By Alberto Coria and Trent Chinnaswamy
A growing number of attacks on the United States’ critical electricity infrastructure threatens to cause supply chain disruption to thousands of businesses across the country.
In 2022, the U.S. electrical grid sustained at least 103 deliberate physical and cyber-attacks – the highest level in a decade.
Two recent attacks on electricity substations in North Carolina, and four in Washington, have raised alarm among experts at the U.S. Department of Homeland Security (DHS). These attacks resulted in over 45,000 homes as well as businesses in the surrounding area losing power.
In each case, the modus operandi was similar: intruders carrying firearms gained access to the facilities and disabled them. This has led experts to believe that the attacks, which occurred within a short time of one another, may have been coordinated.
Electrical disruptions in the U.S. caused by intentional human interference are rising. Vandalism accounts for the majority of outages, but suspicious activity – where the intention is unknown – and sabotage are also on the increase (see chart).
The previous peak in vandalism was mostly caused by individuals stealing and selling copper wires. But the industry standard has since changed to use a less profitable kind of copper.
Why then are these attacks increasing and what risk do they pose to businesses?
Exploring Electrical Supply Chain Issues
Regional blackouts, defined as power loss in an area, can affect not only households, but also industry and logistics operations. However, the degree to which different entities are affected varies. Owing to their typically higher demand for power, manufacturing facilities are more exposed to power surge issues and accustomed to experiencing power failures, with one in four experiencing a power failure once a month.
Manufacturing facilities are also more likely to have backup and stress-tested generators, and have a coverage plan. However, these are generally focused on short-term power outages caused by high energy demands. In the case of a physical attack on a substation, a manufacturing site may have to deal with a longer-term power outage. So they can still face moderate levels of risk in the case of a physical attack.
Non-manufacturing facilities that are part of a supply chain are also likely to be affected by power outages, with the industries most reliant on electricity at the highest risk. These include financial corporations, IT services providers, data centers, perishable item producers, control centers and medical.
Rural Substations are Key Vulnerabilities for an Electric Grid Attack
The U.S. electrical grid is broken up into three large, connected networks (Texas Interconnection, Western Interconnection, and Eastern Interconnection) that operate fairly autonomously with eight regions seen (see map).
The U.S. Federal Energy Regulatory Commission has determined that transformers in rural substations are most vulnerable to physical attacks. Substations in urban areas typically have higher levels of monitoring and protection, while rural substations are completely unguarded.
The Eight U.S. Electricity Generating Regions
While substations in rural areas are at high risk of attacks, and the surrounding areas are at risk of a power outage, only 10.8% of the U.S. electrical grid is subject to “cascading” blackouts.
This means that attacks on substations in rural areas are likely to affect only the surrounding areas, and not cause blackouts in other areas of the country. This likelihood of power outages remaining contained to smaller areas places a greater emphasis on assessing supply chain risk exposure in rural areas.
Transformers at high-voltage and rural substations are prime targets for physical attacks, as transformers are difficult to protect and replacement parts are difficult to obtain.
In many of the higher-risk rural areas, substations are considered “dead-end”. Dead-end structures are where the line ends or angles off, meaning there is no backup power connection. The pink dots on the map below indicate the propensity of dead-end substations across the US. The darker the area, the more likely there is no backup power connection in the case of disruption.
What Companies Should Do
To get ahead of this critical infrastructure risk, Interos recommends that companies do the following:
- Use supply chain mapping and operational resilience tools like Interos’ Resilience platform and global relationship data to identify suppliers in industries and locations at the highest risk of being affected by potential power disruptions, and which agencies are responsible for power restoration.
- Engage key suppliers in high-risk regions to understand what impact, if any, they have experienced as a result of physical and/or cyber-attacks.
- Assess high-risk suppliers’ mitigation plans in the case of a regional blackout, and develop business continuity plans or workarounds for such disruptions where possible.
