Whether they be cyber attacks or physical assaults on their assets, utilities have their guards up. The latest news on this front is that someone armed with a rifle caused $1 million dollars worth of damage to utility equipment in Utah, and knocked out power to 13,000 people there.
Utilities have yet to deploy new physical and cybersecurity systems on a wide scale, mostly because the threats are continually evolving in type and sophistication and because companies must budget for such unforeseen threats. But as the spotlight shines on these issues, utilities and regulators are motivated to act.
"Even now, years removed from the PG&E Metcalf shooting, we continue to see minimal physical security mitigations being implemented at substations," said Brian Harrell, a director in Navigant's energy practice and former director of the cyberthreat-sharing portal at the North American Electric Reliability Corp., in an interview with Energy Wire.
"In all likelihood, the utility would have not have been aware of the sabotage had the transformer not failed first,” he added.
The incident at the Garkane Energy Cooperative is not a one-off thing. There, Utah authorities are offering a $50,000 reward for information leading to the arrest of the suspect or suspects. Power was out for a day to those impacted. A high-profile capture and prosecution may be the best deterrent.
A couple years ago, some folks appeared out of a manhole and fired on Pacific Gas & Electric’s grid, causing $100 million in damage after destroying 17 transformers in Northern California territory.
The company will start by erecting fences that can obscure sensitive operations as well as by improving lighting and providing better physical security as well as cybersecurity. The company will also enhance its internal and external communications, and its coordination with local law enforcement.
To succeed, PG&E is bridging its information technology department with its operations unit, meaning that those who are responsible for securing the company are communicating closely with those who keep the lights on, says Siobhan MacDermott, chief information security officer for Utilidata, in an earlier interview with this writer.
The electric grid is a fat target for two reasons. First, it's a critical economic asset. A single brownout can cost as much as $10 billion, which comes in the form of direct losses as well as lost opportunities, estimates the Federal Regulatory Commission. Second, the grid is vast: Altogether, there are about 5,800 major power plants and 450,000 high-voltage transmission lines in the United States.
Because the system is now connected to the outside world through the Internet, it has been become subject to evermore attacks. Roughly 85 percent of that infrastructure is owned by private entities, which maintain that they have an inherent interest in protecting their assets from outside hazards.
For their part, utilities are already required under the Energy Policy Act of 2005 to certify with the Federal Energy Regulatory Commission that they have developed robust systems that can continue to generate and deliver power if attacked. To comply, they are describing their potential risks based on historical accounts.
In the age of digital communications, corporations must be on their toes to defend against not just those who want to steal their secrets but also those who want to assault their businesses. Utilities have been thrust to the front lines in this clash and are now engaged in both cyber combat and physical assaults with faceless enemies or masked gunmen. Just ask Garkane Energy Cooperative, which is the latest victim.