Utilities have considerable experience with the problems of restoring electric service after massive disruptions caused by natural events such as ice storms or hurricanes, in which damage may be widespread. Such experience would be useful in restoring service after a terrorist attack, but the aftermath of an attack is likely to be quite different from a natural disaster. Terrorists can be expected to choose targets and inflict damage in order to impose maximum disruption and make speedy restoration difficult. Major substations and transmission lines are the most likely targets. Damage to key substations could be much greater and more extensive than that caused by most natural events,1 requiring replacement of many large transformers, circuit breakers, and other equipment. Depending on the availability of spares, restoration could take weeks, months, or even longer.
Moreover, even given advance planning and preparation such as stockpiling of equipment, terrorists might compound damage by mounting a staged attack on additional or replacement facilities. After an attack, law enforcement and intelligence agencies will want to carefully study the damage in order to determine what was done and who did it. Unless prior arrangements have been carefully worked out ahead of time, the conflict between rapid restoration of service and careful study of a crime scene could result in considerable chaos and seriously delay the restoration process. Utilities and their contractors might also have to deal with a much higher level of physical, chemical, and biological threats after a terrorist attack than would be expected to arise as a consequence of any natural disruption.
Simply blowing up or knocking down a transmission tower can cause problems, but typically repairs can be done quickly. Transmission lines are most vulnerable when there are long stretches of suspension towers interspersed with only a very few dead-end or stop-loss structures.2 In such cases the destruction of a few carefully chosen towers can result in a domino effect (cascading collapse) that can bring down many kilometers of line and towers.
In most cases, restoration after a cyber attack is likely to go more rapidly than after a well-planned and well-executed physical attack. However, if software has become widely infected with a pernicious virus, it may be necessary to reinstall large numbers of systems. If timed Trojan horses or worms have infected the system, there could be recurring problems. Some cyber attacks could also result in physical damage to important components in the power system. In most cases, however, this would likely be more limited than the damage caused by an all-out physical attack. Restoration could still be slow if key replacement equipment is not readily at hand.
As noted in previous chapters, to ensure continuity of service, utilities currently incorporate various degrees of contingency design into the design and operation of generating stations, substations, and transmission and distribution systems. The purpose of contingency design is to ensure that the loss of one or more components up to a defined design level should neither result in loss of service to customers nor lead to remaining in-service equipment exceeding designed operating specifications or ratings. Utilities have generally developed contingency designs based on the failure of single pieces of equipment or of a common support structure (such as a common transmission tower) rather than damage to multiple pieces of equipment at a given location or even the loss of multiple key facilities.
For example, a large urban area substation may be designed to operate under peak load conditions even with the loss of one or two of the power transformers supplying that particular station. However, in the face of a carefully designed terrorist attack, such N-1 or N-2 design criteria are not likely to be adequate to ensure continued operation.
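The N-1/N-2 criterion described above can be screened numerically. The following is an added example, not part of the original report: it uses constructed transformer ratings, hypothetical function names, and the simplifying assumption that parallel transformers share load in proportion to their ratings.

```python
from itertools import combinations

# Constructed sample data, not taken from any real substation.
SAMPLE_RATINGS_MVA = [150.0, 150.0, 100.0, 100.0]
SAMPLE_PEAK_LOAD_MVA = 190.0


def worst_case_shortfall(ratings_mva, peak_load_mva, k):
    """Return the largest unserved load (MVA) over every way of losing k units.

    Assumption: parallel transformers share load in proportion to rating, so
    no surviving unit exceeds its rating as long as the sum of the surviving
    ratings covers the load.
    """
    if not 0 <= k <= len(ratings_mva):
        raise ValueError("k must be between 0 and the number of transformers")
    total = sum(ratings_mva)
    worst = 0.0
    for lost in combinations(ratings_mva, k):
        surviving = total - sum(lost)
        worst = max(worst, peak_load_mva - surviving)
    return worst


def contingency_level(ratings_mva, peak_load_mva):
    """Return the largest k for which the station meets N-k at peak load."""
    if worst_case_shortfall(ratings_mva, peak_load_mva, 0) > 0:
        raise ValueError("station cannot carry peak load with all units in service")
    level = 0
    for k in range(1, len(ratings_mva) + 1):
        if worst_case_shortfall(ratings_mva, peak_load_mva, k) > 0:
            break  # shortfall only grows with k, so stop at the first failure
        level = k
    return level


def screen(ratings_mva, peak_load_mva):
    """Return [(k, worst shortfall in MVA, fraction of peak unserved), ...]."""
    if peak_load_mva <= 0:
        raise ValueError("peak load must be positive")
    rows = []
    for k in range(len(ratings_mva) + 1):
        shortfall = worst_case_shortfall(ratings_mva, peak_load_mva, k)
        rows.append((k, shortfall, shortfall / peak_load_mva))
    return rows


if __name__ == "__main__":
    level = contingency_level(SAMPLE_RATINGS_MVA, SAMPLE_PEAK_LOAD_MVA)
    print(f"Station meets N-{level} at peak load")
    for k, shortfall, fraction in screen(SAMPLE_RATINGS_MVA, SAMPLE_PEAK_LOAD_MVA):
        print(f"loss of {k} unit(s): worst shortfall {shortfall:.0f} MVA "
              f"({fraction:.0%} of peak)")
```

With the sample data the station satisfies N-2, yet damage to a third unit at the same site leaves almost half of peak load unserved, which is the gap between single-failure design criteria and multi-unit damage that the text describes.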
1 One possible exception could be a very large earthquake.
2 Suspension towers are designed to support the cable vertically. They have little capability to withstand horizontal loads, which are usually balanced. If an adjoining tower comes down, however, the loads are unbalanced, and a line of towers may cascade down like a row of dominos.
Thus, utilities need to develop emergency response plans. Although it is not possible to cover all possible emergency scenarios, the planning and drill process is invaluable in building a capability in responding to actual events because it provides a basic framework and foundation. The following should be considered as part of future contingency response development:
• Evaluation of existing facilities based on their criticality and development of plans for recovery in the event of the loss of all key equipment in several of these facilities (e.g., the loss of entire substations or loss for an extended period of one or several key transmission lines). Such contingency analysis should be conducted to determine the impact of this loss on other facilities.
• For new designs or upgrades, a planning/engineering process that considers how to make facilities more robust in the face of possible attack, and development of strategies to quickly restore or bypass such facilities if they sustain significant damage.
• Sharing by utilities of ideas and designs that may improve performance. Organizations such as the Edison Electric Institute (EEI) and the Association of Edison Illuminating Companies (AEIC) are excellent forums for such sharing. Benchmarking with other utilities, especially those in countries that have had experience in addressing terrorist threats and attacks, will provide valuable lessons and ideas. For example, the Infrastructure Security Initiative sponsored by the Electric Power Research Institute (EPRI) produced Counterterrorism Measures and the Protection and Restoration of an Electric Grid (EPRI, 2005a), a report that describes Israel Electric Corporation (IEC) programs and procedures for maintaining the integrity of Israel’s power transmission and distribution system, as well as related restoration efforts. However, there is a decided limit to how much special investment private utilities can be expected to make to protect against low-probability threats to every key element of their system.
To prepare for the possible need to mount a restoration of service, utilities should carefully address several important issues:
• Black-start capability (that is, the ability to supply limited amounts of power to generators and other power-system equipment before they can be brought back online);
• Line/cable charging strategies and other means of voltage and reactive power control;
• Need to disable or adjust certain protective systems, such as those for undervoltage, underfrequency, synchronization checks, and so on;
• Use of restoration panels; and
• Development of restoration policies, including islanding requirements and monitoring of voltages, frequencies, and phase angles.
In anticipation of catastrophic events leading to a system-wide blackout, utilities are required to develop plans that will enable their operators to break up the normally synchronized grid into “isolated” islands that are self-supportive. Such advanced planning can be valuable, but in the event of any specific outage, these plans will require real-time adjustments based on existing conditions, such as availability of equipment, load conditions, reactive power supply/control capability, availability of synchronizing equipment, and governing control while maintaining voltages and frequency at acceptable operating levels.
Plans for the restoration of a transmission and distribution system should consider two basic approaches. One is based on the availability of power from other external providers through tie lines. A second, or “island,” approach considers restoration of the system from generation internal to its service territory. The latter approach could be significantly strengthened with the greater deployment of various types of distributed generation, including micro-grids. Today, however, there are considerable regulatory impediments3 to the deployment of such systems, and distribution system operators typically do not have plans to make use of such resources in emergency situations.
With some important exceptions, many distribution circuits serve both socially critical facilities, such as police stations, schools, and filling stations, and many less critical facilities. If the supply of power were to become seriously limited, it would be highly desirable to temporarily restrict service to just critical loads. Advanced distribution automation (see Chapter 6) could make it possible to rapidly and selectively supply service to a few such key facilities. However, many systems still do not have distribution automation, and in the case of those that do, most have not been configured to facilitate such selective load shedding within a single distribution feeder. In the absence of such capabilities, reconfiguring distribution feeders to serve just a few loads would typically be a slow, labor-intensive operation (sending line crews out to open or close breakers at customer service drops), as would be restoring service to dropped customers along such feeders as power supplies once again became more plentiful.
3 These impediments include informal difficulties that many distributed resources still experience when trying to connect to the utility system (Alderfer et al., 2000), interconnection rules that currently require all distributed resources to disconnect from the grid the moment any problems arise (IEEE, 2003), and laws that grant legacy utilities exclusive service territories, making the installation of small micro-grids that serve several customers difficult or impossible in much of the country (King, 2006; Morgan and Zerriffi, 2002). There is additional discussion of some of these issues in Chapter 9.
The use of emergency generators can also provide a quick and cost-effective response to restore critical loads. Many utilities have in-house emergency mobile generation or access to mobile generators through contracts with vendors. Utilities should make every effort to talk with critical customers about the importance of procuring their own backup generation to be able to respond to prolonged, unplanned outages to ensure that their critical services are available to the public in a timely manner following an attack. Utilities should also evaluate the critical loads they serve to help develop a prioritization plan for emergency generator dispatch. In addition, utilities should discuss this priority list with local governmental officials to get their input on the overall emergency response plan.
When a month-long outage hit the central business district in the city of Auckland, New Zealand, in February 1998, significant demand reduction during the restoration phase was achieved with rotating blackouts and through direct communication with customers, who were asked to remove a portion of the lamps in fluorescent fixtures (load reduction from 40 to 15 MW); run air conditioners on fresh air only, with reduced chiller banks and pre-cooling during off-peak hours (load reduction from 70 to 30 MW); turn off office equipment when not in use (load reduction from 25 to 20 MW); and employ various similar strategies (load reduction from 15 to 10 MW). The result was a reduction in these loads by 50 percent (Walker, 1999).
Although time-of-use meters are still rare in the United States, as they become more widespread it might be possible, with prior agreement of public utility commissions and with proper customer notification, to limit load during restoration by applying very high rates.
After any disruption that results in the physical destruction of equipment, access to replacement parts is of critical importance. Thus, for example, utilities that operate in hurricane-prone regions routinely stock large supplies of distribution poles, distribution transformers, and similar equipment and have mutual support agreements with other utilities in the event that supplies run low. Utilities also routinely provide support to each other by supplying line crews and other critical human resources in the event of such large emergencies.
The situation after a major physical terrorist attack would be similar, but the equipment needs could be quite different. Terrorists would most likely seek to destroy many large high-voltage transformers. These devices are hard to move. Most are custom designs to meet specific needs. Because such devices are very expensive, and also very reliable under normal operating conditions, most utilities have only limited numbers of spares. With few exceptions, most such transformers are no longer made in the United States, and because of large demand across the developing world, lead times at factories are very long. Thus, the greatest vulnerability in the event of terrorist physical attack on the power system will likely be securing needed replacements of high-voltage transformers.
EEI is currently spearheading the Spare Transformer Equipment Program (STEP) to catalog available spares across the industry. Over 50 utilities participated in the negotiation of a binding contract, the Spare Transformer Sharing Agreement (EEI, 2006). Any investor-owned, government-owned, or rural electric cooperative utility in the United States or Canada may participate in the program, and currently 47 utilities, representing more than 60 percent of the Federal Energy Regulatory Commission (FERC) jurisdictional transmission systems, are members. The sharing agreement provides considerable flexibility for utilities to operate and utilize assets as they normally would during the course of business, but binds utilities to share their committed transformers if an event that triggers the sharing obligations should occur. A “triggering event” is defined as an act of terrorism that destroys or disables one or more substations and results in a state of emergency as declared by the President of the United States. The Spare Transformer Sharing Agreement also provides that any participating utility may voluntarily transfer spare transformers to a participating utility or to a nonparticipating utility regardless of whether a triggering event occurs. But each participating utility that disposes of a spare transformer through “permitted transfer” is obligated to obtain a replacement transformer as soon as practical, but in no event later than 18 months after the spare transformer is disposed of. In committing spare transformers under this binding agreement, participating utilities agree to sell committed transformers to any other qualified participating utility pursuant to a properly exercised “call right” and at a set purchase price. A commitment formula utilizing “needed megavolt,” “connected megavolt,” and available spares in defined voltage classes will be utilized to determine necessary commitments for each participating utility. 
The needs of each participating utility will be based on the impact of losing its five most critical substations within an equipment class. The basic obligations are to:
• Obtain qualified number of spare transformers equal to its commitment;
• Replace spare transformers that are used in order to continue to meet its commitment;
• Report necessary information to calculate its commitment;
• Maintain committed spare transformers in accordance with good utility practices; and
• Qualify for certification by an executive officer that the participating utility is complying with its commitment.
In some cases, a utility participating in the Spare Transformer Sharing Agreement may need to acquire, or acquire the right to, less than a whole transformer. Such utilities may choose to join with a small group of other utilities to acquire spare transformers. The utilities working on the development of the sharing agreement recognized that a joint procurement program might be helpful to some utilities and considered creating a special, not-for-profit entity for that purpose. One example of such a program is the nonprofit Pooled Inventory Management (PIM) program. Since 1980, this program has operated to acquire, store, and maintain long-lead-time spare parts for the nuclear industry. The PIM program has agreed to pursue development of a PIM spare transformer equipment program.
Technical meetings to work out the actual design specifications and required commitments for participating utilities will be held at least annually as part of this process. Also, the North American Electric Reliability Council has a listing of spare transformers that could be made available to a utility faced with a significant loss due to terrorist activity.
Participants in STEP recognized that FERC approval would be required for transfers of transformers under the sharing agreement. Under Section 203 of the Federal Power Act of 2005, FERC must approve the sale or disposition of jurisdictional assets in excess of $10 million. To expedite the process of transfers, participants petitioned FERC and received pre-approval of the transfer of spare transformers from one utility to another in the event of a terrorist attack. In its approval, FERC also determined that the sharing arrangement is prudent, which will support participants that seek to recover the costs of participation through rate setting. FERC believes that participation in STEP will increase transmission owners’ emergency recovery capabilities by providing access to more spare transformers at lower cost. Participating utilities will also be seeking similar approval from their respective state commissions to ensure that they are able to recover the costs of acquiring spare transformers under the program.
As promising as STEP may be, it alone is not sufficient to address the vulnerabilities that the United States faces in the event of a large physical attack on the high-voltage substations of the power grid. There are not enough spares available to replace all those that might be lost in a terrorist attack. Furthermore, because of their size and variations in design, sufficient spares cannot be moved rapidly enough to provide needed recovery. With this in mind, EPRI (2006) has undertaken a project to build and test a compact “restoration transformer” that would be small enough to easily transport.4 In order to reduce the size so that the device can fit into large cargo aircraft and move on trucks through underpasses, the transformer would run hot (and thus waste more energy than a conventional transformer). That would make operation too expensive for routine use, but it would allow much more rapid restoration of service than is now possible. EPRI describes the recovery transformer as:
a new type of emergency spare high-voltage network transformer that is lighter than existing transformers, smaller, easier to transport, and faster to install and energize during recovery from severe high-voltage transformer outages induced by equipment failure, weather, earthquakes, or terrorist acts.
After the terrorist attacks of September 2001, EPRI started the Infrastructure Security Initiative (EPRI 2005b), which identified the need to determine the technical feasibility of developing and testing a new high-voltage network transformer that is easier to transport and install than existing spares. The design was completed during Infrastructure Security Initiative work efforts and included tradeoff studies of capacity, impedance, and dielectric withstand strength, and voltage transformation ratios. These efforts resulted in the development of detailed specifications and electrical designs that covered a variety of North American network transformer voltages and megavolt ampere (MVA) ratings. The work also identified all mechanical components and field installation processes necessary to support the expedited transport and installation of the transformer... . Compared to existing transformers, this new type is characterized by the following:
• Cost: about 20 percent lower
• Weight: about 25 percent less
• Size: about 25 percent smaller
• Efficiency: about 99.0 percent (vs. 99.8 percent)
• Operating temperature: about 155°C (vs. 110°C)
• Installation time: about 48 hours (vs. weeks)
• Design life: 35 years
The time to install the transformer can be dramatically reduced through specialized storage and preparation-for-shipment techniques, specialized processing equipment and techniques, rapid deployment and transit, trained installation personnel, preparation of the installation site, and installation testing. Specifically, transformer condition should be carefully maintained during storage so that there are no “condition surprises” during installation. Oil monitoring systems will detect moisture and harmful chemicals to verify transformer readiness for use and conduciveness of the storage condition to immediate energizing. Prior recovery transformer work determined that careful management of relocation and reassembly is critical to reducing the total recovery time. For example, the use of draw lead or draw rod bushings (for higher current applications) will save many hours of installation time by eliminating the need to enter the transformer and reconnect primary current-carrying joints. Modularization of the cooling and oil expansion systems will reduce installation time: single cooling and oil expansion modules allow for module location at multiple storage sites and shipment and combination to serve various sizes of recovery transformers. (EPRI, 2006, p. 1)
4 See also NRC (2002) and Stiegemeier and Girgis (2006).
Because the terrorist threat that any single utility faces is typically modest, even if the collective national risk is not, EPRI has had difficulty getting sufficient support from the electric power industry to move forward aggressively with this project. This is a classic case of “tragedy of the commons.” Clearly, some sharing of the costs by all of society, through support by the federal, state, and local governments, is needed. This issue is discussed further in Chapter 9.
To ensure effective management, command, and control of an emergency situation, it is imperative that an organized command structure be used. The Incident Command System (ICS)5 outlines effective management principles for control as well as the assignment of specific functions and responsibilities. This widely recognized organizational process is also used by federal, state, and local emergency response and governmental agencies. Advantages of using ICS include:
• Clear understanding of who is in charge,
• Defined roles and responsibilities for individuals,
• Improved communications with responding agencies,
• Greater sense of cooperation with outside stakeholders, and
• Overall enhanced and efficient response to emergency mitigation.
Although each utility’s process might vary slightly from the standard ICS structure in order to meet specific needs, the core functional areas should remain intact. These functions include the incident commander and his or her staff for oversight and overall control (command) in operations, planning, logistics, and administration/finance. ICS is scalable and is equally effective for managing incidents that range from simple (routine) to complex (full scale). The incident commander’s staff should also include representation in the following areas:
• Legal matters;
• Communications and media relations;
• Environmental, health, and safety issues;
• Liaison with government agencies and other involved organizations; and
• Customer outreach.
To fully integrate the use of ICS into the corporate culture, first responders should utilize it for both small- and large-scale emergencies.
While most of the focus on the impacts to utility infrastructure caused by terrorist activity has centered on the facilities that are directly associated with the generation, transmission, and distribution of electricity, the loss of other facilities should also be considered. Alternate reporting plans for corporate headquarters, dispatch centers, control rooms, work locations, and service centers are essential components of a comprehensive emergency response and business continuity planning document. Perhaps the most significant results of an attack at one of these locations would be the loss of human capital and impaired ability to coordinate operational and business activities.
The coordination of all essential services should be performed under a unified ICS structure spearheaded by local, state, or federal officials. It is at the governmental level that the overall response and restoration strategies must be developed and communicated. The overall strategy would include prioritizing the needs of all agencies. The utility should consider the following issues when preparing for an incident as well as during the response phase of an incident:
• Providing lodging for employees and outside contractors;
• Providing clean water and nonperishable food, which may include the ability to procure and stage freshwater tankers due to the potential contamination of freshwater supplies;
• Obtaining fuel to operate vehicles, equipment, and generators; and
• Providing means for employees to communicate with their families after an attack and before the employees are deployed or as they are being deployed.
Inability to communicate is a common shortfall identified by most companies during response to a large-scale natural disaster. Whether similar problems would arise after a terrorist attack would very much depend on the nature of the attack and whether other facilities were also attacked along with the power system. Of course, if power goes out across a large region, then communication can rapidly become a serious problem. Recent events have demonstrated that communications can become problematic and utilities cannot rely solely on telecommunication companies to solve their communication problems. Partnering with local emergency groups and state emergency management groups should be done to determine what systems they utilize and to what extent their systems could be used by the utilities during an emergency.
Utilities should also investigate programs that may be available to complement their communications systems by working with their local telecommunication companies to determine their involvement with the National Coordinating Center for Telecommunications (NCC). The NCC’s mission
is to assist in the initiation of national coordination, restoration, and reconstitution of national security/emergency preparedness telecommunications service or facilities in all conditions, crises, or emergencies. The telecommunications industry and the government staff work together to coordinate support for responding to national security and emergency preparedness issues and to prevent and mitigate impacts on the national telecommunications infrastructure.6
One example of federal support is the Government Emergency Telecommunications Service (GETS) system. GETS is a White House-directed emergency phone service provided by the National Communications System (NCS) in the Information Analysis and Infrastructure Protection Division of the Department of Homeland Security (DHS). GETS provides emergency access and priority processing in the local and long-distance segments of the public switched telephone network (PSTN). It is intended to be used in an emergency or crisis situation when the PSTN is congested and the probability of completing a call over normal or other alternate telecommunication means has significantly decreased.
Utilities need to look closely at their communication infrastructure and evaluate all alternate communication techniques. During a significant crisis, traditional communication systems, including cellular technology, may be shut down or become overloaded. The trunked 800-MHz radio is the current trend within the country for utility communications. The recommended standard for law enforcement, first responders, and utility emergency communications is the Association of Public Communications Officers (APCO) 25 Standard. Utilities should evaluate their own internal radio communications systems to determine that battery backup systems are in place or that generators can be made available at all communication locations, including repeater sites, to ensure that communication devices remain operative during incidents. Other options, such as satellite communications, need to be evaluated for potential backup communications in case normal communications channels become unavailable. Some utilities have even used temporary fixes such as a hovering helicopter as a relay station for communication using internal radio channels.
It should also be noted that dissimilar communication networks that do not allow emergency responders from different groups to communicate can yield disastrous results. Utilities should take the need for interoperability into account during preparations for emergency response.
The support of outside emergency and governmental agencies will be essential following an attack. One of the best investments an organization can make in emergency response planning is the development of relationships with key leaders from local governmental agencies and emergency responders. The constant nurturing of these relationships pays huge dividends for all parties involved as it results in an open environment that fosters both communication and cooperation. To build this relationship, concerted communication efforts on a regular basis are important.
For large-scale incidents, utilities typically rely on assistance from other utilities and qualified contractors to provide the necessary resources to respond to an event. In contrast to many natural events such as hurricanes, where the largest human resource need is for line crews to restore distribution systems, in the aftermath of a terrorist event, human resource needs are more likely to be for substation engineers and technicians, high-voltage-line construction crews, and perhaps also software security and restoration experts.
Typically, when extra human resources are needed, utilities first work with neighboring utilities and regional mutual assistance groups. Acceptance of pre-established rules and guidelines minimizes delays in obtaining help. In addition to local mutual assistance groups, participation in more global resource sharing networks through organizations such as the EEI and the American Gas Association is also valuable. Pre-sharing of specific information between utilities will provide those parties seeking help with a valuable resource during an emergency. Specifically, EEI has established a website to support mutual assistance activities and is developing a model mutual assistance agreement. For the most part, mutual assistance programs are generally limited to the sharing of labor and technical expertise. Recovery from deliberate destruction of utility infrastructure requires not only labor and technical expertise, but also the replacement of damaged critical infrastructure, such as transmission power transformers.
To ease the transition for visiting workers, utilities should develop a comprehensive assimilation program. This involves making sure that all visitors are provided information about the host utility’s transmission and distribution system. The host utilities should provide clear-cut direction and guidance on its work rules and expectations in order to ensure that all personnel work safely, are aware of potential hazards, and abide by the host utility’s environmental, health, and safety guidelines. The host utilities should have this information prepared in advance to minimize delays.
Host utilities also need to make detailed plans on housing and feeding visiting crews as well as providing them with knowledgeable field guides who are familiar not only with the geography of the area but also with specific work rules, site-specific hazards, and the ability to address all of the visiting crew’ concerns.
Two other factors are likely to complicate the restoration work environment after a terrorist attack. First, law enforcement agencies will likely want to treat some facilities as a crime scene. While this is necessary and understandable, it is also important that utility personnel be able to gain early access to inspect their equipment and begin the process of planning for restoration, since any extended delay in restoration will cause large costs and further contribute to terrorists’ goals of causing social and economic disruption. Thus, prior understandings need to be developed between utilities and law enforcement agencies to ensure that the objectives of adequate investigation and rapid service restoration are adequately balanced. It may be desirable to legally designate some utility personnel as emergency responders.7
The need to provide adequate protection and security for repair crews is another issue that may differentiate restoration after a terrorist attack from restoration after outages due to natural causes. Depending on the nature of the attack, responding utility personnel may need additional levels of personal protective equipment (PPE) in order to work in a contaminated environment. Utilities may need to increase security initiatives to ensure the safety of their employees during the assessment and restoration phases. All employees and contractors should have valid IDs, and these should be checked rigorously throughout the process. The utility may require assistance from federal and local law enforcement agencies to help expedite its employees’ ability to report to assigned work locations. Such assistance will likely be facilitated if the utility has already trained and worked through scenarios with such agencies.
Utility employees are not experts in terrorist activities and should not underestimate potential dangers. For example, the initial attack might be designed to lure in emergency responders. Once emergency responders arrive at the scene, a second more devastating attack might be launched.
While utility personnel might not be considered emergency responders in the face of biological and chemical attacks, trained emergency responders from responsible governmental agencies may encounter a situation where the expertise of a utility employee might be required in order to respond to a situation where hazardous chemicals are present. To accomplish this objective, a utility might consider training certain employees in the use of U.S. Environmental Protection Agency (EPA) PPE Level A. Level A PPE, which consists of self-contained breathing apparatus and a totally encapsulating chemical-protective suit, provides the highest level of respiratory, eye, mucous membrane, and skin protection. These employees should only be counted on as a last resort during the initial phase of recovery from a biological or chemical attack and only for the purpose of mitigating any uncontrolled energy hazards (electrical, natural gas, steam, and so on). Another option is to work with other energy responders to train already-certified EPA Level A emergency responders to work at utility sites. This approach can be taken for their own protection, as well as for assisting in any utility-specific activities.
Utility employees typically possess a strong sense of commitment and desire to help, especially in the face of extreme duress. However, it is important to remember that injuries and death to employees, co-workers, family, and friends may occur as a result of terrorist activity. Utilities may need to develop or enhance employee assistance programs that will help provide services, such as temporary shelter or housing, grief counseling, and dependent care, to ensure that employees’ basic needs are met during a crisis. Additionally, business continuity plans that address high absentee levels are an important tool to ensure that critical business activities are sustainable in the event of various possible extreme situations, including health emergencies.
The first important step in ensuring readiness for any unplanned event is preparation through the planning process. The ability to identify “what-if” scenarios and then develop appropriate response plans is key to developing a comprehensive emergency response plan. Once plans have been developed, the next step is to test their effectiveness. The best way to accomplish this objective is through the use of drills and exercises. A well-constructed drill will test the ability of personnel to respond to simulated real-life situations as well as test their understanding of the overall plan. The drill will test the ability of personnel to understand their roles and responsibilities as well as test the overall effectiveness of the plan in resolving the emergency situation. The crucial elements for a successful exercise include establishing clear objectives, providing realistic scenarios that simulate real-life conditions, and establishing expected actions or outcomes. Perhaps the most valuable component of a drill is an after-action review that allows modifications to the plan to be discussed and implemented. The drills should include representatives of outside agencies: local, state, and federal.
Restoration of electric service after either a man-made or a natural disaster is a crucial element in helping the affected community to recover. In the event of a terrorist attack that causes significant damage to utility infrastructure, the utility will need to quickly develop and/or modify plans that will enable restoration of service to customers. In some cases, temporary restoration will precede initiation of a plan to institute more permanent repairs.
7 In 2006, Congress passed the Safe Port Act, which the President signed into Public Law 109-347. This law, which recognizes electric utilities as “essential service providers” and instructs federal agencies to not impede their access to a damaged site or impede restoration except under exceptional circumstances, is a significant improvement. However, inasmuch as any terrorist event would be an “exceptional circumstance,” designation of a few selected utility personnel as “first responders” would be a more certain way to ensure the needed access.
When faced with a terrorist attack that damages utility infrastructure, the utility should be prepared to adhere to the following steps before actually initiating any restoration activities:
• Accounting for all personnel. The first concern for emergency responders will be for life and safety. Having a process in place to account for all personnel is essential in order to minimize the risk to emergency responders.
• Site security. Law enforcement officials will want to immediately secure the scene to ensure that the area is safe, conduct an investigation, and gather evidence. Utilities should be prepared to work with emergency responders to ensure their safety and de-energize the facility if necessary.
• Establishment of ICS and command post. Utilities should immediately implement an ICS organizational structure and appoint an incident commander to coordinate with outside agencies. During the initial stages of an incident, the incident commander will most likely be operating within a unified command structure along with fire, police, and governmental officials.
• Site assessment. Once a damaged site has been released by law enforcement, utility personnel will be able to make initial site assessments of hazards and damage and then develop the necessary strategies and plans to remediate the site, identify PPE requirements for employees, and determine what equipment must be isolated or bypassed, and what equipment can be utilized for restoration purposes.
• Command and control. During an event that may result in severe damage and/or islanding of a system, it is imperative to establish command and control locally, such as through the use of a “mini” control center that will serve as the hub during the restoration process. “Mini” control centers not only can help support operational restoration efforts but also can provide local visible presence to emergency responders, government officials, and the public. Major substations normally can meet some of these requirements, but if a substation has been attacked, a mobile command center vehicle might be used instead. Many utilities have such vehicles.
When developing restoration plans, a utility should consider the time of year and resulting demands on its system, including the amount of load served as well as the remaining capacity of in-service equipment. Other considerations should include:
• Minimizing the effects of cascading outages
—Sections of a large power system can separate into islands as a result of cascading outages. These independent islands should have automatic and manual load-shedding capabilities in response to decreasing island frequencies.
—Islands with excess generation result in increasing frequencies and thus depend on turbine-generator governors to stabilize frequencies.
• Synchronizing isolated islands
—Islanded or isolated sections of the power system should be interconnected with larger systems to share generation reserve capacity and inertial stability.
—All regions should have synchronizing capability within substations to interconnect systems.
• Control of isolated islands
—Management of independent islands requires coordinated control of generation to maintain both frequency and voltage.
—The use of isochronous and/or advanced generation control should be reviewed by control areas.
—Methods should be developed to manage load, generation, and spinning reserve.
• Complete restoration
—In the event of a widespread power failure, restoration procedures should be specific to restoration using both external and internal generation supplies. Depending on the severity of damage to particular aspects of the transmission system and/or specific substations and generating stations, islanding schemes may need to be developed or revised to determine which would be the easiest and most effective to implement based on the specific damage incurred.
—Specific hydroelectric and gas-turbine generators should be designated as black-start capable. Procedures should focus on restoring generation and controlling transmission system voltages.
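The first considerations in the list above (load shedding in an island that is short of generation, governor action in an island with excess generation) can be seen in a single-machine frequency model. This is an added illustration, not part of the report; the inertia constant, droop, shedding stages and the 57 Hz collapse point are assumed values, and all powers are per unit on the island's base.

```python
F0 = 60.0            # nominal frequency, Hz
COLLAPSE_HZ = 57.0   # assumed frequency at which generators trip off (constructed)

# Constructed under-frequency load-shedding stages: (threshold Hz, fraction of load).
UFLS_STAGES = ((59.3, 0.10), (59.0, 0.10), (58.7, 0.10))


def simulate_island(gen_setpoint, gen_max, load, ufls_stages=(),
                    inertia_h=5.0, droop=0.05, t_end=20.0, dt=0.01):
    """Integrate df/dt = F0 / (2H) * (generation - served load) for one island.

    Governors follow a droop characteristic but cannot exceed gen_max, so an
    island whose units are already at full output can only be rescued by
    shedding load. Returns a summary dict.
    """
    f = F0
    stages = sorted(ufls_stages, reverse=True)   # highest threshold trips first
    tripped = []
    shed = 0.0
    f_min = f_max = f
    collapsed = False
    seconds = 0.0
    for step in range(int(round(t_end / dt))):
        # Automatic load-shedding relays act on decreasing island frequency.
        while len(tripped) < len(stages) and f <= stages[len(tripped)][0]:
            threshold, fraction = stages[len(tripped)]
            shed += fraction
            tripped.append(threshold)
        served = load * (1.0 - shed)
        # Turbine-generator governor: output falls as frequency rises.
        gen = gen_setpoint - (f - F0) / (droop * F0)
        gen = min(max(gen, 0.0), gen_max)
        f += dt * F0 / (2.0 * inertia_h) * (gen - served)
        seconds = (step + 1) * dt
        f_min, f_max = min(f_min, f), max(f_max, f)
        if f < COLLAPSE_HZ:
            collapsed = True
            break
    return {
        "final_hz": f, "min_hz": f_min, "max_hz": f_max,
        "stages_tripped": tripped, "load_shed": shed,
        "collapsed": collapsed, "seconds": seconds,
    }


def run_cases():
    """Three constructed islands: deficit without shedding, deficit with
    shedding, and surplus generation controlled by governors alone."""
    return {
        "deficit_no_ufls": simulate_island(0.8, 0.8, 1.0),
        "deficit_with_ufls": simulate_island(0.8, 0.8, 1.0, UFLS_STAGES),
        "surplus_governor": simulate_island(1.0, 1.0, 0.9),
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(name, result)
```

In the shedding case the frequency stops falling but does not return to 60 Hz; recovering it takes additional generation or resynchronization with a larger system, which is the subject of the next items in the list.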
Once the damage from a terrorist attack on the power system has been assessed, the damaged locations made secure for utility personnel to work, and replacement equipment ordered, then service restoration can begin.
It is important that all utilities have restoration plans that can be undertaken after a blackout. Such plans must cover the entire footprint of the area served and must be reviewed periodically and revised as needed to reflect infrastructure additions and retirements within the bulk power system. Even with multiple restoration plans, the utility will still have to evaluate the extent of the blackout and the severity of the damage to equipment to determine which plan(s) will result in an orderly, quick, and safe restoration. The following three major restoration scenarios should be considered:
• System-wide blackout with minimal or no damage to major generation, transmission, and distribution infrastructure (similar to the August 2003 blackout);
• System-wide blackout as a result of widespread damage to infrastructure or control systems that will impact restoration and operation of the system; and
• Local blackout as a result of damage to a local utility infrastructure or to control systems.
Restoration priorities should reflect the criticality of system restoration infrastructure, public health and safety considerations, and the sensitivity and criticality of customer loads. For example, system restoration infrastructure comprising the power company command-and-control centers, communication sites, emergency off-site power to nuclear stations, auxiliary power to key substation and generating station facilities, and key natural gas facilities should be restored first. Major facilities that impact public health and safety, such as key 911 and emergency operation centers, major hospitals, critical water treatment plants, major airports, and urban load centers, are next. All other customer loads can be restored after that. These restoration plans and priorities need to be flexible, given that the normal supplies (substations, transmission lines, and others) for those facilities may have incurred significant damage and the restoration priority thus possibly affected. For those circumstances, alternate means of supply that differ from the normal supply may need to be considered.
After a system-wide blackout, most, if not all, of the generation will have been shut down, and so the first step in restoration is to identify essential black-start generation equipment within the affected utility’s service area. Black-start units are generators capable of starting up independently, without any connection to the bulk power system. These units involve equipment such as black-start diesel-generators which can be started on battery power and run on previously stored fuel to supply the necessary power to operate the auxiliary equipment, including the governor and excitation controls for larger units. Hydro-generators and combustion turbine-generators also can be used for black-start.8
This generation equipment is critical, since it will be needed to energize the transmission system from various system locations concurrently. Utilities must identify which generators are capable of providing this service and also if these are strategically located within the system to quickly provide the required restoration capacity. Furthermore, adequate black-start generation resources should be available throughout an RTO/ISO footprint to expeditiously restore the critical loads according to the restoration priority.
As generation becomes available and the transmission system is energized, utility operators should focus on synchronizing as much generation as possible to maintain system stability and voltage control. A small amount of load may be picked up to control voltages; however, the majority of customers should not be restored until the system has sufficient generation real-power reserves to meet the expected peak loads and reactive-power reserves to control transmission system voltages. Synchronizing with neighboring utilities is a priority because it allows reserve sharing and provides increased system stability.
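An added sketch (not from the report) of the sequencing described in the preceding paragraphs: loads are picked up in the three priority tiers, a load whose normal supply is damaged falls back to an alternate supply, and ordinary customer load waits until online generation covers all reachable load plus reserve. The station names, megawatt figures, generation steps and the 20 percent reserve are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Tier meanings follow the priority order given in the text.
TIERS = {
    1: "system restoration infrastructure",
    2: "public health and safety",
    3: "all other customer loads",
}


@dataclass(frozen=True)
class Load:
    name: str
    tier: int
    mw: float
    normal_supply: str
    alternate_supply: Optional[str] = None


def pick_supply(load, damaged):
    """Return the first intact supply point for a load, or None if none is left."""
    for station in (load.normal_supply, load.alternate_supply):
        if station is not None and station not in damaged:
            return station
    return None


def plan_restoration(loads, generation_steps, damaged, reserve=0.2):
    """Sequence load pickup as generation comes online.

    generation_steps is an ordered list of (label, cumulative MW online).
    A load is energized only while online generation exceeds the energized
    load by the reserve fraction, and tier 3 is held back until generation
    covers every reachable load plus reserve.
    Returns (schedule, deferred): schedule is a list of
    (step label, load name, supply used); deferred lists loads with no
    intact supply.
    """
    reachable, deferred = [], []
    for load in loads:
        supply = pick_supply(load, damaged)
        if supply is None:
            deferred.append(load.name)
        else:
            reachable.append((load, supply))
    reachable.sort(key=lambda pair: pair[0].tier)   # stable: keeps order within a tier
    full_need = sum(load.mw for load, _ in reachable) * (1.0 + reserve)

    schedule, energized, nxt = [], 0.0, 0
    for label, online_mw in generation_steps:
        while nxt < len(reachable):
            load, supply = reachable[nxt]
            if load.tier >= 3 and online_mw < full_need:
                break   # general customer load waits for full reserves
            if (energized + load.mw) * (1.0 + reserve) > online_mw:
                break   # picking this load up would consume the reserve
            energized += load.mw
            schedule.append((label, load.name, supply))
            nxt += 1
    return schedule, deferred


# Constructed sample system (all names and numbers are illustrative).
SAMPLE_LOADS = [
    Load("control center", 1, 2.0, "Sub A"),
    Load("nuclear off-site power", 1, 30.0, "Sub B", "Sub C"),
    Load("gas compressor station", 1, 10.0, "Sub A"),
    Load("hospital", 2, 15.0, "Sub B", "Sub A"),
    Load("water treatment plant", 2, 8.0, "Sub B"),
    Load("911 center", 2, 1.0, "Sub A"),
    Load("urban feeders", 3, 200.0, "Sub C"),
]
SAMPLE_STEPS = [
    ("black-start units", 40.0),
    ("combustion turbines synchronized", 120.0),
    ("steam units and neighbor tie", 400.0),
]
DAMAGED = {"Sub B"}

if __name__ == "__main__":
    plan, waiting = plan_restoration(SAMPLE_LOADS, SAMPLE_STEPS, DAMAGED)
    for step, name, supply in plan:
        print(f"{step:34s} {name:24s} via {supply}")
    print("deferred until a supply is rebuilt or bypassed:", waiting)
```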
Because of restructuring of the marketplace in certain parts of the nation where deregulation has occurred, the local utility may no longer own the required generation capability. To facilitate restoration efforts, utilities in both regulated and deregulated markets need to recognize the importance of black-start capability in relation to restoration efforts. Considering internal investment or encouraging others to invest in black-start capability is vital. In deregulated markets, appropriate compensation mechanisms should be implemented to ensure incentives for providing black-start capability. To the extent possible, efforts should be made to ensure that any new generation units are constructed with black-start capability.
After a blackout, operators must immediately request that all steam-based black-start units start up even if the transmission system is not yet ready for the generating unit to interconnect. This will prevent boiler pressure from dropping too far such that a longer period of time is required for the unit to be ready to interconnect.
Testing of black-start equipment must be done periodically, and a requirement should be implemented to verify that the designated units could respond within an agreed-upon time. Generation restoration start-up times vary considerably between hydroelectric units, combustion turbines, steam units, and nuclear units. Utilities should evaluate these differences and develop plans that consider these timing issues.
As the generation infrastructure ages, some existing black-start generating units are approaching retirement age. Such retiring black-start generation should be appropriately replaced.
When significant damage to utility infrastructure has occurred, the restoration process may be complicated and lengthy. Utilities should be prepared for a prolonged recovery period and extensive allocation of both human resources and funding toward these efforts. In addition to the traditional means for restoration, such as through the use of generators and mobile transformers, utilities may also need to examine other alternatives that will provide for the quickest possible restoration while establishing the groundwork for permanent restoration in the future.
8 Utilities must consider the possibility that natural gas might not be available. Terrorists could take out gas transmission lines at the same time they are attacking the electric system. Alternatively, many gas transmission compressor stations now operate on electricity; if these are in the blacked out region, they will stop, severely limiting the amount of gas that can be delivered.
The utility will need to implement and adapt any plans it already has for bypassing damaged facilities and temporarily restoring customers to service. Many operational and support groups within the company will need to be part of this temporary restoration process. Utility engineers will play a significant role in the design of a temporary system as well as making necessary changes to the supervisory control and data acquisition (SCADA)/modeling systems to reflect the changes that will be made. Typically, temporary restoration steps will not provide the same “normal” level of contingency design that is built into permanent restoration. Therefore, all systems used to monitor the system, equipment ratings, load flow analysis programs, and alarm points may have to be modified to ensure that operators can effectively monitor and operate the system in its temporary state.
Many industry utility vendors have recognized the threat of significant damage to utility infrastructure and have introduced mechanisms for quick restoration. Utilities need to consider the implementation of emergency restoration systems that will provide them with the necessary tools to implement a quicker recovery from a terrorist attack. For example, the introduction of modular restoration structures will enable utilities to quickly support transmission lines. These structures require no special foundation, can be used at any voltage level, and can be adapted for myriad suspension designs, angles, or tensions. The erection of transmission towers, installation of necessary hardware, and stringing of conductors require significant logistical support and resources. The use of helicopters and large cranes, as well as the expertise of the employees, is critical to the rebuilding of transmission towers.
Various operational methodologies could enable utilities to restore service in a quick and efficient manner:
• Bypassing at the transmission/switching station level. Utilities should examine all potential operating scenarios, including the worst-case scenario of bypassing the entire facility. In order to bypass a particular station, temporary poles or towers could be used. In some cases, this might involve the use of transmission lines at voltages lower than those they are normally rated for in order to match the voltage ratings of equipment at the stations normally supplied by the bypassed station. For example, consider the loss of a substation receiving power at 345 kV, where the voltage is reduced to 138 kV for distribution. If the transmission line supplying power to the damaged substation is still intact, it could still carry power, but only at 138 kV. The power it could carry would be considerably reduced, but in an emergency that would still be very useful.
• Bypassing at the distribution substation level. Temporary restoration plans should be developed to address the restoration of service to customers and the associated load supplied by a particular distribution substation. There are several options that utilities will need to consider in the development of their plans. When looking at alternate supply options, utility engineers need to evaluate spare capacity at alternate supply locations to ensure that this equipment is capable of picking up the load(s) from the station that must be bypassed.
• Customer load normally capable of being supplied from alternate substation. Some utilities have radial distribution systems capable of being supplied by a minimum of two alternate sources. This can be accomplished through the use of an auto-loop system or an automatic transfer scenario. Ideally, in order to diversify the supply, the normal and alternate supplies should be provided from two different source substations in order to ensure continuity of service in the event of the loss of an entire substation.
• Customer load normally supplied from the same substation. In these cases, utility engineers must identify how to segment the load so that it can either be picked up in its entirety by an alternate source or so that it is “cut up” into various portions that can be picked up by different stations. For radial overhead systems, this may be as easy as performing field switching to isolate and segment the load and restore service accordingly. It is more complex for an underground network system. If multiple secondary networks are affected by the loss of an entire distribution substation, a sequence of carefully considered steps must be made in order to switch out feeders from a nearby network and connect them to the distribution feeders whose normal supply has been destroyed.
• Mobile generation. Another alternative is mobile generation, which can be used to supply load directly from the source or at the customer’s premises. Mobile generators can be important for responding to a significant wide-scale power outage.
• Distributed generation. Increased use of distributed generation and renewable power alternatives can also provide viable alternate supply sources.
• Mobile transformers and switchgear. If a utility can quickly reestablish a transmission supply and gain access to distribution feeder supply exit cables, the use of mobile transformers and switchgear is a viable alternative. This option will also require additional space, not only to site this equipment but also to ensure it does not interfere with the rebuilding of the permanent station.
A critical yet often overlooked aspect of power system restoration is public communications. Timely communication of accurate information is essential to successful resolution of a crisis. During a crisis, however, engineers and operators must focus on the technical aspects of the job at hand and can find it difficult to make others aware of their plans and objectives during the restoration efforts. If communication is lacking, however, even well-developed restoration plans and restoration efforts can be perceived by the public as failures.
In general, the public is more receptive to being told bad news regarding a situation than to being kept uninformed or misinformed. Some members of the public, for example, may have developed their own contingency plans, including plans for self-evacuation or relocation, and must be able to make decisions based on accurate and timely information from government agencies, emergency responders, and utilities that provide critical services. Agencies, too, must be able to adjust their plans based on information supplied by utilities.
It is therefore imperative that all utilities have a well-thought-out crisis communication plan developed and carried out by people within the utility who have responsibility for communicating with government officials, news media, and the public. Crisis communication should:
• Describe the channels to be used to communicate information;
• Summarize clearly and concisely the incident and its impact on the utility infrastructure and its workforce;
• Project with reasonable accuracy what can be expected and when, ensuring that the information communicated is based on input from operations people and not on some notion of what the public wants to hear; and
• Provide regular updates with quantitative results and information on any unexpected changes.
Personnel assigned to the development of crisis communication plans should be well versed in other companies’ public communications successes and failures. Case studies of specific incidents should be reviewed. Utility company personnel assigned to communications during a crisis should be well trained in crisis management and public speaking. In addition, it is important that communication flow is channeled through a central point to promote the dissemination of accurate information. The ICS structure addresses this issue through the appointment of a communicator who works very closely with the incident commander.
Depending on the extent of the damage to utility infrastructure, restoration of service could take weeks or months. Stakeholders are more likely to be understanding if they are kept informed and up to date. Credibility and trust are difficult to gain and easy to lose. A utility will build trust and credibility by openly communicating with emergency responders, governmental officials and agencies, community leaders, customers, and the general public.
Finding 7.1 The main difference between a terrorist attack and a major natural disaster is that terrorists could selectively target key equipment, especially large transformers. Instead of days to weeks, full restoration of electric power could take months to years following a well-planned, well-executed terrorist attack.
Finding 7.2 The risk of terrorism to the nation’s electric system as a whole is significant, but the probability of attack faced by any individual utility is low. Therefore it is neither realistic nor equitable to expect utilities or states to undertake all the needed equipment development and stockpiling without federal assistance. This is particularly true for the design, development, manufacture, and stockpiling of a set of high-voltage restoration transformers. While the utility industry, through the Edison Electric Institute, is working to build the Spare Transformer Equipment Program (STEP), the number of spare transformers that might be available is much smaller than the number that a large terrorist attack could destroy.
Finding 7.3 Analysis of vulnerabilities and planning for restoration of power after an attack are essential. Plans must cover a variety of attacks, be easily understood, and be specific to the operating utility infrastructure.
Finding 7.4 Strong and streamlined working relationships between utilities, federal and state governments, and law enforcement agencies are essential if utilities are to rapidly evaluate damaged equipment and implement plans for restoration of electric service to customers after a terrorist attack.
Finding 7.5 Greater use of distribution automation and demand-side management, as well as greater deployment of distributed generation and planning for the use of these facilities in the event of contingencies, hold considerable potential to reduce the vulnerability of the existing power system. Most of the needed technology already exists. Progress depends primarily on appropriate state regulatory and legislative initiatives.
Finding 7.6 All major incidents should be followed by a lessons-learned review of the entire incident to ensure that all weaknesses and deficiencies are identified and addressed.
Finding 7.7 Policies to balance risk communication and privacy/nondissemination of information require further investigation and research. Among the basic questions are how much information to communicate, to whom, under what threat levels, when, and how. Issues include approaches for maintaining openness, and the mechanics of disseminating evolving information to the public in view of potential legal ramifications and the responsibility to limit information available to terrorists. A key consideration is avoiding over-reactions by informing the public while providing the highest level of protection to the nation.
Recommendation 7.1 The Department of Energy and the Department of Homeland Security should fund the research, development, manufacture, and deployment of stocks of compact, easily transported, high-voltage restoration transformers for use in temporary recovery following the loss of several to many regular transformers.
Recommendation 7.2 Utilities and federal, state, and local governments, and law enforcement agencies should develop official memoranda of understanding (MOUs). These MOUs should spell out each party’s responsibilities before, during, and immediately following a deliberate destruction of utility equipment that leads to a disruption of electric service; provide a clear understanding of who is in charge; and explain how decisions will be reached in dealing with potential tensions between crime scene investigation and timely service restoration as well as unanticipated contingencies. The MOUs should also help to ensure the appropriate allocation of resources, and address concerns about potential government seizure of utility supplies and equipment during catastrophic events,9 which can seriously hinder prompt utility restoration of electric service.
Recommendation 7.3 State and federal law or regulations should be modified to:
• Recognize utilities as essential service providers so that relevant utility employees can be trained and legally designated as first responders to deal with attacks on the power system.
• Provide utilities, when needed, with temporary exemptions from laws that restrict their use of equipment, access to roads, materials, supplies, and other critical elements for restoration of electric service to essential loads, including those that have an impact on public health and safety.
• Ensure that state regulatory agencies support prudent efforts by utilities to commit and acquire the necessary resources for service restoration and provide reasonable assurance for recovery of these costs.
Recommendation 7.4 The Department of Homeland Security and the Edison Electric Institute should jointly develop programs and offer training for key utility personnel to respond to both conventional security threats and potential chemical/biological attacks on the electric infrastructure. The training should provide increased awareness of the possible threats, through risk assessments, and provide specific training for the use of protection equipment, detection and sensor equipment, and emergency decontamination procedures. Existing drills and restoration procedures must be expanded to address the potential for biological or chemical attacks that would disrupt electric operations and infrastructures.
Recommendation 7.5 The Department of Homeland Security with the Department of Energy and the electric reliability organization should work with utilities that have not yet done so to:
• Establish a team reporting to top management that coordinates physical, cyber, and operations security through comprehensive plans that clearly define what is expected of security personnel before, during, and after a deliberate destructive act; identifies the technologies and strategies to be used to continuously monitor critical company facilities; and establishes an Incident Command System and designates an incident commander to work with outside agencies.
• Examine their internal radio communications systems to determine that battery backup systems and portable generators are in place to ensure that all communication devices will remain operational during a crisis. Because traditional communication systems may become unavailable during a destructive attack on the electric system, options such as satellite communications should be evaluated (and periodically tested) for potential use as backup communication. In addition, the ERO could help ensure that neighboring utilities and operators have compatible communications systems.
• Assess black-start capabilities in their systems under the assumption that major physical disruption of the transmission system can occur, develop appropriate contingency plans, and test both the plans and the equipment on a regular basis.
• Assess the potential for the cascading collapse of long stretches of transmission line, and, where appropriate, include offsetting towers at various intervals or reinforcing or upgrading towers at more frequent intervals along the line.
Recommendation 7.6 State legislatures should change utility law to explicitly allow micro-grids with distributed generation. IEEE should revise its standards to include the appropriate use of islanded distributed generation and micro-grid resources for local islanding in emergency recovery operations. Utilities should reexamine and, if necessary, revise their distribution automation plans and capabilities in light of the possible need to selectively serve critical loads during extended restoration efforts. Public utility commissions should consider the potential emergency restoration benefits of distribution automation when they review utility applications involving such investments.
9 For example, during Hurricane Katrina there were efforts by some government entities to commandeer some utility communication systems and fuel supplies.
Alderfer, R., T. Starrs, and M. Eldridge. 2000. Making Connections: Case Studies of Interconnection Barriers and Their Impact on Distributed Power Projects. NREL Report NREL/SR-200-28053. Golden, Colo.: National Renewable Energy Laboratories.
EEI (Edison Electric Institute). 2006. Section 203 Application and Petition for Declaratory Order from the Federal Energy Regulatory Commission Docket Nos. EC 06-140-000 and EL 06-86-000. Available at http://www.eei.org/about_EEI/advocacy_activities/Federal_Energy_Regulatory_Commission/060718FamaFercSpareTransformers.pdf, accessed October 2007.
EPRI (Electric Power Research Institute). 2005a. Counterterrorism Measures and the Protection and Restoration of an Electric Grid. Infrastructure Security Initiative. Palo Alto, Calif.: EPRI. October 30.
EPRI. 2005b. “Emergency Communications Phase 1 ISI Report. Infrastructure Security Initiative.” Palo Alto, Calif.: EPRI. September 30.
EPRI. 2006. “Recovery Transformer—A Prototype Factory Build and Test Project.” Available at http://www.epriweb.com/public/000000000001014534.pdf.
IEEE (Institute of Electrical and Electronic Engineers). 2003. P-1547: IEEE Standard for Interconnecting Distributed Resources with Electric Power Systems. IEEE Standard 1547-2003. New York: IEEE. Approved June 12.
King, D.E. 2006. “Electric Power Micro-grids: Opportunities and Challenges for an Emerging Distributed Energy Architecture.” Ph.D. Thesis, Department of Engineering and Public Policy, Carnegie Mellon University, Pittsburgh, Pa.
Morgan, M.G., and H. Zerriffi. 2002. “The Regulatory Environment for Small Independent Micro-Grid Companies.” Electricity Journal 15(9): 52–57.
NRC (National Research Council). 2002. Making the Nation Safer: The Role of Science and Technology in Countering Terrorism. Washington, D.C.: The National Academies Press.
Stiegemeier, C., and R. Girgis. 2006. “Rapidly Deployable Recovery Transformers.” IEEE Power and Energy Magazine 4(2): 38–45.
Walker, J. 1999. “Auckland Light Out from Failure to Recovery (Power System Disturbance).” Proceedings of the 21st International Telecommunications Energy Conference. PI 3-1. Copenhagen, June 6–9. New York: IEEE.