Loading...
HomeMy WebLinkAboutPhysical Vulnerability of Electric Systems to Natural Disasters and Sabotage 1990LIBRARY COPY Please use BLUE SIGN-OUT CARD Sanden aS pe PHYSICAL VULNERABILITY OF cucctri€ SYSTEMS TO NATURAL DISASTERS AND SABOTAGE CONGRESS OF THE UNITED STATES OFFICE OF TECHNOLOGY ASSESSMENT Office of Technology Assessment Congressional Board of the 101st Congress EDWARD M_ KENNEDY. Massachusetts. Chairman CLARENCE £. MILLER. Ohio. Vice Chairman Senate House ERNEST F HOLLINGS MORRIS K. UDALL South Carolina Arizona CLAIBORNE PELL GEORGE €. BROWN. JR Rhoae isiana California TED STEVENS JOHN 0. DINGELL Alaska Michigan ORRIN G. HATCH DON SUNDQUIST Utan Tennessee CHARLES £. GRASSLEY AMO HOUGHTON lowa New York JOHN H. GIBBONS (Nonvoting) Advisory Council CHASE N. PETERSON, Chairman MICHEL T. HALBOUTY University of Utah Michel T. Halbouty Energy Co. California Space institute JOSHUA LEDERBERG, Vice Chairman NEIL E. HARL JOSEPH E. ROSS Rockefeller University lowa State University Congressional Research Service CHARLES A. BOWSHER JAMES C. HUNT JOHN F.M. SIMS General Accounting Office University of Tennessee Usibelli Coal Mine. inc LEWIS BRANSCOMB HENRY KOFFLER MARINA v.N. WHITMAN Harvard University University of Arizona General Motors Corp Director JOHN H. GIBBONS those of the Board, OTA Advisory Council, or individual members thereof. SALLY RIDE of this report. The views expressed in this report are not necessarily Recommended Citation: U.S. Congress, Office of Technology Assessment, Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage, OTA-E-453 (Washington, DC: U.S. Government Printing Office, June 1990). For sale by the Superintendent of Documents U.S. Government Printing Office, Washington, DC 20402-9325 (order form can be found in the back of this report) Foreword This assessment responds to requests by the Senate Committee on Governmental Affairs and the House Committee on Energy and Commerce to evaluate the potential for long-term electric power outages following natural disasters and deliberate sabotage. This report complements earlier OTA reports: Electric Power Wheeling and Dealing—Technological Considerations for Increasing Competition, and New Electric Power Technologies— Problems and Prospects for the 1990s. This country has enjoyed remarkably reliable electric service for the most part. Very few blackouts have affected many people for more than a few hours. Nevertheless, much worse blackouts are possible which could cause enormous disruption and expense for society. It is the intent of this report to analyze how such disasters could happen and how the risk could be reduced. OTA examined the effects on an electric power system when various components are damaged and how the system can be restored. Present efforts and potential options to reduce vulnerability are described. Also, specific policy measures are analyzed and grouped according to whether they are likely to be implemented and their costs. This report contains no information not readily available from other public sources that would assist saboteurs in destroying electric power facilities and causing widespread blackouts. An analysis of the vulnerability of specific equipment is included in a separate appendix that is under classification review by the Department of Energy. This appendix will be made available only under appropriate safeguards by the Department of Energy. OTA appreciates the generous assistance provided by our workshop participants as well as other individuals who contributed to this report by providing information, advice, and substantive reviews of draft materials. To all of the above goes the gratitude of OTAand the personal thanks of the project staff. Len Widen , JOHN H. GIBBONS Director Electric System Vulnerability Workshop Participants Edward Badolato CMS, Inc. Lex Curtis Westinghouse ABB John Edwards New York State Energy Office Michehl Gent North American Electric Reliability Council A. Leonard Ghilani RTE Power Products Henry Hyatt Federal Emergency Management Agency James Jackson Southern California Edison Co. Frank Kroll Arizona Public Service Co. Charles Lane U.S. Secret Service October 18, 1989 Joseph Muckerman I U.S. Department of Defense Jeffrey Palermo Casazza, Schultz & Associates, Inc. Bernard Pasternack American Electric Power Service Corp. Stanley Trumbower U.S. Department of Energy Joseph Walter Maryland Public Service Commission Emmet Willard Private Consultant John Williams U.S. Department of Energy John Wohlstetter Contei Corp. Frank Young Electric Power Research Institute Physical Vulnerability of Electric Power Systems to Natural Disasters and Sabotage OTA Project Staff Lionel S. Johns, Assistant Director. OTA Energy, Materials, and International Security