Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter.
Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 1
Summary
The electric power delivery system that carries electricity Electric systems are not designed to withstand or quickly
from large central generators to customers could be severely recover from damage inflicted simultaneously on multiple
damaged by a small number of well-informed attackers. The components. Such an attack could be carried out by knowl-
system is inherently vulnerable because transmission lines edgeable attackers with little risk of detection or interdiction.
may span hundreds of miles, and many key facilities are Further well-planned and coordinated attacks by terrorists
unguarded. This vulnerability is exacerbated by the fact that could leave the electric power system in a large region of
the power grid, most of which was originally designed to the country at least partially disabled for a very long time.
meet the needs of individual vertically integrated utilities, is Although there are many examples of terrorist and military
now being used to move power between regions to support attacks on power systems elsewhere in the world, to date
the needs of new competitive markets for power generation. international terrorists have shown limited interest in attack-
Primarily because of ambiguities introduced as a result of ing the U.S. power grid. However, that should not be a basis
recent restructuring of the industry and cost pressures from for complacency. Since all parts of the economy, as well as
consumers and regulators, investment to strengthen and human health and welfare, depend on electricity, the results
upgrade the grid has lagged, with the result that many parts could be devastating.
of the bulk high-voltage system are heavily stressed. This report focuses on measures that could:
A terrorist attack on the power system would lack the
dramatic impact of the attacks in New York, Madrid, or 1. Make the power delivery system less vulnerable to
London. It would not immediately kill many people or make attacks,
for spectacular television footage of bloody destruction. But 2. Restore power faster after an attack,
if it were carried out in a carefully planned way, by people 3. Make critical services less vulnerable while the
who knew what they were doing, it could deny large regions delivery of conventional electric power has been
of the country access to bulk system power for weeks or even disrupted.
months. An event of this magnitude and duration could lead
to turmoil, widespread public fear, and an image of helpless-
THE NATURE OF THE PROBLEM
ness that would play directly into the hands of the terrorists.
If such large extended outages were to occur during times of The U.S. power delivery system is remarkably complex.
extreme weather, they could also result in hundreds or even It is a network of substations, transmission lines, distribution
thousands of deaths due to heat stress or extended exposure lines, and other components that people can see as they drive
to extreme cold. around the country; it also includes the less visible devices
The largest power system disruptions experienced to date that sense and report on the state of the system, the automatic
in the United States have caused high economic impacts. and human controls that operate the system, and the intri-
Considering that a systematically designed and executed cate web of computers and communication systems that tie
terrorist attack could cause disruptions that were even more everything together. Enormous complexity and diversity also
widespread and of longer duration, it is no stretch of the characterize the organizations and human systems that oper-
imagination to think that such attacks could entail costs of ate and manage the power delivery system. That complexity
hundreds of billions of dollars--that is, perhaps as much as and diversity have become even greater in recent years as
a few percent of the U.S. gross domestic product (GDP), some parts of the system have been restructured while others
which is currently about $12.5 trillion.
1
OCR for page 2
2 TERRORISM AND THE ELECTRIC POWER DELIVERY SYSTEM
have not, and as the role of state and federal regulators and of line. Terrorist attacks on multiple-line transmission cor-
other oversight bodies has shifted. ridors could cause cascading blackouts.
Today most power is generated by large central generating High-voltage transformers are of particular concern
stations that are located far from the customers they serve. because they are vulnerable to attack, both from within and
Transformers increase the voltage so that it can be carried from outside the substation where they are located. These
efficiently over long distances. Substations then reduce the transformers are very large, difficult to move, custom-built,
voltage and carry the power into the distribution network and difficult to replace. Most are no longer made in the
for delivery to customers.1 Unlike trains or natural gas in United States, and the delivery time for new ones can run
pipelines, electric power cannot simply be sent via specific to months or years. The industry has made some progress
lines wherever dispatchers choose. Current flows through the toward building an inventory of spares, but these efforts
system according to a set of physical laws. The system must could be overwhelmed by a large attack. Although easier
be continually adjusted to keep all parts synchronized and in to move and replace, other large components, such as high-
electrical balance. If corrections are not made immediately voltage circuit breakers, are also a concern.
