A POLITICO analysis of federal data and interviews with a dozen security, extremism and electricity experts revealed that despite a record surge in attacks on the grid nationwide, communication gaps between law enforcement and state and federal regulators have left many officials largely in the dark about the extent of the threat. They have also hampered efforts to safeguard the power network.
Adding to the difficulties, no single agency keeps a complete record of all such incidents. But the attacks they know about have regulators and other power experts alarmed:
— Utilities reported 60 incidents they characterized as physical threats or attacks on major grid infrastructure, in addition to two cyberattacks, during the first three months of 2023 alone, according to mandatory disclosures they filed with the Department of Energy. That’s more than double the number from the same period last year. DOE has not yet released data past March.
— Nine of this year’s attacks led to power disruptions, the DOE records indicate.
— The U.S. is on pace to meet or exceed last year’s record of 164 major cyber and physical attacks.
— And additional analyses imply that the true number of incidents for both 2022 and 2023 is probably even higher. POLITICO’s analysis found several incidents that utilities had reported to homeland security officials but did not show up in DOE data.
According to a report on grid security compiled by a power industry cyber clearinghouse, obtained by POLITICO, a total of 1,665 security incidents involving the U.S. and Canadian power grids occurred last year. That count included 60 incidents that led to outages, 71 percent more than in 2021.
While that report does not break down how many of those incidents occurred in which country, the U.S. has a significantly larger grid, serving 145 million homes and businesses, with nearly seven times Canada’s power-generating capacity.
Law enforcement officials have blamed much of the rise in grid assaults on white nationalist and far-right extremists, who they say are using online forums to spread tactical advice on how to shut down the power supply.
Concerns about the attacks have continued in recent months, with incidents including a June indictment of an Idaho man accused of shooting two hydroelectric stations in the state.
But law enforcement officers investigating alleged plots against the grid don’t necessarily alert the Energy Department or other regulatory bodies.
“We have no idea” how many attacks on the grid are occurring, said Jon Wellinghoff, a former chair of the Federal Energy Regulatory Commission, which regulates the U.S. electric grid. “It looks like they’re escalating if you look at the data. But if you don’t have enough data, you can’t discern patterns and proactively work to stop these things from happening.”
Wellinghoff was FERC’s chair when an unknown sniper attacked a Pacific Gas and Electric substation in San Jose, Calif., in 2013 — an incident regulators have described as a “wake-up call” on the electricity supply’s vulnerability to sabotage.
Last year’s record number of physical and cyber disruptions to the U.S. power system included several incidents that captured public attention, such as a December shooting attack against two North Carolina substations that left 45,000 people without power for four days. The state’s medical examiner has blamed the attack for the death of an 87-year-old woman who died after her oxygen machine failed, ruling it a homicide. Nobody has been charged.
“There is no doubt there’s been an uptick over the last three years in the amount of incidents and also the severity of the incidents,” said Manny Cancel, senior vice president at the North American Electric Reliability Corp., the nonprofit body in charge of setting reliability standards for the bulk power system. He is also CEO of its Electricity Information Sharing and Analysis Center, which gathers and analyzes data from power companies.
Cancel said NERC has “seen two pretty substantial increases” in incidents coinciding with the 2020 and 2022 election cycles.
Grid attacks that led to power outages increased 71 percent from 2021 to 2022, totaling 55 incidents in 2022, according to a NERC briefing to utilities that POLITICO obtained. That increase was primarily due to a rise in gunfire assaults against critical infrastructure.
The largest outage reported from a physical attack early this year — which occurred in March in Carson City, Nev. — affected more than 11,000 people, according to DOE data.
But the state Public Utilities Commission was not aware of any outage due to an attack occurring that day, spokesperson Peter Kostes told POLITICO by email. That’s even though state regulations require utilities to contact the commission within four hours of a significant outage.
The state’s largest utility, NV Energy, said in a statement that it had reported the incident to local law enforcement “as soon as we learned about this incident … so we can continue to increase our resilience against ongoing threats to the energy industry.” A spokesperson for the utility did not respond to multiple requests for comment on whether it had informed the commission.
Federal regulations also require utilities to report cyber or physical attacks to DOE, including physical attacks that cause “major interruptions or impacts” to operations.
They must also tell the department about disruptions from weather or other causes that meet certain criteria, such as those that cut off service to more than 50,000 customers for at least an hour, an uncontrolled loss of more than 200 megawatts of power, or a utility voluntarily shutting more than 100 megawatts, according to an Energy Department spokesperson. The spokesperson provided the information on the condition that they not be identified by name.
The Energy Department’s records don’t include at least seven reported physical assaults last year and this year that the Department of Homeland Security and the affected utilities said caused substantive economic damage or cut off power to thousands of customers. POLITICO found these incidents by cross-checking the department’s data against warnings issued by DHS and the FBI’s Office of the Private Sector.
