For many Americans, the sabotage of the electric substations in Moore County, North Carolina, was a shock. While we do not yet know all the details of the attacks, the reporting has consistently asserted that substation components were badly damaged by gunfire in what appears to be a coordinated and intentional assault. The public statements that followed, declaring an emergency and instituting a curfew, and repair estimates of the outage lasting up to five days provided hints at the potential scope of the damage. While the incident is disturbing, it is certainly not without precedent. As a researcher on energy security, I have studied over 5,000 attacks on energy infrastructure worldwide, including many in the United States. While domestic attacks on electric infrastructure are not common, they do seem to be on the rise. They may not be the new normal, but we should be paying attention.
Much of the media coverage of the North Carolina attacks focused on comparisons to the 2013 attack on Pacific Gas & Electric Company’s Metcalf substation. During the Metcalf incident, the attackers used assault rifles, severely damaging ten 500-kilovolt (kV) transformers, three 230 kV transformers, and six 115 kV circuit breakers. This attack cost PG&E an estimated $26 million in repairs and environmental cleanup efforts. If not for the early detection and reporting, the loss of the Metcalf substation’s electric capacity could have blacked out parts of Silicon Valley. Metcalf was not the first domestic sabotage incident involving electric infrastructure, and it would not be the last.
Attacks on U.S. Electric Infrastructure
High-voltage transmission towers were intentionally toppled in Santa Cruz, Calif., in 1990, Oregon in 2003, Oak Creek, Wis., in 2004, and again in Little Rock, Ark., in 2013. Every one of these incidents resulted in loss of power to thousands of homes and businesses and significant economic impacts to the electric utilities. Two of these attacks resulted in arrests and convictions.
After the Metcalf attack, the trend shifted to shooting at substation transformers. First in Franklin Township, Pa., in 2014, next in Kanab, Utah, in 2016, and then in Lake Worth, Fla., in 2018. In February 2022, three men were convicted in federal court of plotting to attack the U.S. power grid. Their plan was to attack various electric substations in different regions of the United States. Their neo-Nazi beliefs motivated the attack plan.
In March 2022, utility workers at the Red River Valley Rural Electric Association in Ardmore, Okla., were called to a substation where one of the transformers had been damaged by gunfire. The damage resulted in a million-dollar cost and left 1,200 residents without power. The incident was relatively small in scale and only reported locally.
In July 2022, East River Electric was the target of an attack that damaged substation equipment. The Keystone Pipeline System near Huron, S.D., is powered by the targeted substation and was forced to shut down part of the system for several days while repairs were completed.
This week, CBS News reported on a “federal law enforcement memo describing similar situations across the U.S.,” presumably substation attacks, specifically in Oregon and Washington. CBS quoted the memo as including possible “physical attacks on substations using hand tools, arson, firearms and metal chains possibly in response to an online call for attacks on critical infrastructure.” If the reporting is accurate, there could be more attacks than previously known.
Domestic Extremist Groups Intent on Attacking the Grid
The Duke Energy attack in Moore County is the third reported attack this year. While it is impossible to know how many attacks go unreported, this attack frequency is concerning. However, it is not only the successful attacks that are cause for concern. Attack-related chatter from domestic violent extremist groups has been on the rise, as has the number of thwarted plots. Extremist groups use social media, chat rooms, and other platforms to share information and disseminate their ideologies. Much of the chatter has specifically encouraged attacks against substations and other components of the power grid – in some cases using the Metcalf attack as an example of how to conduct such operations. One group claimed to have detailed maps of the power grid for the Western United States. Members of another extremist group were arrested with weapons and explosives near Las Vegas in 2020. This group also had plans to attack electric substations.
In my research, I found a statistical correlation between separatist groups and a preference for energy infrastructure attacks. Many of today’s right-wing and neo-Nazi domestic extremist groups have similar grievances against the government and large institutions. They embrace ideologies that seek the fall of government or current systems: a reset. The theory is that attacking the power grid is one method to bring about that change. Many extremist groups refer to this as accelerationism. Accelerationists seek to hasten the collapse of society by sparking unrest. Their ideas about bringing down the power grid are one approach to igniting this instability. There are other groups and individuals who have the desire to target electric infrastructure for a variety of reasons, but the accelerationist groups have emerged as a central threat. “We have seen a significant uptick in DVE chatter surrounding sabotage and physical attacks on distribution and transmission substations,” former DHS Assistant Secretary for Infrastructure Protection Brian Harrell told HSToday after the Moore County attacks. “The utility industry is aware of these concerns, and over the years proper investments have been made to mitigate such attacks. However, a determined adversary with insider knowledge as to what to shoot, and how to cripple key components, is difficult to stop. Therefore, the energy sector invests in resilience.”
