August 13, 2005
The Terrorist and the Grid
By GREGORY S. McNEAL
Cleveland
AFTER the blackout of 2003, addressing the vulnerabilities of America's electrical grid was a top priority. Not only was the creaky system going to be repaired and restructured, its key facilities were going to be reinforced to guard against terrorism. After all, Al Qaeda documents suggest that terrorists have considered attacking the grid, which would cause chaos, wreak economic havoc, and possibly cost lives.
So here we are, nearly two years later, and is the grid safer? Sadly, no.
Terrorists could still send a nation as powerful and modernized as the United States into the dark ages for weeks.
Here's why. Our electrical grid distributes energy throughout the nation on an as-needed basis. Generators transmit power over high-voltage lines using electrical substations. These substations are controlled by an enormous computerized switching system. This system uses sophisticated and difficult-to-replace solid-state and electro-mechanical relays. The relays prevent overloads and other failures from crippling the grid's electrical equipment and transmission facilities. Herein lies the vulnerability.
The relays are housed in lightly protected buildings next to substations.
While barbed-wire fences protect the substations themselves, there is little to safeguard the switching stations. In most cases only aluminum prefabricated buildings house and protect the switching computers and relays. (There are hundreds of these stations in the United States, but some are more important than others because of the amount of energy they handle.)
To attack the grid, a terrorist need only study publicly available trade journals, which explain where new facilities are constructed. These journals document both the transmission capacity of switching stations and the geographic areas for which they are responsible. A terrorist could then disable a particular system by destroying the computers and relays housed in the poorly protected building.
An attack on one facility would likely plunge the served area into immediate darkness and, depending on the size of the substation, would cause a significant strain on the rest of the electrical grid, particularly in summer, when usage is at its peak. A coordinated attack on four or five critical sites could send much of the nation into darkness for weeks.
Consider this: it takes days to make repairs during even small-scale outages because each station has customized equipment. Faced with the damage from a coordinated attack, technicians would need weeks to find the components necessary to repair these specialized computer systems. After acquiring these components, the technicians would then face the laborious task of properly programming and rewiring the systems.
What can we do? It's not complicated: government and industry need to harden security at these lightly guarded facilities - starting with the ones that control the most power and working down from there. The energy industry is well aware of our vulnerability, but it simply hasn't done enough to bolster security because of the enormous cost of protecting critical substations.
True, security doesn't come cheap. Safeguarding federal buildings following the Oklahoma City bombings cost more than $1 billion. Securing electrical substations would cost at least as much. But the price of a nationwide outage would dwarf that figure. The Department of Homeland Security and Department of Energy must pass regulations to ensure that the energy industry protects critical substations. We must act before our enemies do.
Gregory S. McNeal is a research fellow at the Case Western Reserve University School of Law's Institute for Global Security Law and Policy.
Copyright 2005 The New York Times Company Home Privacy Policy Search Corrections XML Help Contact Us Work for Us Back to Top
----------------------------------------------------------------------------
----
August 13, 2005
Caught Up in Our Own Connections
By THOMAS HOMER-DIXON
Toronto
THE blackout that left 50 million North Americans without power two years ago tomorrow seems like something from the distant past, buried in our memories under a jumble of more recent events. And in any case, can't we assume that our engineers and systems analysts studied the event, filed their reports, and tweaked the grid so it could never happen again?
Certainly these experts learned many things and made many adjustments. But none would argue that we've eliminated the risk of another major blackout.
Our grid's fragility results from a tangle of factors - soaring electricity demand, aging power plants and sometimes-rigid bureaucracies - that will be addressed only with huge investments of money, time and political capital.
But perhaps the most important factor contributing to our continuing vulnerability is something that we rarely recognize and that's even harder to change: a belief that greater connectivity and speed in all aspects of society are always good things.
Yes, our highly connected world has given us great benefits, but it has sometimes made our technological, economic and social systems far less resilient - that is, more susceptible to sudden and catastrophic breakdown.
In the economy, competition tends to tighten the connections between us, as companies naturally want to get the jump on competitors by doing things faster and cheaper. They squeeze out waste and reduce slack in all parts of their production and distribution processes by, for instance, introducing just-in-time production systems to keep inventories to a minimum.
While greater connectivity allows companies larger profits, and gives society better ways to combine diverse ideas, skills and resources, it also harbors dangers. Most obviously, damage in one part of a system - whether it's a voltage surge in the electrical grid, a new disease in a far-off country, or the sudden devaluation of a key currency - can cascade farther and faster to other parts of the system.
