Terrorism and the Electric Power Delivery System

The electrical grid is said to be vulnerable to terrorist attack. I can agree that an electrical power distribution network would be quite vulnerable if someone tried to sabotage it and knew what to do. I know this because I design software and hardware for control systems for electrical companies.

Some days ago I saw on Finnish television an interesting documentary, Suomi polvilleen 15 minuutissa (viewable on Yle Areena, at least for Finnish viewers, for a few more weeks). It says that in Finland there has been debate on how many weeks the army could protect the country against potential attacks. The documentary says that the country could collapse in 15 minutes if an outside attacker or a small terrorist group attacked certain key points in the power network. Practically nothing would work anymore without power, and it would take quite a bit of time to get replacement parts for some key components. There are not too many spare parts, and it takes months or a year to build a new big high-voltage distribution transformer.

This vulnerability applies to practically all developed countries. I have understood that the Finnish electrical power distribution network is in pretty good condition compared to the power networks of some other countries. I think that in many countries one could quite easily cause huge problems by damaging some key points in the power distribution network. Those attacks could be either cyber-attacks or attacks that damage physical infrastructure.


In the USA there has been lots of talk lately about the electrical grid's vulnerability to terrorist attack. There are warnings like this: Cyber-terrorists could target the U.S. electrical grid and throw the nation into chaos. There is indeed some truth in those warnings, because this critical infrastructure is vital to a country's economy and security, is not a new target for terrorist groups (there have been documented incidents since the 1970s), is inherently vulnerable (for economic and practical reasons) and is extremely hard to protect well. The electric power delivery system that carries electricity from large central generators to customers could be severely damaged by a small number of well-informed attackers. The system is inherently vulnerable because transmission lines may span hundreds of miles.

The New York Times writes that terrorists could black out large segments of the United States for weeks or months by attacking the power grid and damaging hard-to-replace components that are crucial to making it work. By blowing up substations or transmission lines with explosives, or by firing projectiles at them from a distance, the report said, terrorists could cause cascading failures and damage parts that would take months to repair or replace.

Remember that causing large-scale problems for a long time is usually hard. In the article Debunking Theories of a Terrorist Power Grab, a Penn State power-system expert cites the laws of physics to pull the plug on worries that a terrorist attack on a minor substation could bring down the entire U.S. electric grid. The most vulnerable points are the ones that have the most energy flowing through them, like huge power stations or highly connected transformers. Those are the ones that should be well protected, and there should not be too much worry about protecting smaller transformers.

Here are a few links to articles for more information:

There is also a free book, Terrorism and the Electric Power Delivery System, available on-line covering those topics. Check it out if you want to learn more; it gives you much more background than those articles.


  1. Tomi Engdahl says:

    Puerto Rico governor: Power could be out for months

    (CNN)Puerto Rico’s energy grid took such a severe blow from deadly Hurricane Maria that restoring power to everyone may take months, Gov. Ricardo Rosselló told CNN on Wednesday night.
    The entire system is down, the governor said. No one on the island has power from utilities.

    Puerto Rico, which has been through a long recession and is deeply in debt, has a power grid that is “a little bit old, mishandled and weak,” Rosselló told “Anderson Cooper 360˚.”
    “It depends on the damage to the infrastructure,” he said. “I’m afraid it’s probably going to be severe. If it is … we’re looking at months as opposed to weeks or days.”

  2. Tomi Engdahl says:

    DDoS Attacks More Likely to Hit Critical Infrastructure Than APTs: Europol

    While critical infrastructure has been targeted by sophisticated threat actors, attacks that rely on commonly available and easy-to-use tools are more likely to occur, said Europol in its 2017 Internet Organised Crime Threat Assessment (IOCTA).

    The report covers a wide range of topics, including cyber-dependent crime, online child exploitation, payment fraud, criminal markets, the convergence of cyber and terrorism, cross-cutting crime factors, and the geographical distribution of cybercrime. According to the police agency, we’re seeing a “global epidemic” in ransomware attacks.

    When it comes to critical infrastructure attacks, Europol pointed out that the focus is often on the worst case scenario – sophisticated state-sponsored actors targeting supervisory control and data acquisition (SCADA) and other industrial control systems (ICS) in power plants and heavy industry organizations.

