There are more than 55 000 transmission substations in the United States, but an attack on less than 10 could plunge the entire nation into darkness, according to a study by the Federal Energy Regulatory Commission (FERC) that was obtained by the Wall Street Journal.
According to people familiar with the report, the Wall St. Journal reported that just nine substations could take down the transmission grid for the entire country. Currently there are no regulations that require protection for key substations, but that could change.
Earlier this month, FERC directed the North American Electric Reliability Corporation (NERC) to develop reliability standards for grid operators to address physical security threats.
“Today's order enhances the grid’s resilience by requiring physical security for the facilities most critical to the reliable operation of the Bulk-Power System,” FERC Acting Chairman Cheryl LaFleur said in a statement. “It will complement the ongoing efforts of FERC and facility owners and operators to ensure the physical security of the grid.”
The order has three steps: owners and operators must perform a risk assessment to identify facilities that are critical; once those facilities are identified owners must evaluate potential threats to those sites and then they must develop and implement a security plan.
The focus is protecting the transmission substations from a physical attack, which could be just as damaging as a cyber attack. Last April, snipers targeted a Pacific Gas & Electric substation in California, which did not cause an outage, but did raise questions about the vulnerabilities of the grid.
"There are probably less than 100 critical high voltage substations on our grid in this country that need to be protected from a physical attack," former FERC chairman Jon Wellinghoff told the Wall Street Journal in an email. "It is neither a monumental task, nor is it an inordinate sum of money that would be required to do so."
The steps sound easy enough, but many seemingly simple procedures were not in place to prevent the 2003 blackout, or the cascading outage in Southern California in 2011. There are many more tools and data sources to help identify outages, but a lack of planning and the novelty of the technology means that it is not always leveraged by grid operators.
In some ways, protecting against a physical attack may be easier than protecting against a cyber attack. Since the grid was first built, utilities have been physically protecting facilities, where as cyber threats are a more recent development that utilities are less familiar with addressing. A recent survey from Utility Dive found that cyber security was on the bottom of a list of pressing challenges for utilities, with grid reliability only somewhere in the middle.
Better coordination between utilities and grid operators will be key in preventing cascading outages in the future. FERC and NERC are evaluating whether mandatory reliability standards may be necessary to physically protect the grid, and the government agencies are also encouraging more cooperation between utilities to address grid vulnerabilities.
The new standards for critical transmission substations are due from NERC in June.