Division Peter D. Blair, Energy and Materials Program Manager Alan T. Crane, Project Director Robin Roy, Analyst Joanne M. Sedor, Analyst Administrative Staff Linda Long Phyllis Brumfield Contributors Lillian Chapman A. Jenifer Robison Daniel Yoon Contractors Casazza, Schultz & Associates, Inc. Acknowledgments Glenn Coplan Michael Hunt U.S. Department of Energy Asea Brown-Boveri Lex Curtis Robert Mullen Asea Brown-Boveri Department of Energy James Dodd David Nevius Virginia Power Co. North American Electric Reliability Council Gene Gorzelnik Hilton Peel North Amencan Electnc Reliability Council Virginia Power Co. Richard Gudeber Kyle Pitsor Virgunia Power Co. National Electrical Manufacturers Association Roger Hamrick Charles Rudasill Virginia Power Co. Virgnia Power Co. Eric Haskins Charles White Edison Electric Institute National Electrical Manufacturers Association Additional Reviewers Steinar J. Dale Darriell Jones Oak Ridge National Laboratory Federal Bureau of Investigation James S. Gilbertson Monte Strait Federal Emergency Management Agency ' Federal Bureau of Investigation NOTE: OTA appreciates and is grateful for the valuable assistance and thoughtful critiques provided by the reviewers. The reviewers do not, however, necessarily approve, disapprove, or endorse this report. OTA assumes full responsibility for the report and the accuracy of its contents. Contents Page Chapter 1: Introduction and Summary ...... 1 RRO OO CO ee aU Ee leE ty. 1 SUMMARY | Pece eee sete ae rae 1 Causes and Costs of Extended Outages .... | Component Vulnerability and Impact See eee eee Ae vedic alae label everett 2 Current Efforts To Reduce Vulnerability .. 4 Policy Options To Further Reduce Vulnerability) oye ae hislslste Salocsteps estate 5 Chapter 2: Causes of Extended Outages ..... 9 NATURAL HAZARDS 200000. 2) 9 RRR UTES tose oce sete shel nveteterey efale esos cierto 9 RMRENOS Hoare estore ctorelestslatetsrerereier tet cieiels 12 Tornadoes and Thunderstorms ........... 12 Geomagnetic Storms .................... 13 SABOTAGE ||) ie a siete sale cnsinlateiae at staetetaiswe 14 Experience With Sabotage .............. 14 AAI TMG) Sched erst st lstete evelaveleletetsewvoletagelscarets 16 Chapter 3: Impacts of Blackouts ........... 19 OVERVIEW OF COSTS OF BAC OUTS ete eater aerate 19 BE EE oe ech yeas ee eeeen eae ene 19 Hypothetical Outage Cost Estimates ..... 20 Actual Outage Cost Estimates ........... 21 SECTORAL: IMPACTS 0303300. 000 5-3... 23 SIE aa bi eee ean eee aa oes aes (Commamnemirtall | Piesersre) stoic) lefiel-yolais iol volcts . 24 DEER ee eeeee eee eee eee Lr ns) OSMIRINRN |! Neeiere vat atetatetaraistetsrapslctetsstslote 25 MT RRMRERTORAOMA Sc lercrcietsiclloicteictoleie sto) sieleleciciels 26 Telecommunications .................... 26 Emergency Services ............... . 28 Public Utilities and Services ............. 28 Chapter 4: System Impact of the Loss of Major Components .............-+++se00+ 31 SHORT-TERM BULK POWER SYSTEM IMPACTS Ieee ccccecitescocccis ccc 31 The Importance of Any One Component: Preparing for Normal Failure .......... 31 Impacts of Multiple Failures: Islands and Cascading Outages............... 33 LONG-TERM BULK SYSTEM IMPACTS . 34 The Importance of Any Few Components: Large Reserves and Peak Capacity ..... 34 System Impact When No Outages Occur: Higher Costs and Lower Reliability .... 35 BULK SYSTEM RECOVERY FROM CUTAGSES ener vaceonsistelstecieletelstetelsielcice 35 Page SPECIFIC EXAMPLES OF ATTACKS .... 36 Destruction of Any One Generator, Transmission Circuit, or Transformer... 36 Destruction of One Major Multi-Circuit Transmission Substation or Multi-Unit Powerplant acne reece ee ha Destruction of Two or Three Major Transmission Substations ............. 37 Destruction of Four or More Major Transmission Substations ..... wy Chapter 5: Current Efforts To Reduce Energy System Vulnerability..... 39 Ce eR ee UH HLU ESS Private Industry oi. ey BALA S9) Federal Government .................... 40 ET aR el level eer ere ere eee 43 STATUS OF THE U.S. ELECTRICAL EQUIPMENT MANUFACTURING RE eee ee TT 44 Chapter 6: Options To Reduce VGINCERMIMEY oe 50.5015 0% cose cweisresis sisisicee's 47 PREVENTING DAMAGE TO THE SS rn ea OTT ee ot 47 Harden Key Facilities ................... 48 Sere eels vaetelstetseteaststesttss 49 ER eee eee UAL Aree toa 49 Coordination With Law Enforcement ASORCIES Reece ere cio nie tee eee 50 LIMITING THE CONSEQUENCES ....... 51 Improve Emergency Planning and rea eels eral taal lo latetere 51 Modify the Physical System............. 51 Increase Spinning Reserves ............. 52 SPEEDING RECOVERY.................. SZ: Contingency Planning ................... 52 Clarify the Legal/Institutional Framework TORR MERRI 21oloio fei o)eielaiolati cleseye cisiess)-)=sieiel= 52 Stockpile Critical Equipment ............ 