Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 1
Summary The electric power delivery system that carries electricity Electric systems are not designed to withstand or quickly from large central generators to customers could be severely recover from damage inflicted simultaneously on multiple damaged by a small number of well-informed attackers. The components. Such an attack could be carried out by knowl- system is inherently vulnerable because transmission lines edgeable attackers with little risk of detection or interdiction. may span hundreds of miles, and many key facilities are Further well-planned and coordinated attacks by terrorists unguarded. This vulnerability is exacerbated by the fact that could leave the electric power system in a large region of the power grid, most of which was originally designed to the country at least partially disabled for a very long time. meet the needs of individual vertically integrated utilities, is Although there are many examples of terrorist and military now being used to move power between regions to support attacks on power systems elsewhere in the world, to date the needs of new competitive markets for power generation. international terrorists have shown limited interest in attack- Primarily because of ambiguities introduced as a result of ing the U.S. power grid. However, that should not be a basis recent restructuring of the industry and cost pressures from for complacency. Since all parts of the economy, as well as consumers and regulators, investment to strengthen and human health and welfare, depend on electricity, the results upgrade the grid has lagged, with the result that many parts could be devastating. of the bulk high-voltage system are heavily stressed. This report focuses on measures that could: A terrorist attack on the power system would lack the dramatic impact of the attacks in New York, Madrid, or 1. Make the power delivery system less vulnerable to London. It would not immediately kill many people or make attacks, for spectacular television footage of bloody destruction. But 2. Restore power faster after an attack, if it were carried out in a carefully planned way, by people 3. Make critical services less vulnerable while the who knew what they were doing, it could deny large regions delivery of conventional electric power has been of the country access to bulk system power for weeks or even disrupted. months. An event of this magnitude and duration could lead to turmoil, widespread public fear, and an image of helpless- THE NATURE OF THE PROBLEM ness that would play directly into the hands of the terrorists. If such large extended outages were to occur during times of The U.S. power delivery system is remarkably complex. extreme weather, they could also result in hundreds or even It is a network of substations, transmission lines, distribution thousands of deaths due to heat stress or extended exposure lines, and other components that people can see as they drive to extreme cold. around the country; it also includes the less visible devices The largest power system disruptions experienced to date that sense and report on the state of the system, the automatic in the United States have caused high economic impacts. and human controls that operate the system, and the intri- Considering that a systematically designed and executed cate web of computers and communication systems that tie terrorist attack could cause disruptions that were even more everything together. Enormous complexity and diversity also widespread and of longer duration, it is no stretch of the characterize the organizations and human systems that oper- imagination to think that such attacks could entail costs of ate and manage the power delivery system. That complexity hundreds of billions of dollars--that is, perhaps as much as and diversity have become even greater in recent years as a few percent of the U.S. gross domestic product (GDP), some parts of the system have been restructured while others which is currently about $12.5 trillion. 1
OCR for page 2
2 TERRORISM AND THE ELECTRIC POWER DELIVERY SYSTEM have not, and as the role of state and federal regulators and of line. Terrorist attacks on multiple-line transmission cor- other oversight bodies has shifted. ridors could cause cascading blackouts. Today most power is generated by large central generating High-voltage transformers are of particular concern stations that are located far from the customers they serve. because they are vulnerable to attack, both from within and Transformers increase the voltage so that it can be carried from outside the substation where they are located. These efficiently over long distances. Substations then reduce the transformers are very large, difficult to move, custom-built, voltage and carry the power into the distribution network and difficult to replace. Most are no longer made in the for delivery to customers.1 Unlike trains or natural gas in United States, and the delivery time for new ones can run pipelines, electric power cannot simply be sent via specific to months or years. The industry has made some progress lines wherever dispatchers choose. Current flows through the toward building an inventory of spares, but these efforts system according to a set of physical laws. The system must could be overwhelmed by a large attack. Although easier be continually adjusted to keep all parts synchronized and in to move and replace, other large components, such as high- electrical balance. If corrections are not made immediately voltage circuit breakers, are also a concern. when imbalances occur, the result can be oscillations and These problems are exacerbated by the current state of the other disturbances in the system that can result in a cascad- transmission grid. It is aging and increasingly stressed, leav- ing failure over a wide area, as happened in the Northeast ing it especially vulnerable to multiple failures following an blackout of 2003. attack. Many important pieces of equipment are decades old Recent years have witnessed dramatic organizational and lack improved technology that could help limit outages. changes in the U.S. electric power system. In some