations to become familiar with their assessment of the nature of any threat to communities, what assistance to expect from them and what assistance they expect from local law enforcement. Obtain a list of key infrastructure in the region. InfraGuard (www.infraguard.org) is an excellent platform for information and collaboration.
- Develop a stronger understanding of the cyberthreat to public utilities.
- Immediately notify federal authorities in the event of an attack or suspicious event. Any report of suspicious activity through federal agencies is fed to a central point for investigation and action to identify patterns. Notifying the federal system also helps ensure that federal evidence and investigative resources can be committed to the event. Local evidence collection efforts may not anticipate the needs of a broader investigation.
- Develop and train on a local or regional plan to manage disorder and economic or other disruptions, including the basic means by which residents contact law enforcement in an emergency. Natural disaster planning models have processes for distributed 9-1-1 access points staffed by trained volunteers with radio capabilities independent of affected infrastructures.
- Raise this issue through state or national associations. Ask them to advocate to the region’s U.S. congressional delegation regarding the need for a greater sense of urgency in taking constructive legislative steps necessary to ensure the resiliency of the electric grid and other vulnerable components of critical U.S. infrastructure.
The U.S. intelligence community was widely criticized for not “connecting the dots” and anticipating the 9/11 terrorist attacks. The 9/11 Commission characterized it as a lack of imagination. The necessary imagination has been engaged—and the dots have been connected—on the vulnerability of the electric grid and other critical infrastructure to both physical and cyber attacks. Mindful of the consequences of the attack and degraded communications in Northern California described above, law enforcement executives and their communities would be well served to better understand the implications of both a traditional attack, as well as one of a new world where a criminal attack could be initiated from a computer in 1/350 of a second from anywhere in the world.♦
1 Elisabeth Bumiller and Thom Shanker, “Panetta Warns of Dire Threat of Cyberattack on U.S.,” The New York Times, October 11, 2012, http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html?pagewanted=all&_r=0 (accessed February 22, 2013).
2 Rebecca Smith, “Assault on California Power Station Raises Alarm on Potential for Terrorism: April Sniper Attack Knocked Out Substation, Raises Concern for Country’s Power Grid,” The Wall Street Journal, February 5, 2014, http://www.wsj.com/news/articles/SB10001424052702304851104579359141941621778?mod=WSJ_hpp_MIDDLENexttoWhatsNewsForth (accessed December 11, 2014)
3 Nanette Asimov, Ryan Kim and Kevin Fagan, “Sabotage Attacks Knock Out Phone Service: Access Severed for Hundreds of Thousands,” SFGate, April 10, 2009, http://www.sfgate.com/bayarea/article/Sabotage-attacks-knock-out-phone-service-3245380.php (accessed December 11, 2014).
4 Daniel Yergin, The Quest: Energy, Security, and the Remaking of the Modern World (New York, NY: The Penguin Press, 2011), 279.
5 National Research Council, Terrorism and the Electric Power Delivery System (Washington, D.C.: National Academy of Sciences, 2012), vii.
7 Staff of Representatives Edward J. Markey and Henry A. Waxman, House Natural Resources Committee and House Energy and Commerce Committee, Electric Grid Vulnerability: Industry Responses Reveal Security Gaps (Washington D.C.: May 21, 2013), 4, http://democrats.energycommerce.house.gov/sites/default/files/documents/Report-Electric-Grid-Vulnerability-2013-5-21.pdf (accessed December 11, 2014).
8 Ibid., 6–7.
9 Ibid., 8.
10 Ibid., 6.
11 National Research Council, Terrorism and the Electric Power Delivery System, 1.
12 Zack Colman, “Official: Congress Must Establish Electric Grid Cybersecurity Authority,” Energy and Environment, The Hill, September 5, 2012, http://thehill.com/policy/energy-environment/247635-obama-official-congress-must-give-someone-electric-grid-cybersecurity-authority (accessed December 5, 2013).
13 Defense Science Board Task Force on Resilient Military Systems and the Advanced Cyber Threat, Resilient Military Systems and the Advanced Cyber Threat (Defense Science Board, Office of the Under Secretary of Defense for Acquisition, Technology and Logistics, January 2013), 5, http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf (accessed December 11, 2014).
14 Evan Halper, “Can Crime Fighting Technology Be Used to Secure Power Stations?” Los Angeles Times, February 21, 2014, http://articles.latimes.com/2014/feb/21/nation/la-na-nn-power-plants-security-technology-20140221 (accessed February 27, 2014).
Please cite as:
Scott R. Seaman and Richard W. Held, “Preparing for the Cyberthreat: The Vulnerability of the U.S. Electric Grid,” The Police Chief 82 (January 2015): web only, http://www.policechiefmagazine.org/preparing-for-the-cyberthreat-the-vulnerability-of-the-u-s-electric-grid.