Blackout! Are We Prepared to Manage the Aftermath of a Cyber-Attack or Other Failure of the Electrical Grid?

Statement of Richard J. Campbell Specialist in Energy Policy Before Committee on Transportation and Infrastructure Subcommittee on Economic Development, Public Buildings and Emergency Management U.S. House of Representatives Hearing on “Blackout! Are We Prepared to Manage the Aftermath of a Cyber-Attack or Other Failure of the Electrical Grid?” April 14, 2016 Congressional Research Service TE10008 Congressional Research Service 1 Good Morning Chairman, Ranking Member, and Members of the Subcommittee. My name is Richard Campbell. I am a Specialist in Energy Policy for the Congressional Research Service (CRS). On behalf of CRS, I would like to thank the Committee for inviting me to testify here today. My testimony will provide background on the possible consequences of a failure of the electric grid, the roles and responsibilities of the respective parties, and some of the objective challenges in the recovery efforts. I should note that CRS does not advocate policy, or take a position on specific legislation. Potential Failure of the Electric Grid The electric power grid in the United States comprises all of the power plants generating electricity, together with the transmission and distribution lines and systems which bring power to end-use customers. The grid also connects the many publicly and privately owned electric utility and other wholesale power companies in different states and regions of the United States.1 However, with changes in federal law,2 regulatory changes, and modernization of the electric power infrastructure as drivers, the grid is changing from a largely patchwork system built to serve the needs of individual electric utility companies to essentially a national interconnected system, accommodating massive transfers of electrical energy among regions of the United States. Electricity generation is vital to the commerce and daily functioning of United States. While the U.S. electric grid has operated historically with a high level of reliability, the various parts of the electric power system are all vulnerable to failure due to natural, operational, or manmade events. Electric power is generated and sent over transmission lines to substations which reduce the voltage levels for distribution to end-use customers. The cables carrying electric power to customers generally exist in an exterior or “above ground” environment largely exposed to the elements. As such, power outages can result from floods or seasonal storms which often combine the furies of wind, rain, snow, or ice. The more severe weather events can damage electric power transmission and distribution infrastructure as trees or overhanging branches fall on electricity lines. Most failures of the grid occur in local distribution systems rather than bulk power transmission systems, as the rights-of-way for transmission lines are wider, and are cleared to prevent damage from trees. The cost of weather-related power outages may range from $25 billion to $55 billion annually.3 Other impairment or failure of the grid can potentially result from attacks, terrorism, or even extremes of space weather. For example, a nuclear weapon exploded at a high altitude over the United States would cause an electromagnetic pulse which could destroy power transformers and other critical components. 4 Similarly, a severe solar storm could have damaging impacts on power transformers. Sunspots send plasma from coronal mass ejections into space, which could interact with the Earth’s magnetic field causing ground induced currents powerful enough to overload transformers. The last major solar flare 1 As of 2013, there were 189 investor-owned electric utilities, 2,013 publicly-owned electric utilities, 887 consumer-owned rural electric cooperatives, and nine federal electric utilities. American Public Power Association, U.S. Electric Utility Industry Statistics, 2015, 2 Key legislation includes the Public Utility Regulatory Policies Act of 1978 (P.L. 95-617, as amended), the Energy Policy Act of 1992 (P.L. 102-486), the Energy Policy Act of 2005 (P.L.109-58), and the Energy Independence and Security Act of 2007 (P.L. 110–140). 3 “Power outages can impact electricity consumers primarily through property loss and business disruption. This can result in lost orders, and damage to perishable goods and inventories for businesses. Power outages can critically affect manufacturing operations mainly through downtime as workers are idled, and potentially damage equipment and production processes.” CRS Report R42696, Weather-Related Power Outages and Electric System Resiliency, by Richard J. Campbell. 