Are current security standards enough to protect power grid?
(NewsNation) — As officials continue to investigate a “targeted attack” at two Duke Energy stations in Moore County, North Carolina, many are wondering if enough is being done to protect the nation’s power grid.
The latest incident comes more than seven years after federal regulators approved minimum physical security standards for critical power stations, but experts say those conditions fell short.
“They’re simply very vague requirements,” said Jon Wellinghoff, the former head of the Federal Energy Regulatory Commission (FERC), which regulates the interstate transmission of electricity in the United States.
In April 2013, gunmen in Coyote, California, shot at 17 electrical transformers causing $15 million worth of damage. The attackers were never found, but the incident exposed a significant vulnerability in the nation’s power infrastructure.
In response, federal regulators established mandatory physical security standards in 2015. The directive required power operators to identify “critical facilities” and then develop and implement security plans to protect those facilities.
But those standards were not prescriptive and gave utility companies considerable discretion when it came to how and when they chose to secure those facilities.
Welinghoff said the recent attack in North Carolina — which left nearly 45,000 without power — appears to be a copycat of the 2013 incident in California.
“Apparently these people looked that up, determined exactly what they needed to do and went and did it,” he said.
A 2018 congressional report analyzed the impact of the 2015 security standards and determined that, while many of the requirements had been implemented, they likely fell short of what was needed.
“Although it is probably accurate to conclude that … the U.S. electric grid is more physically secure than it was five years ago, it has not necessarily reached the level of physical security needed based on the sector’s own assessments of risk,” the report found.
The report concluded that levels of physical security continued to vary widely across the electricity sector and remained “a work in progress.”
Other industry experts NewsNation spoke to echoed calls for enhanced security.
“The power companies need to be more active on the physical security side,” said Todd Keil, an associate managing director for security risk management at Kroll, who previously worked with the U.S. Department of Homeland Security (DHS).
Since the California attack, the Pacific Gas and Electric Company (PG&E) has spent $300 million on security upgrades at its facilities, the company told NewsNation. Those changes included additional lighting, cameras and walls around critical equipment.
Duke Energy continues to investigate in North Carolina and has said it plans to invest billions in upgrades that include enhanced security measures over the next decade.
Since the most recent attack, NewsNation’s reporting has revealed numerous potential vulnerabilities related to the nation’s power infrastructure. We uncovered just how easy it is to find the exact location of nearly 80,000 substations across North America — a map federal authorities believe was shared among white supremacists online.
When asked whether the physical security requirements need to be updated in response to the evolving threats, FERC said, in part: “The security and reliability of the nation’s electric grid remain our top priorities.”