53 Assure Adequate Transportation (SemeRrcssts ccelstescays erelesejalstepelatstel ers atsteets 55 Monitor Domestic Manufacturing sac elacstacclelsjatoterelsls itetstsisis) stones 55 GENERAL REDUCTION OF VULBABILETY .................- 55 Less Vulnerable Technologies ........... SS Decentralized Generation ................ 56 Chapter 7: Congressional Policy Options ... 59 PRESENT TRENDS. .................-555- 59 wi Advantages ...... eee 59 Disadvantages ........0. eee 60 LOW-COST GOVERNMENT INITIATIVES Sica cee mas Specific Initiatives (RAV SNtAGOS secrrier nem ee eee Disadvantages aenr. rien era MODERATE AND MAJOR INVESTMENTS TO REDUCE RISKS .. 62 Specific Initiatives pe eee eee Po ee eee Boxes Box Page A. The Armenian and San Francisco Earthquakes’ Effects on Electric Power Gye: << -.....0.0emees seen 10 B. Hurricane Hugo's Effect on South Carolina Electric 6 Gaa: Cor rere ciresciecier-1-icinieieis-l> 13 Box Page C. New York City Blackout ................ 22 D. Transportation Impacts—Northeast and New York City Blackouts .................. 24 E. The Organization of Electric Systems: Utilities, Control Areas. Power Pools, and Interconnections ....-...-.......... 32 Tables Table Page 1. Cost of the New York City Bhackout—1977 «5.205 cece ncesesseees 3 2. Options To Reduce Vulnerability .......... 7 3. Direct end Inditect Costs ......5..-6.6-0-> 20 4. Comparison of Cost Estimates for Power: Gusnees 7.0.02 eceene 21 5. Cost of the New York City Black@ut—1977 .........0..00setseses 23 6. Options To Reduce Vulnerability ......... 48 7. Policy Package Components .............. 60 Chapter 1 Introduction and Summary —_—_—__— CO 200 QCO8 a INTRODUCTION The reliability of U.S. electric power systems has been so high that the rare occurrences of major blackouts have been prominent national and even international news items. The most notable inci- dents—in South Carolina after Hurricane Hugo, in Seattle after the 1989 cable fire, New York City in 1977, or almost the entire Northeast in 1965—have demonstrated that blackouts are very expensive and entail considerable disruption to society. As damaging as these blackouts have been, much worse events are possible. Under several different types of circumstances, electric power systems could be damaged well beyond the level of normal design criteria for maintaining reliability. Seismic experts expect that several parts of the country could experience significantly larger earthquakes than the one that hit California in 1989. Hurricanes even more damaging than Hugo could move along the Gulf of Mexico or up the Atlantic coast, maintaining their strength rather than losing it inland. Either type of natural disaster could damage many electric power system components, causing widespread outages over a long period of restoration and recovery. Even more ominously, terrorists could emulate acts of sabotage in several other countries and destroy critical components, incapacitating large segments of a transmission network for months. Some of these components are vulnerable to saboteurs with explosives or just high-power rifles. Not only would repairs cost many millions of dollars, but the economic and societal damage from serious power shortages would be enormous. Electric utilities normally plan for the possibility of one, or occasionally two, independent failures of major equipment without their customers suffering any significant outage. If the system can be better protected, or made sufficiently resilient to withstand greater levels of damage, then the risk of a major, long-term blackout will be reduced. However, any such measures will cost money. Utilities are taking some steps, but apparently, generally consider the risk to be too low to warrant large expenditures, which would ultimately be borne by their customers, or by stockholders if the State utility commission did not approve inclusion of these costs in the rate base. =i However, the consequences of a major. long-term blackout are so great that there is a clear national interest involved. Steps that may not be worthwhile for individual utilities could make sense from the national perspective. The purpose of this report is to explore the options for reducing vulnerability and place them in context. It first reviews the threat from both natural disasters and sabotage to determine what damage might occur. However. an analysis of the probability of any of these threats materializing is beyond the scope of this study. Chapter 3 reviews the impact of major blackouts that have occurred, in order to help understand the costs of an even greater one that might be experienced eventually. Chapter 4 estimates the effect on the system when various