    However, these are not the most likely and most common types of attacks – at least not from a law enforcement perspective as they are more likely to be considered threats to national security. More likely attacks, based on reports received by law enforcement agencies in Europe, are ones that don’t require attackers to breach isolated networks, such as distributed denial-of-service (DDoS) attacks, which often rely on easy-to-use and widely available tools known as booters or stressers.

    While these types of attacks may not lead to a shutdown of the power grid, they can still cause serious disruptions to important utilities and services.

    “While DDoS is often a tool for extortion, the lack of communication from the attackers may suggest that these attacks were of an ideological nature,” Europol said in its report. “Although European law enforcement recorded an increasing number of these attacks last year, they also note that they only had moderate, short-lived impact.”

    Internet Organised Crime Threat Assessment (IOCTA) 2017

  3. Tomi Engdahl says:

    Hurricane hardening for utility power architectures: Puerto Rico

    In the aftermath of Hurricane Maria, the island of Puerto Rico has been devastated with a loss of their electrical power infrastructure and lack of fresh water. The electrical infrastructure efforts are estimated to bring power back to the island in six months.

    The Puerto Rico Electric Power Authority (PREPA) is the only power distributor on the island. PREPA’s power plants were 44 years old when Hurricane Maria struck; most industry power plants average 18 years. They burned Venezuelan oil at these aging power plants which needed billions of dollars in overdue repairs and renovation. Puerto Rico being essentially bankrupt did not help. This is a lesson for other governments to make sure their citizens are well protected for typical catastrophes that occur in their region.

  4. Tomi Engdahl says:

    NASA Images of Puerto Rico Reveal How Maria Wiped Out Power On the Island

    Hurricane Maria was the most devastating hurricane to make land in Puerto Rico in nearly 100 years and the country is still reeling in its wake. Much of the island still doesn’t have running water, reliable communication or electricity. Recently, NASA published a set of data-processed photos that show the island’s nighttime lights both before and after the storm.

    These NASA Images Of Puerto Rico’s Power Loss Are Staggering

  5. Tomi Engdahl says:

    Hurricane Maria Left Puerto Rico Absolutely Devastated

    Hurricane Irma pounded Puerto Rico earlier this month, leaving hundreds of thousands without power, but narrowly avoiding a worst-case scenario.

    Unfortunately, Hurricane Maria slammed directly into Puerto Rico at Category 4 strength on Wednesday, lashing the island with 155 mile per hour (250 kilometer per hour) winds and double-digit storm surge. The storm immediately knocked out the region’s entire power grid, much of its communications networks and large stretches of road, making it impossible for the territory’s central government to assess the damage.

    But the scale of the second hurricane’s devastation across Puerto Rico is rapidly becoming clear, the Washington Post reports, with many towns across the territory totally destroyed.


  6. Tomi Engdahl says:

    Part II: Powering America: Defining Reliability in a Transforming Electricity Industry

  7. Tomi Engdahl says:

    How Do South Korea’s Secretive “Blackout Bombs” Actually Work?


    10 OCT 2017, 11:51
    As tensions across the Korean peninsula continue to simmer, reports are now circulating that South Korea’s military forces are prepared to use so-called blackout bombs in any future conflict. These high-tech weapons have only been used a handful of occasions before – most notably during the last two Gulf Wars and during the conflict in Kosovo – so what exactly are they?

    Classified until only recently, these weapons are decidedly non-lethal. They contain millions of small particles of chemically treated carbon filaments, essentially a type of graphite.

    These bombs are targeted at major power grids and lines: when these particles make contact, a current flows through them at such extreme temperatures that it melts part of the mainline wiring, and the system shorts out. So long as the power lines aren’t insulated, these graphite bombs can be incredibly effective.

    When they were first deployed in the 1990 Gulf War against Iraq by the US Air Force, up to 85 percent of the country’s electrical supply was knocked out. Similarly, when used by NATO forces against Serbia in 1999, 70 percent of the country’s power grid was shut down.

