The Ongoing Battle to Protect Critical Substation Infrastructure

You’ve seen them, though they’re not much to look at – gravel patches of dull gray poles and metal boxes strung with wires, coils, and pipes. The U.S. grid includes around 55,000 substations, installations of high-voltage equipment used for the generation, transmission, and distribution of electricity across the country. They are usually found off to the side of some unassuming rural road or industrial park, and we drive by them each day with little thought, as if they were just some dystopian art exhibits lining our commute. But for bad actors intent on creating chaos, substations represent something much more valuable – the perfect target.

One of a substation’s primary functions is to convert electricity into the correct voltages that can be used by our homes and businesses. Without substations, electricity cannot be measured, and voltage levels cannot be switched or regulated because the equipment is specifically designed to handle particular voltages of power. When a substation is lost, the power goes out and cities or regions can shut down. Given its critical importance, you’d assume this infrastructure would be heavily guarded round-the-clock. Nope. Instead, substations are usually just surrounded by a chain-link fence, the security equivalent of protecting a basketball court.

Challenges Facing Substation Security

Traditionally, substation security has relied on human monitoring, a practice that time and again proves to be a disastrous decision, prone to errors and oversights. While some energy companies have already beefed up their tech to allow for remote threat detection, the organization in charge of the protection and reliability of the U.S. electric grid has been reluctant to mandate new physical security requirements, citing the level of investment necessary.

In previous statements, the North American Electric Reliability Corporation (NERC) has advised, “physical security hardening of substations can be extraordinarily expensive – something as simple as a camera installation could easily run into hundreds of thousands of dollars per substation, and it’s important that the risk abated is commensurate with the capital required.”

However, given the recent spate of substation threats (see next section), there are rumblings and strong signaling from industry experts that we might be in for an update to NERC regulations soon. In the meantime, the organization contends that truly mitigating attacks on substations requires a “risk-based approach” to determine the “necessary level of investment” based on local risk factors, regional system configuration, and the asset’s average time to recover. In other words, rather than taking a one-size-fits-all approach to security, energy companies need to tailor their defense strategy to specific concerns.

Creating A Multi-Pronged Threat Assessment

The threats to substations are many and varied. According to a study by Politico, physical attacks on the power grid are at their highest level since 2012, and utilities reported 60 such attacks on major grid infrastructure (in addition to two cyberattacks) during the first three months of 2023 alone. That’s more than double the number from the same period last year, and the methods of attack are increasing alongside the frequency.

In Oklahoma, thieves stripped a substation of copper, and a pair in Georgia died by electrocution after attempting to do the same. In North Carolina, about 45,000 people were left without power after gunmen attacked two substations, and criminals in Washington cut power to a town so they could rob a local business. And looming over everything is the omnipresent threat of domestic terrorism, with instances of attacks on substations rising among white supremacist groups and lone wolf bombers.

Given the diversity of these threats, experts are now advising that utilities undergo threat assessments based on specific challenges posed by their location and unique vulnerabilities. Here are a few examples of how that might look:

Addressing Substation Security by Locality

Not all substations are created equal. In rural areas, substations tend to be found in remote locations and overseen by teams with limited resources and manpower, increasing the chances of theft or vandalism. In more densely populated urban areas, by contrast, substations contend with risks that directly threaten nearby lives and livelihoods, like terrorism and crippling cyberattacks.

Utilities looking to improve security in each location need to be realistic about the most pressing concerns and frontload any initial investment into tackling those challenges first. For example, the rural substation might want to implement more visible security measures (random extra patrols, local law enforcement presence, better lighting, etc.) to avoid predictable behavior that aids criminal planning. At urban substations with increased visibility, on the other hand, utilities might be better served developing community engagement programs to enhance security awareness (e.g., “See Something, Say Something”).

Addressing Substation Security by Vulnerability

As the saying goes: “Fool me once, shame on you. Fool me twice, shame on me.” While criminals are getting more creative, they’re usually not supervillains. One of the biggest weapons in a utility company’s arsenal is often its own data, a record of malicious probes and attacks made on its substations over time. By analyzing where and how attacks have occurred, utilities can design asset-specific defenses that are far more cost-efficient and effective than large-scale systems. For example, the substation in Oklahoma where copper was stolen could switch to Copper Clad Steel (CCS) instead of the more valuable solid copper and hang a sign alerting would-be thieves to the absence of scrap value.

An Ounce of Prevention is Worth a Pound of Cure

The evidence is clear: substation security must be a top priority for utility companies if they wish to remain competitive, secure, and profitable. Duke Energy, one of the largest energy holding companies in the country, has clearly gotten the message, announcing late last year that it will be spending $75 billion over the next ten years to install “advanced smart technology” that monitors and detects potential problems before an outage even occurs, as well as “self-healing technology” that reduces the frequency and duration of outages. Building this intelligent grid of the future will take time, but work is already underway.

On November 14-15 this year, NERC hosted its seventh biennial grid security and resilience exercise, called GridEx VII. It’s the largest grid security exercise in North America and gives utilities a “forum to practice how they would respond to and recover from coordinated cyber and physical security threats” and incidents. The tagline from last year’s event underscores what’s at stake: “Because nearly 400 million citizens in North America are counting on us.”

