Among critical infrastructure sectors in the U.S., energy is perhaps the most crucial of the 16 sectors defined by the Department of Homeland Security. This sector is so vital because it provides the energy necessary to run every other critical infrastructure sector. However, the U.S. power grid, the backbone of the energy sector, is built upon an aging skeleton that is becoming increasingly vulnerable every day. Whether from terrorists or nation-states like Russia and China, the power grid is susceptible to not just physical attacks, but also to cyber intrusion as well. However, much of this threat can be mitigated if the U.S. takes the appropriate steps to safeguard the power grid and avoid a potential catastrophe in the future.
Since Sept. 11, 2001, terrorism on U.S. soil has been at the forefront of American consciousness. Critical infrastructure provides an appealing target because of the disproportionately large impact even a small attack can have on the sectors. The power grid in particular represents a lucrative target, both in terms of the ease of access and the large impact an attack can make. The National Research Council stated that the U.S. power grid is “vulnerable to intelligent multi-site attacks by knowledgeable attackers intent on causing maximum physical damage to key components on a wide geographical scale.” Additionally, the physical security of transmission and distribution systems is difficult due to the dispersed nature of these key components, which in turn is advantageous to attackers as it reduces the likelihood of their capture. From 2002-2012, approximately 2,500 physical attacks occurred against transmission lines and towers worldwide and approximately 500 attacks against transformer substations. Terrorists have the motivation to attack the U.S. power grid, and the very nature of the grid makes it highly vulnerable. The power grid is not only at risk from physical attacks, but also from nation-state cyberattacks.
One nation that has shown both the capability and intent to use attacks against critical energy infrastructure is Russia, as demonstrated in their 2015 annexation of Crimea from Ukraine. A Russian cyber threat group known as Sandworm, which used its BlackEnergy malware, attacked Ukrainian computer systems that provide remote control of the Ukraine power grid. This attack, and another in 2016, each left the capital Kiev without power, prompting cyber experts to raise concern about the same malware already existing in NATO and the U.S. power grids. In any conflict between Russia and NATO, not only would similar cyberattacks pose a threat, but so would potential physical attacks severing fuel oil and natural gas lines to Western Europe. Russia has both the capability and intent to attack critical infrastructure, particularly power grids, during future conflicts in their “hybrid warfare” approach.
Another nation that has the capability to attack critical energy infrastructure is China, representing a threat to not just the U.S. energy infrastructure but also that of our allies whose support would be vital in a major conflict. A recent NATO report highlighted this threat from China’s Belt and Road Initiative, stating that “[China’s] foreign direct investment in strategic sectors [such as energy generation and distribution] …raises questions about whether access and control over such infrastructure can be maintained, particularly in crisis when it would be required to support the military.” Like Russia, China has been active with cyber intrusions in U.S. energy infrastructure. The Mission Support Center at Idaho National Laboratory characterized these attacks as “multiple intrusions into US ICS/SCADA [Industrial Control Systems/Supervisory Control and Data Acquisition] and smart grid tools [that] may be aimed more at intellectual property theft and gathering intelligence to bolster their own infrastructure, but it is likely that they are also using these intrusions to develop capabilities to attack the [bulk electric system], as well.” China, therefore, has both the capability and intent to conduct cyber intrusions and attacks for myriad reasons.
Another arm of this threat is the reliance the U.S. energy industry has on imports from China, especially transformers. In early 2020, federal officials seized a transformer in the port of Houston that had been imported by the Jiangsu Huapeng Transformer Company before sending it to Sandia National Laboratory in Albuquerque. Sandia is contracted by the U.S. Department of Energy for mitigating national security threats. The Wall Street Journal reported that “Mike Howard, chief executive of the Electric Power Research Institute, a utility-funded technical organization, said that the diversion of a huge, expensive transformer is so unusual – in his experience, unprecedented – that it suggests officials had significant security concerns.” Previously destined for the Washington Area Power Administration’s Ault, Colo., substation, the transformer is believed to have been seized due to “backdoor” exploitable hardware emplaced by the Chinese prior to shipment. Shortly after these events, President Trump issued Executive Order 13920, “Securing the United States Bulk-Power System,” essentially limiting the import of Chinese-built critical energy infrastructure components due to concerns about cybersecurity. Interestingly, Jiangsu Huapeng “boasted that it supported 10 percent of New York City’s electricity load.”
