Averting Disaster on the Grid

Strategy to Mitigate Risks of Catastrophic Events

By Harjeet Johal, Ken Collison, Elliot Roseman, Dan Rogier

Public Utilities Fortnightly, September 2016

Maintaining the security of the electric grid today is far from business as usual. The grid is under increasing threats to its very viability from cyber-attacks, natural disasters, and physical assault. Moreover, the severity of each of these threats is on the rise.

It is not possible to protect or harden the grid across the tens of thousands of miles of high-voltage lines and tens of thousands of substations. And while utilities maintain some operational spares to replace large power equipment that fails due to normal wear and tear, it is economically prohibitive for a utility to stockpile multiple million-dollar pieces of equipment to prepare for the worst.

This reality puts the grid and the reliable supply of power to customers at risk for extended periods. Many key pieces of equipment have long lead times and are difficult to replace. This could cripple the grid and severely extend the interruption of power supply.

With the threats rising, utilities must develop plans on how they will mitigate the risks of such events. In fact, federal regulations now require this.[1]

Grid Assurance is a coalition of six major U.S. utilities[2] dedicated to providing a cost-effective solution to address the increasing threats to the security of power supplies. And to provide the right level of inventory in the right locations to expedite recovery following an event.

Working together, Grid Assurance and its consultants created a first-of-a-kind framework to quantify the potential benefits of pooling equipment amongst utilities, and to develop best practices for inventory hosting. Regardless of size, there are clear economic benefits of pooling needs across multiple transmission owners for this vital service.
Utilizing this framework, and pooling resources, will help reduce restoration times following a severe attack from months to weeks or days.

Harjeet Johal is a senior manager with ICF International and an expert in energy economics and power system consulting. He has over ten years of experience in electrical engineering, energy planning, economic evaluation, and policy research.

Ken Collison is a vice president at ICF. He is in his fifteenth year with the company. And an expert in power system planning, economic analysis, and reliability assessments. Ken also serves as an expert witness in electric transmission and distribution cases.

Elliot Roseman is a vice president with ICF. And a senior policy and regulatory expert who specializes in electric transmission and energy infrastructure issues. He is in his fifteenth year with the company, and in the energy industry for a good deal longer.

Dan Rogier is a veteran of thirty-six years in the utility industry, and is an executive of American Electric Power. He has served in a number of transmission engineering and operations roles, with additional leadership experience in distribution, generation, customer service and information technology. Mr. Rogier is currently serving as chief operating officer of Grid Assurance.

Increasing Threat Landscape

The 2013 coordinated rifle attack to sabotage the Metcalf substation in California is but one example of the new threats that face the nation's grid. The energy industry is by far the most targeted for cyber-attacks. In 2014, the energy sector reported seventy-nine incidents, out of a total of two hundred forty-five (thirty-two percent of the total across all industries).[3] Figure 1 further strengthens the argument. Physical attacks, cyber-attacks, combinations of the two, insider plots, and natural disasters are identified as top threats by NERC.
These can have high likelihood of occurrence in the future, with potentially widespread consequences.

[Figure 1: NERC Threat Landscape. Threats plotted by likelihood against consequence: squirrels; natural disasters; physical attack/theft; cyber attack; insider threat/catastrophic human error; coordinated physical and cyber attack; supply chain disruption or compromise; pandemics; geomagnetic disturbance; direct energy weapon; CBR attack; high-altitude EMP; nuclear.]

The National Oceanic and Atmospheric Administration also clearly shows us the increase in damaging natural disasters. In 2016, there have been eight weather and climate disaster events with losses exceeding one billion each across the United States, as of July. The year 2012 was the second costliest year on record. It had more than seventy billion in damages, including the episodic derecho which cut power supplies to more than 4.2 million customers in just a few hours, traveling more than sixty miles per hour across the countryside. Hurricane Sandy was even worse.[4]

We all have insurance policies to protect against damage to our homes, vehicles and businesses. In the same way, the sharing of transformer inventories is an insurance policy for the grid and for the reliability of the electric power system. Naturally, there is a premium to pay for insurance. But it is a small fraction of the cost of incurring the catastrophic events against which it is protecting, events that are becoming increasingly common.

Framing a Solution

The increasing numbers, likelihood and severity of events like these demand enhanced resiliency measures. The goal is to ensure the continued reliable operation of our nation's electric transmission grid. However, such events still occur infrequently and have few precedents. So it is challenging to develop a planning framework that accurately captures their risks to the power grid.

In this section, we lay out the key elements of such a framework. And we address the factors that affect the pooling benefits and ultimately the inventory requirement. The inputs for each utility may vary. But we found that the key to success is to deploy the following framework and analytic process, including the six factors outlined below. See Figure 2.

1. Events: Not all events will be relevant to each utility. For example, hurricanes are more common in the Southeast, while tornadoes are more likely in the Midwest.
2. Frequency: How often do the individual events occur? The greater the likelihood of occurrence of an event, the higher will be the inventory level required.
3. Diversity in equipment: Pooling benefits relate directly to the diversity in equipment base. If different areas have completely different voltage classes of equipment, the overall inventory requirement will increase.
4. Severity: The severity of the events determines the extent of damage. For example, the damage from category three storms would likely be limited to the coastal regions, while category five storms can have damaging effects many miles inland.
5. Operational Spares: Under some situations the operational spares can be used towards event restoration, which can help to lower the inventory requirement.
6. Desired Service Level: Planning criteria to provide insurance against catastrophic events. We proposed a very high service standard of 99.97 percent, or 5 Sigma.

[Figure 2: Framework For Developing Optimal Inventory Levels. Panels: Events (What are relevant events for each subscriber?), Frequency (How often do individual events occur?), Severity (What is likely damage?), Diversity (How diverse is equipment base?), Spares (Can you count operational spares?), Service Level (What is planning criteria for service reliability?). Steps shown: identify relevant events (physical attack, cyber attack, weather events, GMDs); identify extent of damage (geographic impact areas from each relevant event); Impact Assessment tool (company specific database is used to identify high voltage equipment at risk); determine operational spares (percent of operational spares for event restoration); Catastrophic Inventory Model tool (Monte Carlo analysis to determine the inventory for a desired service level).]

We used this approach on an illustrative example to assess the value of pooling the inventory needs across several utilities. This approach could in turn be applied to any combination of firms desiring to share in the protection from these catastrophic events.

Simulated Physical Attack

A carefully orchestrated physical attack on key substations can result in significant loss of large power transformers. It can cause widespread outages to customers and compromise the overall reliability of the transmission grid.

In its 2010 Critical Infrastructure Strategic Roadmap, NERC identified such an attack as one of its three priority risk scenarios. Such a scenario would disable difficult-to-replace equipment such as large power transformers.

Even without access to detailed information and sophisticated tools, public data exists that could be used to plan a grid attack. For example, extra-high and high-voltage substations near major metropolitan areas could be presumed to serve a large number of customers and critical loads. Similarly, attackers can target the grid serving major areas or popular tourist destinations to maximize international resonance.

[Figure 3: Parameters for Selecting Target Substations. Map legend: transmission lines by voltage class (under 100, 100–161, 230–300, 345 and 500 kV); 50 miles; city center. Disruption of power in metropolitan areas will likely cause most havoc; bigger substations are probably most critical; likely that up to six substations can be attacked simultaneously.]

We used this construct to identify areas that could be likely targets, and screened for stations with large power transformers within a certain distance from the city center. Figure 3 conceptually shows the process used to identify such substations.

A typical high-voltage substation can host several large power transformers. Our modeling assumed that a sophisticated attack would be successful in crippling all such transformers in the identified stations.[5] In this illustrative example, Figure 4 counts a total of two hundred eighty-eight at-risk large power transformers across multiple cities if they were simultaneously attacked.

[Figure 4: Equipment At Risk Across Multiple Metropolitan Areas. Number of transformers by voltage class (345/138, 230/69, 500/230, 230/115, 345/115, 230/138, 345/161, 138/69, 765/345, 161/69, 345/230, 161/138, 161/115, 765/138, 115/69). Total relevant equivalent: 288 transformers.]

Losing this number of units is clearly unrealistic. But one needs to understand the full scope of the challenge to capture and plan for a severe situation which utilities could face.

In practice, just a few voltage classes have sufficient volumes to drive significant pooling benefits. In this example, the 345/138 kiloVolt and the 230/69 kiloVolt classes account for thirty-seven percent of the total equipment and appear in multiple metropolitan areas. As such, the pooling benefits for transformers in these voltage classes will be higher than those in the classes with a much lower number of transformers.

The equipment at risk is a key input to the Inventory Modeling Tool, a sophisticated Monte Carlo engine that is used to randomly simulate an attack on these cities in different years.[6] The model optimizes the inventory requirements based on a desired level of reliability.

For example, a service level of one hundred percent implies that the utilities would maintain adequate inventory to cover the worst case catastrophe, taking into account the lead time to replace equipment.[7] Using our example model, there are fifty-five 345/138 kiloVolt transformers at-risk. The worst case event would impact thirty of these units.

Power system planning does not require a one hundred percent service level. Rather it should cover all but highly unlikely events. We modeled a service level that is based on an industry accepted threshold of risk. This allows for a loss of load expectation of one day in a ten-year period.

This assumption equates to a service level of 99.97 percent.[8] While reducing the service level from 100 percent to 99.97 percent may seem small, it substantially reduces the number of transformers required by thirty-three percent, to twenty units. See Figure 5.

[Figure 5: Example: Inventory Requirement for 345/138kV Transformers, by varying service level. Number of transformers for equipment at risk, worst case event (100% service level), 99.97% service level, and 99% service level; bar labels 45%, 33%, 15%.]

Further reduction in service level can provide additional pooling benefits, but only marginally. At a service level of 99 percent, the required inventory reduces by three units of the 345/138 kiloVolt at-risk transformers, to seventeen units.

We then repeated the Monte Carlo analysis for all fifteen equipment classes across the metropolitan areas. Figure 6 summarizes the results for the optimal inventory level needed at the 99.97 percent service level.

[Figure 6: Desired Inventory Level at 99.97% Service Level Reliability, by transmission class, multiple cities. Number of transformers by voltage class. Equipment at risk: 288. Target inventory: 144.]

The numbers show that substantial economic benefits are achieved by pooling the needs across multiple geographic-diverse utilities, using an approach like Grid Assurance. In this example, the required inventory is only fifty percent of the at-risk transformers. Or one hundred forty-four transformers across all voltage classes. This level of reduction is not possible if individual utilities serving the multiple metropolitan areas develop their own inventory hosting program.

Concluding Remarks

Our analysis outlines that the case for collaboration amongst many utilities in this inventory service can be compelling. First, the protection and security offered to expedite the recovery from a catastrophic event is significant. Many studies have shown how much customers rely upon a reliable source of electricity, and how industrial, commercial and residential activity would be crippled without it.

The economic losses can easily mount into hundreds of billions from an extended outage. This inventory of long lead-time equipment will provide the required additional capacity needed to meet the new threats that face the nation's grid.

In addition, such a stockpile could have a deterrent effect. Potential attackers will know that their plans to disrupt the reliable supply of power would be much less effective. Like a home security system, it could also cause those with bad intentions to look elsewhere for targets where they would hope to have more impact.

The most compelling impact of this collaboration will be to lower the costs to customers, which will be much smaller than if a utility were to consider developing a large inventory of critical equipment on its own.

By joining forces, utilities dramatically lower the number of large power transformers required, as they share the cost of building and maintaining this lower level inventory with others.

These compelling results provide utilities significant rationale to assess their options to meet these new threats to our nation's grid. And to develop solutions that are the most cost-effective for their customers.

Endnotes:

1. The North American Electric Reliability Corporation took the important step of focusing on the critical equipment in the standard on critical infrastructure protection for physical security (CIP-014-1) that became effective on January 26, 2015. The standard requires transmission owners to identify and protect equipment that could cause cascading outages and blackouts if damaged. Also, the bill H.R.2244 requires the Department of Energy, acting through the Office of Electricity Delivery and Energy Reliability, to submit to Congress a plan to establish a Strategic Transformer Reserve for the storage, in strategically located facilities, of spare large power transformers in sufficient numbers to temporarily replace critically damaged large power transformers.
2. American Electric Power, Great Plains Energy, Eversource, Edison Transmission, Duke Energy, and Berkshire Hathaway Energy.
3. U.S. Department of Homeland Security. ICS-CERT Monitor, September 2014 – February 2015.
4. These damage figures only account for the direct costs of repairing buildings, replacing infrastructure and fixing other facilities and possessions damaged in such events. In addition, there are the indirect costs to our economy of losing the contents of our refrigerators; losing retail sales at shopping malls and restaurants; losing industrial production; and losing job productivity that are many times the direct costs.
5. We used industry-available data to identify the high-voltage transformers within a target substation. We did not include generation step-up transformers in our analysis.
6. This example assumes that the likelihood of a physical attack on a metropolitan area is once in five years. Because of a lack of historical data on such events, once in five years is used as a best estimate. Sensitivities were evaluated to determine the best estimate to assess the impact on the inventory hosting requirements.
7. This example assumes a large power transformer lead-time of eighteen months. The worst case event would therefore be a scenario where three metropolitan areas are attacked consecutively in three consecutive years but within a time span of eighteen months.
8. One day in three hundred and sixty-five days per year, in ten years, is equivalent to a 99.97 percent reliability standard. In this illustrative example, using this reliability level with long-lead time equipment of eighteen months implies that a catastrophic event, which could result in inadequate inventory, is expected to occur once in every five thousand years on average.
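The service-level sizing described under "Simulated Physical Attack" can be sketched as a small Monte Carlo model. This is an added example, not the authors' Inventory Modeling Tool, and it is not expected to reproduce the article's figures. It assumes a constructed split of the 55 at-risk units across eight hypothetical areas, reads endnote 6 as one attack somewhere every five years (Poisson arrivals, uniform choice of area, all units in the area lost), and measures service level per eighteen-month lead-time window as in endnote 8.

```python
import math
import random

# Constructed split of the article's 55 at-risk 345/138 kV units across eight
# hypothetical metropolitan areas; the three largest sum to the worst case, 30.
UNITS_AT_RISK = [12, 10, 8, 7, 6, 5, 4, 3]
ATTACK_INTERVAL_YEARS = 5.0  # endnote 6, read as a system-wide rate (assumption)
LEAD_TIME_YEARS = 1.5        # endnote 7: eighteen-month replacement lead time


def simulate_windows(n_windows, seed=2016):
    """For each simulated lead-time window, return the set of areas attacked."""
    rng = random.Random(seed)
    windows = []
    for _ in range(n_windows):
        hit = set()
        # Poisson arrivals: exponential gaps between attacks (assumption).
        t = rng.expovariate(1.0 / ATTACK_INTERVAL_YEARS)
        while t < LEAD_TIME_YEARS:
            hit.add(rng.randrange(len(UNITS_AT_RISK)))  # uniform area choice
            t += rng.expovariate(1.0 / ATTACK_INTERVAL_YEARS)
        windows.append(hit)
    return windows


def required_inventory(demands, service_level):
    """Smallest stock that fully covers at least `service_level` of windows."""
    ordered = sorted(demands)
    idx = max(math.ceil(service_level * len(ordered) - 1e-9) - 1, 0)
    return ordered[idx]


def pooled_requirement(windows, service_level):
    """One shared stock: demand is every unit lost in the window, all areas."""
    demands = [sum(UNITS_AT_RISK[a] for a in hit) for hit in windows]
    return required_inventory(demands, service_level)


def standalone_requirement(windows, service_level):
    """Sum of the stocks each area would hold if it planned only for itself."""
    total = 0
    for area, units in enumerate(UNITS_AT_RISK):
        demands = [units if area in hit else 0 for hit in windows]
        total += required_inventory(demands, service_level)
    return total


WINDOWS = simulate_windows(200_000)

if __name__ == "__main__":
    for level in (1.0, 0.9997, 0.99):
        print(f"{level:.2%}: pooled {pooled_requirement(WINDOWS, level)}, "
              f"standalone {standalone_requirement(WINDOWS, level)}")
```

Because any single area is hit far more often than once in 0.03 percent of windows, each area planning alone must stock its full exposure, while the pooled stock only has to cover the rare windows in which several areas are hit together.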