Electrical substations, the Achilles’ heel of America’s vulnerable energy grid
Jamie McIntyre
December 16, 01:00 AM
In February, the marquee CBS News program 60 Minutes aired a story on the vulnerability of America’s energy grid to terrorism and cyberattacks. But the show, however inadvertently, may have served as inspiration or even a “how-to guide” for domestic extremists bent on sowing chaos.
For the segment, CBS correspondent Bill Whitaker interviewed Jon Wellinghoff, a former chairman of the Federal Energy Regulatory Commission, about his investigation into the 2013 attack in San Jose, California, in which unknown gunmen fired high-powered rifles into transformers at the Metcalf power substation.
Wellinghoff described how the attackers had surveilled the site ahead of time, marking firing positions with piles of rocks. And then in the dead of night, after cutting off communications from the substation, they pumped more than 90 rounds into the most vulnerable part of the facility, the cooling fins, causing 17 of 21 large transformers to overheat and shut down.
The CBS report included a close-up photo showing exactly what the cooling fins looked like.
Now, more than nine months later, Wellinghoff suspects what happened to two Duke Energy substations in Moore County, North Carolina, on Dec. 3, plunging more than 45,000 customers into darkness, was likely a “copycat” attack.
“Apparently, they did use high-powered rifles, multiple rounds into the infrastructure … so they probably hit the cooling fins of the transformers to basically allow the oil to leak out, which is exactly what [the attackers] did in San Jose,” Wellinghoff told CNN. “It mimics precisely what happened in San Jose in April of 2013. They, in fact, left very quickly prior to law enforcement coming, so it would indicate that they would have had some communication available in monitoring police channels — and marking positions with rocks is exactly what we found in our investigation in San Jose as well.”
The Moore County Sheriff’s Office has found no evidence supporting early speculation that the sabotage was an effort to shut down a local drag show, and law enforcement instead has been focused on domestic extremists.
In a bulletin to private industry issued 11 days before the incident, the FBI warned of a threat of attacks on critical infrastructure by those who espouse “racially or ethnically motivated violent extremist ideology” and are hoping to “cause societal collapse and a subsequent race war.”
“We know through doctrine, through planning documents that have been posted online and prior convictions and admissions of guilt by far-right extremists, including white supremacists, that this is part of their plan,” said Christopher Krebs, director of cybersecurity for the Department of Homeland Security during the Trump administration.
“They intend to target the grid, take communities offline, create civil unrest,” he said in a CNN interview.
In February, three men fitting that extremist profile pleaded guilty to a plot to attack power substations in three different regions of the country “in furtherance of white supremacist ideology,” according to a Justice Department release.
“The plan was to attack the substations, or power grids, with powerful rifles. The defendants believed their plan would cost the government millions of dollars and cause unrest for Americans in the region,” according to court documents. “They had conversations about how the possibility of the power being out for many months could cause war, even a race war, and induce the next Great Depression.”
While the electrical grid is vulnerable to extreme weather events, such as the freak winter storm that shut down the Texas energy grid in 2021, or sophisticated cyberattacks, such as the 2020 SolarWinds attack that inserted malware into the software supply chain, the more clear and present danger is from physical attacks, which require “very little expertise,” said Michael Mabee, a self-styled energy expert who has made it his mission to sound the alarm.
“Physical attack against the electric grid is a very, very low-tech attack. It could be perpetrated by domestic terrorists, a foreign government, or basically anybody who wanted to cause damage and destruction,” he told CNN.
“Since 2010, there have been 919 physical attacks against the U.S. electric grid in the United States,” Mabee said. “And there’s absolutely no requirement whatsoever that the electric grid as a whole protects itself from these threats. … And as we have just seen in North Carolina, it is a very, very real threat. People die as a result of power outages, as we saw in Texas in 2021, where 250 people died from literally a two-day power outage caused by the weather.”
While the motive for the North Carolina attack remains under investigation, the vulnerability of the nation’s 55,000 electrical substations, many in remote locations protected by little more than a rudimentary chain link fence, has been known and ignored for decades.
The threat to the U.S. electrical grid from “acts of war, sabotage, and terrorism” was outlined in a 1981 Government Accountability Office report, which recommended that Congress mandate “appropriate plans” for security. That recommendation was never implemented.
“In 2020, I filed a complaint with the federal government about the lack of physical security to the electric grid, and as part of the complaint, I mapped out through Google Maps part of the electric grid and substations,” Mabee said. “We’re talking about over 3,000 different companies, both public and private sector, that are involved in the generation, transmission, and distribution of electric power. So that’s 3,000 barn doors we have to guard from all of these threats.”
Some experts, including Wellinghoff, who is now CEO of GridPolicy Consulting, believe it’s past time to require energy companies to up their game.
“We need stricter regulations,” he argued. “We need regulations directly written by regulators and not the industry. And we need to ensure that they have some very simple, inexpensive ways to stop these attacks from happening and that is easy to do.”
Others, including Krebs, the former Trump administration cyber official, think the government needs to intensify law enforcement efforts as a deterrent.
“I find it hard to believe that energy companies should be responsible for shelling out hundreds of millions of dollars to protect from a bunch of crackpots who are trying to bring down society,” Krebs said. “We need the collar and the perp walk to send a strong message to the community to these people that are planning these events that we’re not going to tolerate it.”
On its website, the Cybersecurity and Infrastructure Security Agency, the agency Krebs led until November 2020, lists 16 “critical infrastructure sectors,” everything from dams to financial services to healthcare to agriculture to communications, but energy is the mother of them all.
“The electric grid is the most critical of our critical infrastructures,” Mabee said. “We have 16 critical infrastructures. … All 16 depend on the electric grid. So, it is the Achilles’ heel.”