Double threat: US grid vulnerable on two fronts

Consensus is growing that the U.S. electricity grid is vulnerable to both hacking and physical attacks, but protecting it remains a work in progress—especially given the spending that would be necessary by financially stretched utilities.

The risks have heightened the calls for officials to address potential threats before they become reality. In November, the North American Energy Reliability Corp. staged a simulated attack on the grid; meanwhile, House Energy and Commerce Committee ranking member Rep. Henry Waxman, D.-Calif., flagged the grid as "not adequately protected" from either cyber or physical attacks at a hearing in December.

Guy Crittenden | Workbook | Getty Images

M. Granger Morgan, the head of engineering and public policy at Carnegie Mellon University, told CNBC that a physical attack on the grid poses a "much greater threat" than a cyberattack. Still, he added that vulnerabilities within the technological network of the power system itself require "real and urgent attenuation."

Government regulators "have a responsibility to establish mandates to increase security," said Granger, one of the authors of a National Academy of Sciences report that outlined risks to the grid.

Meanwhile, utilities and independent system operators "have a responsibility to meet those mandates and also to do continual audits and surveillance," Granger added.

(Read more: US power grid system to undergo simulated attack)

Options include enhanced sensors that can detect breaches or unauthorized personnel, limits on the electronic pathways to external systems, and more physical surveillance.

Notable blackouts

Date Location Notable Consequences
2002PhilippinesHalf of country affected by power plant outages
2003AlgeriaEntire country affected by power plant breakdown
2003DenmarkPower to 5 million customers interrupted by a transmission line fault
2003Georgia, Eastern EuropeEntire country affected by transmission tower collapse
2003North Carolina, VirginiaPower to 2,200,200 customers interrupted by Hurricane Isabel
August 14, 2003Midwestern and northeastern United States, southeastern CanadaPower to 50 million customers interrupted; estimated social costs from $4 billion to $10 billion; massive traffic jams in New York City (U.S.-Canada, 2004)
August 30, 2003LondonPower to 410,000 customers interrupted by incorrect relay operation
September 18, 2003Tidewater region, United StatesPower to 4 million customers interrupted
September 23, 2003Denmark and SwedenPower to 4 million customers interrupted
August 24, 1992FloridaPower to 1 million customers interrupted
September 27, 2003ItalyPower to 57 million customers interrupted; at least 5 people died; 30,000 passengers stranded in trains for hours (BBC, 2003; CNN, 2003)
2004Florida, AlabamaPower to 5 million customers interrupted by Hurricanes Charley, Frances, Ivan, and Jeanne over a 6-week period
2004Kyushu, JapanPower to 1 million customers interrupted by typhoon
July 12, 2004Southern GreeceVoltage instability as a result of high power transfers into Greece; operatorinitiated load shedding unable to prevent voltage collapse; blackout a cause of additional concern due to proximity to 2004 Olympic games
2005Alabama, Florida, Louisiana, and MississippiPower to 2.2 million customers interrupted by Hurricane Katrina
2005MoscowPower to 1.5 million to 2 million customers interrupted by explosion and fire at substation
May 24, 2005MoscowPower to 4 million customers (2,500 MW) interrupted
September 12, 2005Los AngelesLarge portion of city lost power because error in substation tripped several circuit breakers

Source: Source: NAS

"If they could gain access, hackers could manipulate [control and data] systems to disrupt the flow of electricity…block the flow of vital information, or disable protective systems," says the NAS report, adding that a successful attack could "entail costs of hundreds of billions of dollars," and could render entire swaths of the country helpless to extreme weather.

In November, the Federal Energy Regulatory Commission (FERC) green-lit new reliability standards, some of which are designed to boost information sharing, security audits and contingency planning for mass power outages.

Engineers have warned for years that the nation's power grid is vulnerable to potential foul play. Even as many doubt a cyberattack alone would prove crippling, a combination of both a physical and a technological attack could wreak havoc and prove economically destabilizing.

An attack involving firearms on a San Jose, Calif.-based power station in April, initially dismissed as vandalism, has more recently seen investigators referring to a "higher level of planning and sophistication," according to a report in Foreign Policy magazine. The incident was recently referred to the Federal Bureau of Investigation.

Utility spending already stretched

Protecting the nation's power grid from threats
Protecting the nation's power grid from threats

Yet moves to create a "smart" and more secure grid are still very much a work in progress, and come at a substantial cost. Regulated U.S. utilities already spent about $70 billion on capital expenditures in 2013, according to a recent study by Moody's Investor Service. Moves to sink money into an enhanced grid that can withstand unique 21st century-challenges may cause that price tag to swell.

"The electric utility industry is facing significant financial pressure as capital spending rises with requirements to upgrade aging infrastructure," said management consulting firm Deloitte & Touche in its 2013 outlook on power and utilities.

"Capital expenditures in the U.S. over the next 20 years are expected to cumulatively total well over $3 trillion," the firm added—with the bulk of that expected to be allocated to nonsecurity related initiatives.

While power companies have ramped up investments in the grid, observers say those efforts fall short of what's needed in the long term, especially since electricity regulation is fragmented across states.

(Read more: Energy mergers, yes. Neglected grid? Probably not)

"The electric industry, largely motivated by the 2003 blackout, has undergone a huge effort to ensure the reliability of the electric grid," said Joel DeJesus, an attorney at Schiff Hardin and former official at the North American Electric Reliability Council, an industry group that focuses on regulatory policy.

"The industry is doing all it can do, but cybersecurity issues are constantly evolving," DeJesus said. "There is no 100 percent guarantee that [power] assets will be fully protected."

—By CNBC's Javier E. David

Recommended Video
Protecting the nation's power grid from threats
Protecting the nation's power grid from threats