Vulnerable U.S. electric grid facing threats from Russia and domestic terrorists
If there's one thing we can't live without in our modern world, it's electricity. It provides heat and light, pumps water and fuel, refrigerates food, and breathes life into our TVs, computers and phones. So it is no surprise the North American electric grid, which creates, moves and delivers our electricity, is considered the most critical part of our critical infrastructure. What is surprising is the nature of the grid itself: a hodge-podge of public and privately-owned, half-century-old tech, that is increasingly vulnerable to severe weather, cyber-attacks, and even physical assaults. As we first reported earlier this year, no government agency, not even the Department of Energy, is truly in charge of protecting it. One attack, nine years ago, was a wake-up call for industry and government alike.
On the night of April 16, 2013, a mysterious incident south of San Jose marked the most serious attack on our power grid in history.
For 20 minutes, gunmen methodically fired at high voltage transformers at the Metcalf Power substation. Security cameras captured bullets hitting the chain link fence.
Jon Wellinghoff: They knew what they were doing. They had a specific objective. They wanted to knock out the substation.
At the time, Jon Wellinghoff was chairman of FERC, the Federal Energy Regulatory Commission, a small government agency with jurisdiction over the U.S. high voltage transmission system.
Bill Whitaker: You were concerned enough that you flew out there?
Jon Wellinghoff: That's correct. And I took two other individuals who train special forces, U.S. special forces. They train people to actually attack infrastructure.
And what the former commandos found looked familiar. They discovered the attackers had reconnoitered the site and marked firing positions with piles of rocks. That night they broke into two underground vaults and cut off communications coming from the substation.
Jon Wellinghoff: Then they went from these vaults, across this road, over into a pasture area here. There were at least four or five different firing positions.
Bill Whitaker: No real security?
Jon Wellinghoff: There was no security at all, really.
They aimed at the narrow cooling fins, causing 17 of 21 large transformers to overheat and stop working.
Jon Wellinghoff: They hit them 90 times, so they were very accurate. And they were doing this at night, with muzzle flash in their face.
Someone outside the plant heard gunfire and called 911. The gunmen disappeared without a trace about a minute before a patrol car arrived. The substation was down for weeks, but fortunately PG&E had enough time to reroute power and avoid disaster.
Bill Whitaker: If they had succeeded, what would've happened?
Jon Wellinghoff: Could've brought down all of Silicon Valley.
Bill Whitaker: We're talking Google, Apple; all these guys--
Jon Wellinghoff: Yes, yes. That's correct.
Bill Whitaker: Who do you think this could have been?
Jon Wellinghoff: I don't know. We don't know if they were a nation state. We don't know if they were domestic actors. But it was somebody who did have competent people who could in fact plan out this kind of a very sophisticated attack.
The grid is a sprawling target. There are actually three in the U.S.: the eastern, western and Texas has its own. Most of us rarely notice substations. There are 55,000 across the country, each housing transformers, the workhorses of the grid. Inside these massive metal boxes, raw electricity is converted to higher or lower voltages.
Should a transformer explode, like this one in Manhattan during Superstorm Sandy, the system is designed to trigger a localized, grid-preserving blackout. But if several sections of the grid go down at the same time, the shutdowns can cascade like dominoes. That's what set off the great Northeast Blackout in 2003, leaving 45 million Americans without power. A few months before the assault on Metcalf, Jon Wellinghoff of FERC commissioned a study to see if a physical attack on critical transformers could trigger cascading blackouts.
Jon Wellinghoff: It was actually a very shocking result to us that there's very few number of substations you need to take out, in the entire United States, to knock out the entire grid.
Bill Whitaker: Knock out the entire grid?
Jon Wellinghoff: That's correct.
Bill Whitaker: How many would it take to knock out putting the entire country in a blackout?
Jon Wellinghoff: Less than 20.
The report was leaked to the Wall Street Journal. It found the U.S. could suffer a coast-to-coast blackout if saboteurs knocked out just nine substations.
Bill Whitaker: You are relaying this in a very measured way. I would think this would be quite alarming.
Jon Wellinghoff: It was alarming. There's no question. It is alarming.
After the Metcalf attack, FERC pressed the utilities to harden defenses at their most critical substations – erect walls and sensors to prevent similar attacks – there's now a wall around Metcalf. But many substations remain vulnerable targets, like one we found in southern California that serves more than 300,000 customers - huge transformers protected by a chain link fence.
Dr. Granger Morgan: Anybody who knows about power systems knows that the, the grid is physically spread all over the countryside. There are a lot of places that are vulnerable.
Dr. Granger Morgan is a Carnegie Mellon University professor of engineering who chaired three National Academy of Sciences reports on the power grid for the U.S. government – the most recent in 2021. An earlier report on terrorism was classified for five years.
Dr. Granger Morgan: We simply made a strong case that the grid was physically very vulnerable.
Bill Whitaker: Why was there a specific report on terrorism and the grid?
Dr. Granger Morgan: There were concerns about the possibility that a terrorist organization could attack the grid. And around the world there have been a fair number of attacks on grids.