Electric Infrastructure Protection Is Challenging
Electric utilities are faced with a complex challenge to protect a system that is immense and spread out over the entire country, including in many remote areas. The system has over 55,000 substations, 600,000 miles of high-voltage transmission lines and 5.5 million miles of local distribution lines. Much of the system was built decades ago without security measures factored into the original design.
Aside from the size and complexity of the power grid, there is the expense of building and maintaining robust security countermeasures in every facility. Installing high walls, surveillance cameras, high-technology sensors and deploying armed security guards at every facility comes at a significant cost. Ultimately, this cost will be paid by the consumer, so utility companies walk a delicate line between security investments and maintaining reasonable rates for their customers. This dilemma is usually managed through a risk-based security approach. Security investments are based on the criticality of the facility or asset. In plain terms, disruptions to larger substations with a potential systemic impact to the grid are the biggest concern. These vulnerabilities are where much of the security technology and personnel are focused. Even relatively simple security measures come at a cost, which is then multiplied by hundreds of substations for most large utility companies.
The North Carolina attacks will certainly stimulate new conversations in the industry regarding risk, cost, and appropriate security measures. Risk-ranking methodologies for individual facilities will be re-examined and new, creative approaches will be explored. I suspect there may even be new government regulations to address the risk.
Reducing the Risk and Protection of the Grid
There are some security countermeasures that can be initiated immediately. If the cost of security guards is prohibitive at every facility, utilities can use randomized mobile patrols or rotate guards intermittently to cover multiple locations. Surveillance cameras at every location may be expensive, but the use of mobile surveillance platforms and unmanned aerial systems can be better methods for covering multiple locations. Critical components in the facility can be concealed and protected with hardened barriers to minimize damage from gunfire. Even the design of the facility can be altered to conceal components, thereby making it difficult to shoot at them from perimeter fencing. Lighting can be improved, and vegetation can be removed to limit areas where perpetrators can conceal themselves. Electric utilities should seek to utilize the Defense-in-Depth strategy, where security controls are layered to deter, detect, and delay an attack. This approach increases the probability that the attack will be thwarted, or the impacts will be reduced.
Utility companies can develop better partnerships with local law enforcement agencies to provide augmented patrols. Police officers in many jurisdictions do not have adequate training to patrol substations and other equipment. They may not even know where or how to access the substations located in their town. Utility companies can provide tours and training on substation hazards, and they can explain who should be in the facility and who should not. Communication between police dispatch and utility company security operations centers can be improved. Local police departments are frequently an untapped resource. Utilities should have dedicated law enforcement liaisons to work with police departments on training and familiarization.
Utility companies can institute programs to build a better security culture among non-security employees. When employees know what to look for and are empowered to report suspicious behavior, there are opportunities to disrupt attacks before they begin. Many attackers scout locations ahead of time to plan their attack. Some take photos and video of the location or test security by attempting entry. Attentive employees working at the facility are the best defense against this type of pre-attack planning activity.
In locations where more advanced security systems are already installed, equipment should be tested and maintained regularly, including surveillance cameras, access systems, and sensors. Security personnel should periodically test security measures by attempting to penetrate the facility, called red-team testing. Security policies and procedures should be regularly updated.
Use of Intelligence
Utilities can develop in-house intelligence analysis capabilities to evaluate emerging threats well ahead of attacks. Electric infrastructure security teams can leverage information sharing and analysis centers provided by industry, resources from the departments of Energy and Homeland Security, or even local fusion centers managed by state and local law enforcement agencies. Useful intelligence can be disseminated through threat bulletins to company employees and local law enforcement to warn of possible attacks. Enhanced, regular information sharing and communication between utility security operations centers and operational grid control and switching centers can alert employees to suspicious behavior at specific sites or unusual electrical activity on the grid that might indicate equipment damage.
Response and Recovery
Not every attack can be prevented. Utility companies can be resilient to attacks by maintaining a state of readiness in the instance where a successful attack damages equipment and disrupts electric service. Emergency response training and plans are crucial in these incidents. Employees should be trained and participate in exercises, so they are ready to act when an attack occurs. Business continuity plans should be up to date to ensure that critical systems or backup measures remain in service while the disruption is in progress. This includes automatic contingencies that are practiced ahead of an incident.
Rapid restoration of power and recovery to minimize impacts are critical aspects of the strategy. This kind of resilience is facilitated with redundant circuits and readily available spare components for quick replacement. When restoration of power and recovery efforts are efficiently and quickly undertaken, the potential impacts of the crisis can be mitigated.
As the investigation continues in North Carolina, we will learn more. Hopefully, the perpetrators of the attacks will be brought to justice. Inevitably, there will be many discussions between government and industry leadership about improvements to security, response, and resilience. Industry professionals do not have to wait for those discussions to act. We can work on solutions at the local level with resources we already have at our disposal. Unfortunately, in today’s environment, it is likely that future attacks will occur. The indicators suggest that Moore County will not be the last attack.