The head of Maryland’s main utility regulatory agency was reading the news on a morning in February when he was taken aback by a headline: Two individuals with connections to neo-Nazi groups had been arrested for allegedly planning to sabotage Baltimore’s power system.
According to Jason Stanek, who was the chair of Maryland’s Public Service Commission at the time, regulators were unprepared and had not received any information from law enforcement before or after the news broke. Federal prosecutors claim that the defendants were motivated by racially charged hatred when attempting to shut off power to a large number of residents in the state’s biggest city, which has a mostly Black community.
The FBI chose not to provide a statement regarding their interaction with the Maryland commission. However, Stanek’s situation is frequently encountered.
A study conducted by POLITICO using government data and input from twelve experts in security, extremism, and electricity has uncovered that there has been a significant increase in attacks on the power grid across the country. However, inadequate communication between law enforcement and state and federal regulators has resulted in many officials being unaware of the true magnitude of this threat. This has also hindered efforts to protect the power network.
In addition to the challenges, there is no one organization that maintains a comprehensive record of all these occurrences. However, the reported attacks have raised concerns among regulators and other experts in the field of power.
According to required reports submitted to the Department of Energy, utility companies documented 60 instances of physical threats or attacks on significant power grid systems, as well as two cyberattacks, in the first quarter of 2023. This is a substantial increase from the previous year’s numbers and data for the months following March has not yet been made available by the DOE.
According to records from the DOE, nine power outages were caused by attacks that occurred this year.
The United States is projected to reach or surpass the number of 164 significant cyber and physical attacks recorded last year.
Additional investigations suggest that the actual number of occurrences in 2022 and 2023 is very likely even greater. According to POLITICO’s examination, a number of incidents that utility companies had disclosed to authorities in homeland security were not reflected in the data from the Department of Energy.
In June, a man from Idaho was charged with shooting two hydroelectric stations in the state.
However, law enforcement officials looking into potential threats against the power grid may not always inform the Department of Energy or other regulatory agencies.
According to Jon Wellinghoff, a past leader of the Federal Energy Regulatory Commission responsible for overseeing the U.S. electric grid, the number of grid attacks is unknown. However, based on available data, it appears that these attacks are increasing in severity. Without sufficient data, identifying patterns and taking preventive measures is difficult.
In 2013, during Wellinghoff’s tenure as FERC chair, a mysterious sniper targeted a substation belonging to Pacific Gas and Electric in San Jose, California. This event was deemed a “wake-up call” by regulators, highlighting the vulnerability of the electricity supply to deliberate sabotage.
In December, a shooting occurred at two substations in North Carolina, causing a power outage for 45,000 individuals lasting four days. The state’s medical examiner determined that the attack resulted in the death of an 87-year-old woman whose oxygen machine stopped working. The death was ruled a homicide, but no one has been arrested or charged for the attack.
Manny Cancel, the senior vice president of the North American Electric Reliability Corp., a nonprofit organization responsible for setting reliability standards for the bulk power system, stated that there has been a noticeable increase in the number and severity of incidents over the past three years. Cancel also serves as the CEO of the Electricity Information Sharing and Analysis Center, which collects and evaluates data from power companies.
NERC reported two significant upticks in incidents during the 2020 and 2022 election periods.
According to a report from 2019, there was a 71% increase in grid attacks resulting in power outages between 2021 and 2022, with a total of 55 incidents occurring in 2022.
Briefing from NERC to utility companies. that POLITICO obtained. That increase was primarily due to a rise in gunfire assaults against critical infrastructure.
According to DOE data, the biggest disruption caused by a physical attack this year was in March in Clark County, Nevada, and it impacted over 11,000 individuals.
According to spokesperson Peter Kostes, the state Public Utilities Commission did not receive any reports of an attack causing an outage on that day. However, state regulations mandate that utilities must inform the commission of any major outages within four hours.
The biggest energy company in the state, NV Energy, released a statement stating that they had notified the authorities as soon as they became aware of the incident. This was done in order to enhance their ability to handle and prevent potential threats to the energy sector. Despite multiple requests for comment, a spokesperson for the company did not provide any information on whether the commission had been informed.
Federal regulations mandate that utilities must inform the Department of Energy (DOE) of any cyber or physical attacks, including those that result in significant disruptions or impacts to operations.
They must also tell the department about disruptions from weather or other causes that meet certain criteria, such as those that cut off service to more than 50,000 customers for at least an hour, an uncontrolled loss of more than 200 megawatts of power, or a utility voluntarily shutting more than 100 megawatts, according to an Energy Department spokesperson. The spokesperson provided the information on the condition that they not be identified by name.
The records of the Energy Department do not contain information on seven reported physical attacks in the past two years that resulted in significant economic harm or power outages for thousands of customers, according to both the Department of Homeland Security and the affected utilities. POLITICO discovered these occurrences by comparing the department’s data with alerts issued by DHS and the FBI’s Office of the Private Sector.
The Department of Energy stated that the events may not reach the required level for reporting.