    South Korea’s Agency for Defence Development has been working on them recently, and has, according to Yonhap News Agency

  8. Tomi Engdahl says:

    Energy Regulator Acts to Improve Power Grid Security

    With growing concern over nation-state cyber attacks comes an increasing need to secure the critical infrastructure. In the Quadrennial Energy Review published in January 2017, the U.S. Energy Department wrote, “Cyber threats to the electricity system are increasing in sophistication, magnitude, and frequency.” The reliability of the electric system underpins virtually every sector of the modern U.S. economy, it warned.

    In response to such concerns, the Federal Energy Regulatory Commission (FERC) yesterday proposed new cyber security management controls to enhance the reliability and resilience of the nation’s bulk electric system.

    “FERC proposes to approve Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-7 (Cyber Security – Security Management Controls), which is designed to mitigate cyber security risks that could affect the reliable operation of the Bulk-Power System,” it announced.

    The new standard will particularly improve on existing standards for access control, “by clarifying the obligations that pertain to electronic access control for low-impact cyber systems; adopting mandatory security controls for transient electronic devices, such as thumb drives and laptop computers; and requiring responsible entities to have a policy for declaring and responding to CIP exceptional circumstances related to low-impact cyber systems.”

    FERC Proposes New Security Management Controls for Grid Cyber Systems

    Today’s Notice of Proposed Rulemaking also proposes to direct the North American Electric Reliability Corp. (NERC) to develop modifications to provide clear, objective criteria for electronic access controls for low-impact cyber systems and to address the need to mitigate the risk of malicious code that could result from third-party transient electronic devices. These modifications will address potential gaps and improve the cyber security posture of entities that must comply with the CIP standards.

    In a separate order, the Commission accepted NERC’s preliminary geomagnetic disturbance (GMD) research work plan and directed that NERC file a final plan within six months.

  9. Tomi Engdahl says:

    Protecting Critical Infrastructure When a Dragonfly Beats its Wings

    The Threat of Cyberattacks on Power Networks is Real, But We Have the Ability to Build Defenses That Minimize The Disruption to Services

    News that a sophisticated and long-established cyber espionage group may have the ability to infiltrate and do serious harm to critical energy supply infrastructure doesn’t come as a complete surprise. It does, however, provide an opportunity to reflect on how such systems are protected and what we as an industry can do better in the future.

    Anyone who works in security quickly gets used to the dilemma at the heart of what we do. It’s vital for us to communicate openly, clearly and with transparency about the threats faced in today’s networked world. Yet all too often, we run the risk of creating an unnecessary public panic which still doesn’t have the required effect of motivating those responsible for protecting critical systems into following good security practice.

    The recent revelations were published by researchers at Symantec and concern a cyber-attack group known as Dragonfly. They found that over a two-year period Dragonfly-affiliated hackers have been stepping up their attempts to compromise energy industry infrastructure, notably in the US, Turkey and Switzerland. The Symantec researchers found that the behavior of the Dragonfly group suggests they may not be state-sponsored, but that they have been conducting many exploratory attacks in order to determine how power supply systems work and what could be compromised and controlled as a result.

    An obvious target

    This shouldn’t come as a shock. Even the most innocuous web server will face dozens, if not hundreds, of attacks every day. Industrial control systems and critical national infrastructure have always been prime targets. Everyone from bedroom hackers to state sponsored spies have wanted to breach critical systems since the dawn of the networked era, whether that be for monetary gain, secret information, or just pure curiosity.

    What’s important in the Symantec report is not that energy systems are under attack, but that the methods detected – email phishing, Trojan malware and watering hole websites – are all well understood and can be mitigated against.

    Symantec was keen to point out that it has already integrated protections from the known Dragonfly attack methods into its software. Even so, it would be foolish to underestimate Dragonfly. It’s clearly a sophisticated group with a clear purpose, and while Dragonfly’s primary mechanisms at present appear to be based on social engineering, there are plenty of other state and non-state sponsored groups who have yet more sophisticated tools at their disposal.

    What’s more, the industrial internet of things (IIoT) continues to expand and our power infrastructure is diversifying to include smart grids and new, decentralised generation and transmission technologies. These may be beyond the control of traditional energy companies, but are still connected to their networks, introducing many more potential points of weakness to protect. We already know that there are many hundreds of thousands of consumer devices out there that are poorly secured against malware such as Mirai and its successors. The risk is that the same weaknesses may be unwittingly introduced to critical infrastructures.

