Securing the Grid Against More Than the Cyberthreat

On Capitol Hill, there are indications that Congress will take another crack at passing cybersecurity legislation in the next couple of months, with the Senate expected to take up legislation to be offered by the Senate Intelligence Committee—legislation that would facilitate cybersecurity information sharing between the intelligence community and private sector.

Tackling the cyberthreat will go a long way toward protecting our critical infrastructure, including arguably the most critical piece of that infrastructure: the electric grid that powers our way of life. While addressing the cyberthreat, however, we cannot afford to let our guard down on other equally present—and perhaps even more catastrophic—threats to the grid that have yet to receive the same level of badly needed attention.

To be sure, the cyberthreat to our electric grid is real and growing. Late last year, Adm. Michael Rogers, head of both the National Security Agency and U.S. Cyber Command, warned that China, and possibly other countries, have the ability to shut down the U.S. electric grid with a cyberattack. Recently, the Office of the Director of National Intelligence (ODNI) issued its report indicating that cyberattacks are the greatest danger to U.S. national security, noting for example that “Russian cyberactors” are developing the ability to infiltrate electric power grids and other critical infrastructure components. Notably, the ODNI has concluded for now that a single catastrophic cyberattack on our critical infrastructure is less likely than “a series of low-to-moderate level cyberattacks from a variety of sources over time, which will impose cumulative costs on U.S. economic competitiveness and national security.”

A threat that does have the capacity to produce catastrophic results for our electric grid in a single instance is that of an electromagnetic pulse (EMP) attack. As the federal government has acknowledged, our electrical grid is vulnerable to an EMP attack from a nuclear device delivered by a ballistic missile detonated outside the atmosphere, which would release immense levels of electromagnetic energy that would take down our grid for an extended period. There are indications that China and Russia already have such a capability, and North Korea is likely not far behind.

A similar effect can be produced in nature by major solar flaring, or geomagnetic disturbances (GMD); we narrowly missed being hit by a solar storm in 2012 that could have had catastrophic consequences for our grid, and scientists put the likelihood of such an event hitting earth at 12 percent over the next decade (about the same chance of a major earthquake striking California).

But worryingly, the electric grid remains highly vulnerable to even low-tech physical assaults that can cause widespread power failure. In April 2013, a group of individuals came very close to causing a major blackout in Silicon Valley when they broke into a PG&E substation near San Jose, Calif., and after cutting several underground fiber-optic cables, opened fire with high-powered rifles on 17 high-voltage transformers. Described at the time as an act of “vandalism,” almost a year later, the former chairman of the Federal Energy Regulatory Commission (FERC) referred to it the incident as “the most significant incident of domestic terrorism involving the grid that has ever occurred,” although none of the assailants ever have been arrested or even identified.

Almost a year after the PG&E attack, police discovered a makeshift incendiary device placed next to a 50,000-gallon diesel tank at a power station in Nogales, Ariz. Though authorities at the time said that those responsible did not realize that a diesel tank would be difficult to ignite, there was acknowledgement that the would-be attackers had “working knowledge” of the tank, and that 30,000 customers would have been affected had there been an explosion. Again, no suspects have been identified or apprehended thus far.

Increasingly, policymakers are beginning to recognize that a cyberattack is not the only threat to the grid. Rep. Trent Franks, R-Ariz., recently reintroduced the Critical Infrastructure Protection Act (CIPA), focused on ensuring that the Department of Homeland Security is factoring EMP and GMD events into its threat assessments with respect to U.S. electrical infrastructure. Passed unanimously by the House in the last Congress, CIPA tackles a critical component of what ought to be an all-hazards approach to hardening our electric grid against a range of threats.

The electric grid is seriously vulnerable, but not just to hackers. Our approach to securing this most critical of our critical infrastructure should flow from that understanding.