when imbalances occur, the result can be oscillations and These problems are exacerbated by the current state of the
other disturbances in the system that can result in a cascad- transmission grid. It is aging and increasingly stressed, leav-
ing failure over a wide area, as happened in the Northeast ing it especially vulnerable to multiple failures following an
blackout of 2003. attack. Many important pieces of equipment are decades old
Recent years have witnessed dramatic organizational and lack improved technology that could help limit outages.
changes in the U.S. electric power system. In some states,
traditional vertically integrated companies that owned and
Cyber Vulnerability
operated the entire system from the generators to the custom-
ers' meters have been restructured in an effort to introduce Modern power systems rely heavily on automation,
competition. However, a few states are trying to undo some centralized control of equipment, and high-speed com-
of the changes, and some states may never restructure. The munications. The most critical systems are the supervisory
push by federal regulators to introduce competition in bulk control and data acquisition (SCADA) systems that gather
power across the country also has resulted in the transmission real-time measurements from substations and send out
network being used in ways for which it was not designed. control signals to equipment, such as circuit breakers. The
There have also been shifts in the relative responsibility of many other control systems, such as substation automation
state and federal regulators. or protection systems, can each only control local equipment.
Largely as a consequence of the uncertainties introduced Other online computer systems, such as energy management
by these changes, incentives for investment by private firms systems (which analyze the reliability of the system against
have become mixed, with the result that the physical capabil- contingencies) or market systems (which manage the buying
ities of much of the transmission network have not kept pace and selling of electricity), have only an indirect impact on
with the increasing burden that is being placed on it. Other the grid. But all such systems are potentially vulnerable to
trends are more promising. The Energy Policy Act of 2005 cyber attacks, whether through Internet connections or by
includes provisions to strengthen the electric grid, including direct penetration at remote sites. Any telecommunication
provisions for the introduction of mandatory reliability stan- link that is even partially outside the control of the system
dards. Although not aimed specifically at protecting the grid operators is a potentially insecure pathway into operations
against terrorism, the activities initiated under this statute and a threat to the grid.
will--if implemented--lead to a more robust transmission If they could gain access, hackers could manipulate
system that will be better able to withstand major disruptions. SCADA systems to disrupt the flow of electricity, transmit
erroneous signals to operators, block the flow of vital infor-
mation, or disable protective systems. Cyber attacks are
Physical Vulnerability
unlikely to cause extended outages, but if well coordinated
Disruption in the supply of electric power can result from they could magnify the damage of a physical attack. For
problems in any part of the system. The primary concern of example, a cascading outage would be aggravated if opera-
this report is with power delivery. Substations and the large tors did not get the information to learn that it had started,
high-voltage transformers they contain are especially vulner- or if protective devices were disabled.
able, as are some transmission lines where the destruction of
a small number of towers could bring down many kilometers
Personnel Vulnerability
1A few transmission lines operate with direct current (DC), which re- Workforce issues are critically important to maintaining a
quires conversion from alternating current (AC) at one substation and then reliable supply of electricity, particularly in the event of a ter-
back again at the receiving substation. DC also is used to interconnect the rorist attack. Utility employees and contractors interact with
four major regions in the United States and Canada because its use avoids
the necessity of keeping their AC systems synchronized.
the electric power system as managers, operators, line-crews,
OCR for page 3
SUMMARY 3
suppliers of materials and services, and users, among other REDUCING RISKS
roles. Although workers and managers in this industry have
an outstanding record of reliable performance, even a few Reduce Vulnerability
pernicious people in the wrong place are a potential source
The extent of the damage from an attack can be limited
of vulnerability should they choose to disrupt the system.
