The electric power delivery system that carries electricity from large central generators to customers could be severely damaged by a small number of well-informed attackers. The system is inherently vulnerable because transmission lines may span hundreds of miles, and many key facilities are unguarded. This vulnerability is exacerbated by the fact that the power grid, most of which was originally designed to meet the needs of individual vertically integrated utilities, is now being used to move power between regions to support the needs of new competitive markets for power generation. Primarily because of ambiguities introduced as a result of recent restructuring of the industry and cost pressures from consumers and regulators, investment to strengthen and upgrade the grid has lagged, with the result that many parts of the bulk high-voltage system are heavily stressed.
A terrorist attack on the power system would lack the dramatic impact of the attacks in New York, Madrid, or London. It would not immediately kill many people or make for spectacular television footage of bloody destruction. But if it were carried out in a carefully planned way, by people who knew what they were doing, it could deny large regions of the country access to bulk system power for weeks or even months. An event of this magnitude and duration could lead to turmoil, widespread public fear, and an image of helplessness that would play directly into the hands of the terrorists. If such large extended outages were to occur during times of extreme weather, they could also result in hundreds or even thousands of deaths due to heat stress or extended exposure to extreme cold.
The largest power system disruptions experienced to date in the United States have caused high economic impacts. Considering that a systematically designed and executed terrorist attack could cause disruptions that were even more widespread and of longer duration, it is no stretch of the imagination to think that such attacks could entail costs of hundreds of billions of dollars—that is, perhaps as much as a few percent of the U.S. gross domestic product (GDP), which is currently about $12.5 trillion.
Electric systems are not designed to withstand or quickly recover from damage inflicted simultaneously on multiple components. Such an attack could be carried out by knowledgeable attackers with little risk of detection or interdiction. Further well-planned and coordinated attacks by terrorists could leave the electric power system in a large region of the country at least partially disabled for a very long time. Although there are many examples of terrorist and military attacks on power systems elsewhere in the world, to date international terrorists have shown limited interest in attacking the U.S. power grid. However, that should not be a basis for complacency. Since all parts of the economy, as well as human health and welfare, depend on electricity, the results could be devastating.
This report focuses on measures that could:
1. Make the power delivery system less vulnerable to attacks,
2. Restore power faster after an attack,
3. Make critical services less vulnerable while the delivery of conventional electric power has been disrupted.
The U.S. power delivery system is remarkably complex. It is a network of substations, transmission lines, distribution lines, and other components that people can see as they drive around the country; it also includes the less visible devices that sense and report on the state of the system, the automatic and human controls that operate the system, and the intricate web of computers and communication systems that tie everything together. Enormous complexity and diversity also characterize the organizations and human systems that operate and manage the power delivery system. That complexity and diversity have become even greater in recent years as some parts of the system have been restructured while others
have not, and as the role of state and federal regulators and other oversight bodies has shifted.
Today most power is generated by large central generating stations that are located far from the customers they serve. Transformers increase the voltage so that it can be carried efficiently over long distances. Substations then reduce the voltage and carry the power into the distribution network for delivery to customers.1 Unlike trains or natural gas in pipelines, electric power cannot simply be sent via specific lines wherever dispatchers choose. Current flows through the system according to a set of physical laws. The system must be continually adjusted to keep all parts synchronized and in electrical balance. If corrections are not made immediately when imbalances occur, the result can be oscillations and other disturbances in the system that can result in a cascading failure over a wide area, as happened in the Northeast blackout of 2003.
Recent years have witnessed dramatic organizational changes in the U.S. electric power system. In some states, traditional vertically integrated companies that owned and operated the entire system from the generators to the customers’ meters have been restructured in an effort to introduce competition. However, a few states are trying to undo some of the changes, and some states may never restructure. The push by federal regulators to introduce competition in bulk power across the country also has resulted in the transmission network being used in ways for which it was not designed. There have also been shifts in the relative responsibility of state and federal regulators.
Largely as a consequence of the uncertainties introduced by these changes, incentives for investment by private firms have become mixed, with the result that the physical capabilities of much of the transmission network have not kept pace with the increasing burden that is being placed on it. Other trends are more promising. The Energy Policy Act of 2005 includes provisions to strengthen the electric grid, including provisions for the introduction of mandatory reliability standards. Although not aimed specifically at protecting the grid against terrorism, the activities initiated under this statute will—if implemented—lead to a more robust transmission system that will be better able to withstand major disruptions.
