Physical Security Considerations for Electric Power Systems
From its earliest days, the electric power industry has been able to provide, or rapidly restore, essential services during various types of natural emergencies. Later, during World Wars I and II and the Korean War, the industry had to deal with the potential for sabotage. This sabotage threat continued at a reduced level through the Cold War, but the main physical security concerns during that period were domestic problems with vandalism, theft, and tampering. However, recent international developments have created a heightened threat to the nation’s infrastructure from terrorist attack, including the electric power supply and delivery system.
Osama bin Laden has stated that the objective of the al-Qaeda Islamic terrorist movement is to “target key sectors of the U.S. economy.”1 The so-called mastermind of the 9/11 operation, Khalid Sheik Mohammed, also stated that al-Qaeda’s goal was “to launch spectacular attacks on vulnerable symbolic targets.”2 It is evident from the various attacks carried out by terrorists groups against power systems elsewhere in the world that many such groups consider electric power systems to be on their list of potential targets.
Potential terrorist attacks against electric power systems include sabotage; physical assault; disruption of sensors, information systems, and computer networks; tampering with process safety; disruption of fail-safe systems; and indirect attacks such as disruption of water, fuel, or key personnel.
Although al-Qaeda has received the greatest attention, the U.S. Department of State lists over 42 international terrorist groups operating around the world today (Department of State, 2006, p. 83). Approximately 2,500 attacks have been conducted by such groups against transmission lines and towers in various parts of the world over the past 10 years.3 The (next most frequently attacked power transmission target for international terrorists has been substations, with more than 500 attacks over the same period.4 In Iraq, terrorist and insurgent groups have skillfully used their resources and insider contacts to repeatedly attack national power transmission, to cause both disruption and social unrest and also to steal valuable materials such as copper conductors. Similarly, terrorists have been attacking Colombia’s electrical grid at a rate of over 100 times a year.
As noted in Chapter 1, if economic damage and social disruption become primary objectives for terrorists in the United States, the electric power transmission and distribution system would be an attractive target.
POWER SYSTEM CHOKE POINTS AND VULNERABILITIES
Electric power transmission and distribution systems are susceptible to attack generally with little risk to the attacker, a fact well recognized by saboteurs and terrorists. The remote locations of many transmission power lines, substations, communications facilities, or natural gas supplies to generating facilities allow attackers to conduct their operations with little or no risk of detection. Selecting points for attack and estimating the consequences are within the capability of technically trained individuals in the terrorist community.
High-value choke points, those facilities which, if destroyed, will significantly degrade power system capabil-
1Statement by Usama Bin Ladin: Al-Jazirah Space Channel Television, Oct. 6, 2002, as quoted in Scheuer (2004), p.17.
2“Substitution for the Testimony of Khalid Sheikh Mohammed” pp. 11-14, Central Intelligence Agency [no report title, number, or date], as quoted in Lawrence Livermore National Laboratory (2006).
3From November 1, 1996, to November 1, 2006, 528 substations were attacked worldwide. This number includes substations and switchyards collocated with substations that were attacked with rocket propelled grenades (RPGs), mortars, small arms, etc., and were the targets of actual and attempted attacks. For the same 10-year period, 2,539 transmission towers were attacked worldwide (attempted attacks). Data from The Energy Incident Data Base, Robert K. Mullen, email@example.com.
4Data from Mullen; see footnote 3.
ity, are easily located either on the ground or from system maps. Detailed maps of U.S. power systems were once readily available in the public domain and on the Internet. Despite attempts to control access to such maps, they can still be easily obtained. Commercially available satellite data, as well as direct observation on the ground, can also be used to readily update and confirm system map information for potential attackers.
Facilities and equipment can be damaged or destroyed by a variety of means well known to international terrorists, surrogate agents, and special operations military forces. Physical facilities are vulnerable to mechanical intervention or from serious physical damage from stand-off attack projectiles and explosive devices. In addition some choke points on the electric systems of the modern world are vulnerable to cyber incursion. Chapter 4 discusses the cyber threat. Any attack could be considerably amplified if aided by insiders, whether voluntary or coerced. The insider issue is discussed in Chapter 5.
