On Saturday, December 3, just after 7 p.m., electric customers in Moore County, NC, started to have power outages, eventually totaling about 40,000 customers. Utility and law enforcement responders reported “intentional vandalism occurred at multiple sites” including two substations, which were “targeted.” The repairs may not be completed until Thursday, while the estimated cost is in the millions.
The incident immediately brings to mind the Metcalf sniper attack of April 16, 2013, in which 17 transformers were shot up by gunmen with rifles who remain unidentified to this day. Fiber-optic telecommunications cables were cut nearby, prior to the attack. This attack primarily hit the transformers’ cooling oil reservoirs, causing them to overheat and fail. Power was re-routed and the big customers in Silicon Valley weren’t affected, although repairs cost over $15 million.
Following the Metcalf attack, in 2014, the Federal Energy Regulatory Commission (FERC) ordered the North American Electric Reliability Corporation (NERC) to expedite the creation of a physical security standard to be included within the suite of critical infrastructure protection (CIP) standards; CIP-014 was drafted and submitted to FERC within the 90-day requirement, which is quite a feat in the typical standards process.
The purpose of CIP-014 is “to identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.” Electricity utilities are required to do initial and subsequent risk assessments of those facilities, with third-party verification of the risk assessments, and create physical security plans covering those assets.
A spokesperson for Duke Energy would not confirm that the substations in Moore County were subject to these CIP-014 criteria. Still, given the reports of additional vandalism of equipment at different sites, significant planning, reconnaissance, and coordination were required to execute these attacks on potentially less-protected sites and escape before first responders arrived on the scene.
Hopefully law enforcement will have better success than they’ve had since the attack in 2013, which remains unsolved. It will be interesting to learn what physical security measures were in place at these substations, whether there were any cross-sector attacks as well, and what specific damage was caused at these sites – whether the transformers were just damaged or if they were destroyed.
It will also be interesting to see if this spurs more regulatory action, although these sites may be among the tens of thousands of state-regulated distribution substations and therefore not subject to FERC regulation.
Physical and cyber risk assessments are vital for critical infrastructure asset owners and operators, as well as experts and consultants in the risk management field. SecurityGate.io’s platform is specifically designed to enable users to perform complex OT and IT risk assessments more efficiently, with better visibility across organizations and facilities, with instant reporting, and a single-pane-of-glass view of all assessments.