Local

I-Team: Are electric companies doing enough to prevent attacks on the U.S. power grid?

DAYTON — You might only think about your electricity when you get your bill every month. But the power supply we all rely on to heat our homes, preserve our food, and light our communities is under threat. That power comes from places like electrical substations.

But how safe are those facilities? To find out, we staked out power substations across the country, including right here in the Miami Valley.

As you read this report, know that this is not a “how-to” of causing damage to the power grid for bad actors. In fact, recent cases prove the bad guys already know how to do this and are doing it. Public documents on the internet make it easy for people with bad intentions to find the largest and most critical substations.

The I-Team surveyed the security of our local power grid for ourselves. And here’s why: last year, attacks on the U.S. power grid skyrocketed to an all-time high.

In December, gunfire attacks at two electrical substations in North Carolina cut power to tens of thousands of homes for several days. Earlier this month, two suspects in Maryland were arrested and charged -- accused of plotting to shoot out substations around Baltimore. Investigators said they were hoping to kill power to the entire city.

Data the I-Team pulled from the U.S. Department of Energy (DOE) shows 163 instances of physical attacks, vandalism, suspicious activity, or sabotage in 2022 -- nearly tripling from 2018 when there were 57 such instances. DOE reported 81 in 2019, 96 in 2020, and 91 in 2021. And Ohio is a top target. DOE reports show we were among the top 10 states in attacks last year -- with five instances in 2022.

“I think it’s one of the most significant threats we have currently,” former Federal Energy Regulatory Commission (FERC) Chair Jon Wellinghoff told the I-Team of the direct physical attacks against electrical infrastructure across the U.S. FERC is a government agency that oversees America’s power grid.

Already this year, News Center 7 has covered a case of criminal trespassing at a power substation in Greene County. Deputies arrested a man at an AES Ohio substation for trying to take scrap metal from that facility. Greene County deputies wrote in their incident report that the suspect cut through the fence.

“We got a call, an alarm that we responded to,” Greene County Sheriff Scott Anger said of the January incident.

“We have in place at all our substations security in terms of fencing, lighting, alarms, other digital devices that can identify any disruption or tampering,” said Mary Ann Kabel, AES Ohio’s Director of Corporate Communications.

But here’s one of the biggest problems: at many substations, there is a clear line-of-sight from public property to key equipment that keeps your lights on. This is especially problematic, Wellinghoff says, when it comes to the gunfire attacks we’ve seen.

“You have line of sight through a fence,” Wellinghoff said. “You don’t even need to get inside the substation. You don’t need to cut a lock. You don’t need to actually breach a fence. You can shoot through a fence into the critical parts of the substation and you can take it out.”

Wellinghoff believes power companies across the country aren’t doing enough to protect the power grid. He was FERC chair when criminals pulled off a sophisticated gunfire attack at a substation in California in 2013. Since then, the FBI and the Department of Homeland Security (DHS) have issued numerous warnings to power companies saying domestic terrorists were planning attacks on critical U.S. infrastructure, including the power grid.

News Center 7 teamed up with our sister stations to visit more than 50 substations in seven states.

In Seattle, security for a power company there called police to the substation our crew was visiting.

In Charlotte, Duke Energy provided still images from security camera footage that show their cameras saw our crew visiting one of their substations in North Carolina. The company also notified police of that visit from our crew.

Here in the Miami Valley, the I-Team drove more than 150 miles over the course of two days to visit substations in Warren, Greene, Montgomery, and Clark counties. We made eight unannounced stops at substations for the three biggest power companies in our area: AES Ohio, Duke Energy, and Ohio Edison.

We did not break any laws and spent more than 30 minutes at each location. At each substation, no one approached us. And we checked, and no one reported us to police. We even made stops at night when most of the attacks have happened.

All three companies told the I-Team they have robust security in place.

In a statement emailed to the I-Team, Will Boye, a Senior Communications Rep for Ohio Edison’s parent company, First Energy, said, “Protecting the energy grid and providing our customers with reliable power is a top priority for FirstEnergy. We’re constantly using real-time monitoring to detect any potential physical or cyber security threats to the grid, and we follow rigorous procedures and standards that protect the grid by improving reliability and reducing the impact of potential threats. A wide variety of surveillance, deterrence, physical and technology measures are in place, and we continually invest to ensure our protective measures are robust.”

“In addition, we practice our response in numerous drills throughout the year, partnering with other utilities, response organizations and regulators to ensure we are prepared should a threat materialize. For example, late last year FirstEnergy participated in PJM’s 2022 grid security drill, which is designed to assess the response capabilities of PJM and transmission owners for potential disruptions to operations resulting from physical or cyberattacks.”

Duke Energy spokesperson, Sally Thelen sent a statement to the I-Team that read:

“As the largest grid operator in the country, Duke Energy knows our responsibility to protect the power grid is paramount, and our strategy continually evolves as threats do.”

“We know how important electricity is to our customers and communities. That’s why protecting the electric grid and maintaining reliable, resilient service is a top priority. When it comes to grid protection, we have a multilayered risk management strategy that includes a physical defense system, a cross-functional team that monitors and responds to threats 24/7/365 and daily information sharing with our industry and government partners. This intelligence sharing is essential, and we have strong relationships with federal, state and local law enforcement in all of our jurisdictions.”

“Duke Energy is spending $75 billion over the next decade on grid improvements, which will include investments in making the electric grid more secure from cyber and physical threats. We continually assess our security posture and also prioritize resiliency as we look at new and emerging threats, so that we can preserve reliable service for our customers.”

“Grid resiliency, which helps us recover quickly from disruptions when they occur, also plays a key role. The same self-healing technology that can detect power outages from storms and reroute power to restore service to customers can also play a role in deterring attacks on the grid. If an individual looking to create a disruption with a grid attack finds that we’re able to re-route power and restore power to customers quickly, they may reconsider that action.”

In an interview with the I-Team this month, Mary Ann Kabel, AES Ohio’s Director of Corporate Communications said, “Safety is number one. And protecting our grid is not only just (of concern to) the local utility but is of national concern and federal agencies and local officials.”

“The most important thing to note, though, is it’s evolving. We are always abreast of any new technologies to incorporate in our safety, to protect the grid, and our infrastructure. We also meet regularly with law (enforcement) officials and fire departments to make sure that we share a contingency plan, so they are aware of what needs to be done and how quickly they need to respond. And we also take guidance from the Edison Electric Institute. So, we share that information so that we’re cognizant and on top of everything that needs to be done to protect our grid and protect our infrastructure.”

After getting those statements from the three power companies, the I-Team asked all of them the same questions:

Were they notified of our presence near their substations?

If so, how were they notified?

And can we get a copy of that notification?

None of the companies would tell us where we were citing security reasons.

First Energy replied to those questions by saying, “For security reasons we don’t disclose specifics about our substation security activities.”

AES Ohio responded with, “We do not disclose information on elements of our layered defense system.”

And Duke Energy followed up to our questions by telling the I-Team they, “don’t want to confirm or deny whether we knew about your visit to our substations that you asked about.”

As for further solutions to help improve measures to keep our substations safe, former FERC Chair Jon Wellinghoff has been giving recommendations for more than a decade. We’ll have that part of the story in part two of our investigation Friday on News Center 7 beginning at 5:00.

0