could convert an attack that today could cause a blackout over a wide region of the country into one that would do less damage to the electric system and leave the system in a better position to accommodate the damage that does occur. Cascading failures could be limited, and many areas within a blacked-out region could maintain power because they could isolate themselves from the failing grid and maintain a balance of generation and demand within their borders.
Physical protection of critical facilities includes hardened enclosures for key transformers, improved electronic surveillance, and system tools that can identify physical and control system problems and potential incidents. Such measures may deter as well as blunt an attack.
Cyber security is best when interconnections with the outside world are eliminated. When interconnections are unavoidable, best practices for security must apply. Wireless communications within substations are a particular concern.
The risk of insider-assisted attacks can be reduced by strengthening background checks for new and existing employees and contractors. If subversive or disaffected workers can be identified, attackers will lose a major potential advantage. Training operators and other workers to recognize and react to attacks or other major disruptions will be helpful in limiting the extent of outages and further damage during a cascading failure. System simulators are likely to be very useful in this endeavor. In the long term, supporting engineering and other technical education will help to maintain the availability of the necessary skills in the workforce.
Even if terrorist attacks were not a concern, the transmission system should be modernized and upgraded to handle the increasing flow of power. A robust, modern system could ride out disturbances that would cause major problems to today’s stressed system. The new operating standards being prepared by the electric industry and its reliability organizations under the Energy Policy Act of 2005 (EPAct) will help, but EPAct doesn’t directly grant authority to order upgrades in the physical system. Industry, the Federal Energy Regulatory Commission (FERC), the Department of Energy (DOE), and state public utility commissions are aware of such needs, but building new transmission lines and other delivery enhancements is expensive and difficult. Upgrading sensors and controls can allow more power to flow on existing lines, which will help under some conditions. The terrorist threat suggests that additional upgrades may be important to reduce major outages. Current standards are met if no significant outage occurs following the failure of one major line or certain related double outages. Damage by terrorists could greatly exceed this level. A higher standard would be to maintain reliability when two major related failures occur, known as an N-2 event, which, in most cases, would entail additional costs. Improving the information flow to operators and the tools they can use to analyze and react to disturbances also would help prevent outages from cascading.
In the longer term, changes to the configuration of the power system could have dramatic impacts on its vulnerability. Among these, increasing generation within or close to major load centers, expanded use of distributed resources (co-generation, micro-grids) with associated automatic control, and the successful development and deployment of storage technology would help limit cascading failures and leave islands of power within a blacked-out region.
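The single-outage and N-2 criteria and the islanding effect described above can be illustrated with a small planning check; this is an added example, not material from the report. It assumes a constructed five-bus system, ignores line thermal limits, and screens every pair of line outages rather than only related ones.

```python
from itertools import combinations

# Constructed 5-bus test system (not from the report): bus -> (generation MW, demand MW)
BUSES = {"A": (300, 50), "B": (0, 100), "C": (0, 120), "D": (150, 40), "E": (0, 90)}
# Same system with generation added at the load buses B, C and E (assumed values)
BUSES_LOCAL = dict(BUSES, B=(100, 100), C=(50, 120), E=(90, 90))
# Transmission lines as bus pairs; thermal limits are ignored (simplifying assumption)
LINES = [("A", "B"), ("A", "C"), ("B", "C"), ("C", "D"), ("C", "E"), ("D", "E")]

def islands(buses, lines):
    """Split the system into electrically connected islands (graph components)."""
    adj = {b: set() for b in buses}
    for u, v in lines:
        adj[u].add(v)
        adj[v].add(u)
    seen, comps = set(), []
    for start in buses:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adj[node] - comp)
        seen |= comp
        comps.append(comp)
    return comps

def unserved_load(buses, lines):
    """MW of demand that cannot be met when each island balances on its own."""
    total = 0
    for comp in islands(buses, lines):
        gen = sum(buses[b][0] for b in comp)
        demand = sum(buses[b][1] for b in comp)
        total += max(0, demand - gen)
    return total

def worst_unserved(buses, lines, k):
    """Largest unserved load over every simultaneous outage of k lines."""
    return max(
        unserved_load(buses, [ln for ln in lines if ln not in out])
        for out in combinations(lines, k)
    )

def meets_criterion(buses, lines, k):
    """True if no combination of k line outages leaves any demand unserved."""
    return worst_unserved(buses, lines, k) == 0
```

On this constructed system every single-line outage is survivable, a double outage can leave 200 MW unserved, and the variant with generation at the load buses serves all demand under any double outage.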
After an attack, an electric utility’s main focus will be on restoring power to its customers. Many of the steps to be taken would be similar to those taken in response to a major natural disaster, such as a hurricane: that is, identify the damage, clean it up, repair equipment, and restore power. However, there are also important differences. Unlike hurricanes, terrorists may strike with no warning and selectively destroy the most important facilities, such as major substations. Some of the lost equipment may take months or even years to replace. Unless prior arrangements have been worked out, law enforcement officers might exclude utility workers from the crime scene while they investigate, delaying assessment of the damage and restoration activities. In addition, utility workers might be subjected to unexpected risks, such as chemical contamination.
Although detailed restoration plans cannot be formulated until specific damage is identified and the extent of an outage determined, advance planning can greatly speed the process of recovery. This is a well-established tenet in the industry. Utilities and transmission operating entities can—and do—make contingency plans. In preparing for a possible terrorist attack, they should set up an incident command system, establish good communications with government agencies, and reach agreements as to responsibilities and authority over various aspects of the restoration. Further work to address any specific issues that might arise in a terrorist incident is critical. Designating utility workers as first responders would improve their access to damaged substations and other facilities to assess the damage. Drills should be conducted for plausible scenarios of destruction to ensure that plans are adequate.
Key equipment, especially large power transformers, can be backed up with spares. The Edison Electric Institute (EEI) is developing the Spare Transformer Equipment Program (STEP), which will make spare transformers available in case of emergency. These transformers are very expensive, and not many spares are available. Transformers are also very large, heavy, and difficult to move. A major attack could quickly exhaust the inventory, and the world has limited manufacturing capacity. A promising solution is to develop, manufacture, and stockpile a family of universal recovery transformers that would be smaller and easier to move. These would be less efficient than those normally operated and so would only be for temporary use, but they could drastically reduce the delay before the electric system is back in full operation. Emergency backup policies also should be imple-