Less obviously, as a system becomes more complex, it can become opaque to its managers. They might understand the bits and pieces they work on, but not what happens when all the bits and pieces interact together. The 2003 blackout is again a good example. Deregulation of the grid in the 1990's caused long-distance electricity sales to skyrocket, vastly increasing the connectivity and complexity of the whole electrical system. At the time of the blackout, this system included 6,000 power plants run by 3,000 utilities overseen by 142 regional control rooms.
Yet the system's technicians were often uncertain about its behavior because they were still trying to manage it using rules developed decades earlier when most power was generated reasonably close to its consumers. In this environment, as one expert said, they needed the reflexes of a"combat pilot managing an aircraft that has been badly damaged" to cope with the grid's complexity and speed. Little surprise, then, that it eventually crashed.
How can we reduce the dangers? The answers will vary from system to system, but some general principles are clear. First, we need to encourage distributed and decentralized production of vital goods like energy and food. The more power we produce with solar panels on our rooftops, the less vulnerable we'll be to energy disruptions far away. Second, we need to remember that slack isn't always waste: a manufacturing company with a large inventory may lose some money on warehousing, but it can keep running even if its suppliers are temporarily out of action. Finally, we need to be more selective about increasing the connectivity and speed of our critical systems because sometimes the costs outweigh the benefits.
These ideas fly in the face of the conventional wisdom that we should strive for ever-greater economic efficiency. And perhaps that's why politicians rarely acknowledge the importance of resilience. The evidence that they don't is as close as the nearest gas pump: today's high gasoline prices include a stiff risk premium because there's virtually no slack in the world's tightly coupled oil economy.
For decades, the United States has become increasingly exposed to disruptions of its foreign oil supply. Now the country imports nearly two-thirds of its petroleum, and 95 percent of the energy for its transport system - the backbone of its economy - comes from oil. The energy bill signed by President Bush this week does virtually nothing to address this appalling vulnerability. Clearly, it's going to take more than a blackout to make the point that in an efficient world, catastrophes can be very efficient, too.
Thomas Homer-Dixon is director of the Trudeau Center for Peace and Conflict Studies at the University of Toronto.
Copyright 2005 The New York Times Company Home Privacy Policy Search Corrections XML Help Contact Us Work for Us Back to Top
The Terrorist and the Grid
By GREGORY S. McNEAL
Cleveland
AFTER the blackout of 2003, addressing the vulnerabilities of America's electrical grid was a top priority. Not only was the creaky system going to be repaired and restructured, its key facilities were going to be reinforced to guard against terrorism. After all, Al Qaeda documents suggest that terrorists have considered attacking the grid, which would cause chaos, wreak economic havoc, and possibly cost lives.
So here we are, nearly two years later, and is the grid safer? Sadly, no.
Terrorists could still send a nation as powerful and modernized as the United States into the dark ages for weeks.
Here's why. Our electrical grid distributes energy throughout the nation on an as-needed basis. Generators transmit power over high-voltage lines using electrical substations. These substations are controlled by an enormous computerized switching system. This system uses sophisticated and difficult-to-replace solid-state and electro-mechanical relays. The relays prevent overloads and other failures from crippling the grid's electrical equipment and transmission facilities. Herein lies the vulnerability.
The relays are housed in lightly protected buildings next to substations.
While barbed-wire fences protect the substations themselves, there is little to safeguard the switching stations. In most cases only aluminum prefabricated buildings house and protect the switching computers and relays. (There are hundreds of these stations in the United States, but some are more important than others because of the amount of energy they handle.)
To attack the grid, a terrorist need only study publicly available trade journals, which explain where new facilities are constructed. These journals document both the transmission capacity of switching stations and the geographic areas for which they are responsible. A terrorist could then disable a particular system by destroying the computers and relays housed in the poorly protected building.
An attack on one facility would likely plunge the served area into immediate darkness and, depending on the size of the substation, would cause a significant strain on the rest of the electrical grid, particularly in summer, when usage is at its peak. A coordinated attack on four or five critical sites could send much of the nation into darkness for weeks.
Consider this: it takes days to make repairs during even small-scale outages because each station has customized equipment. Faced with the damage from a coordinated attack, technicians would need weeks to find the components necessary to repair these specialized computer systems. After acquiring these components, the technicians would then face the laborious task of properly programming and rewiring the systems.
What can we do? It's not complicated: government and industry need to harden security at these lightly guarded facilities - starting with the ones that control the most power and working down from there. The energy industry is well aware of our vulnerability, but it simply hasn't done enough to bolster security because of the enormous cost of protecting critical substations.