Disruption in the supply of electric power can result from problems in any part of the system. The primary concern of this report is with power delivery. Substations and the large high-voltage transformers they contain are especially vulnerable, as are some transmission lines where the destruction of a small number of towers could bring down many kilometers of line. Terrorist attacks on multiple-line transmission corridors could cause cascading blackouts.
High-voltage transformers are of particular concern because they are vulnerable to attack, both from within and from outside the substation where they are located. These transformers are very large, difficult to move, custom-built, and difficult to replace. Most are no longer made in the United States, and the delivery time for new ones can run to months or years. The industry has made some progress toward building an inventory of spares, but these efforts could be overwhelmed by a large attack. Although easier to move and replace, other large components, such as high-voltage circuit breakers, are also a concern.
These problems are exacerbated by the current state of the transmission grid. It is aging and increasingly stressed, leaving it especially vulnerable to multiple failures following an attack. Many important pieces of equipment are decades old and lack improved technology that could help limit outages.
Modern power systems rely heavily on automation, centralized control of equipment, and high-speed communications. The most critical systems are the supervisory control and data acquisition (SCADA) systems that gather real-time measurements from substations and send out control signals to equipment, such as circuit breakers. The many other control systems, such as substation automation or protection systems, can each only control local equipment. Other online computer systems, such as energy management systems (which analyze the reliability of the system against contingencies) or market systems (which manage the buying and selling of electricity), have only an indirect impact on the grid. But all such systems are potentially vulnerable to cyber attacks, whether through Internet connections or by direct penetration at remote sites. Any telecommunication link that is even partially outside the control of the system operators is a potentially insecure pathway into operations and a threat to the grid.
If they could gain access, hackers could manipulate SCADA systems to disrupt the flow of electricity, transmit erroneous signals to operators, block the flow of vital information, or disable protective systems. Cyber attacks are unlikely to cause extended outages, but if well coordinated they could magnify the damage of a physical attack. For example, a cascading outage would be aggravated if operators did not get the information to learn that it had started, or if protective devices were disabled.
Workforce issues are critically important to maintaining a reliable supply of electricity, particularly in the event of a terrorist attack. Utility employees and contractors interact with the electric power system as managers, operators, line-crews,
1A few transmission lines operate with direct current (DC), which requires conversion from alternating current (AC) at one substation and then back again at the receiving substation. DC also is used to interconnect the four major regions in the United States and Canada because its use avoids the necessity of keeping their AC systems synchronized.
suppliers of materials and services, and users, among other roles. Although workers and managers in this industry have an outstanding record of reliable performance, even a few pernicious people in the wrong place are a potential source of vulnerability should they choose to disrupt the system.
A second issue is that, to a greater extent than in most other industries, the electricity workforce is aging, and many skilled workers and expert engineers will soon retire. As the current workforce retires, utilities may have increasing difficulty hiring sufficient qualified replacements to keep the system operating effectively and reliably and to undertake all the upgrades that are needed, let alone cope with damage from terrorist attacks. This issue requires sustained and high-level attention by both the industry and federal agencies.
The extent of the damage from an attack can be limited by a variety of means, including improving the robustness of the system to withstand normal failures; adding physical and cyber protections to key parts of the system; and designing it to degrade gracefully after catastrophic damage, leaving as many areas as possible still with power. Research and development can make particularly important contributions in these areas. Table S.1 lists examples of changes that could be made starting now and others that could become options in the long term. Many of the changes discussed in this report
|Selected Options Currently Available
|Selected Options That R&D Could Make Available
Hardening of key substations and control centers Increased physical surveillance
Addition of transmission towers that can prevent domino-like collapse
For additional examples, see Chapter 3
Improved intrusion sensors
Development of strategies to provide greater system capacity
Greater use of distributed generation and micro-grids
for additional examples, see Chapter 9
Elimination of all non-essential pathways to external systems
Use of high-quality cyber security on all links
For additional examples, see Chapter 4
Improved cyber security for sensors, communication, and control systems
Systems to monitor for. and help avoid, operator error
For additional examples, see Chapter9
Improved employee and contractor screening
Improved training for attack response
Improved planning and coordination with government (especially law enforcement)
For additional examples, see Chapter 5
Improved training simulators
Expansion of support for educational programs in power engineering that have atrophied in large part because of very limited research investment
For additional examples, see Chapter 9
|Increased system robustness and graceful degradation
A change in institutional arrangements and incentives to ensure adequate modernization of the transmission system
Greater use of high-voltage power electronic technology
Greater use of DC interconnects
Expanded and more selective demand-side management and distribution automation
For additional examples, see Chapter 6
Improved probabilistic vulnerability assessment
Improved sensors, communication, real-time analysis, and system visualization
Improved automatic control
Improved capability for islanding and self-healing
Improved energy storage
For additional examples, see Chapter 9
Expanded planning for very large outages
Designation of some utility employees as first responders.