Franklin Kramer, the former Assistant Secretary of Defense for International Security Affairs, testified before a U.S. House of Representatives Energy and Commerce subcommittee during an energy and power hearing in 2011 and said that a “highly-coordinated and structured cyber, physical, or blended attack on the bulk power system, however, could result in long-term (irreparable) damage to key system components in multiple simultaneous or near-simultaneous strikes.” He added that “an outage could result with the potential to affect a wide geographic area and cause large population centers to lose power for extended periods.” Even the inclusion of features such as smart grids to the overall grid structure poses new vulnerabilities through their connectivity. Kramer stated that “such connectivity means that the distribution system could be a key vector for a national security attack on the grid.”
Power generation represents a key vulnerability of the U.S. energy infrastructure. Physical security measures vary by site and type of power plant; however, most are still limited in their security measures beyond chain-link fences, with the notable exception of nuclear power plants. The very nature of power plants does provide some physical security, with plants often residing in rural areas over large areas with multiple buildings, which makes locating and accessing critical components more difficult. While an attack on a power plant would have a large effect, it would also result in increased security at other plants. Finally, the nature of the U.S. energy grid provides the capability to provide some level of self-healing, meaning that even if a power plant were to go offline other sites can mitigate that loss and prevent cascading effects.
System Control Centers represent another key vulnerability. These centers contain not only important technical control systems, but also the personnel who operate those systems and their unique intricacies. However, like power plants, the physical security of these sites varies, ranging from minimal security to extensive hardening. Fortunately, these centers have redundant facilities that can mitigate losses to the rest of the system.
Power lines may be viewed as a key vulnerability as the most visible aspect of the transmission infrastructure, but the number of lines, ability to redirect power, coupled with the relative ease of replacement, mean that an attack on power lines is likely to be limited in both scope and duration. Therefore, while still a required part of the power infrastructure, transmission lines are not a significant vulnerability especially when other critical infrastructure sectors often have their own temporary backup power such as batteries and motor-generator sets (e.g. an on-site diesel motor running an electrical generator at a hospital).
Perhaps the most vulnerable aspect of the U.S. power grid is the high-voltage transformers that allow efficient transmission from power plants to distribution substations. The bottom line is that power generation is of no consequence if it cannot be delivered to the end user, and “there is general agreement among security planners that key high-voltage substations are the most worrisome terrorist targets within the power transmission system.” This is complicated by the fact that the transformers are “difficult to protect” and “replacement parts are difficult to obtain, and damage to substations can separate customers from generation for long periods,” often taking over a year to replace under ideal conditions. As previously stated, the power industry is heavily reliant on imports for these transformers, with many coming from China. Finally, these substations are often unprotected by more than a perimeter fence, making them vulnerable to standoff and penetration attacks. The critical nature of these transformers, combined with the difficulty in manufacturing and replacing them, makes the transmission substations one of the most vulnerable aspects of the U.S. power grid.
A further vulnerability of energy infrastructure is the increased use of remote-control mechanisms to operate critical equipment and manage energy loads all the way from power generation to transmission. The more connected critical energy infrastructure is to a network, the more vulnerable it becomes to cyberattack. Kramer described the potential effects of a cyberattack in 2011, following the STUXNET attack on Iranian nuclear facilities, stating, “We have had even further confirmation of the problem of the [US power] grid’s vulnerability, as demonstrated by the STUXNET attacks. STUXNET – while not grid-directed, showed the vulnerability of control machines – which are the very type of machines upon which the grid depends for effective operation.” This vulnerability is further described by the Mission Support Center, which stated, “Growth of networks and communication protocols used throughout ICS networks pose vulnerabilities that will continue to provide attack vectors that threat actors will seek to exploit for the foreseeable future. The interoperable technologies created for a shift toward a smart grid will continue to expand the cyberattack landscape.”
As evident in the example of the seized Chinese transformer in Houston, software and networks are not the only mechanisms for cyberattacks. In fact, ICS and hardware, such as transformers, present a significant vector for cyber intrusion as well. The added danger of this vector is that ICS controls can be affected without the people monitoring them even knowing. This was the case with STUXNET, where Iranian engineers could see that something abnormal was occurring but could not pinpoint the cause in time to avert destruction of the centrifuges. Thus, vectors exist for cyberattacks on the U.S. energy infrastructure from software, networks, and malware installed in imported hardware, including components such as transformers.
