(Corrects date to 2001 from 2011 in paragraph 35)
By John Kemp
LONDON, March 10 (Reuters) - Owners and operators of high-voltage transmission lines and substations must identify critical facilities and implement a security plan to protect them from physical attack, the U.S. Federal Energy Regulatory Commission (FERC) ordered on Friday.
The instruction comes in response to a recent investigation by the Wall Street Journal into a sniper attack on the Metcalf substation near San Jose in California in April 2013. ("Assault on California power station raises alarm on potential for terrorism" Feb. 4)
That prompted a group of senior senators last month to write to FERC asking the Commission to consider whether additional reliability standards are necessary to protect the grid from physical attacks.
FERC has reacted by ordering the National American Electric Reliability Corporation (NERC) and its members to submit a new standard for approval within 90 days.
The Journal investigation highlighted the risk posed by attacks on the high-voltage transformers at main substations such as Metcalf.
The industry keeps few spares, and damaged transformers could take many months to replace owing to limited manufacturing capacity. ("Transformers expose limits of securing the power grid" March 4)
But journalists, politicians and regulators are probably focusing on the wrong threat, forcing the industry to divert precious resources away from dealing with more serious problems, such as a big geomagnetic storm.
According to FERC, critical facilities are those which if damaged or taken out of action could have a wider impact on the grid including "instability, uncontrolled separation or cascading failures".
Blowing up one or even a couple of main substations should not cause major blackouts provided that proper grid operation discipline is maintained.
By and large, the grid is designed and operated to handle the loss of a major power plant or even a major transmission line or substation, the "N-1" criterion, without loss of stability.
Power can be routed around the affected nodes because of the huge amount of redundancy built into the grid's physical architecture and operations protocols.
The idea that a lone sniper or even a small group of them could black out a sizeable portion of a state or even the country is a far-fetched fantasy.
At Metcalf, power was immediately routed around the affected substation, and grid controllers called on reserve generation to keep power flowing to customers in the affected area. The incident showed that the grid's operational plan worked exactly as intended.
The fear seems to be that a malicious attack could trigger a cascading failure over a large area similar to the August 2003 blackout.
That terrible event cut power to 50 million people in the Northeast, Midwest and neighbouring parts of Canada in a matter of minutes and left some without power for up to four days.
The blackout stemmed from overgrown trees coming into contact with a handful of high-voltage lines in the Cleveland-Akron area of Ohio.
A small local problem became a region-wide crisis because of computer failures and errors by control room staff, which led to serious violations of grid discipline and N-1 preparedness.
As a result, the control room was not aware of the mounting dangers until it was too late to do anything about them.
Since the outage, all transmission companies have been required to tighten up their plans for managing vegetation.
But the most important improvements concern better training and systems for control-room staff to improve "situational awareness" and reinforce operational discipline.
With proper discipline, it is extremely unlikely an attack on one or even a couple of major substations such as Metcalf could produce cascading power failures or widespread instability.
Even if one or two major substations are rendered inoperable, the industry carries sufficient spares to repair or replace them.
Limited stocks of high-voltage transformers and other critical equipment are kept in readiness by utilities and transmission operators to deal with the aftermath of hurricanes and can be shared through an industry-wide mutual aid system.
The real risk would come from an incident that caused damage to a dozen or more hard-to-replace transformers or transmission lines simultaneously.
If dozens of transformers went down at the same time, the lights would certainly go off. Nuclear power plants as well as coal and gas-fired generating stations would go into automatic shutdown in response to the loss of load to protect vulnerable equipment.
Power lines and substations would be disconnected by protective relays to prevent them being damaged by power surges. Electricity supplies to some customers could remain cut off for weeks or even months as replacement transformers are obtained from abroad.
Such a scenario is hard to imagine in the context of ordinary criminal activity. It would require a conspiracy on a vast scale, for which the best preparation is intelligence by the National Security Agency and Federal Bureau of Investigation.
But this is precisely what would happen in the result of a large geomagnetic storm, an electromagnetic pulse (EMP) from the air-burst detonation of a nuclear weapon, or a cyber-attack by a hostile power or a terrorist organisation.
Of those dangers, a big geomagnetic storm is certain to occur one day, though they remain rare. The precise amount of damage it would cause is a matter of controversy.
According to the U.S. government's Oak Ridge National Laboratory, a big geomagnetic storm or a burst of EMP could certainly take out dozens of high-voltage transformers and leave millions of customers without power for months. ("Electromagnetic pulse: effects on the U.S. power grid" 2010)
To his credit, one member of FERC grasped the problem. In a gentle concurrence issued on March 7, Commissioner John Norris explained his reservations.
"I remain concerned that our recent efforts ... have focused too narrowly on the need to bolster the physical security of our electric grid," Norris worried. "But I also think it is important that we continue to equally focus our efforts and our resources on other threats to our nation's grid, including cyber threats, geomagnetic disturbances, electromagnetic pulses and natural disasters."
He went on: "It appears to me that many people ... have rushed to address the need for physical security solely in response to the Metcalf incident ... But it has been well understood for decades that our nation's grid has been vulnerable to physical attack. We simply cannot erect enough barriers to protect North America's over 400,000 miles of circuit transmission and 55,000 transmission substations."
Norris expressed concern that billions of dollars would be spent, with the cost passed on to customers, on erecting physical barriers while other more serious threats go unaddressed. Investments in better communications and control equipment to make the grid smarter, more responsive and more resilient would provide much greater security.
Grid companies have already spent an enormous amount of time and money considering physical and other threats to the grid since the 2003 blackout and the 2001 attack on the World Trade Center.
NERC's Critical Infrastructure Protection Committee has issued a 77-part set of guidelines for protecting the grid against physical threats, in conjunction with the U.S. Department of Homeland Security, the National Terrorism Advisory System and the Electricity Sector Information Sharing and Analysis Center (ES-ISAC).
The latest version of the guidelines was approved by NERC's Critical Infrastructure Protection Committee in October 2013.
But in Washington, politicians must be seen to do something. So FERC has ordered NERC to produce yet another set of paperwork.
In its order, FERC acknowledged "the number of facilities identified as critical will be relatively small". Many substations will not be deemed critical.
"We also recognise that the industry has engaged in longstanding efforts to address the physical security of its critical facilities."
In its own way, the FERC order is harmless, but it duplicates other work that has already been done and is a distraction from more pressing problems. (editing by Jane Baird)
Our Standards: The Thomson Reuters Trust Principles.