Most utilities are well prepared to handle outages caused by all but the largest natural events. However, the power industry is not capable of reliable performance if major components are severely damaged on a widespread basis by deliberately planned terrorist acts or natural phenomena. Virtually no utilities are equipped or staffed to mitigate the consequences of multiple attacks against major critical components or from widespread impacts of natural phenomena like Hurricane Katrina. National security planners have devoted insufficient attention to this fact or to the fact that electricity must be produced and delivered, through highly complex technological systems, at the instant of demand, and cannot be easily stored.
Specific points of vulnerability can be better understood by considering briefly each major element of power systems: generators, substations, transmission towers, distribution components, system control centers, and customers or users.
Although this report focuses on the power delivery system, it is important to note that in some parts of the world generators have been targets of terrorist attacks. In the United States generator units and ancillary equipment are installed within a power house that is manned by operational personnel, giving them some protection. Some are inside a perimeter fence with physical security equipment and trained security forces, and others are being upgraded. However, most generating stations except nuclear plants have very limited in-place security measures which could be circumvented by expert saboteurs, and lack supporting contingency plans to coordinate with local authorities.
Security Criteria to Be Considered in Evaluating Substation Security
• Potential threat and probability of attack
• Frequency and duration of past security breaches
• Severity of damage
• Cost of breaches
• Safety hazards in the substation
• Equipment types and design
• Number and types of customers served
• Substation location
• Criticality of load
• Overall cost of facility
• Quality of service at existing substations
• Exposure to vandalism, sabotage, and terrorist attack of control houses, control equipment, and key electrical system components
Bulk Transmission Substations have unique security concerns in that they are relatively soft targets; they are vulnerable to stand-off attack as well as penetration attacks by adversaries compromising the substation’s perimeter fences. There is general agreement among security planners that key high-voltage substations are the most worrisome terrorist targets within the power transmission system. They are also difficult to protect. Their replacement parts are difficult to obtain, and damage to substations can separate customers from generation for long periods.
Box 3.1 lists security criteria that may be considered in evaluating substation security.
Transmission Lines and Towers
Transmission lines have been a desirable terrorist target in countries suffering from insurrection or civil unrest. A circuit can be temporarily disabled by fairly simple means. Shooting insulators on a tower can short a line. Severing the legs of the tower with explosives can bring it down, shorting all the lines it carries. On some transmission lines, taking out a tower can cause a domino effect, resulting in a cascade collapse of several adjacent towers.5 Taking out a tower where two lines cross can disable both circuits at once.
5Transmission lines normally consist mainly of suspension towers that are intended to support the conductors, which are under tension to minimize sagging. These towers are held in place by the conductors and require little horizontal bracing under normal conditions. If the lines break in one direction, however, the tower may be pulled down by the tension on conductors in the other direction. Thus a cascading failure of towers can occur up to a
Transmission lines are often very long and in sparsely populated areas. They make easy targets and cannot be well protected. However, they can also be repaired quickly unless there is a coordinated widespread attack. Even then, the transmission lines can be repaired almost as soon as replacement towers can be delivered. Thus transmission lines are of less concern than substations.
System Control Center(s)
Major electrical systems rely heavily on their primary system control center. Computers, telemetry, fiber, radio, and dedicated telephone lines are continuously used to monitor major system elements and transmit vital information to the control center. As discussed in Chapter 6, when routine disturbances occur, the system is designed to take certain remedial measures instantly and to automatically report these measures and conditions to the control center staff. Major disturbances often require quick decisions and reactions on the part of the staff to prevent widespread outages.
System control centers contain highly technical control and communications equipment as well as experienced system operations personnel. Any attack, such as with a vehicle bomb that would destroy or severely damage such a center, would also significantly impair the operation or restoration of a system by eliminating vital command, control, and communications (C3) functions and capabilities. In most cases there are redundant control facilities, and the system could still be operated, but C3 would be significantly degraded.
Security is very uneven across the system. Some control centers have been extensively hardened and have excellent access control and other security. Other utilities provide nominal local security for these centers that could easily be overcome by a determined attacker. Control centers could easily be sabotaged by insiders either to affect C3 loss or to support a broader system attack by outsiders.
Control centers could be a desirable terrorist target, particularly if the redundant center is also targeted. Loss of a control center would make the continued operation of the power system difficult and might cause widespread outages.
