The Resilience of the Electric Power Delivery System in Response to Terrorism and Natural Disasters

Summary of a Workshop

David W. Cooke, Rapporteur

Division on Engineering and Physical Sciences

THE NATIONAL ACADEMIES PRESS
500 Fifth Street, NW
Washington, DC 20001

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine.

Support for this project was provided by BP America, GE Energy, General Motors Corporation, and Intel Corporation. Support was also provided by the National Academy of Sciences through the following endowed funds created to perpetually support the work of the National Research Council: Thomas Lincoln Casey Fund, Arthur L. Day Fund, W.K. Kellogg Foundation Fund, George and Cynthia Mitchell Endowment for Sustainability Science, and the Frank Press Fund for Dissemination and Outreach. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the author(s) and do not necessarily reflect the views of the organizations that provided support for the project.

International Standard Book Number-13: 978-0-309-29395-2
International Standard Book Number-10: 0-309-29395-2

Copies of this report are available in limited supply, free of charge, from: Board on Energy and Environmental Systems, National Research Council, 500 Fifth Street, NW, Keck W934, Washington, DC 20001, (202) 334-3344.

Additional copies of this report are available for sale from: The National Academies Press, 500 Fifth Street, NW, Keck 360, Washington, DC 20001, (800) 624-6242 or (202) 334-3313, http://www.nap.edu.

Copyright 2013 by the National Academy of Sciences.
All rights reserved.

Printed in the United States of America.

The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences.

The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. C. D. Mote, Jr., is president of the National Academy of Engineering.

The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine.

The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government.
Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. C. D. Mote, Jr., are chair and vice chair, respectively, of the National Research Council.

www.national-academies.org

PLANNING COMMITTEE FOR THE WORKSHOP ON THE RESILIENCE OF THE ELECTRIC POWER SYSTEM TO TERRORISM AND NATURAL DISASTERS

M. GRANGER MORGAN, NAS, 1 Carnegie Mellon University, Chair
CLARK W. GELLINGS, Electric Power Research Institute
DAVID K. OWENS, Edison Electric Institute
LOUIS L. RANA, Consolidated Edison Company (retired)
RICHARD E. SCHULER, Cornell University
SUSAN F. TIERNEY, Analysis Group

Staff

PETER BLAIR, Executive Director, Division on Engineering and Physical Sciences
DAVID W. COOKE, Associate Program Officer
ALAN CRANE, Senior Scientist
JAMES J. ZUCCHETTO, Director, Board of Energy and Environmental Systems

1 National Academy of Sciences.

BOARD ON ENERGY AND ENVIRONMENTAL SYSTEMS

ANDREW BROWN, JR., NAE, 1 Delphi Corporation, Troy, Michigan, Chair
WILLIAM F. BANHOLZER, NAE, Dow Chemical Company, Midland, Michigan
WILLIAM CAVANAUGH III, NAE, Progress Energy (retired), Raleigh, North Carolina
PAUL A. DeCOTIS, Long Island Power Authority, Albany, New York
CHRISTINE EHLIG-ECONOMIDES, NAE, Texas A&M University, College Station
SHERRI GOODMAN, CNA, Alexandria, Virginia
NARAIN G. HINGORANI, NAE, Independent Consultant, San Mateo, California
ROBERT HUGGETT, Independent Consultant, Seaford, Virginia
DEBBIE NIEMEIER, University of California, Davis
DANIEL NOCERA, NAS, 2 Massachusetts Institute of Technology, Cambridge
MARGO OGE, Environmental Protection Agency (retired), McLean, Virginia
MICHAEL OPPENHEIMER, Princeton University, Princeton, New Jersey
JACKALYNE PFANNENSTIEL, Independent Consultant, Piedmont, California
DAN REICHER, Stanford University, Stanford, California
BERNARD ROBERTSON, NAE, Daimler-Chrysler (retired), Bloomfield Hills, Michigan
GARY ROGERS, FEV, Inc., Auburn Hills, Michigan
ALISON SILVERSTEIN, Consultant, Pflugerville, Texas
MARK THIEMENS, NAS, University of California, San Diego
RICHARD WHITE, Oppenheimer & Company, New York City
ADRIAN ZACCARIA, NAE, Bechtel Group (retired), Frederick, Maryland

Staff

JAMES J. ZUCCHETTO, Senior Board/Program Director
DANA CAINES, Financial Associate
DAVID W. COOKE, Associate Program Officer
ALAN CRANE, Senior Scientist
K. JOHN HOLMES, Senior Program Officer/Associate Director
LaNITA JONES, Administrative Coordinator
ALICE V. WILLIAMS, Senior Program Assistant
JONATHAN YANGER, Senior Project Assistant

1 National Academy of Engineering.
2 National Academy of Sciences.

Preface

The National Research Council (NRC) released a report, Terrorism and the Electric Power Delivery System, 1 in 2012 that analyzed the vulnerability of the electric grid to terrorist attacks and measures to reduce that vulnerability. The report had been written in 2007 for the Department of Homeland Security (DHS), but publication was delayed because of security concerns. While most of the committee’s findings were still relevant, many developments affecting vulnerability had occurred in the interval. In order to expand familiarity with the report among potential users and explore recent and future trends, a workshop was held on February 27-28, 2013.
The specific goals of the workshop were to discuss the committee’s results, what had changed in recent years, and how lessons learned about the grid’s resilience to terrorism could be applied to other threats to the grid resulting from natural disasters. The workshop focused on five key areas: physical vulnerabilities of the grid; cybersecurity; mitigation and response to outages; community resilience and the provision of critical services; and future technologies and policies that could enhance the resilience of the electric power delivery system.

This report is a summary of the presentations and discussions at the workshop. No effort was made to achieve any consensus views of the participants or the planning committee. The summary does not contain any conclusions or recommendations on the part of the NRC or any advice to the government. Nor does it represent a viewpoint of the National Academies or any of its constituent units, and no priorities are implied by the order in which the issues are presented.
The workshop was recorded, and the videos may be viewed at http://sites.nationalacademies.org/DEPS/BEES/DEPS_081103.

The workshop was made possible through the hard work and dedication of the individuals who served on the NRC Committee on Enhancing the Robustness and Resilience of Future Electrical Transmission and Distribution in the United States to Terrorist Attack (Appendix A) as well as the invited presenters and workshop participants listed in Appendix B.

Special recognition is due to Daniel Ribas at Spark Street Lighting, who provided an excellent webcast of the workshop that was invaluable in the writing of this summary, and Sheryl Bottner of the NRC’s Division on Engineering and Physical Sciences (DEPS), who facilitated putting online both the presentations from the workshop and the webcast.

The committee is grateful to Peter Blair, DEPS Executive Director, and Paul Michaels of the NRC’s Office of Security for their work with the Department of Homeland Security to release an unclassified version of the report Terrorism and the Electric Power Delivery System.

1 National Research Council, 2012, Terrorism and the Electric Power Delivery System, The National Academies Press, Washington, D.C.

This workshop summary has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the NRC’s Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making its published report as sound as possible and to ensure that the report meets institutional standards for quality and objectivity. The review comments and draft manuscript remain confidential to protect the integrity of the review process. The author would like to thank the following individuals for their review of this report:

Anjan Bose, Washington State University,
Paul A. DeCotis, Long Island Power Authority,
Narain G. Hingorani, Independent Consultant,
Paul J. Kern, The Cohen Group,
Richard E. Schuler, Cornell University,
Alison Silverstein, Independent Consultant, and
Bruce F. Wollenberg, University of Minnesota.

Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the content of the report, nor did they see the final draft of the report before its release. The review of this report was overseen by Chris Whipple of Environ. Appointed by the NRC, he was responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the author and the institution.