4 See Congressional Distribution Memorandum, Space Weather and EMP threats to the Grid, 2015, by Richard Campbell. CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 2 eruption in 1989 caused blackouts in the Canadian province of Quebec. Even greater solar storms occur in cycles of approximately 100 years, with major events being recorded in 1859 and 1921.5 Much of the infrastructure which serves the U.S. power grid is aging. As of 2009, the average age of power plants was over 30 years, with most of these facilities having a life expectancy of 40 years.6 Electric transmission and distribution system components are similarly aging, with power transformers averaging over 40 years of age,7 and 70% of transmission lines being 25 years old or older,8 as of 2007. As the grid is modernized, new intelligent technologies utilizing two-way communications and other digital capabilities, are being incorporated with Internet connectivity. The “Smart Grid” refers to this evolving electric power network.9 While these advances may improve the efficiency and performance of the grid, they also increase its vulnerability to cyberattacks launched from the Internet. The potential for a major disruption or widespread damage to the nation’s power system from a large-scale cyberattack has increased focus on the cybersecurity of the grid. Modernization of many industrial control systems (ICS), in particular, Supervisory Control and Data Acquisition (SCADA) systems used by electric utilities, have also resulted in connections to the Internet.10 The increasing frequency of cyber intrusions on ICS is a concern to the electric power sector. Power production and flows on the grid are controlled remotely by a number of IC technologies. The National Security Agency reported that it has seen intrusions into IC systems by entities with the apparent technical capability “to take down control systems that operate U.S. power grids, water systems and other critical infrastructure.”11 Although there has not been a publicly-reported cybersecurity event or physical attack resulting in a large scale power outage in the United States,12 the potential for such attacks to cause a wide scale, long lasting outage cannot be dismissed. The first blackouts attributed to a cyberattack happened in the Ukraine in December 2015.13 The power outages affected approximately 225,000 customers, and are said to have originated from remote cyber intrusions at three regional electric power distribution companies. The cyberattackers targeted industrial control and operating systems at multiple central and regional facilities. The cyberattack also targeted other critical infrastructure,14 apparently in an attempt to impair recovery efforts. 5 Ibid. Massachusetts Institute of Technology, Retrofitting of Coal-Fired Power Plants for CO2 Emissions Reductions, March 23, 2009, 7 Thomas A. Prevost and David J. Woodcock, Transformer Fleet Health and Risk Assessment, Weidman Electrical Technology, IEEE PES Transformers Committee Tutorial, March 13, 2007, 8 K. Anderson, D. Furey, and K. Omar, Frayed Wires: U.S. Transmission System Shows its Age, Fitch Ratings, October 25, 2006. 9 In recognition of the need to deploy new technologies, Congress indicated its support for grid modernization in the Energy Independence and Security Act of 2007 (EISA) (P.L. 110-140). Specifically, Section 1301 of the act states: “It is the policy of the United States to support the modernization of the Nation’s electricity transmission and distribution system to maintain a reliable and secure electricity infrastructure that can meet future demand growth ... which together characterize a Smart Grid.” 10 CRS Report R43989, Cybersecurity Issues for the Bulk Power System, by Richard J. Campbell. (Hereinafter, CIBS). 11 Peter Behr, Cyberattackers have penetrated U.S. infrastructure systems -- NSA Chief, Environment & Energy Daily, November 21, 2014, 12 Steve Reilly, Bracing for a big power grid attack: ‘One is too many’, USA Today, March 24, 2015, 13 DHS - Industrial Control Systems Cyber Emergency Response team, Cyber-Attack Against Ukrainian Critical Infrastructure, Alert (IR-ALERT-H-16-056-01), February 25, 2016, 14 “In addition, three other organizations, some from other critical infrastructure sectors, were also intruded upon but did not experience operational impacts.” Ibid. 6 CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 3 A report15 released by the National Research Council (NRC) in 2012 concluded that well-informed terrorists could black out a large region of the country for weeks or even months. An event of this magnitude and duration could lead to turmoil, widespread public fear and an image of helplessness that would play directly into the hands of the terrorists. If such large extended outages were to occur during times of extreme weather, they could also result in hundreds or even thousands of deaths due to heat stress or extended exposure to extreme cold. The largest power system disruptions experienced to date in the United States have caused high economic impacts. Considering that a systematically designed and executed terrorist attack could cause disruptions that were even more widespread and of longer duration, it is no stretch of the imagination to think that such attacks could entail costs of hundreds of billions of dollars—that is, perhaps as much as a few percent of the U.S. gross domestic product (GDP), which is currently about $12.5 trillion.16 The NRC report further commented on the potential effects of a combined cyber and physical attack on the grid. If they could gain access, hackers could manipulate SCADA systems to disrupt the flow of electricity, transmit