critical components are damaged, and how the system can be restored. Chapters 5 and 6 describe present and potential efforts to reduce vulnerability. Finally, chapter 7 suggests how Congress could act, depending on how seriously the problem is viewed. SUMMARY Causes and Costs of Extended Outages A variety of events, both natural and manmade, can cause power outages. Widespread outages or power shortages lasting several months or more are unlikely unless significant components of the bulk power system—generation and transmission—are damaged. The most probable causes of such damage are sabotage of multi-circuit transmission facilities, and very strong earthquakes or hurricanes. The bulk power system is vulnerable to terrorist attacks targeted on key facilities. Major metropoli- tan areas and even multi-state regions could lose virtually all power following simultaneous attacks on three to eight sites, though partial service might be restored within a few hours. Most of these sites are unmanned, and many are in isolated areas, with little resistance to attack. Powerpiants can also be disabled by terrorists willing to attack a manned site, or isolated from the transmission network by high- power rifle fire outside the site. None of the attacks on electric power systems in the United States has been large enough to cause widespread blackouts, but there are reasons for concern that the situation may worsen. Small-scale, unsophisticated attacks on power systems have 3 2 ¢ Physical Vulnerabulity of Electric Systems to Natural Disasters and Sabotage occurred here. Power systems in other countries, especially in Latin America and Europe. have suffered much worse and more frequent damage. Latin American and African counmies have suffered outages of several weeks. Terrorist attacks in this country have not been a major problem over the past decade, but that could change rapidly. Terrorists could select power systems as targets if they want to cause a large amount of economic disruption with a relatively small effort. Efficient selection of targets would require more sophistication than has yet been shown by terrorist groups in the United States, but the required information and expertise are available from public documents as well as from foreign terrorist groups. In addition, some foreign groups might want to strike directly at the United States. Hurricanes and earthquakes can also have a devastating effect on power systems, but the pattern of destruction would be much different than after a large-scale attack by saboteurs. Hurricanes affect distribution systems much more than generation and transmission. The relatively low lines are vulnerable to falling trees, flooding, and flying debris. Restora- tion may be a monumental task lasting several weeks or even months, but replacement parts are readily available, and utilities are experienced in the type of tasks required. However, the lingering blackouts following Hurricane Hugo demonstrated that greater advanced planning may be warranted. For instance, some types of transmission towers failed in the high winds, suggesting that more resilient designs should be used in vulnerable areas. Utilities along the Gulf and Atlantic coasts, areas vulnerable to hurricanes, should be studying the lessons learned from Hugo. Earthquakes are quite capable of destroying generation and transmission equipment as well as distribution systems. However, where facilities have been constructed to withstand as in California, it is unlikely that more than a few key pieces of equipment would be damaged. The great- est concern is when an earthquake hits an area where seismic disturbances have not been considered in the design of equipment. The central Mississippi valley, the southern Appalachians, and an area centered around Indiana have the highest potential for earth- quake damage. No plausible natural disaster should damage the bulk power system so badly as to cause widespread power outages for more than a few days if utilities have taken adequate precautions. Utilities However it might occur, a long-term blackout is extremely expensive. Direct impacts include lost Production and sales by industrial and commercial firms, safety (e.g., incapacitated traffic and air system controls), damage to electronic equipment and data, inconvenience, etc. Indirect costs include secondary effects on firms unable to conduct busi- ness with blacked-out firms, public health (e.g. inoperable sewage treatment plants), and looting. Table | summarizes the costs of the 1977 blackout in New York City, which lasted for about 25 hours. Blackouts of a few hours or days have been estimated to cost $1 to $5 per kilowart-hour not delivered, far greater than what the power would have cost had it remained