From the transmission substation networked medium-voltage lines and substations carry the power to all the users “downstream” from the transmission system. Distribution components are more numerous and of lower capacity than transmission system components, and spare parts are generally in greater supply. Storms take an annual toll on distribution systems. Utilities are prepared for such emergencies and often pool their resources to aid each other in restoring service. Targeting of distribution system components can cause troublesome outages, but the magnitude of the problems will usually be more manageable than those resulting from attacks on the “upstream” transmission systems or generation stations, unless of course they are targeted at disrupting supply to a critical facility in conjunction with some other attack.
Other Collective Targets
Other targets, although not system choke points, can be key terrorist targets. These include:
• Key personnel. Hostage taking usually places the attacker at greater risk than does the mere destruction of facilities or equipment. However, it should not be overlooked by security planners as a tactic historically employed when coercive control is desired. Contingency plans, security awareness training, and timely threat briefings for key personnel have proven effective in these situations.
• Major materiel yards. Central supply points, and sites where major repair vehicles and high-voltage spare components are stored, present valuable targets. Although such sites have a lower priority, security plans could include responses to the potential for attacks on these sites.
• Customers (Users). From heavy industries to households, the entire North American societal infrastructure is dependent in varying degrees on the reliable functioning of these electrical systems. As users’ demands fluctuate moment-by-moment, generation must be increased or decreased to keep all elements of the system and the demand in precise balance. Attacking individual consumer electrical facilities would have limited overall impact on society, unless those facilities constituted part of a coordinated attack on targets such as chemical facilities or facilities providing essential community services.
Countermeasures to attacks on physical infrastructure such as substations include improved security engineering techniques, such as calculations of blast effects; the use of hardened construction; and calculation of minimum standoff ranges for threat weapons. Along with site hardening, new and improved surveillance equipment to allow rapid identification of and response to attacks could be installed at critical facilities. These improved electronic surveillance technologies include point vibration sensors, leaky coaxial cable sensors, seismic disturbance and electrostatic field disturbance sensors, microphonic cable, and microstain fiber option sensing systems (a new technology for perimeter protection) that could be employed as appropriate at sites depending on the level of threat and risk present.
dead-end tower (which is self-supporting even under one-sided tension) or a corner tower (which is used when the transmission line must make a turn, resulting in asymmetric loadings on the tower).
A capability for locking and controlling manhole covers remotely, and for monitoring at points of access to underground utility systems in urban cores, would help protect key distribution lines. Today, when underground access points are secured (e.g., for a visit of a head of state or other major event), it is typically by welding and/or bolting the covers shut. This current labor-intensive case-by-case approach both increases the likelihood that the system will not be secured as often as it should be, and increases the likelihood that key access points will be overlooked.
Improved and expanded security systems would be useful in protecting key underwater cable systems. This could include multi-zone motion detection, automatic alarmed calls, live and recorded video transmission, remote control via use of information technology, and simultaneous streaming video transmission to operation centers. Some newer cables are now well protected, but some older cables still need attention.
Highly critical facilities require perimeter protection systems—including cameras, sensors, intrusion devices, access controls, lighting, fencing, buffer zone security, and so on—that are specifically tailored to the substation environment described in Box 3.1.
The DHS is currently working with industry security officials to build cooperation with local law enforcement in order to map out potential attacker approach and egress routes as part of the DHS Buffer Zone Protection Plan effort.
Electric power providers in other countries have been challenged to restore service, especially when transformers at substations have been attacked. The availability of spare parts at remote areas, site access for needed repairs, and transportation of heavy, large-load high-voltage transformers to the sites all complicate the recovery process. These issues are discussed further in Chapter 7.
In assessing vulnerability, repair and restoration capabilities must also be considered. Electric utility systems have an outstanding record of reliability due to facilities’ maintenance policies and ability to restore or bypass common outages quickly. The pooling of equipment and manpower contributes greatly to this record. Experience has proven that a vulnerability-risk analysis is applicable to any power system. The degree of risk is balanced against past ability to repair equipment and restore service in an acceptable length of time. Personnel and equipment inventories for making repairs are maintained to meet historic requirements. Many of these issues are discussed at greater length in Chapter 7.
Replacement of damaged equipment following a multi-site coordinated attack on major components could take many months or, in absolute worst cases, several years. For example, substation and generator step-up transformers can require as much as 12 to 16 months to manufacture even under ideal conditions. Transporting, installing, and testing them can take several more months. The availability of special transportation equipment itself could pose serious delays. Utilities have enough skilled personnel and equipment under their control for smaller emergencies, but having the skills required to safely repair a severe multi-site attack on electrical equipment requires extensive planning, the availability of spare equipment, and activation of already-in-place mutual aid agreements. Recent regional natural disasters have also pointed out that there is a clearly defined need for state and federal government support and coordination in recovery and restoration efforts.
