Panel Paper: Physical and Cyber-Enabled Attacks on U.S. Electric Grid Infrastructure: A National Security Threat

Thursday, November 8, 2018
8228 - Lobby Level (Marriott Wardman Park)


Jenna McGrath, Georgia Institute of Technology


The electricity infrastructure in the United States is vulnerable not only to weather events and technical and human errors, but also to malicious, intentional attacks. This vulnerability has been evident for decades; between 1970 and 2017, there have been nearly 100 suspected and confirmed physical attacks on grid infrastructure, excluding incidents of vandalism. The electricity industry has also seen an increase in cyberattacks, though cyberattacks are both reported on less frequently and more difficult to confirm. Given the vastness and age of the U.S. electricity infrastructure, it is difficult to maintain proper security across all of the sites. However, in light of recent attacks on the grid, the federal government and utility operators have focused more on improving not only grid infrastructure technology but also the physical and cyber security of the sites, with improvements tending to start at the most vulnerable and critical locations.

One of the more publicized and costly physical attacks on the grid occurred in 2013 at the Metcalf Power Station, located in San Jose, California. This attack, which resulted in $15 million in damages and required the substation to be shut down for three while initial repairs took place, served as a catalyst for a series of attack mitigation strategies aimed at improving grid security. To prevent a similar attack from happening again, utility companies and the North American Electric Reliability Corporation (NERC) outlined a range of security improvement measures, including more robust physical barriers around key infrastructure, additional security technology and security personnel on site, and new risk mitigation audits to identify vulnerabilities and communicate about them among sites.

This research first explores the motivating factors for grid owners and operators to invest in both physical and cyber security improvements and whether basic improvements actually help mitigate attacks. Given what is known about past attack methods and what is suspected for potential attacks, will the security improvement strategies adequately mitigate future threats? Next, compared to incidents that cause significant damages in other critical infrastructure sectors (as defined by the Department of Homeland Security), how do policymakers respond to attacks against the electrical infrastructure sector? Is there a relationship between monetary damages and policy response? To answer these questions, attack scenarios are modeled using data from past grid attacks as well as major incidents that caused monetary damages across the other critical infrastructure sectors. Preliminary results indicate that physical and cybersecurity improvement regulations need to consider not only past attacks against the grid, but also what can reasonably be anticipated for future sophisticated and coordinated attack methods.