A terrorist attack on the US power grid could be more destructive than superstorm Sandy, possibly costing hundreds of billions of dollars and leading to thousands of deaths, the National Academy of Sciences says.
While such an event probably wouldn't kill people immediately, it could cause widespread blackouts for weeks or months, according to a recently declassified report released Wednesday by the Academy. If it occurred during extreme weather, heat stress or exposure to cold may lead to "hundreds or even thousands of deaths," the authors of the study wrote.
"An event of this magnitude and duration could lead to turmoil, widespread public fear, and an image of helplessness that would play directly into the hands of the terrorists," they said.
While other entities have issued reports on electric-grid vulnerabilities, the study released today provides an unusually stark picture of what may happen if hackers, extremist groups, disgruntled employees or even energy companies themselves sabotage the nation's power network. It calls for the government to create a national inventory of portable generation equipment that can be used during such an event.
An attack "could be carried out by knowledgeable attackers with little risk of detection or interdiction," it said.
The study released by the National Academy of Sciences was sponsored by the Department of Homeland Security and completed by the National Research Council, which is part of the National Academy of Sciences. Although the report was completed in 2007, President George W. Bush's administration a year later prevented it from being distributed publicly. The panel of experts who prepared the report, believing it contained no classified information, pressed for its dissemination, and in August the the administration of President Barack Obama agreed to declassify most of the report.
National Academy of Sciences President Ralph J. Cicerone, and Charles M. Vest, president of the National Academy of Engineering, in a foreward to the report, said its key findings remain "highly relevant." The men are also chairman and vice chairman, respectively, of the National Research Council.
The U.S. electricity network consists of a complicated web of generators, high-voltage power lines, lower voltage lines that run to homes and businesses, substations and other gear to keep electricity flowing smoothly across the country. The National Academy of Engineering called the transmission and distribution system, or the grid, "the world's largest integrated machine."
Threats to the network include physical and cyber attacks on equipment that is often decades-old and lacks the technology to limit the effects of such an event, the study said.
While a hurricane or ice storm usually only takes down distribution lines that utility crews can put back up, terrorists can disable transformers, which may take years to replace, said Alan Crane, a senior scientist who worked on the report. A well-planned operation could take out several substations, he said.
"It's the multiple attacks that have the really scary consequences," Crane said. Although the probability of such a conspiracy is low, the consequences "could just be really awful."
The report raises questions about how a blackout would affect services including medical care, the water supply and the pumping of natural gas, which uses compressors powered by electricity, he said.
"Living without electricity is one thing," Crane said. "Living without water is something else."
An attack could inflict more damage than superstorm Sandy, which roared across the Eastern U.S. at the end of October, according to a statement released with the study. The storm temporarily tripped power to three nuclear reactors and caused a fourth, owned by Exelon Corp., to declare an alert.
Tens of thousands of people are still without power. The chief operating officer of the Long Island Power Authority resigned after Gov. Andrew Cuomo of New York, where 2 million homes and businesses lost electricity, ordered an investigation into the performance of the state's utility companies.
Insured losses from the disaster will probably exceed $20 billion, according to QBE Insurance Group Ltd., which had a 3.5 percent share of U.S. commercial property insurance during the second quarter.
"High-voltage transformers are of particular concern because they are vulnerable to attack, both from within and from outside the substation where they are located," according to the report. Transformers are often custom-built, difficult to transport because of their size, and made outside the U.S., meaning that the industry's inventory could be "overwhelmed by a large attack," it said.
Exacerbating the risk is the restructuring of grid ownership and oversight, begun in the 1990s to introduce more competition in the electricity marketplace, according to the study. Companies in California and regions including the Northeast and Midwest have ceded power-line network operations to independent grid authorities and compete in wholesale markets to supply electricity. Other regions, such as the Southeast have not restructured, resulting in patchwork of market systems across the United States.
"The push by federal regulators to introduce competition in bulk power across the country has also resulted in the transmission network being used in ways for which it was not designed," the study's authors wrote.
A 2005 U.S. energy law included measures to strengthen the power grid's reliability, and the Federal Energy Regulatory Commission now has the ability to issue fines as high as $1 million per day for each reliability violation.
Cyber attacks on the electric grid "are unlikely to cause extended outages, but if well coordinated they could magnify the damage of a physical attack," according to the report. Hackers could manipulate computerized systems on a network that is becoming increasingly digital, disabling security, blocking signals to operators or tampering with the buying and selling energy through markets linked by the Internet, it said.
Attackers of the grid may include terrorist groups, computer hackers, disgruntled or bored individuals, or energy companies. A 2011 report from the Electric Power Research Institute said that about $3.7 billion in investment is needed to protect the grid from cyber attacks.
Energy companies including utilities would have to increase their investment in computer security more than seven-fold to reach an ideal level of protection, according to a January survey done for Bloomberg Government by the Ponemon Institute, a data-security research firm based in Traverse City, Mich. The survey of network managers at 21 energy companies including 14 utilities found the companies would need an average annual budget of $344.6 million to stop 95 percent of their cyber threats.
The report released Wednesday recommends that the Homeland Security Department take the lead in overseeing electric-grid security, working with the Energy Department and private companies to create a stockpile of mobile reserve equipment, including transformers, for the network. It also calls for the security agency to work with the FERC, state regulators, utilities and grid operators to make sure they have "appropriate incentives" to upgrade the system.
The release of the report will speed the adoption of new technology that will better protect the grid, Cicerone and Vest said.
Utilities including American Electric Power Co. of Columbus, Ohio, have already been working together to share cyber-threat information learned from software developed by Lockheed Martin Corp.
— With assistance from Mark Chediak in San Francisco and Freeman Klopott in Albany, N.Y.