It has taken many years to engineer and build the nation’s electric power systems. It is likely that reconstructing them after widespread, intelligently planned damage will require many months of highly skilled effort, assuming that the capability exists to manufacture or acquire the requisite components. The U.S. domestic ability to manufacture these components has eroded and moved offshore over the past 30 years, and is not likely to return without government action to bring manufacture of critical equipment back to the United States. Chapter 8 elaborates further on system restoration and the need for a critical parts inventory, particularly power transformers.
Since our modern society is almost totally dependent on electrical systems, the widespread loss of choke points on systems that serve clusters of key defense bases, critical infrastructure assets, and major metropolitan areas would have a very detrimental effect. Pumping of potable water, sewage, and irrigation water; sewage treatment; food and fuel supply and storage; refrigeration; medical facilities, prisons, banking, communications, refineries, shipping, transportation, commerce, and home/commercial life-support systems (heating, ventilation, and air conditioning) all depend on a continuously operating power supply in an interoperable system. Should these interoperable critical infrastructures cease to function for an unacceptable length of time, the consequences to national security, public health and safety, and the economy would be huge.
The federal government is concerned about the existing level of domestic electric power system vulnerability primarily because of the threat posed by international terrorists. The White House has provided briefings to industry on its concerns. The DHS has been organizing relationships with industry. Efforts to integrate national security considerations into electrical system reliability planning continue to evolve, and the utility industry is integrating low-cost security measures to strengthen bulk power supply systems, particularly those that serve key national defense or critical infrastructure assets. These efforts are coordinated through the North American Electric Reliability Council (NERC) or the newly created Electric Reliability Organization (ERO).
Various organizations and agencies involved in homeland defense have been in the process of identifying the thousands of critical infrastructure assets across the nation that must be protected. An objective is to develop plans to ensure that critical infrastructure assets have adequate security for continued functioning. Planners must realize that no matter how well protection plans for critical infrastructure perform, when the day of emergency arrives, all of those infrastructure assets are dependent on electric energy.
A new dimension of “national security reliability” is being used in the planning for reliability of the electric power industry. The North American Electric Reliability Council, with the Federal Energy Regulatory Commission (FERC) providing the regulatory support stipulated in the reliability provision of the Energy Policy Act of 2005, is leading the effort. Additional support is provided through industry groups, such as the Electric Power Research Institute (EPRI) and the Edison Electric Institute (EEI). Industry is also working closely with various federal government agencies, such as the Department of Homeland Security (DHS), Department of Energy (DOE), Department of Defense (DOD), Department of Justice (DOJ), Department of Transportation (DOT), Federal Bureau of Investigation (FBI), DOD’s Technical Support Working Group (TSWG), and the National Security Council (NSC). It is important that these efforts be well coordinated to avoid conflicts in recovery and restorations efforts.
New security protocols and mitigation measures are currently being developed and adopted through cooperation between government and industry to provide protection against the current terrorist threat. Examples of these are provided in Box 3.2. Pilot projects involve advanced security technologies that include digital CCTV, fiber optics, smart cards, and biometric IDs and card keys, as well as fencing design and manufacturing improvements.
Efforts have also been made toward understanding interdependencies, and how the power industry fits into the national critical infrastructure framework. Regional inter-dependency exercises have been conducted to consider the resiliency of utilities, the water supply, telecommunications, oil and gas, banking, financial services, and so on.
POST 9/11 POWER INDUSTRY PHYSICAL SECURITY ENHANCEMENTS
Many physical changes have been made and security enhancements implemented since the attacks on the World Trade Center. These include an increased awareness of the need to be more cautious with regard to access to information and facilities as well as to ensure that employees and contractors are not likely collaborators with terrorists. Box 3.3 lists the steps that most utilities have now taken to limit access to facilities and information. In addition, electric power industry security personnel have begun to develop a set of technical physical security skills and practices of the kind listed in Box 3.4.
