As states report more attacks on their critical infrastructure, Colorado says it's as prepared as it can be

Posted at 1:04 PM, Dec 09, 2022
and last updated 2022-12-09 15:04:49-05

DENVER — An attack over the weekend on two power substations in North Carolina is once again highlighting the vulnerabilities of critical infrastructure in the U.S.

The substations were disabled after someone fired multiple bullets at them, knocking out power to an entire community for days. This is just the latest in an uptick in attacks on power facilities in recent months, including an attack on an Oregon substation.

Now, the FBI is investigating an attack near a power facility in South Carolina.

“These new things, like vandalism, or things we didn't expect to be threats to the grid — cyber attacks, physical attacks — the grid isn't quite prepared for those,” said Kyri Baker, an assistant professor of engineering at the University of Colorado in Boulder.

Utility companies across the country have built a number of redundancies into the grid so that if one component goes down, the power can be rerouted so there is not a disruption of service. In the North Carolina case, however, when two substations were taken down, it was almost impossible for the utility to reroute the power.

“Attacks like this, physical attacks on the infrastructure where it's not just putting a power pole back up and resetting a breaker, but where it's replacing a $5 million transformer, these are extremely hard to deal with,” Baker said.

While utilities might be prepared to respond to weather events that can knock part of the grid offline, attacks on the infrastructure pose their own set of challenges. However, attacks, and even cyber hacks, on critical American infrastructure are nothing new.

In 2018, the Cybersecurity and Infrastructure Security Agency (CISA) alerted the public that the Russian government targeted U.S. government entities, as well as American energy, nuclear, commercial, water, aviation and critical manufacturing sectors. An investigation by the Department of Homeland Security and the Federal Bureau of Investigation found that Russians staged malware and gained remote access into energy sector networks in an attempt to disrupt them. The Russian government also conducted reconnaissance and collected information from these systems.

Texas state regulators and energy companies reported earlier this year that Russian hackers had probed the state’s energy infrastructure for weak points in an attempt to disrupt operations amid the war with Ukraine.

Last year in Oldsmar, Florida, a hacker was able to successfully gain access into the water treatment system. The hacker then tried to increase levels of sodium hydroxide (lye) in the city’s water supply to 100 times its normal levels, which could have poisoned thousands of residents who rely on the water. That circumstance was avoided, however, because an operator watched the mouse moving as the hacker increased the levels and was able to bring the system back to its normal levels quickly.

Also last year, a similar attack took place in San Francisco, when a hacker accessed the water treatment system using the username and password of a former employee’s TeamViewer account. The hacker then deleted a program that the plant used to treat drinking water. However, the sabotage was discovered the next day, the programs were restored and the passwords were changed.

A Department of Defense report found that if nine key substations in the U.S. were taken down, it could cause widespread power outages across the country.

“That's why the power grid models are sort of kept secret,” Baker said. “I think the reason that power is being targeted is power's essential to all these other pieces of infrastructure, like natural gas pipelines, water infrastructure.”

Most of the power substations are not underground for two reasons. First, placing these substations underground is expensive, and second, the systems conduct a lot of heat, so having them out in the open where wind can naturally help cool them is an economical way to maintain them.

The location of the substations is also relatively easy to find online, so much so that Baker asks her students every year to take a selfie near the one that supplies power to their homes. Normally, there is only a fence to keep people away from the substation itself, with very few additional security measures in place.

Engineers are mainly focused on efficiency, cost and reliability in their designs, not necessarily attacks. The threats of weather events, cyber attacks and vandalism are important reasons Baker and other professors have begun to teach and stress to their students the importance of hardening these systems.

“It's improving and hardening the power grid. And it's also making sure smaller-scale communities are able to withstand some of these disasters,” she said.

The Colorado Division of Homeland Security and Emergency Management says it works with the FBI, the Department of Homeland Security, the National Guard and other agencies to protect this infrastructure and be prepared to quickly respond to events.

“As we've seen with recent incidents, that somebody that wants to attack can attack. What we try to do is make sure that we have resilience built in,” said Kevin Klein, the division’s director.

In order to protect Colorado’s infrastructure, Klein says the first step is identifying the top facilities to protect, then managing the risks around them by ensuring physical threats are limited.

Part of the discussion around resiliency has to do with creating redundancies, or backups to systems, so that disruptions are rare. However, duplicate systems are expensive.

“We can build really hard, really resilient, really big systems that are completely bulletproof, right? But they cost more, and that cost gets passed on to the consumer,” Klein said.

Another challenge: Colorado is moving more to electrification with renewable energy and is becoming increasingly interconnected with the internet. That means the system is also becoming even more vulnerable to hacks.

One idea to prevent major disruptions while still moving to more interconnectivity and electrification: microgrids. These are smaller grids that can be isolated from the larger power grid and continue to operate even if something is happening in a neighboring area.

Renewable energy can help bring resiliency to smaller grids that rely more on its power than traditional utilities.

“Those types of things as we grow and start looking at these alternatives to the big grid system, I think that helps build in more resilience,” Klein said.

For Baker, resilience means rethinking the designs of these substations altogether as Colorado’s infrastructure ages and is replaced. She hopes the new systems will be designed and built in such a way that they can withstand cyber hacks, physical attacks and even extreme weather events, as climate change causes longer outages on power systems.

For now, for the millions of people relying on Colorado’s critical infrastructure nearly every minute of every day, the state says it is as prepared as it can be for an attack. The question is whether all that work is enough.