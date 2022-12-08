



The recent attack on two North Carolina substations that knocked out power to thousands of people has raised concerns about the safety standards of the country’s power grid and its many power plants, which have faced greatest threats in recent years.

Outside of weather, suspected and confirmed physical attacks on power grid infrastructure have been the leading cause of power disruption events since 2014 when, in response to an attack in California the previous year, private companies that operate power plants have been required to increase safety standards, according to an NBC News analysis of public Department of Energy reports.

Nearly 600 power emergency incidents and disruptions were caused by suspected and confirmed physical attacks and vandalism on the power grid during those nine years, according to reports. There were 106 incidents of attack or vandalism from January through August 2022, which is the latest tracking data from the Department of Energy. Of the years reviewed by NBC News, 2022 is the first to reach triple digits and it only contains eight months of data.

The incidents, which are self-reported by power companies to the federal government, provide little to no details about what happened. But experts said they could range from theft of copper wire to planned assaults aimed at causing power outages, as is suspected to have happened in North Carolina.

The significance of this blackout in North Carolina in the midst of a bitterly cold winter should not be underestimated, it’s a big deal, said Neil Chatterjee, who served as chairman of the Federal Energy Regulatory Commission, or FERC, under the Trump administration. We need to be aware of this and take physical security and cybersecurity seriously. We can do some things in terms of standards and other approaches to strengthen and protect our critical energy infrastructure.

Duke Energy restored power to all of its North Carolina customers Wednesday night, four days after 45,000 customers were left in the dark after what officials said was an intentional and coordinated attack on two substations in the county of Moore. Moore County Sheriff Ronnie Fields said the motive for the attack was not known. It is also unclear what kind of protective measures were in place to prevent such an assault.

Jeff Brooks, a spokesman for Duke Energy, declined to provide details on site security measures, but described the company’s security approach as robust.

We have multiple layers of protection on our critical systems on the grid that help us monitor and respond to disruptions, he said. And so what we were doing now is certainly focused on the restaurant business, but there will certainly be lessons learned from that that we will incorporate into our plans going forward.

In response to the attack, a senior Department of Energy official said the agency convened a call on Monday that included Deputy Energy Secretary David Turk, 30 CEOs from across the power sector, officials from Duke Energy and officials and investigators from the FBI, Department of Homeland Security, the White House and the National Security Council.

They discussed the attack and industry leaders were told to be on high alert and report any incidents that could be considered threatening.

Until we start to connect some dots, we really need to see: where is this trend? What’s going on? said the official. There was a real call to say that we need to step forward and share this information while remaining vigilant.

Vague rules or a risk-based approach?

The current standard was adopted in 2014 and requires utilities to create risk, threat and vulnerability assessments and a physical security plan for each plant, all of which must be verified by a third party. However, it does not oblige them to apply concrete or site-specific security measures.

Adrienne Lotto, senior vice president of network security, technical and operations services at the American Public Power Association, a utility advocacy group, said the current standard is working well because it is tailored to site-specific risks. She added that the utility industry has also responded to threats from a best practice perspective.

Using a risk-based approach, the industry tends to focus, and rightly so, on assets that have high impact or high risk to the bulk power system, she said.

Residents fill containers with gas just outside the affected area where a severe attack on critical infrastructure knocked out power to many people around Southern Pines, North Carolina on December 5, 2022.Karl B DeBlaker / AP

But others don’t believe the current standard is working well. Critics said they thought it was a vague set of rules that gave electric utility companies a lot of leeway, rather than creating mandatory, enforceable safety measures.

Jon Wellinghoff, who was named FERC chairman during the Obama administration, said the standards are extremely vague and non-prescriptive because they don’t require things like block walls or cameras.

They simply say that companies must identify which parts of their infrastructure are essential and then each utility makes the decision as to which parts of its infrastructure it wants to be subject to the standards, he said. “Then they have to create a plan to protect them and that plan can be basically anything that conforms to the vague outlines of the standards.

The senior Department of Energy official said the North Carolina substation was not considered high impact because damage was not believed to have caused an outsized effect.

It was a low-impact substation, and therefore it has a different set of requirements in terms of its physical security measures it would use, the official said. We will work with Duke to really understand and assess the situation in terms of the security measures in place and that will inform the dialogue on what we could change.

Safety standards last underwent a major change after a coordinated gun attack at a transmission substation outside San Jose, California in 2013 raised concerns about to a massive weakness in the US electrical system.

Those who coordinated the assault, known as the Metcalf sniper attack, remain at large. They created several firing positions and cut off communications from the power station before firing on 17 transformers, threatening a major blackout. PG&E, the power company, was able to redirect power to affected areas, but the attack could have caused a blackout that would have included all of Silicon Valley, said Wellinghoff, who was then FERC chairman. .

Pathways to a new normal

Those who want a new security standard said there remained significant bureaucratic headwinds against such a proposal.

After the Northeast blackout in 2003, Congress passed the Energy Policy Act of 2005. This act caused federal regulators to look to an electrical reliability organization to develop and enforce reliability standards for power grids. transmission of the country. The view is that industry expertise would lend itself to creating strong reliability standards, while federal regulator FERC would approve standards created by the organization.

Since 2006, the North American Electric Reliability Corporation has overseen the task of creating reliability standards, but critics say this process has effectively allowed industry to set its own rules and undermined any power of FERC to act as a regulator.

The North American Electric Reliability Corporation, a nonprofit organization originally created by the electrical industry, said it created safety requirements based on risk, rather than a one-size-fits-all approach.

“The assets in North Carolina were not individually deemed critical to the network, and the recent attack did not create an uncontrolled or cascading outage, which the standards are designed to protect against,” said Kimberly Mielcarek. , spokesperson for the group. “However, it raises the question of whether an event that affects multiple non-critical assets needs to be considered that collectively can have an impact beyond the failure of a single asset.”

Mielcarek added that industry expertise is the best way “to ensure that our standards are technically sound and don’t cause unintended network consequences.” FERC, she noted, can order the organization to write a standard if it deems it necessary.

For those who want greater action, however, the only way forward may be an act of Congress, Wellinghoff said.

Encouraging people to do things is not enough, he says. You have to give someone the power to do something, you have to give someone the power to write a rule, to put it in place and to demand that it be implemented, to monitor it and to apply it.

But Chatterjee said he wasn’t sure a significant change in the standard was needed. He said private companies are effectively encouraged to act for fear that an attack will affect stock prices. He said simple solutions, such as adding concrete walls rather than chain-link fences, could be a big step forward.

“We need to be confident that these players know what they need to do to protect their systems, he said. Standards are part of that, but they’re not the end in themselves.

CORRECTION (December 7, 2022, 9:24 PM ET): An earlier version of this article incorrectly listed the last name of a former chairman of the Federal Energy Regulatory Commission. He’s Neil Chatterjee, not Chatterly.