erroneous signals to operators, block the flow of vital information, or disable protective systems. Cyber attacks are unlikely to cause extended outages, but if well coordinated they could magnify the damage of a physical attack. For example, a cascading outage would be aggravated if operators did not get the information to learn that it had started, or if protective devices were disabled.17 Similar conclusions were reached in a 2015 report from Cambridge University and Lloyds of London, which theorized that a targeted cyberattack could leave 15 states and 93 million people from New York City to Washington, D.C. without power. The scenario estimated the total impact to the U.S. economy at between $243 billion and $1 trillion, resulting from “direct damage to assets and infrastructure, decline in sales revenue to electricity supply companies, loss of sales revenue to business and disruption to the supply chain.”18 The 2013 attack on the Metcalf substation in California further cast light on the physical vulnerabilities of the grid. After someone broke into a nearby underground vault to cut telephone cables, snipers opened fire on the substation, knocking out 17 large power transformers sending power to Silicon Valley. A blackout was averted by rerouting power around the substation, and local power plants had to produce more electricity. But it took the local utility 27 days to restore the substation. The Federal Energy Regulatory Commission’s (FERC’s) chairman at the time (Jon Wellinghoff) reportedly said that “if [the attack] were widely replicated across the country, it could take down the U.S. electric grid and black out much of the country.”19 Recovery from a well-planned cyber and physical attack on the grid could be complicated by the cost and vulnerability of critical components. While a physical attack on transmission towers to bring down power lines could cause blackouts, the strategic destruction of a number of critical high-voltage transformers 15 National Academy of Sciences, Terrorism and the Electric Power Delivery System, 2012, 16 Ibid, page 1. 17 Ibid, page 2. 18 University of Cambridge Centre for Risk Studies and Lloyds of London, Business Blackout, The insurance implications of a cyber attack on the US Power Grid, 2015, 20150708.pdf. 19 Rebecca Smith, Assault on California Power Station Raises Alarm on Potential for Terrorism, Wall Street Journal, February 5, 2014, CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 4 could cause long-lasting power outages. These transformers are very large, and difficult to move. A large scale attack may use up the limited inventory of spare units,20 and it may take months or even years to build new units. The availability of other large components, such as high-voltage circuit breakers could also hamper recovery efforts.21 Industry and Government Coordination on Recovery Efforts The electric utility industry generally prepares for power outages from weather-related events, and views the potential for a major cybersecurity attack or similar event as a low probability risk. As such, the industry seeks to balance grid security efforts and expenditures with the perceived risks. In the event of a large power outage, electric utilities often call upon other utilities via their mutual assistance agreements22 (MAAs) to help restore services. MAAs can help to reduce the duration of weather-related outages by bringing in outside resources to aid the recovery effort. If an event is severe enough to be a federally-declared disaster,23 the Department of Homeland Security’s (DHS’s) Federal Emergency Management Agency (FEMA) is empowered to provide federal assistance. FEMA’s mission is to reduce the loss of life and property and protect communities nationwide from all hazards, including natural disasters, acts of terrorism, and other man-made disasters. FEMA leads and supports the nation in a risk-based, comprehensive emergency management system of preparedness, protection, response, recovery and mitigation.24 FEMA can provide financial assistance to electric utilities to aid in disaster recovery efforts. In general, FEMA will determine a utility’s eligibility, and “will cover at least 75 percent of the repair, restoration or replacement costs for infrastructure owned by eligible applicants.”25 The electric power industry also works with the Departments of Energy and Homeland Security on a number of cyber and physical security initiatives.26 The Electricity Sub-Sector Coordinating Council 20 The electric power industry has several programs for participating companies to share spare transformer equipment. For example, “[the Edison Electric Institute’s Spare Transformer Equipment Program] requires participating utilities to maintain (or acquire) a specific number of transformers up to 500 kV to be made available to other utilities in case of a critical substation failure. Sharing of transformers is mandatory based on a binding contract subject to a ‘triggering event’—a coordinated act of deliberate, documented terrorism resulting in the destruction or disabling of a transmission substation and the declaration of a state of emergency by the President...