states, traditional vertically integrated companies that owned and Cyber Vulnerability operated the entire system from the generators to the custom- ers' meters have been restructured in an effort to introduce Modern power systems rely heavily on automation, competition. However, a few states are trying to undo some centralized control of equipment, and high-speed com- of the changes, and some states may never restructure. The munications. The most critical systems are the supervisory push by federal regulators to introduce competition in bulk control and data acquisition (SCADA) systems that gather power across the country also has resulted in the transmission real-time measurements from substations and send out network being used in ways for which it was not designed. control signals to equipment, such as circuit breakers. The There have also been shifts in the relative responsibility of many other control systems, such as substation automation state and federal regulators. or protection systems, can each only control local equipment. Largely as a consequence of the uncertainties introduced Other online computer systems, such as energy management by these changes, incentives for investment by private firms systems (which analyze the reliability of the system against have become mixed, with the result that the physical capabil- contingencies) or market systems (which manage the buying ities of much of the transmission network have not kept pace and selling of electricity), have only an indirect impact on with the increasing burden that is being placed on it. Other the grid. But all such systems are potentially vulnerable to trends are more promising. The Energy Policy Act of 2005 cyber attacks, whether through Internet connections or by includes provisions to strengthen the electric grid, including direct penetration at remote sites. Any telecommunication provisions for the introduction of mandatory reliability stan- link that is even partially outside the control of the system dards. Although not aimed specifically at protecting the grid operators is a potentially insecure pathway into operations against terrorism, the activities initiated under this statute and a threat to the grid. will--if implemented--lead to a more robust transmission If they could gain access, hackers could manipulate system that will be better able to withstand major disruptions. SCADA systems to disrupt the flow of electricity, transmit erroneous signals to operators, block the flow of vital infor- mation, or disable protective systems. Cyber attacks are Physical Vulnerability unlikely to cause extended outages, but if well coordinated Disruption in the supply of electric power can result from they could magnify the damage of a physical attack. For problems in any part of the system. The primary concern of example, a cascading outage would be aggravated if opera- this report is with power delivery. Substations and the large tors did not get the information to learn that it had started, high-voltage transformers they contain are especially vulner- or if protective devices were disabled. able, as are some transmission lines where the destruction of a small number of towers could bring down many kilometers Personnel Vulnerability 1A few transmission lines operate with direct current (DC), which re- Workforce issues are critically important to maintaining a quires conversion from alternating current (AC) at one substation and then reliable supply of electricity, particularly in the event of a ter- back again at the receiving substation. DC also is used to interconnect the rorist attack. Utility employees and contractors interact with four major regions in the United States and Canada because its use avoids the necessity of keeping their AC systems synchronized. the electric power system as managers, operators, line-crews,
OCR for page 3
SUMMARY 3 suppliers of materials and services, and users, among other REDUCING RISKS roles. Although workers and managers in this industry have an outstanding record of reliable performance, even a few Reduce Vulnerability pernicious people in the wrong place are a potential source The extent of the damage from an attack can be limited of vulnerability should they choose to disrupt the system. by a variety of means, including improving the robustness of A second issue is that, to a greater extent than in most the system to withstand normal failures; adding physical and other industries, the electricity workforce is aging, and many cyber protections to key parts of the system; and designing skilled workers and expert engineers will soon retire. As the it to degrade gracefully after catastrophic damage, leaving current workforce retires, utilities may have increasing dif- as many areas as possible still with power. Research and ficulty hiring sufficient qualified replacements to keep the development can make particularly important contributions system operating effectively and reliably and to undertake in these areas. Table S.1 lists examples of changes that could all the upgrades that are needed, let alone cope with damage be made starting now and others that could become options from terrorist attacks. This issue requires sustained and high- in the long term. Many of the changes discussed in this report level attention by both the industry and federal agencies. TABLE S.1 Examples of Options for Minimizing Vulnerability Selected Options Currently Available Selected Options That R&D Could Make Available Physical vulnerability Hardening of key substations and control centers Improved intrusion sensors Increased physical surveillance Development of strategies to provide greater system Addition of transmission towers that can prevent capacity domino-like collapse Greater use of distributed generation and micro-grids For additional examples, see Chapter 3 For additional examples, see Chapter 9 Cyber vulnerability Elimination of all non-essential pathways to external Improved cyber security for sensors, communication, and systems control systems Use of high-quality cyber security on all links Systems to monitor for, and help avoid, operator error For additional examples, see Chapter 4 For additional examples, see