The Department of Defense (DoD) has utilized the Defense Critical Infrastructure program since 2005, which is focused on “identifying key defense infrastructure assets and developing guidelines and procedures for their protection,” resulting in the Mission Assurance Strategy in 2012, which is designed for “strengthening the resiliency of DoD missions.” While the Mission Assurance Strategy is geared toward protecting the Mission Essential Functions of the DoD, it also calls for strengthening partnerships with private industry, which accounts for over 90 percent of the critical infrastructure in the U.S. Ideally, the DoD would provide support to private industry to ensure that it is operating in a way that protects its infrastructure from threats. However, it is still incumbent on the private sector to accept and follow this guidance. While the DoD can provide support to help harden private electrical infrastructure, it cannot force private industry to take steps that will no doubt increase costs and cut into profit margins.
The National Research Council provides some potential ways to reduce physical vulnerability, including hardening substations and making them more difficult to locate, hardening control facilities, improving surveillance of critical sites and, most importantly, providing more robust physical security around transformer substations. These safeguards are most useful in deterring attacks against multiple points of the system, and would provide the same utility against state-sponsored covert action. Regarding a state-level overt attack, some of these mitigation measures may be useful, but much more important is the DoD’s ability to both defend the homeland and provide credible deterrence to nation-state actors attacking the U.S. power grid.
Some experts argue that the cyberattack threat is exaggerated, with attacks typically limited to causing disruption counted in days rather than weeks. Robert M. Lee, CEO of cybersecurity firm Dragos, Inc., explained that even if a cyber intruder gains access to an ICS, they would not necessarily know what to do to cause damage. This could limit the potential destructive nature of a cyberattack by many hackers. A successful cyberattack by a nation-state like China or Russia would need to leverage ICS experts to fully manipulate the U.S. energy controls effectively. Yet Russia and China are unlikely to be “motivated to execute a cyberattack resulting in widespread damage to the U.S. power grid due to the political consequences such a hostile act would likely guarantee.” Lee addresses this fact as well, stating that, much like military cybersecurity, what is needed is active defense, which is currently hobbled by fewer than 1,000 ICS cybersecurity experts worldwide. By training and employing more of these personnel, attacks such as STUXNET become much easier to detect and defeat. Only by expanding the defenses beyond passive measures can the U.S. energy infrastructure hope to continue to stave off future cyberattacks.
Kramer also provides potential solutions, highlighting the DoD’s use of active and passive cyber defense, in addition to offensive cyber operations, as a model that can be extended to the power sector. Kramer suggests that the DoD oversee grid security, stating, “It would seem appropriate for the DoD with the right legislative authority and under presidential guidance to help protect electric grid networks.” Kramer supports this solution by paraphrasing an unnamed electric power company officer: “I can understand why my company should be able to protect itself against cyber criminals, but why should I be expected to succeed against a major nation state cyberattack? Isn’t that what the government is supposed to do?”
The very structure of critical infrastructure in the U.S., even with much of it privatized, still provides a public necessity that must be defended. Due to the widespread public dependence on such infrastructure for not only commerce and communication, but also survival, the federal government does ultimately have the responsibility for protecting that infrastructure. However, Kramer’s argument that this is the responsibility of the DoD requires a logical leap. While the DoD oversees the defense of the nation and its people, it is not required to defend private property. Ultimately, Kramer makes an effective argument that there needs to be a top-down focus on protecting the power grid, led by the federal government. However, a more suitable mechanism for achieving this goal would be through legislation and standards throughout the electric industry that harden the power grid against cyber threats.
Another potential solution is the utilization of “microgrids,” described as a “grid architecture that could manage electricity generation and demand locally in sub-sections of the grid that could be automatically isolated from the larger grid to provide critical services even when the grid at large fails,” ideally preventing a cascading failure. These grids would be useful in the U.S. due to both their resiliency and their reliability in supporting other critical infrastructure such as water, healthcare, and emergency response infrastructure. There are several disadvantages of microgrids, including cost, increased cyber vulnerability, wider power variance, and a limited ability for self-healing. However, by incorporating microgrids as a redundancy to the main grid, mass power outages can be mitigated. While microgrids are not the perfect solution, they do provide a possible path to ensuring that catastrophic failure of the U.S. power grid does not occur.
There are multiple pathways available to harden the U.S. energy infrastructure sector against a multitude of threats; however, not taking action could leave our power grid vulnerable to cyberattack, resulting in massive damage, loss of life, and severe economic impacts.
Disclaimer: The author is responsible for the content of this article. The views expressed do not reflect the official policy or position of the National Intelligence University, the Department of Defense, the U.S. Intelligence Community, or the U.S. Government.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland.