60 Minutes Tackles Lack of Grid Security
On February 27, 2022, 60 Minutes Journalist Bill Whitaker reported on the disturbing lack of physical security requirements for the electric grid. Watch the full report here:
This report was produced by Graham Messick and Jack Weingart .
People interviewed:
- Jon Wellinghoff, former FERC Chairman
- Granger Morgan, Carnegie Mellon University
- Michael Mabee, GridSecurityNow.org
- Dr. Liz Sherwood-Randall, White House Homeland Security Advisor
- Anne Neuberger White House Deputy National Security Advisor, Cyber & Emerging Tech, National Security Council
One of the remarkable admissions by the government was when Dr. Sherwood-Randall said:
“In my view as the government, we can’t impose the regulations you’re suggesting.”
Exactly. The problem is that the electric utility industry is self-regulated. They do not want to add security “requirements” themselves. Meanwhile, the government thinks it does not have the authority to mandate requirements. Historically the industry fights any push for legislation giving government the authority to issue requirements.
So what needs to be done? Here is my October 28, 2021 letter to the Office of the National Cyber Director in which I outline steps that we need to immediately take:
What Congress must do at the Administration’s urging:
- Congress must enact legislation mandating that reasonably prudent actions on cybersecurity, physical security, EMP/GMD protective measures and hardening for severe weather events be taken by all entities, public or private sector, that are part of the critical electric infrastructure. These measures must be certified periodically by the Chief Executive Officer of each such critical electric infrastructure entity.[10]
- The Chief Executive Officer of each such critical electric infrastructure entity must be required to certify periodically to the Department of Energy (DOE) and the Department of Homeland Security (DHS) that they have reasonably prudent cybersecurity measures in place that have been reviewed and approved by the Chief Executive Officer of the entity.[11]
- The Chief Executive Officer of each such critical electric infrastructure entity must be required to certify periodically to DOE and DHS that they have reasonably prudent physical security measures in place that have been reviewed and approved by the Chief Executive Officer of the entity.
- The Chief Executive Officer of each such critical electric infrastructure entity must be required to certify periodically to DOE and DHS that they have reasonably prudent EMP/GMD measures in place that have been reviewed and approved by the Chief Executive Officer of the entity.
- The Chief Executive Officer of each such critical electric infrastructure company must be required to certify periodically to DOE and DHS that they have reasonably prudent extreme weather hardening measures in place that have been reviewed and approved by the Chief Executive Officer of the entity.
- There must be civil and criminal penalties for false certification or failure to submit such certifications.
- These certifications should be made available to the public as well as state and federal authorities.
Photos from the 60 Minutes shoot in Texas:
Photo Credits: 60 Minutes
Self-taught U.S. electric grid expert Mike Mabee says he is both fascinated and horrified by the grid. Based on his analysis of Department of Energy data, “in the past decade there have been over 700 physical attacks against the U.S. electric grid.” https://t.co/uQaKkYJpwv pic.twitter.com/BXBb0kh82i
— 60 Minutes (@60Minutes) February 28, 2022
Transcript of Report:
(From 60 Minutes Website)
Ukrainians are facing the prospect of massive power outages, as Russian forces fight for control of areas that house vital parts of Ukraine’s electric grid. If Moscow shuts down the grid, millions could be left without light, heat, refrigeration, water, phones and internet. The White House is monitoring our own critical infrastructure after two Department of Homeland Security warnings last month about threats to our grid. One noted Russia has proven its ability to use cyber attacks to shut down electric grids, and “compromised U.S. energy networks.” We’ve been looking at the grid for months and were surprised to learn how vulnerable it is, and how often it’s deliberately targeted. One attack, nine years ago, was a wake-up call for industry and government.
On the night of April 16, 2013, a mysterious incident south of San Jose marked the most serious attack on our power grid in history.
For 20 minutes, gunmen methodically fired at high voltage transformers at the Metcalf Power substation. Security cameras captured bullets hitting the chain link fence.
Jon Wellinghoff: They knew what they were doing. They had a specific objective. They wanted to knock out the substation.
At the time, Jon Wellinghoff was chairman of FERC, the Federal Energy Regulatory Commission, a small government agency with jurisdiction over the U.S. high voltage transmission system.
Bill Whitaker: You were concerned enough that you flew out there?
Jon Wellinghoff: That’s correct. And I took two other individuals who train special forces, U.S. special forces. They train people to actually attack infrastructure.
And what the former commandos found looked familiar. They discovered the attackers had reconnoitered the site and marked firing positions with piles of rocks. That night they broke into two underground vaults and cut off communications coming from the substation.
Jon Wellinghoff: Then they went from these vaults, across this road, over into a pasture area here. There were at least four or five different firing positions.
Bill Whitaker: No real security?
Jon Wellinghoff: There was no security at all, really.
They aimed at the narrow cooling fins, causing 17 of 21 large transformers to overheat and stop working.
Jon Wellinghoff: They hit them 90 times, so they were very accurate. And they were doing this at night, with muzzle flash in their face.
Someone outside the plant heard gunfire and called 911. The gunmen disappeared without a trace about a minute before a patrol car arrived. The substation was down for weeks, but fortunately PG&E had enough time to reroute power and avoid disaster.
Bill Whitaker: If they had succeeded, what would’ve happened?
Jon Wellinghoff: Could’ve brought down all of Silicon Valley.
Bill Whitaker: We’re talking Google, Apple; all these guys–
Jon Wellinghoff: Yes, yes. That’s correct.
Bill Whitaker: Who do you think this could have been?
Jon Wellinghoff: I don’t know. We don’t know if they were a nation state. We don’t know if they were domestic actors. But it was somebody who did have competent people who could in fact plan out this kind of a very sophisticated attack.
The grid is a sprawling target. There are actually three in the U.S.: the eastern, western and Texas has its own. Most of us rarely notice substations. There are 55,000 across the country, each housing transformers, the workhorses of the grid. Inside these massive metal boxes, raw electricity is converted to higher or lower voltages.
Should a transformer explode, like this one in Manhattan during Superstorm Sandy, the system is designed to trigger a localized, grid-preserving blackout. But if several sections of the grid go down at the same time, the shutdowns can cascade like dominoes. That’s what set off the great Northeast Blackout in 2003, leaving 45 million Americans without power. A few months before the assault on Metcalf, Jon Wellinghoff of FERC commissioned a study to see if a physical attack on critical transformers could trigger cascading blackouts.
Bill Whitaker: Knock out the entire grid?
Jon Wellinghoff: That’s correct.
Bill Whitaker: How many would it take to knock out putting the entire country in a blackout?
Jon Wellinghoff: Less than 20.
The report was leaked to the Wall Street Journal. It found the U.S. could suffer a coast-to-coast blackout if saboteurs knocked out just nine substations.
Bill Whitaker: You are relaying this in a very measured way. I would think this would be quite alarming.
Jon Wellinghoff: It was alarming. There’s no question. It is alarming.
After the Metcalf attack, FERC pressed the utilities to harden defenses at their most critical substations – erect walls and sensors to prevent similar attacks – there’s now a wall around Metcalf. But many substations remain vulnerable targets, like one we found in southern California that serves more than 300,000 customers – huge transformers protected by a chain link fence.
Dr. Granger Morgan: Anybody who knows about power systems knows that the, the grid is physically spread all over the countryside. There are a lot of places that are vulnerable.
Dr. Granger Morgan is a Carnegie Mellon University professor of engineering who chaired three National Academy of Sciences reports on the power grid for the U.S. government – the most recent in 2021. An earlier report on terrorism was classified for five years.
Dr. Granger Morgan: We simply made a strong case that the grid was physically very vulnerable.
Bill Whitaker: Why was there a specific report on terrorism and the grid?
Dr. Granger Morgan: There were concerns about the possibility that a terrorist organization could attack the grid. And around the world there have been a fair number of attacks on grids.
Dr. Granger Morgan: In the report we did on the resilience of the power system we did argue that we needed an organization, probably DOE and Department of Homeland Security, to systematically look at all the kinds of vulnerabilities we have and then begin to figure out who could address each. In terms of resilience issues, there’s nobody in charge. I mean, there’s no single entity that has responsibility for everything.
