Extremists keep trying to trigger mass blackouts — and that’s not even the scariest part

Source: By CATHERINE MOREHOUSE, Politico • Posted: Monday, September 11, 2023

Extremist groups are among those targeting the electricity network, exposing the reporting gaps between the state and federal agencies that oversee its security.

Workers work on equipment at the West End Substation.
The U.S. is on pace to meet or exceed last year’s record of 164 major cyber and physical attacks to the power grid. | Karl B DeBlaker/AP Photo

Maryland’s top utility regulator was watching the news one February morning when a headline blindsided him: Two suspects with neo-Nazi ties had been charged with plotting to take down Baltimore’s power grid.

Jason Stanek, the then-chair of the state’s Public Service Commission, said Maryland regulators were “caught flat-footed,” not hearing a word from law enforcement before the news broke — or in the months afterward. Federal prosecutors have alleged the defendants were driven by “racially motivated hatred” to try to cut power to hundreds of thousands of people in the state’s largest city, which has a predominantly Black population.

Adding to the difficulties, no single agency keeps a complete record of all such incidents. But the attacks they know about have regulators and other power experts alarmed:

— Utilities reported 60 incidents they characterized as physical threats or attacks on major grid infrastructure, in addition to two cyberattacks, during the first three months of 2023 alone, according to mandatory disclosures they filed with the Department of Energy. That’s more than double the number from the same period last year. DOE has not yet released data past March.

— Nine of this year’s attacks led to power disruptions, the DOE records indicate.

— The U.S. is on pace to meet or exceed last year’s record of 164 major cyber and physical attacks.

— And additional analyses imply that the true number of incidents for both 2022 and 2023 is probably even higher. POLITICO’s analysis found several incidents that utilities had reported to homeland security officials but did not show up in DOE data.

According to a report on grid security compiled by a power industry cyber clearinghouse, obtained by POLITICO, a total of 1,665 security incidents involving the U.S. and Canadian power grids occurred last year. That count included 60 incidents that led to outages, 71 percent more than in 2021.

While that report does not break down how many of those incidents occurred in which country, the U.S. has a significantly larger grid, serving 145 million homes and businesses, with nearly seven times Canada’s power-generating capacity.

Law enforcement officials have blamed much of the rise in grid assaults on white nationalist and far-right extremists, who they say are using online forums to spread tactical advice on how to shut down the power supply.

Concerns about the attacks have continued in recent months, with incidents including a June indictment of an Idaho man accused of shooting two hydroelectric stations in the state.

But law enforcement officers investigating alleged plots against the grid don’t necessarily alert the Energy Department or other regulatory bodies.

“We have no idea” how many attacks on the grid are occurring, said Jon Wellinghoff, a former chair of the Federal Energy Regulatory Commission, which regulates the U.S. electric grid. “It looks like they’re escalating if you look at the data. But if you don’t have enough data, you can’t discern patterns and proactively work to stop these things from happening.”

Wellinghoff was FERC’s chair when an unknown sniper attacked a Pacific Gas and Electric substation in San Jose, Calif., in 2013 — an incident regulators have described as a “wake-up call” on the electricity supply’s vulnerability to sabotage.

Last year’s record number of physical and cyber disruptions to the U.S. power system included several incidents that captured public attention, such as a December shooting attack against two North Carolina substations that left 45,000 people without power for four days. The state’s medical examiner has blamed the attack for the death of an 87-year-old woman who died after her oxygen machine failed, ruling it a homicide. Nobody has been charged.

“There is no doubt there’s been an uptick over the last three years in the amount of incidents and also the severity of the incidents,” said Manny Cancel, senior vice president at the North American Electric Reliability Corp., the nonprofit body in charge of setting reliability standards for the bulk power system. He is also CEO of its Electricity Information Sharing and Analysis Center, which gathers and analyzes data from power companies.

Cancel said NERC has “seen two pretty substantial increases” in incidents coinciding with the 2020 and 2022 election cycles.

Grid attacks that led to power outages increased 71 percent from 2021 to 2022, totaling 55 incidents in 2022, according to a NERC briefing to utilities that POLITICO obtained. That increase was primarily due to a rise in gunfire assaults against critical infrastructure.

The largest outage reported from a physical attack early this year — which occurred in March in Carson City, Nev. — affected more than 11,000 people, according to DOE data.

But the state Public Utilities Commission was not aware of any outage due to an attack occurring that day, spokesperson Peter Kostes told POLITICO by email. That’s even though state regulations require utilities to contact the commission within four hours of a significant outage.

The state’s largest utility, NV Energy, said in a statement that it had reported the incident to local law enforcement “as soon as we learned about this incident … so we can continue to increase our resilience against ongoing threats to the energy industry.” A spokesperson for the utility did not respond to multiple requests for comment on whether it had informed the commission.

Federal regulations also require utilities to report cyber or physical attacks to DOE, including physical attacks that cause “major interruptions or impacts” to operations.

They must also tell the department about disruptions from weather or other causes that meet certain criteria, such as those that cut off service to more than 50,000 customers for at least an hour, an uncontrolled loss of more than 200 megawatts of power, or a utility voluntarily shutting more than 100 megawatts, according to an Energy Department spokesperson. The spokesperson provided the information on the condition that they not be identified by name.

The Energy Department’s records don’t include at least seven reported physical assaults last year and this year that the Department of Homeland Security and the affected utilities said caused substantive economic damage or cut off power to thousands of customers. POLITICO found these incidents by cross-checking the department’s data against warnings issued by DHS and the FBI’s Office of the Private Sector.

DOE said the incidents may not meet its reporting thresholds.

Several of the incidents missing from DOE’s data involved clear physical attacks, based on other agencies’ descriptions. But the utilities involved said they did not report the incidents to the department because the attacks did not affect the kind of major equipment that could lead to widespread, regional power failures.

One of the incidents not found in DOE’s records cut off power to about 12,000 people for roughly two hours in Maysville, N.C., after a shooting damaged a substation in November, according to a DHS report. The FBI’s investigation into the incident is ongoing, according to the intelligence agency.

The utility affected by the incident, Carteret-Craven Electric Cooperative, reported the incident to NERC’s Electricity Information Sharing and Analysis Center, but didn’t report the attack to DOE because it was a “distribution-level” incident, said Melissa Glenn, a spokesperson for the utility. That means the outages caused by the damage would have been limited to local power customers and not lead to the wider blackouts federal regulators are most concerned with.