For additional examples, see Chapter 7
|Development and stockpiling of restoration transformers and other key equipment of long leadtime Improved assessment and planning tools For additional examples, see Chapter 9
|Maintenance of critical services while grid power is disrupted
Use of robust systems such as light-emitting diode (LED) traffic lights with trickle charge batteries
Co-location of generation with critical loads such as pumps for water supply
Comprehensive contingency planning
Avoidance of cross-dependencies (e.g., backup power for cell phone sites; gas rather than electric pumps on gas pipelines)
For additional examples, see Chapter 8
Massively distributed architectures
Improved energy storage
could convert an attack that today could cause a blackout over a wide region of the country into one that would do less damage to the electric system and leave the system in a better position to accommodate the damage that does occur. Cascading failures could be limited, and many areas within a blacked-out region could maintain power because they could isolate themselves from the failing grid and maintain a balance of generation and demand within their borders.
Physical protection of critical facilities includes hardened enclosures for key transformers, improved electronic surveillance, and system tools that can identify physical and control system problems and potential incidents. Such measures may deter as well as blunt an attack.
Cyber security is best when interconnections with the outside world are eliminated. When interconnections are unavoidable, best practices for security must apply. Wireless communications within substations is a particular concern.
The risk of insider-assisted attacks can be reduced by strengthening background checks for new and existing employees and contractors. If subversive or disaffected workers can be identified, attackers will lose a major potential advantage. Training operators and other workers to recognize and react to attacks or other major disruptions will be helpful in limiting the extent of outages and further damage during a cascading failure. System simulators are likely to be very useful in this endeavor. In the long term, supporting engineering and other technical education will help to maintain the availability of the necessary skills in the workforce.
Even if terrorist attacks were not a concern, the transmission system should be modernized and upgraded to handle the increasing flow of power. A robust, modern system could ride out disturbances that would cause major problems to today’s stressed system. The new operating standards being prepared by the electric industry and its reliability organizations under the Energy Policy Act of 2005 (EPAct) will help, but EPAct doesn’t directly grant authority to order upgrades in the physical system. Industry, the Federal Energy Regulatory Commission (FERC), the Department of Energy (DOE), and state public utility commissions are aware of such needs, but building new transmission lines and other delivery enhancements is expensive and difficult. Upgrading sensors and controls can allow more power to flow on existing lines, which will help under some conditions. The terrorist threat suggests that additional upgrades may be important to reduce major outages. Current standards are met if no significant outage occurs following the failure of one major line or certain related double outages. Damage by terrorists could greatly exceed this level. A higher standard would be to maintain reliability when two major related failures occur, known as an N - 2 event, which, in most cases, would entail additional costs. Improving the information flow to operators and the tools they can use to analyze and react to disturbances also would help prevent outages from cascading.
In the longer term, changes to the configuration of the power system could have dramatic impacts on its vulnerability. Among these, increasing generation within or close to major load centers, expanded use of distributed resources (co-generation, micro-grids) with associated automatic control, and the successful development and deployment of storage technology would help limit cascading failures and leave islands of power within a blacked-out region.
After an attack, an electric utility’s main focus will be on restoring power to its customers. Many of the steps to be taken would be similar to those taken in response to a major natural disaster, such as a hurricane: that is, identify the damage, clean it up, repair equipment, and restore power. However, there are also important differences. Unlike hurricanes, terrorists may strike with no warning and selectively destroy the most important facilities, such as major substations. Some of the lost equipment may take months or even years to replace. Unless prior arrangements have been worked out, law enforcement officers might exclude utility workers from the crime scene while they investigate, delaying assessment of the damage and restoration activities. In addition, utility workers might be subjected to unexpected risks, such as chemical contamination.