They have attacked with bombs, planes and drones. Russia's cyber attack on Ukraine's grid in 2015 knocked about 60 substations offline, leaving 230,000 people in the dark. The U.S. secretary of energy has said Russia could do the same thing here.
Dr. Granger Morgan: In the report we did on the resilience of the power system we did argue that we needed an organization, probably DOE and Department of Homeland Security, to systematically look at all the kinds of vulnerabilities we have and then begin to figure out who could address each. In terms of resilience issues, there's nobody in charge. I mean, there's no single entity that has responsibility for everything.
Mike Mabee: The U.S. electric grid is the largest machine in the history of mankind. It is a marvel of modern engineering. No one person owns or controls it. It's actually 3,000 different companies, both public and private sector, that own or operate little pieces of the electric grid.
Mike Mabee is an Iraq war vet, a former cop and a self-taught grid security expert. By day he works for the government. In his spare time, he uncovers public information electric utilities would rather not see the light of day and publishes them on a website called "Grid Security Now." He is both fascinated and horrified by the grid.
Mike Mabee: I think everybody needs to be as alarmed as I am. We've had disasters in the past but they've generally always been regional in scale. What we've never had is a national-scale blackout, which is completely possible under some known threats such as the cyber threat, the physical security threat, or even extreme weather. And the U.S. public is completely unprepared to survive without the electric grid for any period of time whatsoever.
So when he moved to Texas two years ago, he prepared for the worst, installing solar, wind and battery power.
Mike Mabee: The whole system's 48 volts.
Mabee's family survived last winter's deadly storm, hundreds of Texans perished.
Mike Mabee: And the deaths were largely due to hypothermia, carbon monoxide poisoning because when people got cold they would do things like go into their car in the garage to try to stay warm.
Mabee has become a thorn in the side of the federal government and utility companies.
Mike Mabee: I filed a complaint about supply chain cybersecurity. I filed a complaint about physical security. I filed a complaint about the Texas blackout.
Bill Whitaker: The government and the industry. They think you're an annoyance?
Mike Mabee: I've been termed a "grid security gadfly," which I wear that as a badge of honor.
One frequent target: the Department of Energy. Mabee told us the grid information the DOE puts out is confusing and dispersed. He said he spends hours trying to make sense of it all.
Mike Mabee: There is a requirement that they report electric disturbance events. But the data from the Department of Energy is so bad. So, you know, I took it upon myself to do some data crunching. And what I found is that 38% of the electric disturbance events in the United States are due to physical attacks against the electric.
Bill Whitaker: 38%? That's a lot.
Mike Mabee: So in the past decade, there have been over 700 physical attacks against the U.S. electric grid.
Many are copy cats of the Metcalf assault. In 2016, an eco terrorist in Utah shot up a large transformer, triggering a blackout. He said he'd planned to hit five substations in one day to shut down the West Coast. In 2020, the FBI uncovered a white supremacist plot called "lights out" to simultaneously attack substations around the country.
Dr. Liz Sherwood-Randall: We're seeing planning to disable the delivery of power to the American people.
Dr. Liz Sherwood-Randall is President Biden's homeland security advisor. We met with her and Anne Neuberger, deputy national security advisor for cyber. They told us the administration's infrastructure plans should help secure the grid, but acknowledge the threats are real.
Dr. Liz Sherwood-Randall: We have physical threats to the grid. We have natural threats to the grid. We have cyber threats to the grid.
Neuberger came to the White House from the secretive National Security Agency, where she battled Russian hackers in cyberspace.
Bill Whitaker: You said that you've been talking to private utility companies around the country about the potential for a cyber attack. What are you telling them?
Anne Neuberger: We're sharing with them some of the context regarding how Russia and other countries use cyber in crisis or conflict. We've actively downgraded intelligence. We've taken any information we have about malicious software or tactics that the Russian government has used, shared that with the private sector with very practical advice of how to protect against it.
Bill Whitaker: Isn't the problem that when it comes to the grid, there's nothing like the FAA or the Food and Drug Administration or the Securities and Exchange Commission? There's no one overall agency overseeing these, you said, 3,000 different utilities across the country?
Dr. Liz Sherwood-Randall: We don't have one system. We have several grids. We also have individual energy ecosystems in regions and states. And that's part of our strength because the resources for energy are different in different regions. And we have to acknowledge that we're not going to have a one-size-fits-all system.
Bill Whitaker: You call it one of our strengths. But it also seems to be one of our vulnerabilities.
Dr. Liz Sherwood-Randall: Well, in my view, we can't impose the regulations that would-- you would be suggesting as a federal government. We can set standards and we are setting standards in a variety of arenas.
Carnegie Mellon's Granger Morgan says what government, industry and law enforcement are doing doesn't meet the magnitude of the threat.
Dr. Granger Morgan: What we need at this point is to get the White House to put all the key players together in a room to identify the biggest vulnerabilities and then take steps to reduce them.
Bill Whitaker: I'm surprised that's not being done.
Dr. Granger Morgan: It has not been done. And it needs to happen now.
Produced by Graham Messick. Associate producer, Jack Weingart. Broadcast associates, Emilio Almonte and Eliza Costas. Edited by Craig Crawford.