Chapter 9 Personnel vulnerability Improved employee and contractor screening Improved training simulators Improved training for attack response Expansion of support for educational programs in power Improved planning and coordination with engineering that have atrophied in large part because of government (especially law enforcement) very limited research investment For additional examples, see Chapter 5 For additional examples, see Chapter 9 Increased system robustness and A change in institutional arrangements and incentives Lower-cost undergrounding graceful degradation to ensure adequate modernization of the Improved probabilistic vulnerability assessment transmission system Improved sensors, communication, real-time analysis, and Greater use of high-voltage power electronic system visualization technology Improved automatic control Greater use of DC interconnects Improved capability for islanding and self-healing Expanded and more selective demand-side Improved energy storage management and distribution automation For additional examples, see Chapter 9 For additional examples, see Chapter 6 Accelerated restoration Expanded planning for very large outages Development and stockpiling of restoration transformers Designation of some utility employees as first and other key equipment of long leadtime responders. Improved assessment and planning tools For additional examples, see Chapter 7 For additional examples, see Chapter 9 Maintenance of critical services Use of robust systems such as light-emitting diode Massively distributed architectures while grid power (LED) traffic lights with trickle charge batteries Improved energy storage is disrupted Co-location of generation with critical loads such as For additional examples, see Chapters 8 and 9 pumps for water supply Comprehensive contingency planning Avoidance of cross-dependencies (e.g., backup power for cell phone sites; gas rather than electric pumps on gas pipelines) For additional examples, see Chapter 8
OCR for page 4
4 TERRORISM AND THE ELECTRIC POWER DELIVERY SYSTEM could convert an attack that today could cause a blackout ability. Among these, increasing generation within or close over a wide region of the country into one that would do to major load centers, expanded use of distributed resources less damage to the electric system and leave the system in a (co-generation, micro-grids) with associated automatic better position to accommodate the damage that does occur. control, and the successful development and deployment of Cascading failures could be limited, and many areas within storage technology would help limit cascading failures and a blacked-out region could maintain power because they leave islands of power within a blacked-out region. could isolate themselves from the failing grid and maintain a balance of generation and demand within their borders. Expedite Restoration Physical protection of critical facilities includes hardened enclosures for key transformers, improved electronic surveil- After an attack, an electric utility's main focus will be lance, and system tools that can identify physical and control on restoring power to its customers. Many of the steps to be system problems and potential incidents. Such measures may taken would be similar to those taken in response to a major deter as well as blunt an attack. natural disaster, such as a hurricane: that is, identify the dam- Cyber security is best when interconnections with the age, clean it up, repair equipment, and restore power. How- outside world are eliminated. When interconnections are ever, there are also important differences. Unlike hurricanes, unavoidable, best practices for security must apply. Wireless terrorists may strike with no warning and selectively destroy communications within substations is a particular concern. the most important facilities, such as major substations. The risk of insider-assisted attacks can be reduced by Some of the lost equipment may take months or even years strengthening background checks for new and existing to replace. Unless prior arrangements have been worked out, employees and contractors. If subversive or disaffected law enforcement officers might exclude utility workers from workers can be identified, attackers will lose a major poten- the crime scene while they investigate, delaying assessment tial advantage. Training operators and other workers to rec- of the damage and restoration activities. In addition, utility ognize and react to attacks or other major disruptions will be workers might be subjected to unexpected risks, such as helpful in limiting the extent of outages and further damage chemical contamination. during a cascading failure. System simulators are likely to Although detailed restoration plans cannot be formulated be very useful in this endeavor. In the long term, supporting until specific damage is identified and the extent of an outage engineering and other technical education will help to main- determined, advance planning can greatly speed the process tain the availability of the necessary skills in the workforce. of recovery. This is a well-established tenet in the industry. Even if terrorist attacks were not a concern, the transmis- Utilities and transmission operating entities can--and do-- sion system should be modernized and upgraded to handle make contingency plans. In preparing for a possible terror- the increasing flow of power. A robust, modern system could ist attack, they should set up an incident command system, ride out disturbances that would cause major problems to establish good communications with government agencies, today's stressed system. The new operating standards being and reach agreements as to responsibilities and authority over prepared by the electric industry and its reliability organiza- various aspects of the restoration. Further work to address tions under the Energy Policy Act of 2005 (EPAct) will help, any specific issues that might arise in a terrorist incident but EPAct doesn't directly grant authority to order upgrades is critical. Designating utility workers as first responders in the physical system. Industry, the Federal Energy Regula- would improve their access