by a variety of means, including improving the robustness of
A second issue is that, to a greater extent than in most
the system to withstand normal failures; adding physical and
other industries, the electricity workforce is aging, and many
cyber protections to key parts of the system; and designing
skilled workers and expert engineers will soon retire. As the
it to degrade gracefully after catastrophic damage, leaving
current workforce retires, utilities may have increasing dif-
as many areas as possible still with power. Research and
ficulty hiring sufficient qualified replacements to keep the
development can make particularly important contributions
system operating effectively and reliably and to undertake
in these areas. Table S.1 lists examples of changes that could
all the upgrades that are needed, let alone cope with damage
be made starting now and others that could become options
from terrorist attacks. This issue requires sustained and high-
in the long term. Many of the changes discussed in this report
level attention by both the industry and federal agencies.
TABLE S.1 Examples of Options for Minimizing Vulnerability
Selected Options Currently Available Selected Options That R&D Could Make Available
Physical vulnerability Hardening of key substations and control centers Improved intrusion sensors
Increased physical surveillance Development of strategies to provide greater system
Addition of transmission towers that can prevent capacity
domino-like collapse Greater use of distributed generation and micro-grids
For additional examples, see Chapter 3 For additional examples, see Chapter 9
Cyber vulnerability Elimination of all non-essential pathways to external Improved cyber security for sensors, communication, and
systems control systems
Use of high-quality cyber security on all links Systems to monitor for, and help avoid, operator error
For additional examples, see Chapter 4 For additional examples, see Chapter 9
Personnel vulnerability Improved employee and contractor screening Improved training simulators
Improved training for attack response Expansion of support for educational programs in power
Improved planning and coordination with engineering that have atrophied in large part because of
government (especially law enforcement) very limited research investment
For additional examples, see Chapter 5 For additional examples, see Chapter 9
Increased system robustness and A change in institutional arrangements and incentives Lower-cost undergrounding
graceful degradation to ensure adequate modernization of the Improved probabilistic vulnerability assessment
transmission system Improved sensors, communication, real-time analysis, and
Greater use of high-voltage power electronic system visualization
technology Improved automatic control
Greater use of DC interconnects Improved capability for islanding and self-healing
Expanded and more selective demand-side Improved energy storage
management and distribution automation For additional examples, see Chapter 9
For additional examples, see Chapter 6
Accelerated restoration Expanded planning for very large outages Development and stockpiling of restoration transformers
Designation of some utility employees as first and other key equipment of long leadtime
responders. Improved assessment and planning tools
For additional examples, see Chapter 7 For additional examples, see Chapter 9
Maintenance of critical services Use of robust systems such as light-emitting diode Massively distributed architectures
while grid power (LED) traffic lights with trickle charge batteries Improved energy storage
is disrupted Co-location of generation with critical loads such as For additional examples, see Chapters 8 and 9
pumps for water supply
Comprehensive contingency planning
Avoidance of cross-dependencies (e.g., backup
power for cell phone sites; gas rather than electric
pumps on gas pipelines)
For additional examples, see Chapter 8
OCR for page 4
4 TERRORISM AND THE ELECTRIC POWER DELIVERY SYSTEM
could convert an attack that today could cause a blackout ability. Among these, increasing generation within or close
over a wide region of the country into one that would do to major load centers, expanded use of distributed resources
less damage to the electric system and leave the system in a (co-generation, micro-grids) with associated automatic
better position to accommodate the damage that does occur. control, and the successful development and deployment of
Cascading failures could be limited, and many areas within storage technology would help limit cascading failures and
a blacked-out region could maintain power because they leave islands of power within a blacked-out region.
could isolate themselves from the failing grid and maintain
a balance of generation and demand within their borders.
Expedite Restoration
Physical protection of critical facilities includes hardened
enclosures for key transformers, improved electronic surveil- After an attack, an electric utility's main focus will be
lance, and system tools that can identify physical and control on restoring power to its customers. Many of the steps to be
system problems and potential incidents. Such measures may taken would be similar to those taken in response to a major
deter as well as blunt an attack. natural disaster, such as a hurricane: that is, identify the dam-
Cyber security is best when interconnections with the age, clean it up, repair equipment, and restore power. How-
outside world are eliminated. When interconnections are ever, there are also important differences. Unlike hurricanes,
unavoidable, best practices for security must apply. Wireless terrorists may strike with no warning and selectively destroy
communications within substations is a particular concern. the most important facilities, such as major substations.
The risk of insider-assisted attacks can be reduced by Some of the lost equipment may take months or even years
strengthening background checks for new and existing to replace. Unless prior arrangements have been worked out,
employees and contractors. If subversive or disaffected law enforcement officers might exclude utility workers from
workers can be identified, attackers will lose a major poten- the crime scene while they investigate, delaying assessment
tial advantage. Training operators and other workers to rec- of the damage and restoration activities. In addition, utility
ognize and react to attacks or other major disruptions will be workers might be subjected to unexpected risks, such as
helpful in limiting the extent of outages and further damage chemical contamination.
during a cascading failure. System simulators are likely to Although detailed restoration plans cannot be formulated
be very useful in this endeavor. In the long term, supporting until specific damage is identified and the extent of an outage
engineering and other technical education will help to main- determined, advance planning can greatly speed the process
tain the availability of the necessary skills in the workforce. of recovery. This is a well-established tenet in the industry.
Even if terrorist attacks were not a concern, the transmis- Utilities and transmission operating entities can--and do--
sion system should be modernized and upgraded to handle make contingency plans. In preparing for a possible terror-
the increasing flow of power. A robust, modern system could ist attack, they should set up an incident command system,
ride out disturbances that would cause major problems to establish good communications with government agencies,
today's stressed system. The new operating standards being and reach agreements as to responsibilities and authority over
prepared by the electric industry and its reliability organiza- various aspects of the restoration. Further work to address
tions under the Energy Policy Act of 2005 (EPAct) will help, any specific issues that might arise in a terrorist incident
but EPAct doesn't directly grant authority to order upgrades is critical. Designating utility workers as first responders
in the physical system. Industry, the Federal Energy Regula- would improve their access to damaged substations and other
tory Commission (FERC), the Department of Energy (DOE), facilities to assess the damage. Drills should be conducted
and state public utility commissions are aware of such needs, for plausible scenarios of destruction to ensure that plans
but building new transmission lines and other delivery are adequate.
enhancements is expensive and difficult. Upgrading sen- Key equipment, especially large power transformers, can
sors and controls can allow more power to flow on existing be backed up with spares. The Edison Electric Institute (EEI)
lines, which will help under some conditions. The terrorist is developing the Spare Transformer Equipment Program
threat suggests that additional upgrades may be important (STEP), which will make spare transformers available in
to reduce major outages. Current standards are met if no case of emergency. These transformers are very expensive,
significant outage occurs following the failure of one major and not many spares are available. Transformers are also
line or certain related double outages. Damage by terrorists very large, heavy, and difficult to move. A major attack could
could greatly exceed this level. A higher standard would be quickly exhaust the inventory, and the world has limited
to maintain reliability when two major related failures occur, manufacturing capacity. A promising solution is to develop,
known as an N 2 event, which, in most cases, would entail manufacture, and stockpile a family of universal recovery
additional costs. Improving the information flow to operators transformers that would be smaller and easier to move. These
and the tools they can use to analyze and react to disturbances would be less efficient than those normally operated and so
also would help prevent outages from cascading. would only be for temporary use, but they could drastically
In the longer term, changes to the configuration of the reduce the delay before the electric system is back in full
power system could have dramatic impacts on its vulner- operation. Emergency backup policies also should be imple-
OCR for page 5
SUMMARY 5
mented for other key equipment such as large bushings and extended power outages and develop cost-effective strategies
circuit breakers, which could take many weeks to replace. that can be adopted to reduce or, over time, eliminate such
Utility restoration workers need adequate food, water, fuel vulnerabilities. Building on the results of these model assess-
for vehicles, and other essentials that may not otherwise be ments, DHS should develop, test, and disseminate guidelines
available during an extended outage. Communication net- and tools to assist other cities, counties, states, and regions to
works also may degrade or fail in an extended outage, and it conduct their own assessments and develop plans to reduce
is essential that utilities have backup systems available that their vulnerabilities to extended power outages. To facilitate
can be operated without grid power. these activities, public policy and legal barriers to communi-
In addition, utilities and transmission operators should cation and collaborative planning will need to be addressed.
