The Threat of Terrorism on Utility Infrastructure
We spend much of our time thinking about emergency preparedness in the context of natural disasters like Hurricane Sandy, but there’s definitely more out there to be prepared for, not the least of which is terrorism.
Terrorism is as old as time. It’s a tactic designed to leverage highly visible, shocking attacks to paralyze entire populations with fear. In the U.S., terrorism started to emerge as a visible problem in the late 1970s, but it took the horrible events of 9/11 to really focus America’s attention on this threat – especially as it relates to radical Islamic groups.
Unfortunately, according to people who are experts on such things, utilities are high on the list of potential terrorist targets. Additionally, utility infrastructure tends to be relatively old, making it even more vulnerable. For example:
- The electric T&D infrastructure in the U.S. averages 45 years old
- Over 50% of nation’s power plants are more than 30 years old
- About 50% of the nation’s natural gas pipelines are more than 60 years old
- Municipal water infrastructure averages 70-100 years old
Clearly, these infrastructures were not built with today’s security threats in mind. That said, utilities are definitely taking steps to help minimize the risk and magnitude of an act of terrorism on utility infrastructure – whether from a cyber security breach, or a physical attack on a utility’s assets.
How Utilities are at Risk of Terrorism
First, make no mistake – any terrorist attack on utility infrastructure has the potential to be absolutely catastrophic. There are many ways terrorist groups could attack utility infrastructures, including but not limited to:
- Deploying a multi-pronged attack that targets multiple substations, high voltage transformers, transmission towers, control centers and/or power plants in a specific region or nationwide.
- Sabotaging one or more plant cooling towers to disperse biological or chemical agents.
- Releasing a biological or chemical agent into the water supply – roughly 15% of the nation’s water utilities serve 75% of the population.
- Destroying critical water pumping stations and dams.
- Placing destructive devices in the sewer systems beneath buildings or city streets causing a collapse of roads and adjacent structures.
- Destroying a series of major oil refineries or pipelines.
- Deploying cyber-security attacks on internet-enabled SCADA systems to disable certain infrastructure processes.
- Sending large-scale electromagnetic pulses through the electrical system designed to cause damage to downstream electronic equipment and components.
And this is not just a theoretical list, attacks have already happened – and have been happening for years. For example, in April 2013, terrorist snipers fired about 100 rounds into a PG&E substation, causing 17 transformers to overheat. Afterward, it took workers almost a month to get the substation back online. And overseas, terrorist organizations have been linked to 2,500 attacks on transmission lines or towers, and at least 500 on substations, from 1996 to 2006, according to the Electric Power Research Institute.
How Utilities are Coping
Regulatory bodies like FERC are focused on bolstering the protection of U.S. energy assets from terrorist acts, but even in the absence of regulatory mandates, utilities are already working on improving terrorism security.
One increasingly common approach is for utilities to hire something akin to a security guru, the role of which is generally to serve as the internal security expert and make decisions designed to fortify the protection of physical and virtual assets. This could include things like:
- Reducing SCADA system vulnerability through stronger oversight, more detailed security guidelines, or new control system technologies.
- Implementing physical buffer zone protocols around critical assets – such as road barriers, random vehicle inspections, or enhanced surveillance systems.
- Bolstering security as it relates to employees and vendors by tightening pre-employment screening criteria or implementing more stringent check-in protocols.
- Broadening the organization’s emergency planning training strategies to encompass terrorist scenarios.
Another increasingly common tactic involves the formalization of a process to conduct security assessments as a regular course of business. A comprehensive assessment will address physical and cyber security, SCADA and distributed control systems, communications security, grid security, distribution security, generation security, and biological/chemical issues. Some utilities – especially rural electric coops – have taken this a step further and have collaborated with other utilities to share in the cost and have a security assessment conducted on a number of facilities at the same time.
The Bottom Line on Utility Terrorism
Although natural disasters get most of the headlines when it comes to utility service disruptions, a coordinated, planned terrorist attack on utility infrastructure has the potential to dwarf these events in terms of degree of magnitude. Consider an attack on high voltage transformers. Each one of these costs millions of dollars to build, weighs up to 500,000 pounds, and can take months to make. If several of these assets were destroyed simultaneously, large portions of the U.S. could be without power for many months. In the final analysis, there is only one conclusion we can draw: terrorism needs to be embedded into the culture of utility emergency preparedness as much as – if not more than – natural disasters.