David W. Cooke
Rapporteur

Contents

1 INTRODUCTION
Origin of the Workshop
A Changing Climate

2 GRID INFRASTRUCTURE
Attacking the Infrastructure
Natural Disasters
Solutions

3 CYBERSECURITY OF THE GRID
Merging of Infrastructures
Risk Assessment and Cybersecurity
Solutions

4 RESPONDING TO OUTAGES
Restoration of Power
Critical Services and Community Resilience
Solutions

5 THE FUTURE OF THE GRID
Distributed Generation
The Smart Grid

6 SUMMARY OF MAIN POINTS RAISED IN WORKSHOP DISCUSSIONS

APPENDIXES
A Authorship of Terrorism and the Electric Power Delivery System
B Workshop Participants
C Workshop Presentations and Discussions

1 Introduction

The electric power transmission and distribution system (“the grid” 1) is an extraordinarily complex network of wires, transformers, and associated equipment and control software designed to transmit electricity from where it is generated, usually in centralized power plants, to commercial, residential, and industrial users. Because the U.S.
infrastructure has become increasingly dependent on electricity, vulnerabilities in the grid have the potential to cascade well beyond whether the lights turn on, impacting, among others, basic services such as the fueling infrastructure, the economic system, and emergency services.

Origin of the Workshop

In 2007, the National Research Council (NRC) prepared a report responding to a request from the Department of Homeland Security (DHS) to examine the vulnerability of the grid to terrorist attack. However, the report was classified out of concern that it might help terrorists target the electric grid. In 2012, the NRC was able to work with the DHS to release an unclassified report, Terrorism and the Electric Power Delivery System, 2 in November 2012, just 2 weeks after Hurricane Sandy impacted the northeastern United States with flooding and power outages.

Given the amount of time that had passed since completion of the report in 2007 and its eventual release in 2012, the NRC and the committee wanted to ascertain whether much had changed during this 5-year period and to identify possible efforts going forward. Because of the shifting context for the vulnerability of the electric power system, the focus of the workshop was also broadened to include impacts from natural disasters as well as intelligent agents. Thus, the NRC and the committee responsible for writing the 2007 report held a workshop on the resilience of the electric power delivery system in response to terrorism and natural disasters.
The purpose was not to translate the entire report into the present, but to focus on key issues relevant to making the grid sufficiently robust that it could handle inevitable failures without disastrous impact.

1 It should be noted that although the grid tends to be referred to as a single unit, in fact it is comprised of three separate grids with few connections between them: the Eastern Interconnection, the Western Interconnection, and the Texas Interconnection.
2 National Research Council, 2012, Terrorism and the Electric Power Delivery System, The National Academies Press, Washington, D.C.

The workshop took place at the National Academy of Sciences on February 27-28, 2013, as part of the dissemination of the committee’s work. Ralph Cicerone, President of the National Academy of Sciences, noted at the start of the workshop that new needs and desires are developing in electrical power distribution, and that it is the responsibility of the NRC to ensure that the work of the committee is as timely and relevant as possible, despite the delayed public release of its report. Building on the committee’s report, the workshop focused on physical vulnerabilities and the cybersecurity of the grid as well as ways in which communities respond to widespread outages and how to minimize these impacts. Finally, the workshop also touched on the grid of tomorrow and how resilience can be encouraged and built into the grid in the future.

A Changing Climate

Granger Morgan, Carnegie Mellon University (CMU), chair of the committee that authored Terrorism and the Electric Power Delivery System, 3 noted at the outset of the workshop that although that report may have focused on “attacks,” 80 to 90 percent of the discussion in the report is relevant to vulnerabilities beyond terrorism.
Given the increasing probability that severe weather events are occurring owing to climate change, there was a great amount of discussion on how to begin to assess the vulnerabilities to these nonterrorist events moving forward.

David Kaufman, Federal Emergency Management Agency (FEMA), noted that planning tends to assume current capacity and further assumes that events in the future will be similar to ones in the past. While this is a useful starting point, it is crucial to understand outcomes that can break the system. As 100-year floods become 50- or even 20-year floods, how should adjustments be made? According to Mr. Kaufman, even if one is able to acknowledge the risk, it is difficult to determine how to address it and who will be responsible for the costs.

Gerald Galloway, University of Maryland, noted that insurance agencies are beginning to recognize that catastrophic occurrences are becoming increasingly frequent as global climate change continues to alter weather patterns, and they are starting to factor this into their risk assessment models. While Hurricane Sandy may have been the most recent natural disaster to broadly impact national infrastructure, he also pointed to the tsunami in Japan that led to the Fukushima Dai-ichi nuclear disaster in 2012 and the impact of Hurricanes Rita and Katrina on the Gulf Coast in 2005 as catastrophic events that have led to major upheaval. In 2011 alone, Dr. Galloway noted, $55 billion in economic damage was due to weather events in the United States, with 14 events causing more than $1 billion in damage each. He said that no person or place is immune to these events.

3 National Research Council, 2012, Terrorism and the Electric Power Delivery System.

FIGURE 1-1 Preliminary significant U.S. weather and climate events for 2012.
SOURCE: NOAA National Climatic Data Center, State of the Climate: National Overview for Annual 2012.

Patricia Hoffman, Assistant Secretary for Electricity Delivery and Energy Reliability in the Department of Energy (DOE), also urged a broader view of climate impacts, noting the wide array of weather-related incidents just last year across the entire United States, including widespread drought in Texas and the Southwest, record low temperatures in the Northwest, and wildfires across the West (see Figure 1-1). Dr. Hoffman also pointed out that thousands of weather records had been broken across the United States in the past year, and these trends are likely to continue. Electricity generation sources have already been impacted by drought, with low water levels forcing some power plants to reduce capacity because of limited cooling power. Further impacts to the electricity system are anticipated. The question, according to Dr. Galloway, is whether events like Sandy can create a teachable moment for those parts of the country that have not yet had extensive experience with extreme weather events.

Given this shifting landscape, identifying vulnerabilities in the electric power system to both natural disasters and terrorist attacks remains a serious challenge. Chapters 2 and 3 are focused on physical vulnerabilities in the system and issues of cybersecurity, respectively, in order to better understand the threats to resilience that the electric power system faces. Chapter 4 then addresses how communities respond to outages, while Chapter 5 details future developments of the grid that impact the resilience of the system as a whole. Chapter 6 provides an overall summary of the key points of the workshop.

2 Grid Infrastructure

To illustrate the complexity of the electric power delivery system, Granger Morgan, CMU, showed a diagram of a heavily interconnected system (Figure 2-1). Maintaining reliability of such a network requires significant coordination of resources.
Such careful balance naturally introduces four vulnerabilities:

Large, centralized power generation sources are often highlighted as potential targets for terrorists since the loss of a large generator would reduce electrical capacity by hundreds of gigawatts. However, as Dr. Morgan pointed out, these sources are heavily secured against all but very large terrorist attacks. Natural disasters are more likely threats, and most generators are susceptible to fuel disruptions.

Transmission lines are easy targets for terrorists, but they are also easily replaced. However, natural disasters such as hurricanes and ice storms can also do serious damage to transmission lines.

Substations, especially those with high-voltage transformers, are probably the most vulnerable to terrorist attack because they are essential components of the transmission system and would take a long time to replace.

Control centers coordinate the operation of the grid to maintain reliability of the system. The loss of a control center, which is the brains of the system, can have a substantial impact on the operations of the electric grid. Much of the vulnerability of the control center is related to cybersecurity threats, which will be discussed in Chapter 3.

David Owens, Edison Electric Institute, noted that while much of the discussion is focused on the bulk power system, the most common challenges are at the distribution level, which can then end up affecting the bulk power system. He reiterated that substations and substation transformers are potential points of vulnerability in the system. According to John Kassakian, Massachusetts Institute of Technology (MIT), substation attacks are a problem that can cause tremendous disruption, particularly if key lines are affected as in the case of a switching station. Sarah Mahmood, DHS, noted that the manufacturing lead time for a single, large transformer can be up to 18 months plus another 2-3 months to get it installed and operational.
Reducing this downtime is the motivation for DHS’s Recovery Transformer Program (RecX), which is discussed in great detail in Box 2-1. Joseph McClelland, Federal Energy Regulatory Commission (FERC), noted that additional complications can arise from the specialization of transformers such as changes in energy efficiency, which can impact interchangeability and thereby reduce the number of spare units for a particular location.

