The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 

Post

It seems this might be a much bigger problem...

Tom Alrich's picture
Supply chain Cyber Risk management - emphasis on SBOMs and VEX documents, Tom Alrich LLC

I provide consulting services in supply chain cybersecurity risk management and am now primarily focused on software bills of materials (SBOMs) and VEX (Vulnerability Exploitability eXchange). I...

  • Member since 2018
  • 373 items added with 121,202 views
  • Dec 8, 2022
  • 378 views

 

Today, I was emailing with a reporter about my post on the North Carolina substation attacks, when I saw this article that had been linked in the Utility Dive newsletter (which I normally open as soon as it hits my inbox). It seems that NC might not have been an isolated incident after all. You should read the whole article, but IMHO the executive summary is these two paragraphs:

“Power companies in Oregon and Washington have reported physical attacks on substations using handtools, arson, firearms and metal chains possibly in response to an online call for attacks on critical infrastructure,” the memo states.

The aim, according to the memo, is “violent anti-government criminal activity.”

Another:

The department wrote that attackers would be unlikely to produce widespread, multistate outages without inside help. But its report cautioned that an attack could still do damage and cause injuries.

Of course, we’re not talking about multistate outages. A multi-day, multistate outage might be a catastrophe with loss of life, especially if there were a big city in one of those states (see Ted Koppel’s Lights Out, which very eloquently describes what would happen if there were a multistate outage that lasted more than a few days. What’s unfortunate is that Ted let someone persuade him that he should sell the book as being about the effects of a cyberattack on the grid, when exactly the same results would occur, no matter what the cause. The book is an easy read and still definitely worth it, years after it came out).

But an attack that could “do damage and cause injuries” is a good description of what just happened in NC. It certainly caused damage, and people were injured in car crashes, if for no other reason. We may hear later about people on oxygen at home, etc. that were victims as well. An extended power outage is always a big problem.

Finally:

The targets also present an increasing challenge to secure because attackers don’t always have to get as close as they did in North Carolina in order to do damage, Southers said. With the right rifle, skill and line of sight a sniper could take a shot from as far as 1,500 meters (about 4,900 feet) away.

That’s quite interesting. If line of sight is a problem (which it definitely was with the Metcalf attack), then that will require fairly big, expensive fences.

Unfortunately, as I told the reporter today, it will be impossible to prevent attacks like this without huge expenditures (unless there’s a good way to triage substations for degree of risk, which I’m not sure is the case here). One thing I suggested is that, since this is obviously a national problem, the feds should finally step in and pay for the mitigations themselves – rather than dump all the cost on the utilities and especially their ratepayers. This has been for the most part the practice so far, when it comes to both physical and cybersecurity, but it’s time to acknowledge this is a national problem.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

Discussions
Mark Allen's picture
Mark Allen on Dec 14, 2022

Placing the financial burden at the federal level to better secure our grid is not, IMO, a good idea. The reasons are that not all electrical companies are the same. A common mantra in real estate is that each piece of land is unique, and indeed it is. A federal one size to fit all approach is likely to cause a lot of added expense for little return. Besides, if I don’t want my power to go out I should be able to trust my power company to take the appropriate steps to secure their infrastructure, which implies that I should (through our PUC) have the ability to influence how much will be spent. Simply moving the spending from the local to the federal only means that I will pay in a different way, and I’m likely to pay more to cover those whose actual costs to meet the goals are higher than what mine may be. Finally, who gets served first? Under a federal mandate, with the costs controlled there, it could be many years before anything is done in my locality, when through local initiatives it could be done far more efficiently and sooner. National problems do not imply a national solution with a federal takeover.

Tom Alrich's picture
Tom Alrich on Dec 19, 2022

Thanks, Mark. However, it's possible to have federal solutions that aren't one-size-fits-all. In fact, when FERC ordered what became CIP-013 in 2016, they deliberately required that it not be such a solution. Instead, the utility has to assess the supply chain cyber risks they face and develop a risk-based plan for mitigating those risks (i.e. only address the important risks). The decision on what to address is left up to the utility (this is something like what CIP-014 works, which is of course for physical security. It was developed a few years earlier, and has some rough edges that were removed in CIP-013).

The funding could be based on somebody at the federal level lining up all the risk assessments from individual utilities, then allocating funds from highest to lowest risk (with some verification that one utility wasn't calling for example the fact that the CEO doesn't have his own jet a high risk to security). And if you look at it that way, this has to be funded at the federal level, since the PUCs are only going to spend money within their state.

Julian Silk's picture
Julian Silk on Dec 14, 2022

It is easy to be torn on this.  Mark Allen makes a good point, in that there are eminent domain issues that are going to be relevant in securing the substations, and you don't want to surrender all license for eminent domain decisions to the Federal government.  (And, yes, for what it is worth, I have worked with the Federal government, and grew up with 2 parents who both did, so this is not to cast aspersions on the bureaucrats, just to worry that moving decisions away from the local level means it will take longer to get them.)  If something like credits that the Federal government could supply for local utilities securing the substations were implemented, with oversight to prevent misuse, but initial decisions being taken locally, this might meet those objections.

Tom Alrich's picture
Tom Alrich on Dec 19, 2022

I agree that the decisions on how exactly to spend the money should be made locally, with federal funding. In fact, that should be the case for almost all federal programs. However, we can't have a situation where the money is spent for a completely different purpose (like spending antipoverty funds to build a volleyball stadium, as happened in one state). But the feds are fairly good (although not perfect) at policing spending like this, so I think this is workable. It's hardly the first time something like this has been done.

The point is this is clearly a national problem. It's unfair to make the local ratepayers keep paying more for this - they're already paying a lot.

Tom Alrich's picture
Thank Tom for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »