(John Kemp is a Reuters market analyst. The views expressed are his own)
By John Kemp
LONDON, Feb 17 (Reuters) - "We are concerned that voluntary measures may not be sufficient to constitute a reasonable response to the risk of physical attack on the electricity system," four senior U.S. senators wrote in a letter to regulators this month.
The letter was prompted by a Wall Street Journal investigation into a night-time sniper attack in April 2013 on the Metcalf substation in southern California which threatened to blackout power to thousands of homes ("Assault on California power station raises alarm on potential for terrorism", Feb. 4).
"Last year's sophisticated attack on the Metcalf substation in California's Silicon Valley was a wake-up call to the risk of physical attacks on the grid," Senate Majority Leader Harry Reid and his co-authors warned.
"This incident came uncomfortably close to causing a shutdown of a critical substation which could have resulted in a massive blackout in California and elsewhere in the West."
On April 16, 2013, communications were cut at a nearby underground vault and then one or more snipers proceeded to fire at the oil-filled cooling systems on the substation's transformers. As oil drained out, 17 transformers overheated and failed.
In total, the attack lasted almost an hour. It appears to have been sophisticated and well-planned - a surgical strike showing considerable knowledge of how substations work and their vulnerabilities.
More than 100 shell casings of the sort ejected by AK-47 assault rifles were found at the scene, the Journal said.
No one has been arrested or charged. Until the Journal story appeared, discussions about Metcalf had mostly occurred behind closed doors to avoid encouraging copycat actions.
Since Sept. 11, 2001, most attention has focused on cyber threats. But the Metcalf incident has dramatised the risks from physical sabotage, terrorism and criminal damage to the nation's transmission network.
CRIME, TERRORISM, SABOTAGE
Attacks on high-voltage transmission networks are not new.
Physical damage to electricity infrastructure has been a favourite weapon for militants, rebels, freedom fighters and coup plotters in many countries - including Chile, Ireland, South Africa, El Salvador and Iraq - usually involving cutting power lines or blowing them up.
But attacks on the grid have also been surprisingly common in the United States. Writing back in 1982, Amory and Hunter Lovins chronicled numerous deliberate attacks during the 1970s ("Brittle power: energy strategy for national security").
"In 1970, the key Pacific Intertie suffered at least three attacks near Lovelock, Nevada," the Lovinses wrote.
"Fourteen towers in the rugged forests of Oregon were bombed and at least six toppled in 1974 by two extortionists threatening to black out Portland unless they were paid a million dollars. Pipe bombs caused minor damage at six California towers in a single night in 1975."
In 1979-80, "bolt weevils" caused $7 million of damage to power lines in Minnesota, and snipers took pot shots at more than 8,000 glass insulators.
While most of these attacks were seen as criminal in nature at the time, many of them would now be prosecuted under definitions of terrorist activity set out in the U.S. Code (18 USC 2331 and 2332).
REGIONAL BLACKOUT RISK
Policymakers fear an attack on one or more substations or transmission lines could produce cascading power failures that would cut power supplies to a city or even a region for hours or days at a time.
In August 2003, overgrown trees came into contact with several power lines in Ohio, triggering a power failure that ultimately cut electricity to 50 million people across the Northeast United States and neighbouring parts of Canada. More than 500 power plants, including 10 nuclear generating stations, were shut down. Power was not restored for up to four days in some cases.
Experts fear sabotage, terrorism or criminal activity aimed at part of the grid could produce a similarly devastating cascade, either intentionally or inadvertently.
"A relatively small group of dedicated, knowledgeable individuals ... could bring down [the power grid supplying] almost any section of the country" or could black out a widespread network if more widely coordinated, the U.S. Department of Interior warned the Joint Committee on Defense Production of the U.S. Congress in 1977.
PROTECTING THE GRID
The grid is impossible to defend against physical threats. There are more than 200,000 miles of high voltage transmission lines (rated at 230,000 volts or higher) and more than 55,000 substations (rated at or above 100,000 volts), according to the Edison Electric Institute (EEI) and North American Electric Reliability Corporation (NERC).
Many of these assets are in remote, rural areas. "Not all those assets can be 100 percent protected against all threats," NERC wrote in its reply to the senators.
As with other forms of terrorism and organised crime, the most effective solution is pro-active intelligence gathering and law enforcement activity to prevent, disrupt and deter attacks on the electric grid before they can take place.
But the way the grid itself is managed can contribute to stability and help minimise disruption in the event of a physical attack.
Critical components of the network - power plants, transmission lines and transformers - can fail for many reasons, not just physical attack.
"The central organising principle of electricity reliability management is to plan for the unexpected," according to the expert report on the 2003 blackouts written for the U.S. and Canadian governments.
"Through years of experience, the industry has developed a network of defensive strategies for maintaining reliability based on the assumption that equipment can and will fail unexpectedly upon occasion," the report explained.
"The system must be operated at all times to ensure that it will remain in a secure condition following the loss of the most important generator or transmission facility (a 'worst single contingency'). This is called the N-1 criterion," it added.
"Because a generator or line trip can occur at any time from random failure, the power system must be operated in a preventive mode so that the loss of the most important generator or transmission facility does not jeopardize the remaining facilities in the system."
CONTROL-ROOM DISCIPLINE
The bulk power system is operated with plenty of redundancy so no single asset is critical to the wider operation of the network.
If an event occurs that means the grid is no longer N-1 stable, control-room staff must immediately call up extra generation, reduce demand or start disconnecting customers to return it to an N-1 state as quickly as possible, and in any event within 30 minutes.
In some particularly vulnerable areas, regulations require the grid to be operated in an N-2 condition, able to withstand the simultaneous loss of the two largest transmission or generation assets.
It was various computer system and control room failures which led to the violation of the N-1 criterion and the August 2003 cascade.
At Metcalf, however, the system seems to have worked. According to the Wall Street Journal: "To avoid a blackout, electric-grid officials rerouted power around the site and asked power plants in Silicon Valley to produce more electricity."
It is not possible to prevent the grid from being physically attacked by terrorists, foreign agents, criminals or protesters. There are simply too many assets, many of them in relatively isolated rural locations.
But it is possible to ensure that damage remains localised and does not affect a wider area. Proper control room procedures and situational awareness by grid operators are essential.
The same technology investments and strict grid control discipline which can prevent a recurrence of the 2003 blackout can also limit, though not eliminate, the threat from physical attacks on the grid.
Significant investments have been made in communications and data-processing technology in response to the 2003 blackout, and as part of the transition to the "smart grid" of the future, which should cut the risk of a cascading failure.
In the end, it is not possible to prevent a determined criminal, terrorist or foreign agent from cutting power supplies to at least some homes and businesses or a small town. Bolt cutters or a rifle are all that is needed.
But in a well-managed grid no attack should be able to cause cascading power failures. (Editing by David Evans)
Our Standards: The Thomson Reuters Trust Principles.