FIGURE 2-1 Illustration of the electric power delivery system. Substations are denoted by red ellipses. SOURCE: Adapted from graphic of Granger Morgan, Carnegie Mellon University, workshop presentation, February 27, 2013.

Ultimately, any of these vulnerabilities could lead to significant outages. Daniel Bienstock, Columbia University, detailed the ways in which one part of the network can have devastating impacts on the rest of the system, stressing segments that may not even be in proximity to each other. By studying the way in which small components affect the greater whole, Dr. Bienstock hopes to develop real-time control algorithms that can analyze a cascading blackout and, while perhaps not mitigating it fully, at least identify the measures to make it less disruptive. Using publicly available data for the Eastern Interconnect, he was able to show how one such control algorithm, in conjunction with fast-acting controls, could rapidly stabilize the blackout, reducing the number of line outages from almost 6,000 to just 11 for a particular initial outage. Such a combination of controls with real-time analytics is one way to dampen the impact of even a widespread terrorist attack.

Attacking the Infrastructure

The utilities are relatively well prepared for physical attacks on the grid infrastructure that are dispersed, uncoordinated, and limited, according to Dr. Kassakian.
As William Ball, Southern Company Services, noted, restoration procedures are well documented for an unplanned line or generator outage or a case where one or even two transformers or other equipment are affected (what are called “n-1” and “n-2” contingencies).

According to Dr. Kassakian, much more challenging is the case of a widespread coordinated attack. For instance, in the case of the 9/11 World Trade Center attack, there was a significant communications issue, as multiple agencies had different protocols that hindered a coordinated response. Furthermore, such an attack might take place across multiple nodes in the system, which can result in the types of cascading blackouts mentioned previously. Such attacks also typically occur without warning, reducing opportunities for pre-emptive mitigation strategies. Transmission lines are vulnerable to air attack in numerous ways. He also pointed out that an attack on a switching station, which serves as an interconnect between multiple lines, might be just as disruptive as a coordinated attack.

One particularly damaging and coordinated attack could utilize the threat of an electromagnetic pulse (EMP) weapon. While there are some parallels to a geomagnetic disturbance such as the one that shut off power throughout the northern reaches of the United States and Canada on March 13, 1989, an EMP device has a far more localized and targeted impact. Massoud Amin, University of Minnesota, and Dr. Kassakian both noted that an EMP weapon, which could be as small as a briefcase, could be used to attack the control systems of the grid at the same time as an attack on the physical infrastructure, thus significantly compounding the effect of the physical attack by disabling some of the inherent balancing mechanisms in the grid.
A cyberattack combined with a physical attack on the infrastructure may have a similarly crippling effect, as is discussed in Chapter 3.

Natural Disasters

As Steve Whitley, New York Independent System Operator (NYISO), noted, however, nature can launch its own devastating, widespread attack. While utilities may typically be prepared for an “n-1” or “n-2” event, Mr. Whitley noted that Hurricane Sandy was an “n-90” event. Long Island lost all ties to Connecticut and New Jersey, and New York City lost all ties to New Jersey (Figure 2-2). Over 8 GW of generation capacity went offline, both through loss of transmission and, more directly, through flooding, resulting in over 2 million customer outages in the immediate aftermath.

However, Mr. Whitley pointed out that Hurricane Sandy proved that there were a number of things that had been done to mitigate the impacts on NYISO’s customers. Because of the advance warning, regular transmission line maintenance had been cancelled, and generators on planned maintenance outages were recalled so that they could be put to best use immediately following the storm. Furthermore, by contacting other grid operators in the region, it was possible to coordinate possible responses to outages and ensure that everyone in the affected area could be on the same page.

FIGURE 2-2 Interconnections in the New York/New Jersey area after Hurricane Sandy. A red X denotes an outage. SOURCE: Steve Whitley, NYISO, workshop presentation, February 28, 2013.

During the storm, Mr. Whitley noted the difficulty of maintaining integrity of the interconnected system; however, because declining customer load coincided with a simultaneous loss of generation capacity, it did ease efforts to maintain 60 Hz in the regions that did not lose power. Such regions were also helped by New York City’s requirements for local generation and blackstart capability, which is further discussed in Chapter 4.
Throughout the recovery period as well, NYISO and the rest of New York’s utilities were able to operate within power transfer limits, and communications and computer systems worked properly throughout the ordeal.

Solutions

Mr. Whitley, in recapping the implications of the Hurricane Sandy experience for the New York power grid, noted that with such potential for devastation of the physical infrastructure of the grid in the wake of natural disasters and terrorist attacks, it is important to recognize the potential for lessons learned and what can be done moving forward to improve the resilience of the system. Above all, a frequent theme among participants was simply the importance of planning—communication and action protocols are critical. And Mr. Whitley quoted Abraham Lincoln: “Give me six hours to chop down a tree, and I will spend the first four sharpening the axe.” This theme emerged across all aspects of resilience.

Particular to the physical infrastructure, one major concern was the susceptibility of substations to terrorist attack. Dr. Kassakian pointed to the need for additional security measures and possible physical hardening beyond a simple fence to reduce substation vulnerability; a recent working group of the Institute of Electrical and Electronics Engineers (IEEE) is developing a standard for such security measures, including facility monitoring and improved access protocols to deter intrusion. However, as Dr. Kassakian pointed out, while such deterrence may limit access, it is optimal to have a system robust to substation failure because it is impossible to secure every facility against a physical attack.

The use of a spare recovery transformer was seized upon by many in attendance as a serious option to reduce the vulnerability of the system to failed equipment. While the components of a substation are relatively easily replaced, the difficulty of and lead time necessary for replacing a transformer is a hindrance that can slow down the mitigation response.
Anjan Bose, Washington State University, currently on leave and serving on the Department of Energy’s Grid Tech Team, did mention that the recent rebirth of transformer manufacturing in the United States, as described by Mr. Ball, does reduce the amount of downtime a utility might expect for replacement. However, it was the achievements of the DHS RecX program (Box 2-1) presented by Ms. Mahmood that truly represented a significant step forward in this area. Richard Schuler, Cornell University, noted that if these transformers truly are a comparable economic investment, it should not be an impediment for many state commissions. He added that because the industry commonly subsidizes public goods, having this redundancy seems like an obvious and worthwhile investment. Jay Apt, CMU, did point out that a number of organizations at this point remain underinformed about the developments of the RecX program, and Dr. Amin expressed concern about a lag of as much as 10 years for these transformers to get out to industry given the timeline of development thus far.

BOX 2-1
The Department of Homeland Security Recovery Transformer Program

Sarah Mahmood, Department of Homeland Security, described the successful deployment of a recovery transformer outside Houston, Texas. The RecX recovery transformer program is designed to act as a rapidly deployable spare for a 365 kV:138 kV/200 MVA transformer, reducing the amount of time for transport and installation from 2 or 3 months down to about a week. The key design feature is to replace the three-phase transformer with three single-phase transformers. Each is smaller and weighs much less than a full three-phase transformer, allowing it to be delivered by truck rather than train or barge. While the transport of the transformer requires state permitting in advance, the convoy design enables rapid installation by transferring its oil, cooling equipment, and other ancillary equipment (control cabinets, bushings, etc.) along with the transformer.
Part of the rapidity of installation also stems from the use of an MA65 trailer, which is analogous to a Schnabel car in design and allowed for the rapid positioning of the transformer at the CenterPoint substation. In addition, the standard modular design could be manufactured much more quickly than large custom-designed transformers.

Although the RecX recovery transformer was initially designed to be a spare that would be replaced after 2-3 years, extensive testing has proven the reliability and efficiency of the transformer to be comparable to a typical 365:138 transformer. Furthermore, at $7.5 million, the price of the RecX transformer is on a par with other 365:138 transformers on the market ($6 million to $10 million), which means that a utility could consider this as part of its sparing strategy. Currently, DHS is focused on outreach to get stakeholders RecX-certified.

Paul Parfomak, Congressional Research Service, remarked that there had been significant concern for the replacement of larger transformers, but Ms. Mahmood replied that the basic design for this transformer is applicable to the larger 500 kV and 765 kV classes of transformer as well. However, because there is no longer funding for the RecX program, replacements for these larger transformers are not being developed at this time. Until those transformers are designed, the highest capacity part of the transmission system is still vulnerable to long-term outages. There was a further question about the susceptibility of these transformers to attack—while Ms. Mahmood agreed that these transformers are just as susceptible to a physical attack as those they replaced, the RecX transformer is slightly less susceptible to ground-induced currents and, therefore, EMP weapons.

A final strategy to improve the resilience of the physical infrastructure is improved use of a synchrophasor network, as suggested by both Dr. Bienstock and Dr. Kassakian. According to Dr.
Kassakian, real-time measurements of the grid using a synchrophasor network could enable better control of the load, which is of particular concern during outages involving large portions of the system. This is similar to the arguments of Dr. Bienstock, who illustrated the effectiveness of real-time control algorithms in the case of multiple line failures. In his example, such algorithms limited the cascading losses to 11 outaged lines and 25.5 percent yield as compared to the case without such controls (39.3 percent lost yield and 5,959 outaged lines). However, Dr. Kassakian highlighted the complexity of the problem as well as the resources and timescales involved, noting that such real-time control was only in the demonstration stage in limited regions of the country and was not likely to be widely deployed in the near future.

3
Cybersecurity of the Grid

In order to provide more reliable and efficient service, the electric power delivery system is incorporating an ever increasing amount of data transfer, with communications occurring over a wide array of systems. Massoud Amin, University of Minnesota, noted that the systems have become so intertwined that operators may forget where the data is coming from, citing an anecdote of a power plant operator who was receiving all of his commands over the internet. Granger Morgan, CMU, pointed out that while adding more points of intelligent control can add capacity, stability, and flexibility, it also adds more entry points for cyberattack. Paul Nielsen, Software Engineering Institute, CMU, asked a question about the conundrum facing utilities today: What risk are you willing to accept for capability?

While the sophistication of cyberattacks is increasing, the level of technical knowledge necessary for the attack is decreasing according to both Dr. Nielsen and Patricia Hoffman, DOE (Figure 3-1). Joseph McClelland, FERC, noted that the power sector is an increasing target for cyberattacks, both in the United States and abroad.
Stressing the ubiquitous nature of cyberattacks, Terry Boston, PJM Interconnection, recalled a common saying: “There are two types of people: those who’ve been attacked, and those who don’t know they’ve been attacked.” With such attacks becoming commonplace, it is crucial to understand where the underlying vulnerabilities lie in the electric power delivery system.

Merging of Infrastructures

Galen Rasche, Electric Power Research Institute (EPRI), described the new world that is emerging—just as critical infrastructure has become increasingly integrated with the electric power system, so too has the grid become more reliant upon the communications network (Figure 3-2). An increasing number of sensors applied to the grid allows for both improved flexibility and increasing automation. However, Mr. McClelland noted that such an increase in automation increases the number of on-ramps for cyberattacks. And as Mr. Rasche pointed out, this increased integration with the communications infrastructure can leave the grid vulnerable, as layer upon layer of connectedness results in an increasing amount of trust placed in suppliers.

The legacy systems common in transmission and distribution systems often communicate via insecure protocols, according to Mr. Rasche. One of the biggest challenges in securing this legacy hardware is the fact that these very protocols are created through standards organizations, and such processes are, by design, very slow to change.
Therefore, more robust network, system, and security management protocols are necessary for transmission and distribution systems to identify the types of security faults common to antiquated hardware.

FIGURE 3-1 Average intruder knowledge and attack sophistication as a function of time. SOURCE: Presented at the workshop by Patricia Hoffman, Department of Energy, February 27, 2013; from Howard Lipson, Carnegie Mellon University (CMU) Software Engineering Institute CERT®. Copyright 1998-2011. This CMU and Software Engineering Institute material is furnished on an “as-is” basis. CMU makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for purpose or merchantability, exclusivity, or results obtained from use of the material. CMU does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

FIGURE 3-2 The communications network (top) and electric grid infrastructure (bottom) merged, with smart metering being deployed in homes, sensors being deployed at the distribution infrastructure, and all of this being communicated to users at central control facilities. SOURCE: Galen Rasche, EPRI, workshop presentation, February 27, 2013.

Modernized hardware and software do not necessarily offer increased protection, however. As Fred Hintermeister, North American Electricity Reliability Corporation (NERC), pointed out, supply chain security is critical to ensuring that a particular subsystem is secure, regardless of the system or vendor. Dr. Nielsen agreed, expanding on the necessity of knowing who wrote the software for every component of all of your partners’ systems. While this may seem a daunting task, the increasing number of attacks is pushing hard on utilities and their partners to ensure that their systems are secure at every level. NERC is working with a global network of governmental intelligence sources, vulnerability researchers, and others to develop products that specifically address emergent issues, particularly in the area of cybersecurity. A system is only as secure as its weakest link, and it is a crucial part of established NERC procedure to push mitigation measures out to the relevant bulk power system entities in a timely manner so that they may address the full chain of operations.

FIGURE 3-3 High-profile cyberattacks (2010-2012), with magnification of August through December, 2012. SOURCE: Fred Hintermeister, NERC, workshop presentation, February 27, 2013.

Risk Assessment and Cybersecurity

Given the prevalence of attacks (Figure 3-3), it is crucial to evaluate how best to maintain system integrity with minimal risk. Dr.
Nielsen suggested that appropriate choice of architecture can help make these trades in design by linking the business goals to system goals. Dr. Morgan noted that separate risk assessments could be needed for natural disasters and intelligent agents. While it would be possible to evaluate which architecture is more vulnerable than another to a given susceptibility, the probability of attack relevant to making an analytical choice in system architecture will be substantially different for a natural disaster than for a terrorist threat.

Making such a risk assessment is difficult, according to Mr. Rasche. Because cybersecurity involves the meshing of two networks based on completely different expertise, it is difficult to adopt common protocols for risk analysis. Narain Hingorani, Consultant and National Academy of Engineering member, and Anjan Bose, Washington State University, agreed that cross-expertise and operator training are both significant issues at this interface. Mr. Hintermeister mentioned ongoing work in this area: The NERC Information Sharing and Analysis Center maintains a near-real-time, grid-common operational picture to inform risk assessment and mitigation development and delivery.

Diane Munns, MidAmerican Energy Company, noted that the regulatory bodies are at a particular disadvantage when it comes to both expertise and authority. On top of this, the regulatory process itself is not well designed for cybersecurity, according to Mr. McClelland. NERC can develop standards for reliability and cybersecurity and submit them to FERC, but because the process is both slow and open, it is not adequate for national security purposes—in effect, both the threat and the mitigation strategy are announced through the regulatory process.

Given the nature of the cyberthreat, there was significant discussion over the potential for catastrophic damage, particularly for causing damage to the physical infrastructure. Dr.
Morgan cited recent work at Carnegie Mellon indicating a low probability that a hacker could destabilize the bulk power grid by toggling customer loads via hacked smart meters.[1] However, Mr. McClelland cited both the Aurora test at Idaho National Laboratory[2] and a collaborative project with Lawrence Berkeley National Laboratory to identify critical frequency vulnerabilities for customer load shedding as evidence of the sensitivity of certain aspects of the physical infrastructure to cyberattack.[3] Dr. Amin also suggested such potential vulnerability, though other participants commented that the Aurora experiment in particular was not indicative of a typical utility control system. Regardless of the disagreement over a potential causal link, however, participants from both perspectives agreed that a cyberattack combined with a damaged physical infrastructure would magnify the effectiveness of a terrorist threat, particularly in the event of a coordinated attack on multiple fronts.

[1] A. Narayanan, 2012, The emerging smart grid: Opportunities for increased system reliability and potential security risks, Dissertations, Paper 138, available at http://repository.cmu.edu/dissertations/138.
[2] Video available at http://www.youtube.com/watch?v=fJyWngDco3g.
[3] J. H. Eto, J. Undrill, P. Mackin, R. Daschmans, B. Williams, B. Haney, R. Hunt, J. Ellis, H. Illian, C. Martinez, M. O’Malley, K. Coughlin, and K. Hamachi-LaCommare, 2010, Use of frequency response metrics to assess the planning and operating requirements for reliable integration of variable renewable generation, LBNL-4142E, December, available at http://certs.lbl.gov/pdf/lbnl-4142e.pdf.

Solutions

There are many cybersecurity actions that can be taken to reduce vulnerability to a cyberattack. Most obviously, according to Dr. Amin, wireless and public internet access should be avoided at all costs. Mr.
Boston suggested building the system like a nuclear secure lab, where communication is handled as an information diode that does not “shake hands” with the computer, so that information transfer is one-way.

According to Dr. Amin, the vulnerabilities of centralized control seem to demand smaller, local system configurations. Thus, resilience may depend upon the ability to bridge top-down and bottom-up decision making in real time. This highlights the need for building secure sensing, fast reconfiguration, and self-healing into the infrastructure. Mr. Rasche also recognized the importance of real-time analytics and integrity checking, because these systems cannot simply be taken off-line. Mr. McClelland highlighted the ongoing efforts by FERC to anticipate attacks through pattern recognition as one particular example of real-time analytics that can increase cybersecurity in the power system. Ms. Hoffman also acknowledged the importance of situational awareness: Aggregating monitoring information to develop a “common operating picture” enables real-time prevention and can boost the effectiveness of training exercises. Such an approach should be risk-oriented and data-driven, with the data being linked to actionable knowledge, according to Mr. Hintermeister.

Tabletop exercises on the impact of cyberattacks offer an opportunity for close coordination between information technology experts and power system experts, according to Mr. Rasche. Such penetration testing would be significantly improved through a common metric for cyberresilience. Assessing the vulnerability of a system is difficult, particularly in the case of a zero-day, or previously unknown, vulnerability. How can one measure resilience to an unanticipated event?

Because most utilities do not have an integrated security system, according to Mr. Rasche, devices tend to be upgraded in silos. A more systematic approach would allow correlating events across distributed power systems with the data being collected, as suggested above.
Dr. Amin suggested that the industry should facilitate and encourage design of security at the start and look to include it in standards where appropriate. The certification of vendor products for cyberreadiness would essentially allow for security by default. Mr. Hintermeister pointed out the use of NERC’s HYDRA network of subject matter experts for the technology vendor supply chain. Because reliable operation necessitates security throughout the entire supply chain, it is crucial to approach the problem at both the hardware and software level.

Mr. Boston pointed out that collaboration is key. It is important to leverage industry relationships to share best practices and coordinate response plans. He pointed to the benefits of PJM Interconnection’s partnerships with DHS, the University of Maryland, Boeing, and the Pacific Northwest National Laboratory as evidence of the way in which shared expertise can benefit the industry. While Mr. Hintermeister agreed on the need to embrace partnerships, he stressed that it is important to have empathy for the partners. Everyone has a different role and different concerns, and one must be aware of those additional requirements.

4
Responding to Outages

Though much of the workshop focused on what to do to prevent future outages, Jay Apt, CMU, observed that despite the best efforts of extremely talented power engineers, blackouts will continue to happen, which means that the resilience of the system will inevitably be dependent not just on reducing the number of outages but also on how the system responds to them. Large blackouts can be particularly devastating and happen much more frequently than a normal distribution predicts.
Therefore, Clark Gellings, EPRI, asked the central question: How resilient is the grid to high-impact, low-frequency events?

Restoration of Power

Mike Adibi, IRD Corp., pointed out that the impact of a blackout exponentially increases with the duration of the blackout, and the duration of restoration decreases exponentially with the availability of initial sources of power. For several time-critical loads, quick restoration (minutes rather than hours or even days) is crucial. Blackstart generators,[1] which can be started without any connection to the grid, are a key element in restoring service after a widespread outage. These initial sources of power range from pump-storage hydropower, which can take 5-10 minutes to start, to certain types of combustion turbines, which take on the order of hours. According to Mr. Adibi, automated operation of these generators is more likely to be successful than manual operation; however, he noted that a “conservative operating philosophy” has limited the deployment of devices enabling automatic blackstart operation.

There was some question as to whether requirements of NERC for blackstart generation are sufficient. Mr. Whitley, NYISO, has found that they serve his customers well thus far. Typically, the level of blackstart operation is based on past experience; however, moving forward there may be some challenges owing to reduced reserve margins from phasing out older generators. Mr.
Adibi felt that it is not sufficient to simply set a reserve for the system but that it is important to divide the grid into its respective subsystems and determine whether there is sufficient reserve for these subsystems as well.

[1] A blackstart resource is defined as “a generating unit(s) and its associated set of equipment which has the ability to be started without support from the System or is designed to remain energized without connection to the remainder of the System, with the ability to energize a bus, meeting the Transmission Operator’s restoration plan needs for real and reactive power capability, frequency and voltage control, and that has been included in the Transmission Operator’s restoration plan.” See Glossary of Terms Used in NERC Reliability Standards.

FIGURE 4-1 Center Point Energy personnel repair a downed power line (Houston, TX, September 23, 2005). Utility companies were out early to repair damage caused by Hurricane Rita. SOURCE: Ed Edahl, FEMA.

Beyond the challenge of generator response, there is also a concern for the distribution system, which was touched upon in Chapter 2. John Kassakian, MIT, pointed out that it is crucial to think about the challenges of both restoration and repair. For a limited outage, restoration can be rapid, which will then allow sufficient time for repair to bring the system to full operability, although there may be a challenge for subsurface cables in metropolitan areas. On the other hand, in widespread outages, restoration itself may be a significant barrier, as was the case in the 1965 and 2003 Northeast blackouts. Natural disasters, however, can also lead to significant issues of repair—after Hurricanes Rita and Katrina, full repair of the electric power system took several years (Figure 4-1).
In the case of Hurricane Sandy, David Owens, Edison Electric Institute, and William Ball, Southern Company Services, both pointed out that granting first-responder status to the utilities enabled more rapid response than would occur under normal conditions, which is one way to improve restoration time at the local level.

Critical Services and Community Resilience

Gerald Galloway, University of Maryland, pointed out that economic and social systems are becoming increasingly interdependent. Massoud Amin, University of Minnesota, noted that this interconnectedness is one of the major reasons the electrical grid is an attractive target for terrorist attack—namely, other services have become dependent on the electric power system. David Kaufman, FEMA, recognized that impacts of overlapping interdependency could cascade because the supply chain for many industries has become globalized—for example, according to Mr. Kaufman, truck production in Louisiana was shut down by the earthquake in Japan, which halted the supply of a particular mineral needed for metallic paint. Thus, evaluating resilience in response to a power outage goes far beyond the electric power sector.

Resilience and Risk

According to a recent NRC report,[2] resilience is “the ability to prepare and plan for, absorb, recover from, or more successfully adapt to actual or potential adverse events.” Dr. Apt noted that the services critical to a community are diverse, including elevators, subways, traffic signals, police stations, cell phone towers, grocery stores, ATMs, and gas stations. Joseph McClelland, FERC, pointed out that not only does the electric power system feed into these services, but in some cases it is reliant on these systems as well.
For instance, with a shift in generation fuel from coal to natural gas, the energy sector is increasingly reliant on the natural gas pipeline infrastructure; with events like the Telvent compromise in 2012[3] and the Shamoon cyberattack in 2012[4] in Saudi Arabia and Qatar, resilience to terrorism and natural disaster for the electric power system involves both upstream and downstream dependencies. The natural gas system may be particularly stressed during the winter when it is being used for heating, making the system especially vulnerable to attack. As Susan Tierney, Analysis Group, LLC, pointed out, it is important to view the electric power delivery system in an integrated way: How are the systems of governance and communities of interest affected by the operation of the grid?

