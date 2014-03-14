(John Kemp is a Reuters market analyst. The views expressed are
his own)
By John Kemp
LONDON, March 14 Simultaneous attacks on just
nine substations could black out the entire United States,
according to a report in the Wall Street Journal, based on a
confidential study by energy regulators.
"A small number of the country's substations play an outsize
role in keeping power flowing across large regions," the Journal
explained ("U.S. risks national blackout from small-scale
attack", March 12).
On a hot summer day, when the generation and transmission
system is stretched to its limits, knocking out just nine of the
55,000 substations on the transmission system could cause
cascading power failures that would leave the country without
electricity for weeks or even months.
The Journal has not published the list of 30 critical
substations examined in the study.
Nonetheless, the leak has drawn a fierce rebuke from the
Federal Energy Regulatory Commission (FERC) and the top
Republican on the Senate Energy and Natural Resources Committee.
"Publication ... of sensitive information about the grid
undermines the careful work done by professionals who dedicate
their careers to providing the American people with a reliable
and secure grid," FERC complained.
"While there may be value in a general discussion of the
steps we take to keep the grid safe, the publication of
sensitive material about the grid crosses the line from
transparency to irresponsibility, and gives those who would do
us harm a roadmap to achieve malicious designs," the commission
added.
Senator Lisa Murkoswki was even more blunt. "Whoever is the
source of this leak - and it appears to be someone with a great
deal of access to highly sensitive, narrowly distributed FERC
documents - is clearly putting our nation at risk. If his or her
actions are not illegal, they should be."
NETWORK VULNERABILITIES
The concerns revealed by the leak are not new. Professionals
have been expressing similar worries about the vulnerability of
highly interconnected energy systems for electricity, natural
gas and oil since at least the 1970s.
"The United States has reached the point where a few people
could probably black out most of the country," Amory and Hunter
Lovins wrote in 1982.
"A small group could shut off three-fourths of the natural
gas to the eastern U.S. in one evening without leaving
Louisiana," they observed ("Brittle power: energy strategy for
national security").
The vulnerability of the power grid and the gas distribution
system to a coordinated cyber attack was even one of the central
plot features of the 2007 film "Live Free or Die Hard" starring
Bruce Willis.
The grid's interconnectedness is both its greatest strength
and greatest weakness.
"The size, complexity, pattern and control structure of
these electrical machines make them inherently vulnerable to
large-scale failures," the Lovinses wrote.
"Complex energy devices were built and linked together one
by one without considering how vulnerable a system this process
was creating."
When each city or region had its own generating plant and
distribution system, the effects of any failure were localised.
But the nationwide grid is a single machine (or really three
semi-autonomous ones because the United States has three largely
separate regional grids).
Once power plants and transmission systems were linked
together, it was possible for a single fault to propagate or
cascade across a much larger area, even in the worst instance a
whole region.
COUPLING AND COMPLEXITY
Several features of the grid and other modern energy systems
make them vulnerable to large-scale failure.
The grid is highly interconnected. It is also tightly
coupled, in the sense that failure of one component dramatically
increases the potential for failure of others.
Finally, the grid is a complex, dynamic and non-linear
system. There are many branching paths and feedback loops that
can magnify small errors in unexpected ways. Small initial
problems can quickly generate escalating disturbances ("Normal
accidents: living with high-risk technologies", Charles Perrow,
1984 and 1999).
The August 2003 blackout demonstrated just how
interconnected, tightly coupled and non-linear the system really
is.
Contact between a couple of power lines and overgrown trees
in Ohio resulted in a cascading power failure that blacked out
power to 50 million people in the Northeast, Midwest and
neighbouring parts of Canada in under five minutes.
If a couple of trees can take out power to 50 million people
on a moderately hot summer afternoon, it comes as no surprise
that dedicated saboteurs could cut power nationwide by
simultaneously destroying as few as nine key substations.
But the grid also has some important features that make it
more secure and resilient than this worst-case scenario
suggests.
RESILIENCY AND SECURITY
The physical structure of the grid (its "topology") and flow
of power (active and reactive) across the network from
generating stations along transmission lines to customers, via
step-up and step-down transformers, and the regulation of
aspects of power quality such as voltage and frequency, is
enormously complex.
Power flows vary according to the time of day, season,
temperature and maintenance schedules. In theory, the entire
country could be blacked out by destroying as few as nine
substations, but it would not always be the same ones. There are
dozens, perhaps as many as 100, which could be critical in
different conditions.
To bring down the grid, a saboteur would need to understand
exactly how power was flowing around it in real time, which
nodes were critical at that particular moment. If a non-critical
node is attacked, grid controllers have an opportunity to
re-route power through other transmission lines and
transformers.
That explains why FERC is so angry about the leak.
Regulators and grid operators conduct lots of scenario planning
to identify system vulnerabilities, not just from sabotage but
from equipment failures, tree contacts, and a host of other
problems.
Confidentiality is critical. Uncertainty about how power
flows around the network is one of its strongest protections.
FERC fears that leaks could provide would-be saboteurs with a
route map on how to identify critical nodes in the network under
certain scenarios and focus their attacks in a way that
maximises the danger.
PLANNING FOR FAILURE
Former FERC chairman Jon Wellinghoff told the Wall Street
Journal: "There are probably less than 100 critical high-voltage
substations on our grid in this country that need to be
protected from a physical attack. It is neither a monumental
task, nor is it an inordinate sum of money that would be
required to do so."
But this is arguably the wrong focus, or at least an
incomplete one. The most effective way to protect complex
interconnected systems is to make them less tightly coupled so
one component can fail safely without damaging others, leaving
the system overall in a safe condition.
"De-coupling" or "defence in depth" is already central to
the protection of high-risk systems such as nuclear power
plants, nuclear weapons, chemical plants and aircraft.
It is simply not possible to give an absolute guarantee that
individual components or sub-systems will not fail. So, complex
and high-risk systems are planned from the outset with failure
in mind.
Complex and dangerous systems are designed with many
independent sub-systems and redundant safety features on the
assumption some components will fail but should leave others
functioning.
In general, serious accidents occur when sub-systems turn
out not to be as independent as their designers thought, or when
personnel ignore safe operating procedures.
Similar safety protections are built into the design and
operation of the grid. Controllers conduct thousands of computer
simulations to identify risk factors and prepare for
contingencies.
In the case of the power grid, the solution is not just, or
mainly, to protect critical substations from physical attack. It
is also to make them less critical to the operation of the
network by building in more redundancy.
Hundreds of professionals are involved through the North
American Electric Reliability Corporation's Critical
Infrastructure Protection Committee (CIPC), its Reliability
Issues Steering Committee (RISC) and similar organisations.
Hardening critical substations can only ever be a very small
part of the solution. Physical attacks are only one of the
serious threats the grid faces. Others include equipment
failure, operational errors and solar storms, any of which could
be just as dangerous.
The grid's greatest security lies in making it more flexible
and less tightly coupled, as well as careful but confidential
system planning to ensure the network is able substantially to
survive even a simultaneous attack.