Examples of Security Protocols and Mitigation Measures Intended to Provide Protection Against Current Terrorist Threats
• Utility coordination and information exchange programs in place at the North American Electric Reliability Council and the Edison Electric Institute
• Development of new risk assessment methodologies
• Risk-awareness management principles and practices in use by utility consultants
• Security vulnerability assessments
• Implementation of security upgrades and transitioning from security enhancements to comprehensive programs
• Recovery planning
• Security outreach programs including exchanges of best practices
• Top-to-bottom emergency plan reviews and updates
• Review and updating of mutual support agreements
• Improvement of security engineering of substations and control centers
Steps Taken by Most U.S. Utilities to Limit Access to Facilities and Information
• Requiring positive ID for all personnel visiting facilities
• Instituting access controls for all pedestrians and vehicles passing through entrance gates
• Hiring additional security officers
• Increasing the frequency of facility security checks
• Increasing aircraft patrols of transmission lines
• Increasing liaison relationships among local law enforcement, the FBI, and the National Guard
• Upgrading security policy and procedures
• Updating employee security and emergency response guides
• Developing new gate designs and standards
• Developing industry-wide baseline of security standards
• Conducting employee security awareness training
• Instituting a “no tours of the facility” policy
• Reviewing all internal and external Web pages and materials for information that could be used by terrorists
Examples of Technical Physical Security Skills and Practices Being Developed and Implemented by Electric Power Industry Security Personnel
• Protecting system technical operations
• Gaining familiarity with the latest risk and vulnerability analysis systems
• Ensuring the physical security of equipment and systems
• Providing perimeter protection including fences, lights, gates and access controls, entrance and equipments locks, protection force fencing, electronic security systems, video surveillance systems, and building alarm systems
• Physically protecting telecommunications systems
• Streamlining security command-and-control systems
• Working with the National Incident Management System
• Conducting contingency planning
• Accessing intelligence sources and sharing local information
• Forming liaisons with local law enforcement organizations
• Initiating tactical planning of response operations
• Planning for exercise/implementation of defensive operations during heightened alert periods
• While the electric power transmission and distribution systems are resilient and are designed for rapid restoration after failure caused by natural and accidental events, they are vulnerable to intelligent multi-site attacks by knowledgeable attackers intent on causing maximum physical damage to key components on a wide geographical scale. A few natural events, such as large hurricanes and ice storms, pose similar challenges, although in those cases some of the system components, such as high-voltage transformers (that are most difficult to replace or restore), are less likely to be damaged.
• Electric power transmission and distribution systems are vulnerable to attack generally with little risk to the attacker. As most systems are currently configured and operated, attackers can conduct their operations without detection. Because the transmission and distribution systems are by their nature inherently distributed, it is very difficult to completely protect all key components, or to harden them against possible attack.
• However, there are steps that could be taken to reduce the vulnerability of critical components. These include:
—A variety of design and engineering steps to harden substation sites and make key components less vulnerable to physical attack. These include further hardening of control facilities; selective use of walls and roofs at substations (especially in built-up areas and at high-consequence facilities in remote areas); and hardened enclosures for key transformers.
—Improved integrated electronic surveillance that uses sensor and monitoring equipment, along with information-processing equipment, to allow rapid identification of and response to multi-site attacks.
—System tools that can identify and localize physical and control system problems and potential incidents. These are further discussed in Chapter 6.
—Greater use of robust self-supporting towers for both transmission lines and communication systems. This includes more frequent use of dead-end towers in transmission lines that use guide towers, as well as integrated communication and power towers and self-supporting microwave towers.
• Substations are the most critical choke points, followed by control centers. For these facilities there is a need to develop specific physical security equipment such as cameras, sensors, intrusion devices, access controls, improved lighting and perimeter security fencing, buffer zone security, and surveillance of approaches, as well as a greater human presence and upgrades in protection force training and response, all of which would be used to decrease vulnerability.
• Improved personnel-related security measures are needed, including better screening of employees, better access control, more realistic simulations and security training, programs to reduce the threat to key workers from biological and other attacks with weapons of mass destruction, and upgraded capability to deal with the insider threats. Details on these and other personnel issues are provided in Chapter 5.
Lawrence Livermore National Laboratory. 2006. “The Jericho Option: Al-Qa’ida and Attacks on Critical Infrastructure.” UCRL-SR-224072, June.
Scheuer, Michael. 2004. Imperial Hubris. London: Brassey’s.
U.S. Department of State. 2006. “Country Reports on Terrorism 2005.” Washington, April.