to damaged substations and other tory Commission (FERC), the Department of Energy (DOE), facilities to assess the damage. Drills should be conducted and state public utility commissions are aware of such needs, for plausible scenarios of destruction to ensure that plans but building new transmission lines and other delivery are adequate. enhancements is expensive and difficult. Upgrading sen- Key equipment, especially large power transformers, can sors and controls can allow more power to flow on existing be backed up with spares. The Edison Electric Institute (EEI) lines, which will help under some conditions. The terrorist is developing the Spare Transformer Equipment Program threat suggests that additional upgrades may be important (STEP), which will make spare transformers available in to reduce major outages. Current standards are met if no case of emergency. These transformers are very expensive, significant outage occurs following the failure of one major and not many spares are available. Transformers are also line or certain related double outages. Damage by terrorists very large, heavy, and difficult to move. A major attack could could greatly exceed this level. A higher standard would be quickly exhaust the inventory, and the world has limited to maintain reliability when two major related failures occur, manufacturing capacity. A promising solution is to develop, known as an N 2 event, which, in most cases, would entail manufacture, and stockpile a family of universal recovery additional costs. Improving the information flow to operators transformers that would be smaller and easier to move. These and the tools they can use to analyze and react to disturbances would be less efficient than those normally operated and so also would help prevent outages from cascading. would only be for temporary use, but they could drastically In the longer term, changes to the configuration of the reduce the delay before the electric system is back in full power system could have dramatic impacts on its vulner- operation. Emergency backup policies also should be imple-
OCR for page 5
SUMMARY 5 mented for other key equipment such as large bushings and extended power outages and develop cost-effective strategies circuit breakers, which could take many weeks to replace. that can be adopted to reduce or, over time, eliminate such Utility restoration workers need adequate food, water, fuel vulnerabilities. Building on the results of these model assess- for vehicles, and other essentials that may not otherwise be ments, DHS should develop, test, and disseminate guidelines available during an extended outage. Communication net- and tools to assist other cities, counties, states, and regions to works also may degrade or fail in an extended outage, and it conduct their own assessments and develop plans to reduce is essential that utilities have backup systems available that their vulnerabilities to extended power outages. To facilitate can be operated without grid power. these activities, public policy and legal barriers to communi- In addition, utilities and transmission operators should cation and collaborative planning will need to be addressed. ensure that sufficient generating plants have black-start At a national level, DHS should perform, or assist other capability. This is provided by units that can be started with federal agencies to perform, additional systematic assess- no offsite power available, a likely situation in a widespread ment of the vulnerability of national infrastructure, such as blackout. telecommunications and air traffic control, in the face of extended and widespread loss of electric power, and then develop and implement strategies to reduce or eliminate vul- Reduce Vulnerability of Critical Services in the Event of nerabilities. Part of this work should include an assessment Outages of the available surge capacity for large mobile generation Society is becoming ever more dependent on electric sources. Such an assessment should include an examina- power. While system owners and operators should do all tion of the feasibility of utilizing alternative sources of that they reasonably can to ensure that their systems are able temporary power generation to meet emergency generation to withstand anticipated assaults from natural and human requirements (as identified by state, territorial, and local sources, there are practical limits to how much these highly governments, the private sector, and nongovernmental orga- distributed systems can be hardened. Even without the threat nizations) in the event of a large-scale power outage of long of terrorism, there is a risk of occasional power outages, duration. some of which will have large spatial scale and may last for Government entities need to provide incentives (e.g., many hours or even days. Terrorism increases the probable grants, fee-based awards, taxes, regulation ) to support extent and duration of such outages and could cause them incremental costs associated with public and private sector to occur at particularly inconvenient or damaging moments. risk prevention and mitigation efforts to reduce the societal Since the complete elimination of all possible modes of impact of an extended grid outage. Such incentives could failure is simply not feasible, an important design objective include incremental funding for those aspects of systems that (in addition to resilience and the ability to rapidly restore the provide a public good but no private benefit and the develop- system after a problem occurs) should be the ability to sus- ment and implementation of building codes or ordinances tain critical social services while an outage persists. Thus, in that require alternative or backup sources of electric power addition to strengthening the grid, society should also focus for key facilities. on identifying critical services and developing strategies to keep them operating in the event of power outages--be they THE IMPORTANCE OF INVESTMENT IN RESEARCH accidental or the result of terrorist attack. Strategies for managing an extended outage will require There are many technologies and strategies that could detailed planning and preparation to ensure