    Building our defenses

    What does defense in depth mean for the power supply industry? For a start, more work needs to be done to convince utility companies that security spending must be an absolute business priority. Proactive regimes that include regular retraining and offensive exercises, such as penetration testing and “red teaming”, require ongoing investment and a commitment at all levels, but are essential to keeping defenses honed.

    On a practical level, it should be a given for even the smallest business in this day and age that application and client software is regularly patched and up-to-date, but as recent ransomware outbreaks have shown, this is not something we can take for granted.

    For power companies, the challenge here isn’t just about rapid deployment of desktop and server software security patches; there are myriad field devices and control systems that need protecting too, which requires careful consideration. The update-and-patch ethos applies just as it does in the server world, but many of the MTUs, the RTUs and the IEDs may be legacy units for which security was an afterthought. They must be supplemented with intelligence in the network that can spot anomalies and improve the ability to detect new threats and signatureless malware.

    Improving capabilities for prevention and detection of attacks, however, won’t be effective without similar investment in the ability to respond to incidents. This requires the development of specialist forensic skills and knowledge within the ICS and SCADA environment, so that once an incident is detected, it can be quickly neutralised and identified with the least possible disruption to operations. To further minimize disruption, solid plans for business continuity also need to be drawn up and prepared.

  10. Tomi Engdahl says:

    Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure

    Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes. We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shut down operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack.

  11. Tomi Engdahl says:

    Cyber Defense Tool Is an Early Warning System for Grid Attacks

    A new tool will enable grid operators to better detect not only a brutal physical attack, but also a hacker probing for vulnerabilities

    Grid operators worry that the loss of one or more critical substations could trigger an outage that cascades across a region

  12. Tomi Engdahl says:

    Attack on Nine Substations Could Take Down U.S. Grid
    Feds seek new rules to protect against physical attacks

  13. Tomi Engdahl says:

    Electrical Substation visit. Inside an Electrical Substation.

    An electrical substation is a subsidiary station of an electricity generation, transmission and distribution system where voltage is transformed from high to low or the reverse using transformers. Electric power may flow through several substations between generating plant and consumer, and may be changed in voltage in several steps.

  14. Tomi Engdahl says:

    Electricity has such amazing power – Compilation


  15. Tomi Engdahl says:

    Electrical Substations

    6 Electrical Substation Bus Schemes Explained

    A substation bus scheme is the arrangement of overhead bus bar and associated switching equipment. The operational flexibility and reliability of the substation greatly depends upon the bus scheme.

  16. Tomi Engdahl says:

    140,000 Volt Substation Explosion

    140,000 Volt Substation Explosion. (Damage)

  17. Tomi Engdahl says:

    High Voltage Substations around the world… 125kv, 66kv, 33kv

  18. Tomi Engdahl says:

    Control room of 400/220kV substation, Scada control

  19. Tomi Engdahl says:

    Isolating a Disconnecting Circuit Breaker using live line working

    As it becomes more and more common with live working, performed by special trained staff, the question has been raised if it is possible to use the manual links in the DCB-design for live working.

  20. Tomi Engdahl says:

    351 Substation Demolition — B Roll

    The U.S. Department of Energy (DOE) recently teamed with contractor Washington Closure Hanford to complete a major recycling effort during cleanup of the Hanford Site in southeastern Washington State.

  21. Tomi Engdahl says:

    Cyber Defense Tool Is an Early Warning System for Grid Attacks

    A rifle attack on an electrical substation near California’s Silicon Valley in April 2013 led to the development of a new tool for grid operators that will enable them to better detect not only a brutal physical attack but also the slightest hint of a hacker looking for vulnerabilities in these critical links in the grid.

    Although distributed in nature, grid operators worry that the loss of just a few critical substations could trigger an outage that cascades across a region, potentially crippling a major urban center.

    Indeed, in 2014, the Wall Street Journal reported the startling findings in a confidential report by the Federal Energy Regulatory Commission (FERC): Thirty substations across the U.S. played an outsized role in grid operations; knocking out nine of them could cause a cascading outage capable of bringing down the nation’s grid.