ensure that sufficient generating plants have black-start At a national level, DHS should perform, or assist other
capability. This is provided by units that can be started with federal agencies to perform, additional systematic assess-
no offsite power available, a likely situation in a widespread ment of the vulnerability of national infrastructure, such as
blackout. telecommunications and air traffic control, in the face of
extended and widespread loss of electric power, and then
develop and implement strategies to reduce or eliminate vul-
Reduce Vulnerability of Critical Services in the Event of
nerabilities. Part of this work should include an assessment
Outages
of the available surge capacity for large mobile generation
Society is becoming ever more dependent on electric sources. Such an assessment should include an examina-
power. While system owners and operators should do all tion of the feasibility of utilizing alternative sources of
that they reasonably can to ensure that their systems are able temporary power generation to meet emergency generation
to withstand anticipated assaults from natural and human requirements (as identified by state, territorial, and local
sources, there are practical limits to how much these highly governments, the private sector, and nongovernmental orga-
distributed systems can be hardened. Even without the threat nizations) in the event of a large-scale power outage of long
of terrorism, there is a risk of occasional power outages, duration.
some of which will have large spatial scale and may last for Government entities need to provide incentives (e.g.,
many hours or even days. Terrorism increases the probable grants, fee-based awards, taxes, regulation ) to support
extent and duration of such outages and could cause them incremental costs associated with public and private sector
to occur at particularly inconvenient or damaging moments. risk prevention and mitigation efforts to reduce the societal
Since the complete elimination of all possible modes of impact of an extended grid outage. Such incentives could
failure is simply not feasible, an important design objective include incremental funding for those aspects of systems that
(in addition to resilience and the ability to rapidly restore the provide a public good but no private benefit and the develop-
system after a problem occurs) should be the ability to sus- ment and implementation of building codes or ordinances
tain critical social services while an outage persists. Thus, in that require alternative or backup sources of electric power
addition to strengthening the grid, society should also focus for key facilities.
on identifying critical services and developing strategies to
keep them operating in the event of power outages--be they
THE IMPORTANCE OF INVESTMENT IN RESEARCH
accidental or the result of terrorist attack.
Strategies for managing an extended outage will require There are many technologies and strategies that could
detailed planning and preparation to ensure that critical be employed to make the power system more robust in the
facilities can continue to operate, either from the remain- face of terrorist attack, make service restoration more timely
ing grid or from emergency power systems. Metropolitan after an attack, and continue the provision of critical ser-
areas with high demand and high reliance on transmission vices while the power is out. The best way to make needed
to deliver power from distant generating stations should be changes affordable, and to develop new, even more effective
of particular concern in this regard. Critical facilities (such and affordable approaches, is through research. Chapter 9 of
as hospitals) often have emergency backup power generation this report discusses the current state of research for electric
capability, but some of these are only intended to operate power, along with a set of recommendations for addressing
for several days. An extended outage could easily exhaust research needs and developing related strategies.
