Domestic attacks on the U.S. power grid are on the rise, and I’m not just talking about state-sponsored Advanced Persistent Threats (APTs). The highest threat to the US power system seems to come from right here at home, and the attackers aren’t using sophisticated malware or Distributed Denial of Service attacks. They’re using guns and bullets. As one of the only – if not THE only – companies with robust intelligence capabilities to protect both cyberspace and the real world, this is one of the threats we take seriously and track closely. A significant portion of these physical attacks start with communication on social media platforms. Through a combination of our Physical Security Intelligence (PSI) and DarkOps teams, we can follow those conversations, assess when an attack is likely to happen, and notify security or law enforcement teams with the access and authority to take action to mitigate these threats.
Who’s Threatening Our Power Grid?
Threats to the US power system have come under increasing scrutiny, as evidenced by FBI warnings to CNI sectors (which include energy, water, transportation, and 13 other industries). Here are just a few examples of the threats this sector has faced in just a few months.
In February 2023, the FBI announced the arrest of two individuals with extremist ties who were planning to attack the power grid in Baltimore, Maryland. While their plot to “permanently completely lay this city to waste” was exposed and foiled, their actions likely represent a fraction of these kinds of plots. According to Brian Harrell, former Assistant Secretary for Infrastructure Protection at DHS, there has been a “significant uptick” in online talk around physically damaging substations. He added: “The utility sector has a real problem on its hands.”
In mid-January 2023, the threat to a North Carolina substation turned into an actual attack, with the substation hit by “an apparent gunshot,” according to local authorities. “[The grid] is extremely challenging to monitor and protect. And many of these places are very remote, so officers have to get there. And by the time they do, the attackers are already gone,” says Errol Southers, professor of national and homeland security at the University of Southern California, speaking to NPR.
In early January 2023, a power grid attack in Washington state left thousands without power on Christmas day. “We have seen attacks such as these increase in Western Washington and throughout the country and must treat each incident seriously,” said U.S. Attorney Nick Brown. “The outages on Christmas left thousands in the dark and cold and put some who need power for medical devices at extreme risk.”
A month earlier, on 2 December 2022, the FBI had already issued a warning about the threat to substations in Oregon and Washington as a result of a recent series of physical attacks, including at least some that involved gunfire. Regarding those attacks, a security specialist with the Bonneville Power Administration – a federal agency that markets hydropower throughout the Pacific Northwest and owns 15,000 miles of transmission line and 200 substations – noted that “online extremist groups are calling for the attacks and providing instructions on how to do it.”
Also in early December 2022, an attack on an electric substation in North Carolina cut off power to 45,000 customers. Moore County Sheriff Ronnie Fields told reporters that whoever was responsible “knew exactly what they were doing to … cause the outage that they did.”
Extremist groups hold the power grid in their sights. Harrell says, “When digging into the dark web, social media portals, and chat rooms, we quickly see that targeting and destroying energy infrastructure is a tactic many extremist groups fantasize about.”
One South Carolina energy authority’s words – “We weren’t adequately protected” – appear to be a common theme among all of these attacks.
3 Options for Proactive Defense
Protecting the U.S. power grid comes down to three key areas: make the physical infrastructure harder to find, make that same infrastructure harder to damage, and get ahead of domestic terrorist threats by collecting, monitoring, and reporting the intelligence that security and law enforcement need to stop would-be attackers and ensure the justice system creates a deterrent for future threat actors to consider.
Less Visible Facilities
In turn-of-the-century Toronto, to spare the scenery, substations were designed as brick-and-mortar houses, complete with a garden, driveway, and door knocker. The city did the same with its hydro plants, clothing them in the “fashionable brick, masonry and woodwork of the day.”
Today, similar techniques are still used in major urban developments. For instance, on New York’s Roosevelt Island, an old brick laboratory was repurposed to house power-conversion substations; a faux Georgian-style building next to the Hard Rock Café in Chicago once served a similar purpose, its windows nothing more than poorly disguised air vents; and Toronto, the pioneer mentioned above, now boasts over 250 disguised electrical facilities, all without disturbing the view.
While tools like Google Earth make it increasingly difficult to hide anything, a well-disguised plant will still likely reduce the threat from casual and opportunistic troublemakers.
More Resilient Infrastructure
While hiding facilities can reduce the risk of attack, it won’t eliminate the risk of attack by a motivated American with one of the roughly 400M registered firearms in the U.S. To withstand such an attack, one Southern California power plant installed ballistic walls around its substation equipment, made of fiberglass-reinforced plastic to absorb the shock without causing the equipment to overheat. These ballistic protective enclosures “are typically used in industrial settings, where a ballistic item might be accidentally released during the testing of a rocket motor or in a high-speed centrifuge, for example.”
Additionally, a range of technologies designed explicitly for this purpose include an Idaho-developed system made of military-grade steel that “not only protects from gunfire but vehicles carrying explosives, as well.” Pre-cast concrete is also being used to create a protective barrier against “high-velocity bullets”, facilitating a low-maintenance way to “better secure substations and other facilities which are typically unmanned and located in isolated areas,” according to one supplier.
In addition to adding protection to the facilities themselves, another aspect of hardening is to dedicate manpower to protecting them. Security personnel are a proven deterrent for criminals, including thieves and vandals. Armed with knowledge of attacker plans, gained through the intelligence described in the section below, these personnel can be prepositioned to thwart attacks.
Smarter Security Plans
Most physical attacks are first planned by groups communicating digitally. This makes access to closed communications channels and underground forums a key component of getting ahead of the threat. And, with Gartner predicting that by 2024, 75% of CEOs will be personally liable for damages from cyber-physical security (CPS) incidents that harm corporate personnel and facilities, the need to increase efforts (and budgets) for defending these critical systems has never been more clear.
ZeroFox Managed Intelligence Services provide near real-time alerts for incidents that pose a threat to customer organizations. Our 24x7x365 Physical Security Intelligence (PSI) team is constantly scouring digital sources for the latest cyber-physical threats and compiling them into key events that ensure security professionals have a complete picture of the threat landscape as it relates to their needs. Before an alert gets to a customer, it is vetted, enriched with relevant threat data (from public and proprietary threat feeds), tagged, and categorized by incident type, time, and location. Within the ZeroFox platform, our customers – supported by our team of experts – are empowered to customize alert rules for the greatest return on their investment. They can even customize the platform for specific use cases.
How ZeroFox Can Help
Getting ahead of public safety events (shootings, natural disasters, violence), disruptions (protests, travel advisories), and other observable anomalies that put an organization at risk is the foundation for effectively defending against these growing threats to our critical infrastructure.
- 24x7x365 threat intelligence collection
- Scalable investigation efforts across tens of thousands of online avenues
- Reduced false positives, thanks to a team of specialized physical security analysts
- Automated in-platform alerts in over 100 languages
- Immediate situational awareness via mobile app, portal, SMS message, or email
- Out-of-the-box physical security policies
- Geo-specific physical threat warnings
ZeroFox uses behavioral-driven threat analysis and a team of intelligence researchers to provide insights that are second to none in the industry, with deep access to both the underground economy and extremist forums. We know how to detect the online rumblings that precipitate physical attacks and how to protect you against them – online and in the real world.