[and in] 2012, NERC initiated its Spare Equipment Database program intended to serve as a tool to ‘facilitate timely communications between those needing long-lead time equipment damaged in a [high impact, low frequency] event and those equipment owners who may be able to share existing equipment being held as spares by their organization.’” See CRS Report R43604, Physical Security of the U.S. Power Grid: High-Voltage Transformer Substations, by Paul W. Parfomak. 21 NAS. 22 Edison Electric Institute, Understanding the Electric Power Industry’s Response and Restoration Process, May 2014, 23 “[The] Robert T. Stafford Disaster Relief and Emergency Assistance Act, Public Law 100-707, signed into law November 23, 1988; amended the Disaster Relief Act of 1974, Public Law 93-288. It created the system in place today by which a presidential disaster declaration of an emergency triggers financial and physical assistance through the Federal Emergency Management Agency (FEMA). The Act gives FEMA the responsibility for coordinating government-wide relief efforts.” See 24 Federal Emergency Management Agency, FEMA, FEMA B-653, July 2008, 25 Edison Electric Institute, Federal Disaster Assistance and Utilities, 2014, 26 See CIBS, page 16. CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 5 (ESCC) is the principal liaison between the federal government and the electric power sector. It represents the electricity sub-sector (as part of the Energy Critical Infrastructure sector)27 under DHS’s National Infrastructure Protection Plan (NIPP).28 The ESCC draws its membership from all segments of the electric utility industry, and is led by three chief executive officers – one each from the American Public Power Association, the Edison Electric Institute, and the National Rural Electric Cooperative Association.29 Among its activities, the ESCC coordinates industry and government efforts on grid security, guides infrastructure investments and R&D for critical infrastructure protection, seeks to improve threat information sharing and processes with public- and private-sector stakeholders, and coordinates cross sector activities with other critical infrastructure sectors. The bulk electric power system has mandatory and enforceable standards for cybersecurity. The Energy Policy Act of 2005 (EPACT) (P.L. 109-58) gave the Federal Energy Regulatory Commission authority over the reliability of the grid, with the power to approve mandatory cybersecurity standards proposed by the Electric Reliability Organization (ERO). Currently, the North American Electric Reliability Corporation (NERC) serves as the ERO. NERC therefore proposes reliability standards for critical infrastructure protection (CIP) which are updated considering the status of reliability and cybersecurity concerns for the grid. FERC recently added mandatory and enforceable physical security requirements to its critical infrastructure protection standards.30 The electric utility industry also conducts a biennial grid security and emergency response exercise (GridEx) in which electric power and other stakeholders respond to simulated cyber and physical attacks. The most recent exercise, GridEx III took place on November 18-19, 2015, and involved 364 organizations from across North America.31 In the event of a wide-scale power outage caused by a major attack or a disaster, electric utility efforts to restore power would likely have to be augmented by state and federal resources. Given the potential for damage to the nation’s economy from a major attack on the grid, some might suggest a greater focus on recovery is needed and should become as much a part of a grid security strategy as the efforts to secure the system. NERC has essentially agreed, saying in its GridEx III report that severe emergency situations may require greater coordination with states and the federal government to identify physical risks to 27 The Energy Critical Infrastructure sector includes the electricity, petroleum, and natural gas subsectors. Department of Homeland Security, Critical Infrastructure Sectors, 2015, 28 Department of Homeland Security, National Infrastructure Protection Plan, October 27, 2015, 29 Edison Electric Institute, Electric Subsector Coordinating Council, March 2015, 30 However, these rules largely do not apply to distribution system utilities which are subject to mostly state regulation. FERC Order No. 773 establishes a “bright-line” threshold essentially considering all transmission facilities and related facilities operating at 100 kilovolts or above to be part of the bulk electric power system. As such, these facilities are subject to the applicable NERC reliability standards. 