True, security doesn't come cheap. Safeguarding federal buildings following the Oklahoma City bombings cost more than $1 billion. Securing electrical substations would cost at least as much. But the price of a nationwide outage would dwarf that figure. The Department of Homeland Security and Department of Energy must pass regulations to ensure that the energy industry protects critical substations. We must act before our enemies do.
Gregory S. McNeal is a research fellow at the Case Western Reserve University School of Law's Institute for Global Security Law and Policy.
Copyright 2005 The New York Times Company Home Privacy Policy Search Corrections XML Help Contact Us Work for Us Back to Top
----------------------------------------------------------------------------
----
August 13, 2005
Caught Up in Our Own Connections
By THOMAS HOMER-DIXON
Toronto
THE blackout that left 50 million North Americans without power two years ago tomorrow seems like something from the distant past, buried in our memories under a jumble of more recent events. And in any case, can't we assume that our engineers and systems analysts studied the event, filed their reports, and tweaked the grid so it could never happen again?
Certainly these experts learned many things and made many adjustments. But none would argue that we've eliminated the risk of another major blackout.
Our grid's fragility results from a tangle of factors - soaring electricity demand, aging power plants and sometimes-rigid bureaucracies - that will be addressed only with huge investments of money, time and political capital.
But perhaps the most important factor contributing to our continuing vulnerability is something that we rarely recognize and that's even harder to change: a belief that greater connectivity and speed in all aspects of society are always good things.
Yes, our highly connected world has given us great benefits, but it has sometimes made our technological, economic and social systems far less resilient - that is, more susceptible to sudden and catastrophic breakdown.
In the economy, competition tends to tighten the connections between us, as companies naturally want to get the jump on competitors by doing things faster and cheaper. They squeeze out waste and reduce slack in all parts of their production and distribution processes by, for instance, introducing just-in-time production systems to keep inventories to a minimum.
While greater connectivity allows companies larger profits, and gives society better ways to combine diverse ideas, skills and resources, it also harbors dangers. Most obviously, damage in one part of a system - whether it's a voltage surge in the electrical grid, a new disease in a far-off country, or the sudden devaluation of a key currency - can cascade farther and faster to other parts of the system.
Less obviously, as a system becomes more complex, it can become opaque to its managers. They might understand the bits and pieces they work on, but not what happens when all the bits and pieces interact together. The 2003 blackout is again a good example. Deregulation of the grid in the 1990's caused long-distance electricity sales to skyrocket, vastly increasing the connectivity and complexity of the whole electrical system. At the time of the blackout, this system included 6,000 power plants run by 3,000 utilities overseen by 142 regional control rooms.
Yet the system's technicians were often uncertain about its behavior because they were still trying to manage it using rules developed decades earlier when most power was generated reasonably close to its consumers. In this environment, as one expert said, they needed the reflexes of a"combat pilot managing an aircraft that has been badly damaged" to cope with the grid's complexity and speed. Little surprise, then, that it eventually crashed.
How can we reduce the dangers? The answers will vary from system to system, but some general principles are clear. First, we need to encourage distributed and decentralized production of vital goods like energy and food. The more power we produce with solar panels on our rooftops, the less vulnerable we'll be to energy disruptions far away. Second, we need to remember that slack isn't always waste: a manufacturing company with a large inventory may lose some money on warehousing, but it can keep running even if its suppliers are temporarily out of action. Finally, we need to be more selective about increasing the connectivity and speed of our critical systems because sometimes the costs outweigh the benefits.
These ideas fly in the face of the conventional wisdom that we should strive for ever-greater economic efficiency. And perhaps that's why politicians rarely acknowledge the importance of resilience. The evidence that they don't is as close as the nearest gas pump: today's high gasoline prices include a stiff risk premium because there's virtually no slack in the world's tightly coupled oil economy.
For decades, the United States has become increasingly exposed to disruptions of its foreign oil supply. Now the country imports nearly two-thirds of its petroleum, and 95 percent of the energy for its transport system - the backbone of its economy - comes from oil. The energy bill signed by President Bush this week does virtually nothing to address this appalling vulnerability. Clearly, it's going to take more than a blackout to make the point that in an efficient world, catastrophes can be very efficient, too.
Thomas Homer-Dixon is director of the Trudeau Center for Peace and Conflict Studies at the University of Toronto.
Copyright 2005 The New York Times Company Home Privacy Policy Search Corrections XML Help Contact Us Work for Us Back to Top
