The revelation this week that a group of people attacked a power station in California last spring is forcing a reassessment of what may be the most frightening threat to the nation’s electricity grid. Before the news broke, most utility executives were worried about cyberattacks. But the Wall Street Journal reported Tuesday that the attack on the Metcalf power station near San Jose in April was much more conventional:
Within half an hour, snipers opened fire on a nearby electrical substation. Shooting for 19 minutes, they surgically knocked out 17 giant transformers that funnel power to Silicon Valley. A minute before a police car arrived, the shooters disappeared into the night.
Jon Wellinghoff, who was chairman of the Federal Energy Regulatory Commission at the time of the attack, believes the United States must do more to protect this critical infrastructure or risk a more serious blow to the electricity grid that could damage the economy for months. Wellinghoff, who is now a partner at the law firm Stoel Rives, talked to The Washington Post and elaborated on his comments to the Journal.
Steven Mufson: How serious was this incident?
Jon Wellinghoff: This was a very well-planned, coordinated, very well executed major physical attack on an important part of our electric grid infrastructure. Why? No one knows. And there’s no evidence but for [rounds] from an AK-47-type rifle picked up with no fingerprints and no DNA. It had to be a group of individuals, highly trained and motivated to aggressively attack a critical piece of our electricity infrastructure. Whatever you call it, it is important to understand that our physical infrastructure has this vulnerability, and this vulnerability needs to be addressed.
SM: Isn’t it difficult to protect our vast electricity infrastructure?
JW: We can prioritize by looking at the most critical interconnects. FERC had done this to look at priority substations and look at the ones that are most critical. We don’t have to look at the thousands of little ones. Let’s start looking at the ones that if a coordinated attack were successful it could take out the entire network.
SM: How many critical ones are there? Hundreds? Thousands?
JW: It’s easily feasible. It’s less than 100. It’s not thousands.
SM: Generally when people talk about grid security they talk about cybersecurity?
JW: This side of it -- the physical side -- is much more critical. It can cause much more damage with a lot less sophisticated equipment than can be done with cyber. Yes, you could sit with a laptop in an East bloc country, but the level of sophistication needed to have a widespread outage occur and have one that would be persistent over a substantial period of time is more difficult with cyber. If you supplement it with bullets and deer rifle rounds, you could put these transformers out for six months or more… then an entire interconnect would be out of power for that period of time. That’s what caused us to be so concerned. We had been studying this prior to the event.
SM: I get the sense that you believe that the Department of Homeland Security was not alarmed enough about this?
JW: I can only refer to the spokesman from Homeland Security who said that it was the utilities’ responsibility to protect their infrastructure. I think it’s a national responsibility because there are national impacts to the grid going out for six months.
SM: Is there any special reason to worry about nuclear facilities?
JW: That’s not really the issue. The Nuclear Regulatory Commission has the authority to order [reactor] owners to undertake very specific security measures. Each reactor has at least 10 guards with automatic weapons. High-voltage substations, even those most critical, have no guards, armed or unarmed, and are only guarded by a chain link fence.
SM: What next?
JW: There needs to be follow-up in Congress and the agencies… We need to give an agency the ability to give a mitigation plan and act on that plan to give owners of infrastructure the requirement to do something. Right now, there is no federal agency that has that authority. With the exception of the NRC and nuclear power plants, there is nobody who can tell a privately owned investor-owned utility, 'Here are security measures, and you must do this.'