The US electric reliability watchdog and the power sector said Thursday that they are working with federal authorities and within the industry to shore up security in the face of a recent federal bulletin about potential threats to private sector utilities.
The Department of Homeland Security issued the bulletin on Tuesday.
That’s scary. Not that the utility sector is on a heightened alert and doing something about it but that the need is there to do so. The watchdog in this case is the North American Electric Reliability Corporation (NERC), which oversees the reliability and adequacy of bulk power transmission in North America (meaning the U.S., Canada and a bit of Mexico).
Interestingly, NERC and the Department of Energy released a report last month on just this subject.
The report examines three high-impact, low-frequency risks in detail: coordinated cyber, physical, or blended attacks; pandemic illness; and Geomagnetic Disturbances (GMD) and Electromagnetic Pulse (EMP) events. These risks are rare, and in some cases have never occurred. Certain protections and mitigations are already in place to address these risks, and the study released today will help the electric sector, public utility commissions, and the federal government to further prepare for these potential risks.
The report itself can be found here. There are a number of proposals for ensuring the safety of the grid. The first one seems germane to the DHS bulletin:
The U.S. DOE and Department of Homeland Security (DHS) and appropriate government authorities in Canada should work together to establish clearer and more direct lines of communication and coordination with the electric sector. Focus should be given to improving the timely dissemination of information concerning impending threats and specific vulnerabilities, and on the provision of information with sufficient engineering depth for private sector entities to evaluate and deploy suggested mitigations.
And that appears to be what has happened in the current instance. The rest of the proposals are well worth reading (in fact, the entire report is interesting).
Beyond what DHS and NERC have done, several utilities have responded. Here, for example, is Progress Energy:
“It’s something, obviously, we take very seriously,” Progress Energy spokesman Mike Hughes said Thursday morning.
He adds that Progress conducts thorough background checks on all employees, including contract employees, and continues to monitor workers throughout their stay with the company. Some are subjected to psychological examinations.
As for physical protection, Progress, and indeed all nuclear energy facilities, have ramped up security measures, Hughes said, to include more security personnel and better physical barriers to prevent a break-in.
And NEI’s response:
Nuclear Energy Institute spokesman Steven Kerekes said that "US nuclear energy facilities have in place a comprehensive security structure -- strengthened after the 9/11 terrorist attacks -- that includes extensive background checks even for temporary employees who would be authorized to work within a plant's 'protected area.' This includes a criminal history review conducted by the FBI."
The DHS guidance "illustrates the ongoing vigilance applied in this area even though, as the DHS notes, there is no specific, credible intelligence of an imminent threat to private sector utilities," Kerekes said.
You can see that the threat here regards the possibility of an inside attack.
"We knew about insider threats and we do have mechanisms in place whether cyber, physical or personnel related," said Ed Legge, spokesman for the Edison Electric Institute, the Washington lobby for IOUs [investor owned utilities]. "We tend to have employee redundancy as much as physical redundancy. We have groups of people running the grid versus one guy at any one time and groups of people protecting it as well."
NEI has a section of its web site devoted to plant security and a fact sheet that provides good information about the subject. Here’s a bit detailing the history of a nuclear facility’s security profile:
Congress also responded to public concern over nuclear plant security by including in the Energy Policy Act of 2005 several provisions that increase security requirements or capabilities. As part of the bill, the NRC was directed to officially increase the scope of the design basis threat. It also requires plants to fingerprint and conduct background checks of their employees.
The bill also allowed the NRC to authorize security officers to carry certain advanced weaponry. In addition, the bill increased federal penalties for sabotage and for bringing unauthorized weapons on to a nuclear power plant site.
Many industry security elements are considered “safeguards” information, which means they are controlled on a “need-to-know” basis. Clearly, plant protection capabilities and response strategy should be controlled and protected from public disclosure to avoid compromises that might benefit a potential adversary.
As Kerekes said above, this was all responsive to the terrorist attacks on September 11, 2001, initially targeting “a suicidal, well-trained paramilitary force, armed with automatic weapons and explosives and intent on forcing its way into a nuclear power plant to commit radiological sabotage.” It’s rather sad that such a scenario describes both the world we live in and a bad straight-to-cable action movie. But there it is.
The notion of an insider helping the attacking force was considered originally, so this is not a more recent concern, but the later revision takes account of what DHS is now warning about: an insider who can do considerable damage without help from the outside.
As the bit above makes clear, some of the strategies put in place are not known publicly, but what is known is that nuclear energy plants vastly ramped up their security protocols after 2001 and took account of potential insider subversion along the way.
I’m sure this is all true of utilities in general – especially since NERC and its regulatory wing, the Federal Energy Regulatory Commission (yes, they’re NERC and FERC), interact with other energy generators as well as nuclear facilities (though the NRC can be said to take the lead on such issues in the case of nuclear plants).
So, is this DHS bulletin worrying? Sure it is – one would be foolish not to worry. But is the energy sector, and specifically the nuclear energy sector, utterly without recourse? No – it’s well prepared to deal – and harshly! – with anyone who tries to disrupt the flow of electricity.
On a less alarming note, let’s just say: It’s hot outside! Really hot in many parts of the country, including in Washington, D.C. And let’s allow that nuclear energy facilities are well-positioned to keep movie theaters, bowling alleys and your home nicely crisp and cool:
U.S. reactors, on average, posted a capacity factor of 95.3 percent during the week of July 16-22. Capacity factor is the ratio of the actual electric output of a power plant over a period of time and its output if it had operated at full capacity the entire time. In other words, most nuclear energy facilities were operating around the clock throughout the week.
In fact, only three reactors were down last week. Now, we’re sure that our coal and wind and etc. cousins are doing their bit, but one of the great benefits of nuclear energy is that its facilities can achieve such a high capacity factor for as long as summer lasts (and beyond). If you want, you can keep up with capacity factors on a daily basis because the NRC posts them here for you to peruse.
We would ask you to let us know when it droops to 36 percent (the average capacity factor of wind power), but then we’d never hear from you. Stay cool!