31 “The electricity industry participants included chief executives from investor and publicly owned utilities, cooperatives, and independent system operators from the U.S. and Canada. The U.S. federal and state governments were represented by senior officials from various departments and agencies. In addition, approximately 70 individuals associated with the participants attended the tabletop as observers to provide feedback.” Observers included the White House; National Security Council; Department of Energy; Department of Homeland Security, including Federal Emergency Management Agency; Department of Defense, including U.S. Cyber Command, U.S. Northern Command, North American Aerospace Defense Command; National Security Agency; Federal Bureau of Investigation; and the National Guard. North American Electric Reliability Corporation, Grid Security Exercise - GridEx III, March 2016, (Hereinafter, GridExIII). CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 6 electricity facilities, and to identify cyber risks in addressing malware on control systems before recovery efforts could begin.32 Congress included provisions to give the U.S. Department of Energy (DOE) new authority to order electric utilities and NERC to implement emergency security actions in the “Fixing America’s Surface Transportation Act” (FAST; P.L. 114-94).33 DOE is designated as the lead sector specific agency for cybersecurity for the Energy sector.34 Section 61004 of FAST also requires DOE (in consultation with FERC, NERC, and electrical infrastructure operators) to develop a plan for storing spare large power transformers and emergency mobile substations which can be quickly deployed to replace damaged large power transformers and substations which serve grid-critical functions.35 Areas for Further Congressional Consideration In any discussion of extended power outages, two prominent themes emerge—preparation and recovery. If utilities are aware of an impending storm or weather-related event which may cause outages, they are expected to make preparations for restoration of services in as timely a manner as possible. Recovery from any such event will depend on the severity of the storm and the resulting damage. Recovery can be hastened, and the amount of damage to electric power infrastructure can be minimized, if good maintenance, restoration, organization, and communications strategies are followed on an ongoing basis. However, a coordinated, major cyber and physical attack on the electric grid would severely test the ability of the nation to recover, especially as plans for such a recovery are currently in progress. The electric utility industry generally bases its response to the potential for such events based on the perceived risks. The industry relies on the federal government to share relevant, real-time intelligence on risks from terrorism or cybersecurity threats, communicating the quality of threat information in a timely manner so it can respond appropriately. Improvements in threat/risk assessment would aid this process. A focus on recovery would have to consider the mutual dependence and implications to other critical infrastructure (especially communications systems)36 of an electric grid failure, and how quickly such impacts could proliferate if not planned for in advance. Congress may consider how the grid of the future will address cyber and physical security concerns, as more distributed generation is incorporated. The U.S. electric grid is evolving. Incorporating elements to increase system resiliency as it develops will aid in reducing the vulnerability of the system. NERC itself concluded in its report on GridEx III that, after a major grid disruption, restarting generation and energizing transmission and distribution systems would be a first priority. Restoring service to communications systems, oil and gas, water supply/treatment and hospital customers would be a secondary priority. Electric power systems may be operating at reduced levels of service and reliability 32 Ibid. Page 15. Section 61003 of FAST creates a new section 215A of the Federal Power Act, that following a written determination by the President, authorizes DOE to order utilities, the North American Electric Reliability Corporation (NERC), and Regional Entities to implement emergency security measures for up to 15 days at a time. 34 The energy sector is one of 16 critical infrastructure sectors identified in Presidential Policy Directive-21 (PPD-21), Critical Infrastructure Security and Resilience. Sector specific agencies are designated with specialized expertise in those critical infrastructure sectors that are tasked with various roles and responsibilities for their respective sectors, as specified in PPD-21 (i.e., development of sector-specific plans, coordination with the Department of Homeland Security, and incident management responsibilities). 35 Paul Parfomak, Electric Grid Physical Security: Recent Legislation, CRS Insight IN10425, 2016. 36 “[PPD-21] identifies energy and communications systems as uniquely critical due to the enabling functions they provide across all critical infrastructure sectors.” The White House, Presidential Policy Directive—Critical Infrastructure Security and Resilience, Presidential Policy Directive / PPD-21, February 12, 2013, 33 CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 7 for an extended period at such a time. Congress may consider how planning for subsequent restoration of services would proceed to ensure that all civilian communities are kept informed, and treated as equitably as possible in disaster recovery efforts. Disclaimer This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material. CRS TESTIMONY Prepared for Congress ————————————————————————————————— TE10008