Mike Mabee: The U.S. electric grid is the largest machine in the history of mankind. It is a marvel of modern engineering. No one person owns or controls it. It’s actually 3,000 different companies, both public and private sector, that own or operate little pieces of the electric grid.
Mike Mabee is an Iraq war vet, a former cop and a self-taught grid security expert. By day he works for the government. In his spare time, he uncovers public information electric utilities would rather not see the light of day and publishes them on a website called “Grid Security Now.” He is both fascinated and horrified by the grid.
Mike Mabee: I think everybody needs to be as alarmed as I am. We’ve had disasters in the past but they’ve generally always been regional in scale. What we’ve never had is a national-scale blackout, which is completely possible under some known threats such as the cyber threat, the physical security threat, or even extreme weather. And the U.S. public is completely unprepared to survive without the electric grid for any period of time whatsoever.
So when he moved to Texas two years ago, he prepared for the worst, installing solar, wind and battery power.
Mike Mabee: The whole system’s 48 volts.
Mabee’s family survived last winter’s deadly storm, hundreds of Texans perished.
Mike Mabee: And the deaths were largely due to hypothermia, carbon monoxide poisoning because when people got cold they would do things like go into their car in the garage to try to stay warm.
Mabee has become a thorn in the side of the federal government and utility companies.
Mike Mabee: I filed a complaint about supply chain cybersecurity. I filed a complaint about physical security. I filed a complaint about the Texas blackout.
Bill Whitaker: The government and the industry. They think you’re an annoyance?
Mike Mabee: I’ve been termed a “grid security gadfly,” which I wear that as a badge of honor.
One frequent target: the Department of Energy. Mabee told us the grid information the DOE puts out is confusing and dispersed. He said he spends hours trying to make sense of it all.
Bill Whitaker: 38%? That’s a lot.
Mike Mabee: So in the past decade, there have been over 700 physical attacks against the U.S. electric grid.
Many are copy cats of the Metcalf assault. In 2016, an eco terrorist in Utah shot up a large transformer, triggering a blackout. He said he’d planned to hit five substations in one day to shut down the West Coast. In 2020, the FBI uncovered a white supremacist plot called “lights out” to simultaneously attack substations around the country.
Dr. Liz Sherwood-Randall: We’re seeing planning to disable the delivery of power to the American people.
Dr. Liz Sherwood-Randall is President Biden’s homeland security advisor. We met with her and Anne Neuberger, deputy national security advisor for cyber. They told us the administration’s infrastructure plans should help secure the grid, but acknowledge the threats are real.
Dr. Liz Sherwood-Randall: We have physical threats to the grid. We have natural threats to the grid. We have cyber threats to the grid.
Bill Whitaker: You said that you’ve been talking to private utility companies around the country about the potential for a cyber attack. What are you telling them?
Anne Neuberger: We’re sharing with them some of the context regarding how Russia and other countries use cyber in crisis or conflict. We’ve actively downgraded intelligence. We’ve taken any information we have about malicious software or tactics that the Russian government has used, shared that with the private sector with very practical advice of how to protect against it.
Bill Whitaker: Isn’t the problem that when it comes to the grid, there’s nothing like the FAA or the Food and Drug Administration or the Securities and Exchange Commission? There’s no one overall agency overseeing these, you said, 3,000 different utilities across the country?
Dr. Liz Sherwood-Randall: We don’t have one system. We have several grids. We also have individual energy ecosystems in regions and states. And that’s part of our strength because the resources for energy are different in different regions. And we have to acknowledge that we’re not going to have a one-size-fits-all system.
Bill Whitaker: You call it one of our strengths. But it also seems to be one of our vulnerabilities.
Dr. Liz Sherwood-Randall: Well, in my view, we can’t impose the regulations that would– you would be suggesting as a federal government. We can set standards and we are setting standards in a variety of arenas.
Dr. Granger Morgan: What we need at this point is to get the White House to put all the key players together in a room to identify the biggest vulnerabilities and then take steps to reduce them.
Bill Whitaker: I’m surprised that’s not being done.
Dr. Granger Morgan: It has not been done. And it needs to happen now.
Produced by Graham Messick. Associate producer, Jack Weingart. Broadcast associates, Emilio Almonte and Eliza Costas. Edited by Craig Crawford.
Photo Credits: 60 Minutes