Power substation attack exposes potential flaws in U.S. infrastructure security

Incident leaves regulators scrambling to address physical security standards for nation’s electric grid


One of the most damaging acts of domestic terrorism in the U.S. may have taken place on April 16, 2013, and involved targeted and deliberate damage to a Pacific Gas and Electric substation located south of San Jose, Calif.

Interest in the incident increased last month, when the Wall Street Journal released a detailed internal Federal Energy Regulatory Commission (FERC) report on the incident, including previously unreported information that phone lines to the Metcalf transmission substation were cut just before snipers shot out 17 large transformers, prompting a Flex Alert that covered much of the south San Francisco Bay Area.  

The report also speculated that taking out as few as nine substations could disable the power grid and require months to repair. 

PG&E described the incident as “vandalism,” but the assault was obviously so well planned and methodically executed that the former head of FERC recently called it “an act of terrorism.”

The immediate reaction to the WSJ report was on March 10, 2014, when FERC issued a directive to the North American Electric Reliability Corporation (NERC) to develop physical security standards that will require power grid system owners and operators to address risks due to physical security threats and vulnerabilities.

“Today's order enhances the grid’s resilience by requiring physical security for the facilities most critical to the reliable operation of the bulk-power system,” FERC Acting Chairman Cheryl LaFleur said. “It will complement the ongoing efforts of FERC and facility owners and operators to ensure the physical security of the grid.”

Since 2007, NERC has concentrated on improving and expanding information security standards and requiring owners and operators to comply with NERC CIP 002-009 (Critical Infrastructure Protection), which targets cybersecurity threats.

It was assumed that the owner/operators would have their own physical security standards in place, and that information security was the area most likely to be exploited by terrorists, whether they are domestic or international.

However, last year’s attack highlighted not only the weaknesses in physical security at a particular facility, but also that physical security controls may differ in different facilities and that the protection of the energy grid will require standardization of minimum physical security controls.

The new security standards, as ordered by FERC, include three steps:

  • Owners and operators must perform a risk assessment to identify facilities that are critical;
  • After the facilities are identified, owners must evaluate potential threats to those sites and,
  • Owners and operators must develop and implement a security plan.

The same elements have been mandated by NERC for information security, but these standards would be exclusively focused on physical security.

Maybe in another five years, FERC will mandate that these security elements should be done in concert and harmonized to provide holistic protection of the energy grid.

In the meantime, the WSJ has come under attack for publishing the results of the internal FERC report.