[2] National Research Council, 2012, Disaster Resilience: A National Imperative, The National Academies Press, Washington, D.C.
[3] Telvent Canada is a company that provides remote administration and monitoring tools for the energy sector. In September 2012, the company discovered that its internal firewall and security system had been breached by a Chinese hacking group.
[4] Shamoon is a computer virus capable of transmitting information about the files of the infected computer as well as deleting all data from the hard drive. It was first used on August 15, 2012, by hackers from a group called the Cutting Sword of Justice in an attack on Saudi Arabia’s national oil company, Aramco. It was also suspected in a later cyberattack on a large liquefied natural gas company in Qatar, RasGas.

Because risk cannot be completely eliminated, residual risk must be effectively managed according to Dr. Galloway. Much of the work in this area has tended to be based on anecdotal response, and there was significant discussion at the workshop on how to organize these responses in a controlled, systemic way. Currently, a community finds out it is vulnerable when a storm hits, which is obviously suboptimal. Mr. Kaufman agreed, noting that current models of risk assessment are based largely on historical record. Given the shifting environment of the electricity delivery system and the interdependencies among a number of infrastructures, this methodology not only likely underestimates today’s risks, but it is also grossly inadequate for future projects. Miles Keogh, National Association of Regulatory Utility Commissioners, pointed out that there is always a component of residual risk to be managed, and it is crucial for regulators to determine precisely where such risk may be acceptable. Ways of identifying and prioritizing such risk were, however, not discussed at the workshop.

Coordination and Engagement

Mr. Kaufman acknowledged that there is a tremendous amount of ongoing effort to improve community resilience; however, how to engage regulators and other interested parties is unclear. At the community level, planning tends to occur at the “last mile of distribution,” which Mr. Kaufman found appropriate, but on a broader regional scale, the “strategic capacity,” or “wholesale,” level of planning is not filling in. According to Dr. Tierney, there is a significant amount of siloing that restricts the engagement of the relevant regulatory authorities. In a recent discussion of community resilience to power outages in Massachusetts, she observed that there was a quick segmentation into things like emergency generators, responsive backup, and the like.

Various agencies are involved in these issues, but to date it is unclear who is ultimately responsible for coordination and response, which was the central focus of the Massachusetts planning meeting attended by Dr. Tierney.
The agencies might include state emergency management offices; state energy offices, who handle issues such as fuel coordination and waivers for moving product; the public utility commission, which is a rate-setting body; the utilities themselves; fuel operators, which are an unregulated community; standards-setting bodies for reliability at both the federal and local levels (FERC and NERC, respectively); and DHS, which includes FEMA. Mr. Kaufman discussed the role of FEMA in response to Hurricane Sandy to illustrate current federal efforts (Box 4-1).

Despite the breadth of these actors, none of them have any authority except to enlist the involvement of institutions such as hospitals, banks, and police and fire departments, all of which provide critical services for the community. Thus, according to Dr. Tierney, it is difficult to determine what an appropriate role for governance is: How do we think about offering encouragement for participation, and what is a prudent role for the utilities and the utility commissioners? An added complication with any engagement is that much of the information necessary to make good decisions is classified and/or proprietary, but any such decision making needs to be made in the public domain. While there is some agreement to engage in this process under the idea of adaptation, particularly in response to natural disasters and climate change, Dr. Tierney found it problematic to disseminate the best practices for outreach to the relevant parties.

BOX 4-1
Responding to a Crisis: Hurricane Sandy

David Kaufman, Federal Emergency Management Agency, discussed recent government involvement in response to Hurricane Sandy as an illustration of the current level of community engagement. FEMA was involved in two major issues in response to Sandy, the fuel sector and the power sector. In the case of fuel, Mr. Kaufman noted that FEMA was largely responding to developing symptoms instead of addressing a central cause. This led to a focus on how fuel is distributed to the marketplace. In the case of power, FEMA convened calls with major utilities in impacted areas. The agency also mobilized federal military air assets to fly crews to impact areas, though this was a small fraction of the overall utility response. Mr. Kaufman found that because of FEMA’s limited resources, government response was meant not as the main actor but as an accelerant to engage the relevant local groups such as utilities and other service providers. The question then becomes what these relevant industries need from government in order to meet local demand and to then build resilience in those systems.

Solutions

Given the broad scope of resilience, there are a number of areas where action can be taken to improve future responses to natural disasters and terrorist attacks. Patricia Hoffman, DOE, noted that improvements to facilities related to industries that interact with the electric power system could provide increased resilience. Establishing standards and guidelines for fuels facilities, revising current building and rehabilitation codes, and developing alternative system configurations for critical facilities all harden the infrastructure, which could improve resilience to widespread outages. Fred Hintermeister, NERC, noted that the electric power industry is the only industry (apart from nuclear) with mandatory and enforceable critical infrastructure protection standards.

Dr. Galloway stressed a proactive approach as well, noting that building resilience will be more effective in reducing losses of life, property, and economic productivity than other current approaches. This was discussed at length in the NRC report Disaster Resilience: A National Imperative.[5] Dr.
Galloway cited an example from Cedar Rapids, Iowa—in 2008, the town was able to evacuate quickly in response to an unforeseen flood due to the years of preparation for evacuation that it had practiced out of fear of an accident in a nearby nuclear plant. While community resilience does begin with strong local capacity, Dr. Galloway emphasized that a top-down “culture of resilience” approach could address some of the issues of consistency and coordination (Box 4-2). Policies designed to improve national resilience must also take the long-term view to help avoid short-term expedients that can diminish resilience. For example, some policies allow levees to be rebuilt only to the same level as before they were damaged, but not to be improved.

[5] National Research Council, 2012, Disaster Resilience: A National Imperative.

BOX 4-2
Characteristics of a Resilient Nation in 2030

Individuals and communities are their own first line of defense against disasters.
National leadership in resilience exists throughout federal agencies and Congress.
Community-led resilience efforts receive federal, state, and regional investment and support.
Site-specific risk information is readily available, transparent, and effectively communicated.
Zoning ordinances are enacted and enforced. Building codes and retrofit standards are widely adopted and enforced.
A significant proportion of post-disaster recovery is funded through private capital and insurance payouts.
Insurance premiums are risk based.
Community coalitions have contingency plans to provide service particularly to the most vulnerable populations during recovery.
Post-disaster recovery is accelerated by infrastructure redundancy and upgrades.

SOURCE: National Research Council, 2012, Disaster Resilience: A National Imperative, The National Academies Press, Washington, D.C.

Ms. Hoffman cautioned that a national resilience policy should not mean “one size fits all”—each area of the country has its own strengths and its own risks. Mr. Kaufman agreed, challenging the common notion that massive disasters primarily occur along the coasts. According to Mr. Kaufman, the most expensive issue FEMA has been dealing with lately is flooding, but then many of those same areas have successively been dealing with drought. Any such plan should thus recognize that these are systemic issues.

A number of attendees noted how better data sharing could play a role in enhancing community resilience. Dr. Galloway felt that a significant amount of relevant data is hidden from the public, and that it was important to rethink what data is truly worth classification. Mr. Ball did note that the discussions in the power sector are often by necessity going on “below the radar” in a classified setting. Dr. Galloway felt that such data issues can inhibit the ability of workers on the ground to communicate results effectively to decision-makers so that they can be aggregated in a meaningful way. Although they may be useful, tabletop exercises often may not actually handle the underlying problems. Dr. Tierney stressed that the open sharing of best practices would offer significant aid to those areas that have not yet been hit.

Mr. Gellings suggested that it may be possible to leverage new technologies to ensure the continuation of essential missions, even after the grid has failed.
One example cited was a light-emitting-diode traffic light paired with photovoltaics and battery storage, which would allow traffic lights to operate even without a connection to the bulk power system. Photovoltaics could also be used to provide solar chargers for cell phones, thus improving the resilience of the communications system, which is obviously heavily reliant on the electric power system. According to Mr. Gellings, breaker panels are currently being designed that could respond to a photovoltaic array, enabling a customer to select which panels are turned on in a home and run directly from the photovoltaic array when the system is disconnected from the grid.

