Terrorism and Utilities: No Longer a Black Swan
It used to be considered highly unlikely that a terrorist attack, either electronic or physical, could come close to disrupting the nation’s energy utilities infrastructure on the scale of Mother Nature, with her floods, freezing temperatures, and high-speed winds. One need only recall the devastation in 2012 that was wrought on the Mid-Atlantic states by Hurricane Sandy, where 8 million lost power, some for weeks.
The fact that US utilities have shown great resilience in restoring power under the most dire circumstances has contributed to the belief that this is one of the most reliable power systems on the planet.
Over the past few months, however, a series of disturbing news reports detailing a professional-style attack on a power station last year, as well as persistent cyber attacks against the industry, have raised concerns that the nation’s utilities are increasingly vulnerable.
The potential threat has already moved beyond the realm of the Black Swan, the term used to describe extremely rare, but highly consequential events that are difficult to anticipate and can result in truly catastrophic outcomes. Instead, a coordinated attack on utilities that destroys expensive infrastructure and results in widespread blackouts could very well be a high-probability event, given the industry’s lack of preparedness.
Indeed, unless it was the prelude for a Hollywood-style heist gone awry, a dry run for such an attack may have already occurred. But we’re only just now hearing the full details almost a year after it happened.
On April 16, 2013, around 1:30 a.m., snipers opened fire for about 20 minutes on PG&E Corp’s (NYSE: PCG) Silicon Valley transmission substation, causing 17 transformers to overheat and crash.
As evidenced by The Wall Street Journal’s thorough chronology of the attack, the operation was very different from the sort of vandalism that occurs against industry infrastructure on a semi-regular basis. About a half-hour prior to the shooting, the perpetrators cut telecommunications cables in two separate underground vaults, which knocked out nearby phone and Internet service.
Then they set up at a distance from the facility, near small piles of rocks left by an advance scout to signify the best vantage points from which to shoot. After a signal with a waved flashlight, which was caught on camera, the snipers began firing at the transformers’ oil-filled cooling systems, discharging about 100 rounds. Another wave of a flashlight signaled the end of the attack, and the gunmen disappeared into the night about a minute before police arrived.
Fortunately, quick-acting officials who oversee the grid were able to avert a blackout by rerouting power around the site, while other local power generators increased output to offset the loss. Nevertheless, the damage was extensive: It took utility workers 27 days to bring the substation back on line.
In an interview with CNN, Jon Wellinghoff, the former chairman of the Federal Energy Regulatory Commission (FERC), described the operation as a “very well planned, coordinated and executed attack on a major piece of our electric grid infrastructure.” He believes the attack may have been a test run for a larger strike, possibly by terrorists. He also told the WSJ that this was “the most significant incident of domestic terrorism involving the grid that has ever occurred.”
Furthermore, the attack has shown a major weakness that the industry has known about for years but has yet to address comprehensively. The transformers that the snipers destroyed are expensive pieces of equipment, often costing millions of dollars each, and are difficult to replace. Each is custom-made and weighs up to 500,000 pounds. A 2009 Energy Department report said that “physical damage of certain system components (e.g., extra-high-voltage transformers) on a large scale … could result in prolonged outages, as procurement cycles for these components range from months to years.”
Mr. Wellinghoff told the WSJ that a FERC analysis found that if a surprisingly small number of US substations were knocked out at once, then that could be enough to destabilize the system and cause a blackout that could encompass most of the US. Given what’s at stake, he’s argued that security at electrical grid facilities is insufficient, and he’s urging Congress to give federal agencies the authority to demand improved security around electrical substations. “We need to have a national coordinated plan, and we have to have a federal agency that is in charge,” Mr. Wellinghoff said.
Hackers, EMPs and Bureaucracy
Meanwhile, in the area of cybersecurity, a similar level of unpreparedness seems to be prevalent. Over an eight-month period through May 2013, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) registered more attacks on internet-enabled SCADA systems, which monitor and control industrial and infrastructure processes, than in the previous twelve months.
According to its latest quarterly report, a total of 200 attempted intrusions were detected. The ICS-CERT said that more than half of the incidents affected the energy sector, while 17 percent targeted the manufacturing industry and 10 percent were aimed at critical telecommunications networks.
Moreover, in a 2013 Congressional report, more than a dozen utilities reported daily, constant, or frequent attempted cyber-attacks, ranging from phishing to malware infection to unfriendly probes. One utility reported that it was the target of approximately 10,000 attempted cyber-attacks each month.
The Department of Homeland Security (DHS) confirmed that hackers pose an increasing risk to electrical utilities because some control systems may be connected to the internet. A government report pointed out that “cyber-attacks are unlikely to cause extended outages, but if well-coordinated they could magnify the damage of a physical attack.” A hacker attack on the power system “could deny large regions of the country access to bulk system power for weeks or even months,” which would generate “turmoil, widespread public fear and an image of helplessness that would play directly into the hands of the terrorists.”
Additionally, utilities’ electronic systems are also ill-prepared for threats from an electromagnetic pulse (EMP) attack. EMPs can be generated intentionally by utilizing portable equipment to produce high-power radio frequency, microwave or other electromagnetic pulses that destroy or disable electronic equipment. Such weapons can vary in size from a handheld device to a large vehicle-borne device, can be used at a distance from a target, and can penetrate walls or other obstacles–making detection and attribution of an attack to a specific source difficult.