    During the still-unsolved crime, attackers cut fiber optic cables to the facility, and then shot up 17 transformers, resulting in $15 million in damage. The utility had to re-route power around the damaged substation until repairs could be made.

    A rifle assault means the attacker has to come close enough to blast away at a substation. Perhaps more worrisome to grid operators, however, is the possibility of a cyberattack launched remotely from anywhere on the globe.

  22. Tomi Engdahl says:

    Critical Infrastructure Threat Is Much Worse Than We Thought

    Adversaries Most Likely Want to Acquire a “Red Button” Capability That Can be Used to Shut Down the Power Grid

    Last October the United States Computer Emergency Readiness Team (US-CERT) published a technical alert on advanced persistent threat (APT) activity targeting energy and other critical infrastructure sectors. Recently, it was updated with new information uncovered since the original report, and there are some interesting revelations this time around.

    Since the initial alert, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), working with U.S. and international partners, determined that attacks were already underway and being carried out by unspecified threat actors. The new report contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by APT actors on compromised victims’ networks.

    The boldest revelation is the decisive manner in which the unspecified “threat actors” are explicitly identified. There is no equivocation; what was once believed to be an amorphous “threat actor” has now been identified as the “Russian Government”.

    As for reconnaissance and weaponization, in the original alert DHS identified the then “threat actor” as being interested in website and open source material pertaining to critical infrastructure. The report stated that no compromise was detected. The new alert reneges the “no compromise” statement and provides a very detailed description of how the Russians used malware to compromise industrial control system (ICS) networks. Moreover the use of zero day, APT and backdoor techniques all indicate the sophistication and intent of the activity designed to take over US critical infrastructure.

    The breadth of these attacks is not only deeper but also broader than originally thought. Because it is infinitely easier to hack into a trade magazine website than into a critical infrastructure network, the report also notes the use of “watering hole” attacks, architected to compromise machines belonging to ICS personnel that visited popular online news outlets. Once installed, this malware could be easily used for account takeovers.

    The updated alert also reveals the effort put into exploitation. The October alert stated, “there is no indication that threat actors used Zero Day exploits to manipulate the sites.”

    Also new, for the first time, the attackers attempted to cover their tracks, making it much harder to understand exactly what facilities were compromised.

    Protecting the Power Grid from Cyber Attacks

    One thing that remained static in both reports is the target of the attack: “…campaign has affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors.”

    As alarming as the revised alert is, perhaps most glaringly absent is a situational analysis of what the attackers did once they successfully gained access. The updated report only scratches the surface. To date, no detailed technical report – except for Stuxnet in 2010 – has been released detailing that last mile of malware inside of ICS networks, and specifically the damage caused by the attack.

    What we can conclude from this new alert is that the Russians have been running a cyber campaign against industrial infrastructures for nearly a decade. Most likely, they and others want to acquire a “Red Button” capability that can be used to shut down the power grid, or cause other infrastructure damage, at some point in the future. Having these capabilities can cause more damage and disruption than a traditional armed conflict, and in many cases organizations and nations are less prepared to deal with it.

  23. Tomi Engdahl says:

    U.S. Energy Department Offers $25 Million for Cybersecurity Tech

    The United States Department of Energy (DOE) on Monday announced that it’s prepared to award up to $25 million for the research and development of technologies designed to protect the country’s energy infrastructure against cyber threats.

    The funding opportunity announcement (FOA) comes from the Office of Electricity Delivery and Energy Reliability’s Cybersecurity for Energy Delivery Systems (CEDS) program and it seeks applications for researching, developing and demonstrating novel approaches to improving cyber resilient energy delivery systems.

    Energy Department offers $25 million for cybersecurity

    “This FOA builds on DOE’s efforts with the private sector toward improving the security of the Nation’s critical energy infrastructure, and reducing the risk of a cyber incident that could disrupt energy delivery,” the DOE said. “It will expand the development and adoption of energy technologies that will help ensure a more secure, resilient, and reliable electricity system.”

    In September 2017, the Energy Department announced its intention to invest $50 million in the research and development of tools and technologies that would make the country’s energy infrastructure more resilient and secure, including more than $20 million in cybersecurity.