the supply of fuel. Many critical service providers have no The research that is needed to address the problems of
emergency power at all. terrorism is, for the most part, the same as the research that
Although it is not reasonable to expect federal support would address the broad problems faced by the transmission
for all local and regional planning efforts, the Department and distribution grid. The recovery transformer noted above
of Homeland Security (DHS) and/or the DOE should each is one of the few exceptions of terror-specific technologies
initiate and fund several model demonstration assessments that should be pursued. For example, the advanced computa-
at the level of cities, counties, and states. These assessments tional system under development to improve control of flows
should systematically examine a region's vulnerability to on the grid also would be very useful in minimizing a cas-
OCR for page 6
6 TERRORISM AND THE ELECTRIC POWER DELIVERY SYSTEM
cading failure after a terrorist attack. The committee reached changes, identified in this report, that could reduce
this conclusion in part from an informal questionnaire the the vulnerability of the power delivery system and
committee developed and distributed to leading technical facilitate its more rapid restoration should an attack
experts in the field. This questionnaire identified a variety of occur (see Chapters 6 and 7).
potential short- and long-term R&D needs for transmission · Recommendation 3 Work with the power industry
and distribution. Respondents were asked to prioritize needs to better clarify the role of power system opera-
first for the industry as a whole and then strictly in terms of tors after terrorist events through the development
reducing vulnerability to terrorism. With a few exceptions, of memoranda of understanding and planned and
the research needs in the two cases were identical. rehearsed response programs that include designating
The committee is very concerned that the level of actual appropriate power-system personnel as first respond-
investment in power system research is currently much ers (see Chapters 7 and 8).
smaller than it should be as measured according to a vari- · Recommendation 4 Offer assistance to the Federal
ety of societal metrics. However, agreeing on institutional Energy Regulatory Commission, to state public ser-
arrangements that can significantly increase the levels of vice commissions, and to other public and private
nongovernmental research investment in this field has been parties in finding ways to ensure that utilities and
a persistent problem. Chapter 9 discusses one possible strat- transmission operators have appropriate incentives to
egy, but the committee was unable to reach a unanimous view accelerate the process of upgrading power delivery
on how best to resolve this problem. and eliminating its most obvious vulnerabilities (see
Chapter 6).
· Recommendation 5 Work with the Department of
WHAT SHOULD THE DEPARTMENT OF HOMELAND
Energy and the Office of Management and Budget
SECURITY DO?
to substantially increase the level of federal basic
The level of protection for and resiliency of the electric technology research investment in power delivery.
power grid against terrorist attacks needs to increase. How- The committee notes that (1) much of what is needed
ever, the level of security that is economically rational for has the nature of a "public good" that the private
most infrastructure operators will be less than the level that sector will not develop on its own; (2) current levels
is optimal from the perspective of the collective national of research investment are woefully inadequate; and
interest. Therefore, the DHS should develop a coherent plan (3) most of the system's vulnerabilities to terrorism
to address the incremental cost of upgrading and protecting are integrally linked to other more general problems
critical infrastructure to that higher level. and vulnerabilities of the system and cannot be
In the specific context of electric power delivery, the resolved in isolation (see Chapter 9).
Department of Homeland Security should: · Recommendation 6 Take the lead in initiating plan-
ning at the state and local level to reduce the vulner-
· Recommendation 1 Take the lead and work with the ability of critical services in the event of disruption
DOE and with relevant private parties to develop and of conventional power supplies, and offer pilot and
stockpile a family of easily transported high-voltage incremental funding to implement these activities
recovery transformers and other key equipment. where appropriate (see Chapter 8).
Although the expected benefits to the nation of such a · Recommendation 7 Develop a national inventory
program are difficult to quantify, they would certainly of portable generation equipment that can be used
be many times its cost if the transformers are needed to power critical loads during an extended outage.
(see Chapters 3, 6, and 9). Explore public and private strategies for building and
· Recommendation 2 Work to promote the adop- maintaining an adequate inventory of such equipment
tion of many other technologies and organizational (see Chapter 8).
