(John Kemp is a Reuters market analyst. The views expressed are his own)
By John Kemp
LONDON, March 14 Simultaneous attacks on just nine substations could black out the entire United States, according to a report in the Wall Street Journal, based on a confidential study by energy regulators.
"A small number of the country's substations play an outsize role in keeping power flowing across large regions," the Journal explained ("U.S. risks national blackout from small-scale attack", March 12).
On a hot summer day, when the generation and transmission system is stretched to its limits, knocking out just nine of the 55,000 substations on the transmission system could cause cascading power failures that would leave the country without electricity for weeks or even months.
The Journal has not published the list of 30 critical substations examined in the study.
Nonetheless, the leak has drawn a fierce rebuke from the Federal Energy Regulatory Commission (FERC) and the top Republican on the Senate Energy and Natural Resources Committee.
"Publication ... of sensitive information about the grid undermines the careful work done by professionals who dedicate their careers to providing the American people with a reliable and secure grid," FERC complained.
"While there may be value in a general discussion of the steps we take to keep the grid safe, the publication of sensitive material about the grid crosses the line from transparency to irresponsibility, and gives those who would do us harm a roadmap to achieve malicious designs," the commission added.
Senator Lisa Murkoswki was even more blunt. "Whoever is the source of this leak - and it appears to be someone with a great deal of access to highly sensitive, narrowly distributed FERC documents - is clearly putting our nation at risk. If his or her actions are not illegal, they should be."
The concerns revealed by the leak are not new. Professionals have been expressing similar worries about the vulnerability of highly interconnected energy systems for electricity, natural gas and oil since at least the 1970s.
"The United States has reached the point where a few people could probably black out most of the country," Amory and Hunter Lovins wrote in 1982.
"A small group could shut off three-fourths of the natural gas to the eastern U.S. in one evening without leaving Louisiana," they observed ("Brittle power: energy strategy for national security").
The vulnerability of the power grid and the gas distribution system to a coordinated cyber attack was even one of the central plot features of the 2007 film "Live Free or Die Hard" starring Bruce Willis.
The grid's interconnectedness is both its greatest strength and greatest weakness.
"The size, complexity, pattern and control structure of these electrical machines make them inherently vulnerable to large-scale failures," the Lovinses wrote.
"Complex energy devices were built and linked together one by one without considering how vulnerable a system this process was creating."
When each city or region had its own generating plant and distribution system, the effects of any failure were localised.
But the nationwide grid is a single machine (or really three semi-autonomous ones because the United States has three largely separate regional grids).
Once power plants and transmission systems were linked together, it was possible for a single fault to propagate or cascade across a much larger area, even in the worst instance a whole region.
COUPLING AND COMPLEXITY
Several features of the grid and other modern energy systems make them vulnerable to large-scale failure.
The grid is highly interconnected. It is also tightly coupled, in the sense that failure of one component dramatically increases the potential for failure of others.
Finally, the grid is a complex, dynamic and non-linear system. There are many branching paths and feedback loops that can magnify small errors in unexpected ways. Small initial problems can quickly generate escalating disturbances ("Normal accidents: living with high-risk technologies", Charles Perrow, 1984 and 1999).
The August 2003 blackout demonstrated just how interconnected, tightly coupled and non-linear the system really is.
Contact between a couple of power lines and overgrown trees in Ohio resulted in a cascading power failure that blacked out power to 50 million people in the Northeast, Midwest and neighbouring parts of Canada in under five minutes.
If a couple of trees can take out power to 50 million people on a moderately hot summer afternoon, it comes as no surprise that dedicated saboteurs could cut power nationwide by simultaneously destroying as few as nine key substations.
But the grid also has some important features that make it more secure and resilient than this worst-case scenario suggests.
RESILIENCY AND SECURITY
The physical structure of the grid (its "topology") and flow of power (active and reactive) across the network from generating stations along transmission lines to customers, via step-up and step-down transformers, and the regulation of aspects of power quality such as voltage and frequency, is enormously complex.
Power flows vary according to the time of day, season, temperature and maintenance schedules. In theory, the entire country could be blacked out by destroying as few as nine substations, but it would not always be the same ones. There are dozens, perhaps as many as 100, which could be critical in different conditions.
To bring down the grid, a saboteur would need to understand exactly how power was flowing around it in real time, which nodes were critical at that particular moment. If a non-critical node is attacked, grid controllers have an opportunity to re-route power through other transmission lines and transformers.
That explains why FERC is so angry about the leak. Regulators and grid operators conduct lots of scenario planning to identify system vulnerabilities, not just from sabotage but from equipment failures, tree contacts, and a host of other problems.
Confidentiality is critical. Uncertainty about how power flows around the network is one of its strongest protections. FERC fears that leaks could provide would-be saboteurs with a route map on how to identify critical nodes in the network under certain scenarios and focus their attacks in a way that maximises the danger.
PLANNING FOR FAILURE
Former FERC chairman Jon Wellinghoff told the Wall Street Journal: "There are probably less than 100 critical high-voltage substations on our grid in this country that need to be protected from a physical attack. It is neither a monumental task, nor is it an inordinate sum of money that would be required to do so."
But this is arguably the wrong focus, or at least an incomplete one. The most effective way to protect complex interconnected systems is to make them less tightly coupled so one component can fail safely without damaging others, leaving the system overall in a safe condition.
"De-coupling" or "defence in depth" is already central to the protection of high-risk systems such as nuclear power plants, nuclear weapons, chemical plants and aircraft.
It is simply not possible to give an absolute guarantee that individual components or sub-systems will not fail. So, complex and high-risk systems are planned from the outset with failure in mind.
Complex and dangerous systems are designed with many independent sub-systems and redundant safety features on the assumption some components will fail but should leave others functioning.
In general, serious accidents occur when sub-systems turn out not to be as independent as their designers thought, or when personnel ignore safe operating procedures.
Similar safety protections are built into the design and operation of the grid. Controllers conduct thousands of computer simulations to identify risk factors and prepare for contingencies.
In the case of the power grid, the solution is not just, or mainly, to protect critical substations from physical attack. It is also to make them less critical to the operation of the network by building in more redundancy.
Hundreds of professionals are involved through the North American Electric Reliability Corporation's Critical Infrastructure Protection Committee (CIPC), its Reliability Issues Steering Committee (RISC) and similar organisations.
Hardening critical substations can only ever be a very small part of the solution. Physical attacks are only one of the serious threats the grid faces. Others include equipment failure, operational errors and solar storms, any of which could be just as dangerous.
The grid's greatest security lies in making it more flexible and less tightly coupled, as well as careful but confidential system planning to ensure the network is able substantially to survive even a simultaneous attack. (Editing by Dale Hudson)