Although detailed restoration plans cannot be formulated until specific damage is identified and the extent of an outage determined, advance planning can greatly speed the process of recovery. This is a well-established tenet in the industry. Utilities and transmission operating entities can—and do—make contingency plans. In preparing for a possible terrorist attack, they should set up an incident command system, establish good communications with government agencies, and reach agreements as to responsibilities and authority over various aspects of the restoration. Further work to address any specific issues that might arise in a terrorist incident is critical. Designating utility workers as first responders would improve their access to damaged substations and other facilities to assess the damage. Drills should be conducted for plausible scenarios of destruction to ensure that plans are adequate.
Key equipment, especially large power transformers, can be backed up with spares. The Edison Electric Institute (EEI) is developing the Spare Transformer Equipment Program (STEP), which will make spare transformers available in case of emergency. These transformers are very expensive, and not many spares are available. Transformers are also very large, heavy, and difficult to move. A major attack could quickly exhaust the inventory, and the world has limited manufacturing capacity. A promising solution is to develop, manufacture, and stockpile a family of universal recovery transformers that would be smaller and easier to move. These would be less efficient than those normally operated and so would only be for temporary use, but they could drastically reduce the delay before the electric system is back in full operation. Emergency backup policies also should be imple-
mented for other key equipment such as large bushings and circuit breakers, which could take many weeks to replace.
Utility restoration workers need adequate food, water, fuel for vehicles, and other essentials that may not otherwise be available during an extended outage. Communication networks also may degrade or fail in an extended outage, and it is essential that utilities have backup systems available that can be operated without grid power.
In addition, utilities and transmission operators should ensure that sufficient generating plants have black-start capability. This is provided by units that can be started with no offsite power available, a likely situation in a widespread blackout.
Society is becoming ever more dependent on electric power. While system owners and operators should do all that they reasonably can to ensure that their systems are able to withstand anticipated assaults from natural and human sources, there are practical limits to how much these highly distributed systems can be hardened. Even without the threat of terrorism, there is a risk of occasional power outages, some of which will have large spatial scale and may last for many hours or even days. Terrorism increases the probable extent and duration of such outages and could cause them to occur at particularly inconvenient or damaging moments.
Since the complete elimination of all possible modes of failure is simply not feasible, an important design objective (in addition to resilience and the ability to rapidly restore the system after a problem occurs) should be the ability to sustain critical social services while an outage persists. Thus, in addition to strengthening the grid, society should also focus on identifying critical services and developing strategies to keep them operating in the event of power outages—be they accidental or the result of terrorist attack.
Strategies for managing an extended outage will require detailed planning and preparation to ensure that critical facilities can continue to operate, either from the remaining grid or from emergency power systems. Metropolitan areas with high demand and high reliance on transmission to deliver power from distant generating stations should be of particular concern in this regard. Critical facilities (such as hospitals) often have emergency backup power generation capability, but some of these are only intended to operate for several days. An extended outage could easily exhaust the supply of fuel. Many critical service providers have no emergency power at all.
Although it is not reasonable to expect federal support for all local and regional planning efforts, the Department of Homeland Security (DHS) and/or the DOE should each initiate and fund several model demonstration assessments at the level of cities, counties, and states. These assessments should systematically examine a region’s vulnerability to extended power outages and develop cost-effective strategies that can be adopted to reduce or, over time, eliminate such vulnerabilities. Building on the results of these model assessments, DHS should develop, test, and disseminate guidelines and tools to assist other cities, counties, states, and regions to conduct their own assessments and develop plans to reduce their vulnerabilities to extended power outages. To facilitate these activities, public policy and legal barriers to communication and collaborative planning will need to be addressed.
At a national level, DHS should perform, or assist other federal agencies to perform, additional systematic assessment of the vulnerability of national infrastructure, such as telecommunications and air traffic control, in the face of extended and widespread loss of electric power, and then develop and implement strategies to reduce or eliminate vulnerabilities. Part of this work should include an assessment of the available surge capacity for large mobile generation sources. Such an assessment should include an examination of the feasibility of utilizing alternative sources of temporary power generation to meet emergency generation requirements (as identified by state, territorial, and local governments, the private sector, and nongovernmental organizations) in the event of a large-scale power outage of long duration.