Granger Morgan, CMU, also stressed the potential impacts of distributed generation and microgrids. For example, in the case of heavily distributed generation, if there were ways to prioritize and select which customers to service, it would be possible to bring online through the distribution system just those components that are critical, such as police stations, ATMs, gas stations, or maybe even schools. Although this approach may not be effective in the case of a natural disaster that disables the distribution circuit (e.g., Hurricane Sandy), Dr. Morgan argued that in some scenarios at least part of the distribution circuit remains intact, capacity that could be used to make critical services far more resilient. This capability is discussed in further detail in Chapter 8 of Terrorism and the Electric Power Delivery System.[6]

[6] National Research Council, 2012, Terrorism and the Electric Power Delivery System, The National Academies Press, Washington, D.C.

5
The Future of the Grid

Technologies discussed at the workshop could shape the electric grid in coming years. Clark Gellings, EPRI, noted that integrating new and existing technologies could address the issues of prevention, recovery, and survivability. Much of this focus is on distributed generation and smart grid technologies.
David Owens, Edison Electric Institute, suggested that an important issue is how to ensure reliability, safety, and fairness, particularly in light of increasing renewable portfolio standards and public policy driving much of the emphasis on distributed generation.

Distributed Generation

Mr. Owens noted that distributed generation can offer stability but will require increased coordination. Currently, utilities look at very discrete customers with distributed power sources, but moving forward there is the potential for a much wider deployment of distributed generation, which could pose a challenge for reliability and safety as power flow becomes a two-way street. Mr. Gellings recognized that such change will be inevitable—the question is not whether more connection is going to happen but how best to adapt when it does (Figure 5-1).

FIGURE 5-1 Operational evolution of the grid, showing a historical diagram of the typical grid structure from 1978 to 2001 (left) compared to the evolving grid structure incorporating microgrids (right). SOURCE: Adapted by Newport from the California Institute for Energy and Environment and presented by David Owens, Edison Electric Institute, February 27, 2013.

One audience participant asked why, if distributed generation is such a certainty, there is not currently a wider deployment of microgrids. Granger Morgan, CMU, pointed to issues with interconnections as well as evolving IEEE standards related to the issue of islanding; additional resilience is one of the benefits of a microgrid, but utilities are also concerned about safety issues with a partially activated system, according to Mr. Owens. There is also significant concern about funding and cost recovery—Mr. Owens pointed out that while there is an increased interest in improvements to the distribution system, much of the investment is falling on the utilities to ensure reliability and eliminate vulnerabilities associated with increased use of distributed generation.
It is difficult to fairly account for these additional costs, many of which are coming under review by FERC and state PUCs. Mr. Owens cited net metering as one particular case that does not adequately account for the fact that a customer’s renewable generation from rooftop solar, for example, is not equivalent to power generated by the grid. John Kassakian, MIT, also pointed to renewable portfolio standards as a key cost burden being placed unfairly on utilities through public policy. Dr. Morgan noted that one policy prohibiting the existence of microgrids in some areas of the country involved exclusive service territory rules¹ and suggested examining the loosening of such rules to allow modest-size microgrids.

¹ K. Twaite, 2012, Monopoly money: Reaping the economic and environmental benefits of microgrids in exclusive utility service territories, Vermont Law Review 35:975-998, available at http://lawreview.vermontlaw.edu/files/2012/02/twaite.pdf.

Because of an increasing focus on distributed sources of generation, energy storage is a particular issue of concern. Patricia Hoffman, DOE, pointed to work with Southern California Edison on an 8-MW Li-ion battery-based storage plant to complement a Tehachapi Pass wind farm as an example of ongoing research in this arena, noting that the evolving grid system needs to be thought about holistically.

The Smart Grid

Much of what has enabled distributed generation is related to smart grid technologies. Anjan Bose, Washington State University, noted that smart metering allows for consideration of distributed load as well as distributed generation. Dr. Bose suggested that the data currently being collected needs to feed into control systems. Mr. Owens pointed out that legacy distribution systems will have to be redeveloped to support such bi-directional and variable power flows safely and reliably.

In addition to greater real-time control, smart grid technologies can be used to reduce load through demand response. Ms. Hoffman pointed to a number of examples of utilities that have used smart grid technologies successfully. On the customer side, Oklahoma Gas and Electric was able to implement time-of-use and variable peak/critical peak pricing to reduce peak load by 30 percent. On the distribution side, automated circuit switches and sensor equipment implemented by the Electric Power Board of Chattanooga are estimated to have reduced customer outage minutes by 40 percent. And on the transmission side, 18 transmission owners within the Western Electricity Coordinating Council are installing and connecting 341 power management units and 62 power distribution centers to modernize transmission in the Western Interconnection. According to Ms. Hoffman, such implementation can enable a truly active distribution system that can be managed cost-effectively through a broad selection of technologies.

6 Summary of Main Points Raised in Workshop Discussions

Speakers and other participants discussed many interesting aspects of the committee’s results, what has changed in recent years, and how lessons learned about the grid’s resilience to terrorism could also be applied to threats from natural disasters.
This chapter recaps points made by individuals at the workshop; none of the following statements should be construed as consensus findings, conclusions, or recommendations.

Many workshop participants observed that Terrorism and the Electric Power Delivery System¹ is still relevant, although various participants identified notable developments since the report was written, including a growing sophistication of cyber-attacks, improvement in the availability of replacement transformers, increased recognition of the significance of several high-profile natural disasters, and increased use of intermittent renewable energy technologies.

There have been several high-profile natural disasters since the report was published. Although the report was written to address resilience of the power grid to terrorism, many similarities with resilience to natural disasters were identified by workshop participants. As noted, the apparently increasing frequency and severity of natural disasters are a further reason that reducing the vulnerability of the grid will be beneficial.

The risk of outages, whether from terrorism or natural causes, cannot be eliminated, but some participants suggested ways that their frequency, extent, and duration could be reduced by making the system more robust, and the effects of catastrophes mitigated by advance planning and preparation.

Industry participants, notably, advanced the view that the vulnerability of large power transformers at substations is still a major concern. Some noted that the loss of even one at a substation could incapacitate the substation until a replacement could be supplied, which could take months.
Participants identified progress made by the Department of Homeland Security toward a standardized design recovery transformer but continued to express concern about the issue, observing that advance planning can significantly reduce recovery time following a terrorist attack or major disaster such as Hurricane Sandy.

Some participants observed that improved instrumentation and controls over power flow on the grid could reduce the extent of outages as well as facilitate the integration of renewable energy sources.

Cyberattacks have become more frequent and more sophisticated since the report was written, and some participants noted that, as control of the grid becomes increasingly dispersed, the ability to resist and respond to cyber threats could depend on an increasing use of real-time analytics, a secure supply chain, and redundant control centers. They observed, however, that all components of the control system must be built with high security, or the security of the entire system may be compromised. A number of workshop presentations that recapped ongoing efforts by NERC and the National Institute of Standards and Technology to develop a framework for supply chain security prompted some participants to conclude that while these efforts are beneficial overall, such efforts do not necessarily address how to identify key risk factors given a diverse set of system configurations.

¹ National Research Council, 2012, Terrorism and the Electric Power Delivery System, The National Academies Press, Washington, D.C.

The workshop discussion of recent natural disasters such as Hurricanes Katrina and Sandy has exposed how crucial the electric power delivery system is for providing basic needs such as medical services and fuel. One participant suggested that understanding the threats posed by natural disasters and terrorist attacks requires a holistic view of risk assessment for both the grid and those sectors which rely on its services.
Other participants noted that improving the resilience of critical service providers such as banks, gas stations, or hospitals may not fall directly within the electric power system’s purview, but such projects may prove too costly for many industries to undertake on their own.

Numerous workshop participants expressed concern over the depth of technical expertise available to many regulatory bodies, particularly as it pertains to cybersecurity and the range of technical challenges affecting the performance of the power grid that have developed in recent years, and the pace at which they are appearing. They observed that, without clear metrics for cybersecurity, in particular, it is difficult for regulatory agencies to understand the types of risk associated with different configurations and architectures of control systems and the value of protective measures.