After reading this litany of risks, one might wonder why the industry has not taken action to protect critical infrastructure, especially in the wake of the 9/11 attacks or the 2003 Northeast Blackout.
In fact, utilities were focused on hardening the nation’s energy infrastructure against terrorism, as well as human and equipment error. And the Energy Policy Act of 2005 gave federal regulators authority to oversee energy infrastructure reliability and approve mandatory cybersecurity reliability standards.
The North American Electric Reliability Corporation (NERC), a non-governmental organization comprised of industry experts, was certified by federal regulators to develop reliability standards that include physical infrastructure. But since then, the organization has been criticized for being too slow to develop and implement physical and security standards, according to the FERC and a Congressional report.
Joseph McClelland, director of the FERC Office of Electric Reliability, told Congress last year that the procedures used by NERC, while “appropriate for developing and approving routine reliability standards … can be an impediment when measures or actions need to be taken to address threats to national security quickly, effectively and in a manner that protects against the disclosure of security-sensitive information.”
Nevertheless, NERC has been directed to propose reliability standards within 90 days that “address physical security risks and vulnerabilities related to the reliable operation of the bulk-power system.”
For its part, the Edison Electric Institute (EEI), the association representing investor-owned utilities, says the industry has already taken several steps to boost physical security, and companies are making additional investments in security. In a recent statement, EEI noted, “Electric companies are partnering closely with each other and with senior officials from all relevant federal and law enforcement agencies to protect the grid’s most critical assets. In the past year, the industry has partnered with DOE and DHS on a series of briefings in 10 cities around the US to bring together utility operators with local law enforcement.”
Investing in Preparedness
In the weeks following the WSJ’s detailed report on the attacks against PG&E’s substation, we heard from several subscribers who wondered what this might portend for utility stocks. One subscriber, a 90-year old, World War II veteran and survivor of the Great Depression, summarized it best: In light of these risks, what’s the best way to invest in the utilities space, and how do we determine which firms are most prepared for the possibility of a physical or cyber-attack?
Finding the answer has proved elusive and challenging, as utilities do not make their specific security initiatives available to the public, in part because such a disclosure itself would presumably compromise security, and that makes it difficult to evaluate firms’ efforts in this context.
Even last year, when Congress submitted questions to the nation’s utilities on their level of preparedness against cyber, physical and EMP assaults, shockingly, some of the biggest, well-run utilities chose not to respond, though some did. Nevertheless, a Congressional report based on the questionnaire found utilities were significantly unprepared. The May 2013 report entitled, “Electric Grid Vulnerability: Industry Response Reveals Security Gaps,” by Reps. Edward J. Markey and Henry A. Waxman, says it all.
In early March, your correspondent attended a dinner hosted by Standard & Poor’s that brought together infrastructure industry experts and players, including analysts, as well as company and private-equity executives. Though the focus of the dinner was creating public-private partnerships with the private-equity industry to fund roads, bridges and utility infrastructure, I also took the opportunity to engage with fellow attendees about how to assess utility preparedness for physical and cyber-attacks.
One lobbyist at the dinner who represents real estate investment trusts (REIT) had also worked on developing the original language for the Terrorism Risk Insurance Act (TRIA), which “provides for a transparent system of shared public and private compensation for insured losses resulting from acts of terrorism.” He reminded me that utilities are covered under the act.
Of course, I challenged him. “If there was a scenario where a utility lost billions due to a terrorist act, would that utility be made whole under TRIA?” I asked. He confirmed that utilities would be able to recover losses that result from a physical attack, assuming the government certifies it was due to an act of terrorism. However, he did note that there is concern that TRIA won’t be renewed, as it’s set to expire at the end of this year.
The RAND Corporation, the well-known think tank, recently published a report entitled, “National Security Perspectives on Terrorism Risk Insurance in the United States,” which calls for TRIA’s renewal. At present, no insurance exists for cybersecurity threats against utilities, though there is an industry effort to create a backstop similar to TRIA.
The lobbyist added that risk insurance goes a long way toward removing the need for investors to evaluate each utility’s preparedness plan. He said it would be counterproductive to do so anyway. “Just after 9/11, there were several parking garage REITs that told investors they were better prepared than hotels against a terrorist act, which was impossible to evaluate,” he said, adding there were few investors who were going to go out and count security cameras and guards. The REIT industry’s response was to develop a set of high standards of preparedness to which property owners would adhere.
Naturally, risk insurance and standard setting won’t put all investors at ease. The subscriber mentioned earlier said he still wants to see more concrete emergency-preparedness plans. Perhaps one way in which utilities can demonstrate they’ve made a good-faith effort, without compromising security by offering too many specifics, would be to periodically provide an accounting of their overall spending in this area. While throwing money at something doesn’t always prevent a problem from occurring, this is the one metric that would allow for easy comparison among industry peers.
Subscribers to Utility Forecaster get to read the full update, in which we detail the utility stocks that are likely best prepared for the possibility of a physical or cyber-attack.