Malicious Attacks on Electric Grid Facilities Over-Reported


By Llewellyn Hinkes-Jones

The incidence of sabotage and vandalism to the U.S. electric grid might be less severe than data reported to the federal government suggest, a Bloomberg BNA data analysis shows.

A high-profile attack on the Metcalf substation in San Jose, Calif., during an upswing in reported attacks to the Department of Energy in the last seven years led to new Federal Energy Regulatory Commission security regulations for electric grid facilities as well as various proposals in Congress to prevent future attacks.

But cases of sabotage and vandalism may have been over-reported to the Energy Department because the reporting requirement was unclear. Many of these reports simply involved petty theft, and few led to any loss of power. The potential over-reporting calls into question whether the risk of a physical attack was overestimated as members of President Donald Trump’s Cabinet raise alarms about grid reliability.

An April memo from Energy Secretary Rick Perry called for a study of grid reliability related to energy subsidies. And Environmental Protection Agency Administrator Scott Pruitt recently warned in a TV interview June 6 that the draw-down on coal is making the energy grid more vulnerable to infrastructure attacks. The EPA did not respond to requests to clarify how diminishing fuel diversity might lead to an attack on infrastructure.

Separate data compiled by the North American Electric Reliability Corporation (NERC) list fewer incidents of malicious acts than cases of overgrown vegetation, and malicious acts were ranked the lowest in terms of outage risk.

Flood of Reported Attacks

Bloomberg BNA analyzed data from the Energy Department’s OE-417 forms for Electric Disturbance Events, which go back to 2002, as well as numbers on outage causes published in NERC’s State of Reliability reports.

According to Energy Department regulations, OE-417 reporting is mandatory for any electrical incident that crosses reporting thresholds. FERC regulations require reporting of all non-recovery and disturbance control events to NERC.

The Energy Department forms classified as malicious acts were those that contained the words “sabotage” or “vandalism” as their event type. NERC classified malicious acts in a similar manner.

In 2010, the Energy Department changed its reporting requirements for Form OE-417 to add a secondary category for vandalism. The new category included lower-threshold events such as cutting of locks and fences.

As a result of the change, there were 116 incidents listed as a variation of sabotage or vandalism in 2011 alone and between 40 and 90 each year since.

Yet only 20 of those malicious events since 2011 led to any demand loss to customers. Prior to 2011, there were only two incidents in the DOE data in total.

Some of the incidents in the period since 2011 were high-profile. One was a 2013 arson attack on Arkansas electrical facilities. Another involved individuals using high-powered rifles to damage transformers in 2013 at Pacific Gas and Electric Co.'s Metcalf Transmission Substation near San Jose, which supplies power to Silicon Valley.

The Arkansas attacks were eventually tied to a single individual who was sentenced to 15 years in prison in 2015.

No suspects or motives were ever identified in the Metcalf attack. Power was maintained, but the incident prompted industry critics and lawmakers to call for tougher standards.

FERC and NERC developed new standards in 2014 that would require physical security for critical facilities. Owner-operators within the bulk power system must identify critical facilities that could be at risk, evaluate any potential threats, and implement security plans.

Physical Security vs. Cybersecurity

Gavin Bade, editor at Utility Dive, an electricity sector trade publication, told Bloomberg BNA that “security is already paramount” in the industry, whether or not the incidents are common.

“The numbers won’t decrease their priorities,” he said by phone.

A 2017 report from Industry Dive, the publisher of Utility Dive, listed security issues as dominating the concerns of utility operators.

Mike Hyland, senior vice president of engineering at the American Public Power Association, told Bloomberg BNA that the industry has moved from a culture of reliability to a culture of safety in the 1960s and ’70s, to the current focus on security.

Jessica Matlock, director of government and external affairs with the Snohomish County Public Utility District in Washington state, told Bloomberg BNA that they are hardening their security regardless of the underlying motivation.

Bade added that cybersecurity is probably driving the conversation. “It’s something that utility operators don’t totally understand all of the risks for,” he added.

NERC’s State of Reliability report for 2016 lists an increasing number of cybersecurity events, but none that resulted in loss of load.

Energy Department data lists about 20 cybersecurity attacks or events since 2003, but so far there have yet to be any cybersecurity attacks leading to a power outage in the U.S.

In December 2016, malicious software was found on a laptop at a Vermont electric utility. But the risks were downgraded after reports that the laptop was not connected to the power grid at the time. A 2015 cyberattack took down a quarter of Ukraine’s electric grid.

Prajit Ghosh, head of power and renewables research for the Americas at the risk analysis firm Wood Mackenzie, told Bloomberg BNA that a smart electric grid—one that is more connected and has more access points for various generation sources and sensors across the whole transmission system—could add reliability and security to the system, but it also complicates the picture.

“More access points opens up the potential for more hacks into the grid at critical points,” he added. “It comes with a lot of baggage.”

Hyland said that electric utilities see the benefits to a digital overlay for control and reporting, but it adds a new threat vector into the mix.

“There needs to be air-gaps in the system to keep supervisory control and data acquisition (SCADA) systems separate from email systems and the outside world,” he added.

Difference from NERC Standards

Martin Coyne, a communication director with NERC, told Bloomberg BNA that NERC requirements differ from those of the Energy Department. He declined to comment further.

A Bloomberg BNA analysis of their requirements shows that NERC has no category for lower-level vandalism, and the organization avoids any description of events as “sabotage” since such a determination is difficult to make without the expertise of law enforcement officials.

Data from NERC show fewer than 10 malicious incidents of sabotage or vandalism per year since 2009, with vegetation overgrowth being a larger cause of concern. Just one malicious event was recorded in 2015. Weather-related incidents, particularly lightning, remain the largest cause of major outages, according to both DOE and NERC data sets, with human error, failed equipment, and excess load further behind.

A representative for FERC and the FBI declined to comment on the data for this story. A representative from DOE did not respond to a request for comment.

The Metcalf attack and a general heightened focus on grid security prompted the creation of a 2015 Congressional Research Service report on the risks of a coordinated attack on multiple high-voltage transformer units.

According to the report, such an attack could have catastrophic consequences, but has yet to occur. Otherwise, vandals and careless hunters are the most common cause of malicious attacks.

Washington State Copper Thefts

The Energy Department’s numbers show that a large portion of physical attacks—deliberate attacks or sabotage that disrupt system operations or had the intent to harm the national security of the United States, according to the DOE—took place in Washington state (15 percent) with many of them occurring at the Commonwealth Edison Collins substation near Tacoma, Wash.

But Detective Ed Troyer with the Pierce County Sheriff’s department, whose jurisdiction contains the Collins substation, told Bloomberg BNA that all criminal incidents at the facility were related to copper theft to sell at scrap metal yards, something that was common during the methamphetamine epidemic in the state.

Troyer added that there hasn’t been a report at the location since, potentially due to stricter enforcement of scrap metal recycling and the methamphetamine trade plus increased security at the facility.

Christine Gleason, a spokeswoman with Tacoma Power—the utility that oversees the Collins substation—told Bloomberg BNA that they may have been over-reporting because the original Energy Department reporting language was fairly ambiguous.

“We took a very conservative approach and filled out reports for every instance of cut or stolen ground wires,” she said. She added that the utility has been reporting less since the language was clarified.

To contact the reporter on this story: Llewellyn Hinkes-Jones in Washington at

To contact the editor responsible for this story: Paul Hendrie at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