that critical be employed to make the power system more robust in the facilities can continue to operate, either from the remain- face of terrorist attack, make service restoration more timely ing grid or from emergency power systems. Metropolitan after an attack, and continue the provision of critical ser- areas with high demand and high reliance on transmission vices while the power is out. The best way to make needed to deliver power from distant generating stations should be changes affordable, and to develop new, even more effective of particular concern in this regard. Critical facilities (such and affordable approaches, is through research. Chapter 9 of as hospitals) often have emergency backup power generation this report discusses the current state of research for electric capability, but some of these are only intended to operate power, along with a set of recommendations for addressing for several days. An extended outage could easily exhaust research needs and developing related strategies. the supply of fuel. Many critical service providers have no The research that is needed to address the problems of emergency power at all. terrorism is, for the most part, the same as the research that Although it is not reasonable to expect federal support would address the broad problems faced by the transmission for all local and regional planning efforts, the Department and distribution grid. The recovery transformer noted above of Homeland Security (DHS) and/or the DOE should each is one of the few exceptions of terror-specific technologies initiate and fund several model demonstration assessments that should be pursued. For example, the advanced computa- at the level of cities, counties, and states. These assessments tional system under development to improve control of flows should systematically examine a region's vulnerability to on the grid also would be very useful in minimizing a cas-
OCR for page 6
6 TERRORISM AND THE ELECTRIC POWER DELIVERY SYSTEM cading failure after a terrorist attack. The committee reached changes, identified in this report, that could reduce this conclusion in part from an informal questionnaire the the vulnerability of the power delivery system and committee developed and distributed to leading technical facilitate its more rapid restoration should an attack experts in the field. This questionnaire identified a variety of occur (see Chapters 6 and 7). potential short- and long-term R&D needs for transmission · Recommendation 3 Work with the power industry and distribution. Respondents were asked to prioritize needs to better clarify the role of power system opera- first for the industry as a whole and then strictly in terms of tors after terrorist events through the development reducing vulnerability to terrorism. With a few exceptions, of memoranda of understanding and planned and the research needs in the two cases were identical. rehearsed response programs that include designating The committee is very concerned that the level of actual appropriate power-system personnel as first respond- investment in power system research is currently much ers (see Chapters 7 and 8). smaller than it should be as measured according to a vari- · Recommendation 4 Offer assistance to the Federal ety of societal metrics. However, agreeing on institutional Energy Regulatory Commission, to state public ser- arrangements that can significantly increase the levels of vice commissions, and to other public and private nongovernmental research investment in this field has been parties in finding ways to ensure that utilities and a persistent problem. Chapter 9 discusses one possible strat- transmission operators have appropriate incentives to egy, but the committee was unable to reach a unanimous view accelerate the process of upgrading power delivery on how best to resolve this problem. and eliminating its most obvious vulnerabilities (see Chapter 6). · Recommendation 5 Work with the Department of WHAT SHOULD THE DEPARTMENT OF HOMELAND Energy and the Office of Management and Budget SECURITY DO? to substantially increase the level of federal basic The level of protection for and resiliency of the electric technology research investment in power delivery. power grid against terrorist attacks needs to increase. How- The committee notes that (1) much of what is needed ever, the level of security that is economically rational for has the nature of a "public good" that the private most infrastructure operators will be less than the level that sector will not develop on its own; (2) current levels is optimal from the perspective of the collective national of research investment are woefully inadequate; and interest. Therefore, the DHS should develop a coherent plan (3) most of the system's vulnerabilities to terrorism to address the incremental cost of upgrading and protecting are integrally linked to other more general problems critical infrastructure to that higher level. and vulnerabilities of the system and cannot be In the specific context of electric power delivery, the resolved in isolation (see Chapter 9). Department of Homeland Security should: · Recommendation 6 Take the lead in initiating plan- ning at the state and local level to reduce the vulner- · Recommendation 1 Take the lead and work with the ability of critical services in the event of disruption DOE and with relevant private parties to develop and of conventional power supplies, and offer pilot and stockpile a family of easily transported high-voltage incremental funding to implement these activities recovery transformers and other key equipment. where appropriate (see Chapter 8). Although the expected benefits to the nation of such a · Recommendation 7 Develop a national inventory program are difficult to quantify, they would certainly of portable generation equipment that can be used be many times its cost if the transformers are needed to power critical loads during an extended outage. (see Chapters 3, 6, and 9). Explore public and private strategies for building and · Recommendation 2 Work to promote the adop- maintaining an adequate inventory of such equipment tion of many other technologies and organizational (see Chapter 8).