Government entities need to provide incentives (e.g., grants, fee-based awards, taxes, regulation) to support incremental costs associated with public and private sector risk prevention and mitigation efforts to reduce the societal impact of an extended grid outage. Such incentives could include incremental funding for those aspects of systems that provide a public good but no private benefit and the development and implementation of building codes or ordinances that require alternative or backup sources of electric power for key facilities.
There are many technologies and strategies that could be employed to make the power system more robust in the face of terrorist attack, make service restoration more timely after an attack, and continue the provision of critical services while the power is out. The best way to make needed changes affordable, and to develop new, even more effective and affordable approaches, is through research. Chapter 9 of this report discusses the current state of research for electric power, along with a set of recommendations for addressing research needs and developing related strategies.
The research that is needed to address the problems of terrorism is, for the most part, the same as the research that would address the broad problems faced by the transmission and distribution grid. The recovery transformer noted above is one of the few exceptions of terror-specific technologies that should be pursued. For example, the advanced computational system under development to improve control of flows on the grid also would be very useful in minimizing a cas-
cading failure after a terrorist attack. The committee reached this conclusion in part from an informal questionnaire the committee developed and distributed to leading technical experts in the field. This questionnaire identified a variety of potential short- and long-term R&D needs for transmission and distribution. Respondents were asked to prioritize needs first for the industry as a whole and then strictly in terms of reducing vulnerability to terrorism. With a few exceptions, the research needs in the two cases were identical.
The committee is very concerned that the level of actual investment in power system research is currently much smaller than it should be as measured according to a variety of societal metrics. However, agreeing on institutional arrangements that can significantly increase the levels of nongovernmental research investment in this field has been a persistent problem. Chapter 9 discusses one possible strategy, but the committee was unable to reach a unanimous view on how best to resolve this problem.
The level of protection for and resiliency of the electric power grid against terrorist attacks needs to increase. However, the level of security that is economically rational for most infrastructure operators will be less than the level that is optimal from the perspective of the collective national interest. Therefore, the DHS should develop a coherent plan to address the incremental cost of upgrading and protecting critical infrastructure to that higher level.
In the specific context of electric power delivery, the Department of Homeland Security should:
• Recommendation 1 Take the lead and work with the DOE and with relevant private parties to develop and stockpile a family of easily transported high-voltage recovery transformers and other key equipment. Although the expected benefits to the nation of such a program are difficult to quantify, they would certainly be many times its cost if the transformers are needed (see Chapters 3, 6, and 9).
• Recommendation 2 Work to promote the adoption of many other technologies and organizational changes, identified in this report, that could reduce the vulnerability of the power delivery system and facilitate its more rapid restoration should an attack occur (see Chapters 6 and 7).
• Recommendation 3 Work with the power industry to better clarify the role of power system operators after terrorist events through the development of memoranda of understanding and planned and rehearsed response programs that include designating appropriate power-system personnel as first responders (see Chapters 7 and 8).
• Recommendation 4 Offer assistance to the Federal Energy Regulatory Commission, to state public service commissions, and to other public and private parties in finding ways to ensure that utilities and transmission operators have appropriate incentives to accelerate the process of upgrading power delivery and eliminating its most obvious vulnerabilities (see Chapter 6).
• Recommendation 5 Work with the Department of Energy and the Office of Management and Budget to substantially increase the level of federal basic technology research investment in power delivery. The committee notes that (1) much of what is needed has the nature of a “public good” that the private sector will not develop on its own; (2) current levels of research investment are woefully inadequate; and (3) most of the system’s vulnerabilities to terrorism are integrally linked to other more general problems and vulnerabilities of the system and cannot be resolved in isolation (see Chapter 9).
• Recommendation 6 Take the lead in initiating planning at the state and local level to reduce the vulnerability of critical services in the event of disruption of conventional power supplies, and offer pilot and incremental funding to implement these activities where appropriate (see Chapter 8).
• Recommendation 7 Develop a national inventory of portable generation equipment that can be used to power critical loads during an extended outage. Explore public and private strategies for building and maintaining an adequate inventory of such equipment (see Chapter 8).