Workshop on the Resilience of Electric Power System to Terrorism and Natural Disasters
National Academy of Sciences, Washington, DC
February 27-28, 2013

Appendix A
Authorship of Terrorism and the Electric Power Delivery System

Committee on Enhancing the Robustness and Resilience of Future Electric Transmission and Distribution in the United States to Terrorist Attack

M. Granger Morgan, NAS,¹ Carnegie Mellon University, Chair
Massoud Amin, University of Minnesota
Edward V. Badolato,² Integrated Infrastructure Analytics, Inc.
William O. Ball, Southern Company Services
Anjan Bose, NAE,³ Washington State University
Clark W. Gellings, Electric Power Research Institute
Michehl R. Gent, North American Electric Reliability Corporation (retired)
Diane Munns, MidAmerican Energy Company
Sharon L. Nelson, State of Washington Attorney General’s Office (retired)
David K. Owens, Edison Electric Institute
Louis L. Rana, Consolidated Edison Company (retired)
B. Don Russell, Jr., NAE, Texas A&M University
Richard E. Schuler, Cornell University
Philip R. Sharp, Resources for the Future
Carson Taylor, NAE, Bonneville Power Administration (retired)
Susan F. Tierney, Analysis Group, LLC
Vijay Vittal, NAE, Arizona State University
Paul Whitstock, Marsh, Inc.

Staff

Alan Crane, Study Director
Duncan Brown, Senior Program Officer
Harrison T. Pannella, Senior Program Officer (until July 2007)
James J. Zucchetto, Director, Board on Energy and Environmental Systems
Penelope Gibbs, Senior Program Associate

¹ National Academy of Sciences.
² The committee notes with regret Edward Badolato’s death in November 2008.
³ National Academy of Engineering.

Appendix B
Workshop Participants

Invited Speakers

Mike Adibi, IRD Corp.
Jay Apt, Carnegie Mellon University
Daniel Bienstock, Columbia University
Terry Boston, PJM Interconnection
Gerry Galloway, University of Maryland
Fred Hintermeister, North American Energy Reliability Corporation
Patricia Hoffman, Department of Energy
John Kassakian, Massachusetts Institute of Technology
David Kaufman, Federal Emergency Management Agency
Miles Keogh, National Association of Regulatory Utility Commissioners
Sarah Mahmood, Department of Homeland Security
Joseph McClelland, Federal Energy Regulatory Commission
Paul Nielsen, Software Engineering Institute
Galen Rasche, Electric Power Research Institute
Steve Whitley, New York Independent System Operator

Committee on Enhancing the Robustness and Resilience of Future Electric Transmission and Distribution in the United States to Terrorist Attack

Massoud Amin, University of Minnesota
William Ball, Southern Company Services
Anjan Bose, Washington State University
Clark Gellings, Electric Power Research Institute
M. Granger Morgan, Carnegie Mellon University
Diane Munns, MidAmerican Energy Company
David Owens, Edison Electric Institute
Richard Schuler, Cornell University
Carson Taylor, Bonneville Power Administration (retired)
Susan F. Tierney, Analysis Group, LLC
Vijay Vittal, Arizona State University
Paul Whitstock, Marsh, Inc.

Workshop Attendees

Maria Amodio, ITTA
Paul Beaton, National Academy of Sciences
Gerald Blazey, Office of Science and Technology Policy
John Bobrowich, Wisconsin Energy Research Consortium
Mark Bryfogle, Anlage Research
Michelle Dallafior, Department of Energy
Jonathan DeVilbiss, U.S. Energy Information Administration
Tammy Dickinson, Office of Science and Technology Policy
Iris Ferguson, Department of Commerce
Louise Fickel, Department of Energy
Sue Gander, National Governors Association
Michael Gilmore, U.S. Government Accountability Office
Sherri Goodman, CNA
Barbara Granito, National Academy of Sciences
Sharon Grant, Carnegie Mellon University
Charles Gray, National Association of Regulatory Utility Commissioners
Tom Henneberg, Boeing BDS Ventures / Boeing Energy
Narain Hingorani, Consultant and National Academy of Engineering member
Michael Hsieh, Defense Advanced Research Projects Agency
Katie Jereza, Energetics, Inc.
Henry Kilpatrick, Econpolicy
Leanne Kuehnle, Federal Energy Regulatory Commission
Vincent Le, Federal Energy Regulatory Commission
Mark Lively, Utility Economic Engineers
A.J. Maltenfort, i_SW Corporation
Ellory Matzner, Institute for Defense Analysis-Science and Technology Policy Institute
Ed May, Itron
Lamine Mili, Virginia Polytechnic Institute and State University
Paul Mohler, Law Offices of Paul B. Mohler PLC
Paul Parfomak, Congressional Research Service
Barbara Pope, The National Academies
Chris Schepis, House Committee on Homeland Security
Julian Silk, University of Maryland-University College
Terrell Smith, The National Academies
Andrea Spring, Federal Energy Regulatory Commission
Sam Taylor, National Academy of Sciences
R. Cornell Teague, House Appropriations Committee-Homeland Security
Mitzi Wertheim, Naval Postgraduate School
Greg Wilshusen, U.S. Government Accountability Office
Orhan Yildiz, U.S. Energy Information Administration

Appendix C
Workshop Presentations and Discussions

WEDNESDAY, FEBRUARY 27, 2013

Welcome
Ralph Cicerone, President, National Academy of Sciences
Peter Blair, Executive Director, Division on Engineering and Physical Sciences, National Research Council

Review of Terrorism and the Electric Power Delivery System
Granger Morgan, Carnegie Mellon University (NRC Panel Chair) - Presentation

Current and Future Needs for the Electric Power Delivery System
Panel Discussion
Massoud Amin, University of Minnesota (cyber security needs) - Presentation
David Owens, Edison Electric Institute (physical infrastructure needs) - Presentation
Jay Apt, Carnegie Mellon University (mitigation and restoration) - Presentation
Sue Tierney, Analysis Group (resilience and critical services)

DOE: A Key Partner in Ensuring a More Resilient and Secure Electric Power Delivery System
Patricia Hoffman, Department of Energy - Presentation

What Is Industry’s Role Moving Forward?
Fred Hintermeister, North American Electric Reliability Corporation - Presentation

Cyber Security Needs

Understanding Critical Cyber Vulnerabilities
Panel Discussion
Galen Rasche, Electric Power Research Institute - Presentation
Paul Nielsen, Software Engineering Institute
Terry Boston, PJM Interconnection - Presentation

Open Discussion on Cyber Security of the Grid
Moderated by Massoud Amin, University of Minnesota - Presentation

THURSDAY, FEBRUARY 28, 2013

Welcome and Introduction
Granger Morgan, Carnegie Mellon University (NRC Panel Chair)

Physical Vulnerability

The Future of the Electric Grid
John Kassakian, Massachusetts Institute of Technology - Presentation

The DHS transformer program
Sarah Mahmood, Department of Homeland Security - Presentation followed by Q&A

Open Discussion on the Physical Vulnerability of the Grid
Moderated by David Owens, Edison Electric Institute

Mitigation and Restoration

Power Disruptions in the United States and Improving Restoration of Service
Panel Discussion
Daniel Bienstock, Columbia University - Presentation
Steve Whitley, NYISO - Presentation
Mike Adibi, IRD Corp. - Presentation

Open Discussion on Mitigation and Response
Moderated by Jay Apt, Carnegie Mellon University

Resilience and Critical Services

Reducing Risk and Increasing National Resilience
Panel Discussion
Gerry Galloway, University of Maryland (NRC Committee on Disaster Resilience) - Presentation
David Kaufman, DHS/Federal Emergency Management Agency

Open Discussion on Resilience
Moderated by Sue Tierney, Analysis Group

What Can We Do to Move Forward?
(Q&A following each speaker)

The Regulatory Environment
Joseph McClelland, Federal Energy Regulatory Commission

How Policy Will Shape Utilities Moving Forward
Miles Keogh, National Association of Regulatory Utility Commissioners

Open Discussion on Policy Options
Moderated by Granger Morgan, Carnegie Mellon University (NRC Panel Chair)

Research and Development Opportunities
Clark Gellings, Electric Power Research Institute - Presentation

Closing Remarks
Granger Morgan, Carnegie Mellon University (NRC Panel Chair)