Some of the incidents not included in DOE’s data were confirmed to be physical attacks according to descriptions from other agencies. However, the utilities responsible stated that they did not notify the department because the attacks did not impact crucial equipment that could trigger widespread power outages in the region.
A substation in Maysville, N.C. was damaged by a shooting in November, causing a power outage for approximately 12,000 individuals for two hours. This incident was not documented by the DOE but was reported by the DHS. The FBI is currently investigating the matter.
Carteret-Craven Electric Cooperative, the company affected by the incident, informed NERC’s Electricity Information Sharing and Analysis Center about it. However, they did not report the attack to DOE because it was considered a “distribution-level” incident. According to Melissa Glenn, a representative for the utility, this means that the power outages caused by the damage would have only affected local customers and were not significant enough to cause larger-scale blackouts, which is the main concern for federal regulators.
The Department of Homeland Security stated that in July 2022, a substation operated by East River Electric Cooperative, which serves the Keystone oil pipeline in South Dakota, was shot at during the late hours of the night. This incident, which was not reported to the Energy Department, resulted in over $1 million worth of damage and led to a decrease in pipeline operations while repairs were being made.
The East River co-op spokesperson, Chris Studer, stated that the utility notified local law enforcement about the incident, and the FBI was also involved. The incident was also reported to NERC and its E-ISAC, as well as other regional grid agencies. However, it was not reported to DOE as the attack did not impact the bulk power system.
In an email, Brian Harrell, a previous assistant secretary for infrastructure protection at the Department of Homeland Security, mentioned that utilities are required to report to multiple agencies which can create a confusing and disjointed process. He proposed that reporting should be simplified and streamlined through NERC’s E-ISAC.
He stated that the lack of consistency is not the utility’s fault and it implies that the numbers may not fully represent the situation.
The grid experts stated that these gaps in data clearly show a lack of comprehension about which organizations utilities are required to report to and at what time.
According to Jonathon Monken, a grid security expert from Converge Strategies, utilities may be exploiting a “loophole” in the definition of “critical infrastructure.” Monken, who previously held a role as senior director for system resilience at PJM Interconnection, the largest power market in the country, believes this may be the case.
Monken stated that there are various methods to comply with DOE regulations, but according to his interpretation of the rule, utilities must disclose any interruptions in operations resulting from a physical attack.
According to him, the data you gathered suggests that companies are still not complying with mandatory reporting, which is concerning.
A former official from FERC, who requested to remain anonymous due to the sensitivity of the issue, stated that the commission did not receive any notifications from law enforcement regarding the planned and executed attacks that occurred last year. This lack of information impedes agencies’ ability to effectively respond to such events.
A representative for FERC refused to provide a statement regarding the commission’s interactions with law enforcement.
However, Cancel supported the actions of government agencies in addressing these incidents. He suggested that federal investigators may have had valid intelligence purposes for not involving FERC and state utility agencies in the matter.
The speaker, who is not a lawyer or law enforcement agent, mentioned that there was an ongoing criminal investigation. They believe that the authorities did not want to bring attention to it and potentially risk the investigation’s credibility.
The FBI spokesperson did not directly address the criticisms in an email, but stated that the agency considers cybersecurity to be a collaborative effort. The individual requested that the statement be credited to the bureau.
The FBI strongly recommended that utility company leaders participate in security training led by intelligence agents last month. This is to ensure that they are aware and prepared for any potential threats from malicious individuals.
“The assistance of our colleagues is crucial,” stated Matthew Fodor, the deputy assistant director of the FBI’s counterterrorism division, during an extensive FERC technical conference on August 10th. He acknowledged the limited resources that pose challenges for both organizations, with the Department of Energy being the most experienced in this matter.
There are numerous possible targets for those who attack the electricity supply, such as power substations and smaller yet crucial components of utility infrastructure. These smaller pieces are often left vulnerable due to the lack of federal regulations mandating their protection.
According to a briefing from NERC in February, almost half of the 4,493 attacks between 2020 and 2022 were aimed at substations, making them the primary targets for those responsible during that time frame.
According to researchers and federal security officials, extremist messaging boards and other online sources provide instructions for conducting these types of attacks. These resources may include maps of key access points to the grid and tips gathered from past incidents such as the attack in North Carolina.
The Maryland electricity regulator, Stanek, expressed his disappointment with the lack of cooperation and communication between federal and state law enforcement in their handling of the supposed scheme in Baltimore. The case, which is being heard in U.S. District Court in Maryland, does not have a trial date set yet.
The Public Service Commission of Maryland is responsible for maintaining a reliable power grid in the state. According to Stanek, regulators must be kept up-to-date on potential threats to the system in order to collaborate with other agencies in the event of a successful attack.
Simultaneously, he joked that perhaps he was more content remaining unaware.
Stanek commented that the FBI report contains many vibrant and significant pieces of information. He then took a moment to reflect, stating that if he had received this information beforehand as a regulator, he would have had trouble sleeping and would have shared it with trusted sources within the state government.
“Maybe the government did us a favor by withholding this information until the situation was resolved,” he stated.