DOE said the incidents may not meet its reporting thresholds.
Several of the incidents missing from DOE’s data involved clear physical attacks, based on other agencies’ descriptions. But the utilities involved said they did not report the incidents to the department because the attacks did not affect the kind of major equipment that could lead to widespread, regional power failures.
One of the incidents not found in DOE’s records cut off power to about 12,000 people for roughly two hours in Maysville, N.C., after a shooting damaged a substation in November, according to a DHS report. The FBI’s investigation into the incident is ongoing, according to the intelligence agency.
The utility affected by the incident, Carteret-Craven Electric Cooperative, reported the incident to NERC’s Electricity Information Sharing and Analysis Center, but didn’t report the attack to DOE because it was a “distribution-level” incident, said Melissa Glenn, a spokesperson for the utility. That means the outages caused by the damage would have been limited to local power customers and not lead to the wider blackouts federal regulators are most concerned with.
In another case unreported to the Energy Department, a substation owned by the East River Electric Cooperative serving the Keystone oil pipeline in South Dakota was attacked by gunfire late at night in July 2022, according to DHS. The incident caused more than $1 million in damage and forced the pipeline to reduce operations while repairs were underway.
East River co-op spokesperson Chris Studer said the utility reported the incident to local law enforcement, which brought in the FBI. East River also reported the incident to NERC and its E-ISAC, along with regional grid agencies, but said it did not report it to DOE because the attack did not affect the bulk power system.
Brian Harrell, a former assistant secretary for infrastructure protection at DHS, said in an email that utilities have too many competing agencies to report to, and suggested reporting be streamlined to NERC’s E-ISAC.
“This lack of consistency, by no fault of the utility, suggests that the numbers may not paint a complete picture,” he said.
Grid experts said these data gaps clearly indicate a lack of understanding about which agencies utilities need to report to and when.
Utilities may be using a “loophole” based on definitions of what constitutes “critical infrastructure,” said Jonathon Monken, a grid security expert with the consulting firm Converge Strategies. He was previously senior director of system resilience and strategic coordination for the PJM Interconnection, the nation’s largest power market.
There are “lots of ways” to work around DOE requirements, Monken added, but as he reads the regulation, utilities are required to report any operational disruptions caused by a physical attack.
“[I]t appears the information you collected shows that companies are still missing the boat when it comes to mandatory reporting,” he said. “Not good.”
One former FERC official who was granted anonymity to speak about a sensitive security issue said the commission also received no alerts from law enforcement officials about the planned and actual attacks that took place last year. That omission hinders agencies’ ability to respond to these kinds of events, the person said.
A spokesperson for FERC declined to comment on the commission’s communications with law enforcement.
But Cancel defended government agencies’ response to these incidents, and said federal investigators may have had specific intelligence reasons for keeping FERC and state utility agencies out of the loop.
“I’m not a lawyer or a law enforcement professional, but you had an active criminal investigation going on,” he said. “I don’t think they wanted to sort of blow the horn on that and compromise the integrity of the investigation.”
An FBI spokesperson offered no direct response to these criticisms in an email, but said the agency “views cybersecurity as a team sport.” The person commented on the condition that the remark be attributed to the bureau.
The FBI urged utility executives last month to attend security training hosted by intelligence agents in order to ensure they are up to speed on the threats posed by bad actors.
“We can’t do it without you,” Matthew Fodor, deputy assistant director of the FBI’s counterterrorism division, said during an all-day FERC technical conference on Aug. 10. “The challenges that we have — and DOE can probably speak to this better than anybody — is limited resources.”
People attacking the electricity supply have thousands of potential targets, including power substations and smaller but critical pieces of utility infrastructure. The smaller pieces often go unprotected because federal standards do not require utilities to secure them.
Nearly half of the 4,493 attacks from 2020 to 2022 targeted substations, according to the NERC briefing from February, making them the most frequent targets for perpetrators over that period.
Details on how to carry out these kinds of attacks are available from extremist messaging boards and other online content, researchers and federal security officials say. These include maps of critical entry points to the grid, along with advice that extremists have gleaned from incidents like the assault in North Carolina.
Stanek, the Maryland electricity regulator, said he was “disappointed with the level of coordination and communication” that federal and state law enforcement displayed in handling the alleged plot in Baltimore. No trial date has been announced for the case, which is in U.S. District Court in Maryland.
Maryland’s Public Service Commission is in charge of ensuring that the state’s power system keeps the lights on. Regulators need to be kept informed of threats to the system so they can coordinate with other agencies in case an attack succeeds, Stanek said.
At the same time, he quipped, maybe he was better off in the dark after all.
“There’s a lot of colorful details in [the FBI report],” Stanek said. He paused, thinking. “And honestly, as a regulator, had I received these details in advance and shared the information with trusted sources within state government, I would have had sleepless nights.”
“So perhaps the feds did a favor by only sharing this information after everything was all said and done,” he added.