uninterrupted. Predicting costs for any specific longer-term outage is very uncertain because costs depend on many factors including the customers affected, the timing and duration of the outage, and the degree of adaptation customers and utilities can achieve to mitigate the outage. Unless the damage is extremely severe, at least partial power could be restored in a matter of hours. Full restoration may take many months if a large number of key pieces of equipment have been destroyed. In the interim, customers would be faced with rolling blackouts, voltage reductions, or lower reliability. An additional impact is that the cost of the power that is available will be high if some of the most economical generating stations are damaged or isolated from loads by transmission system damage and therefore idled. Component Vulnerability and Impact on System Three factors determine the importance of any individual component—its susceptibility to dam- age; the effect on the power system of its loss; and the difficulty of its replacement or repair. These factors vary with particular circumstances. For example, generating stations can be destroyed by saboteurs willing to enter the plant, but the presence of utility employees performing their normal func- tions is a deterrent. However, if an insider is involved, sabotage becomes much easier. Similarly, the vulnerability of generating stations to ecarth- quakes is low if they have been designed to withstand them and high otherwise. Widespread, long-term blackouts could only be caused by damage to several circuits isolating Chapter |—ntroduczion and Summary ¢ 3 Table 1—Cost of the New York City Blackout—1977* impact areas Direct ($million) Indirect ($milion) Businesses Food spoilage...........--5-+ $1.0 Small businesses .. $155.4 Wages lost .............6655- 5.0 Emergency aid Securities industy .......... 15.0 (private sector) ........... 5.0 Banking industry........... 13.0 Government Federal Assistance (Non-public services) Programs . . 11.5 New York State Assistance Program 1.0 Consolidated Edison Restoration costs 10.0 New capital equipment Overtime payments 2.0 (program and installation) 65.0 insuranc® Federal crime it 3.5 19.§ 10.5 Public Health Services To Other public services Metropolitan Transportation 0.2 Authority (MTA) revenue WORD os aie ae cos rss 2.6 11.0 MTA overtime and 0.01 unearned wages.......... 6.5 0.5 44 0.5 14 Westchester County Food spollage................ 0.25° Public services equipment damage, overtime payments .......... 0.19 Totals $55.54 $290.16 “Based on aggregate data collected as of May 1, 1978. with business losses might occur since some are recovered by insurance. Looting was inctuded in this estimate but reported to be minimal. Note: These data are derivative, and are neither comprehensive nor definitive. SOURCE: Systems Control, inc., impact Assessment of the 1977 New York City Blackout (Washington, OC: US Department of Energy, July 1978), p. 3. generating capacity from loads. No single failure should have a significant effect on power flow to customers since most utilities maintain sufficient generating and transmission reserves to accommo- date such failures. If more damage occurs, either to generating stations or the transmission system con- necting them to loads, the system can separate into islands. When these islands form, some have too much or too little generating capacity for their loads and lose all power. Other islands with approximate remainder of the system. The pattern of break up is not predictable, depending on the location of loads, which units are operating, the configuration of the transmission system, and the nature of the initiating event. Under extreme contingencies, substantial outages will occur. Modern protective circuitry should prevent the type of cascading failures across an entire system that occurred in the Northeast blackout of 1965, but there are many uncertainties over system behavior under untested conditions. Power systems can be constructed to ride out almost any earthquake or hurricane with only minimal damage to components that would require months to replace. Most customers of an adequately prepared system will have their power restored within a day or two, though extensive damage to transmission and distribution lines may mean some outages for a few weeks. As noted above, however, a major earthquake east of the Rocky Mountains 4 @ Physical Vulnerability of Electic Systems to Natural Disasters and Sabotage would cause major problems because few facilities are designed to withstand such an event. Sabotage could cause the most devastating black- outs because many key facilities can be targeted. Substations present the greatest concern. The trans- mission lines themselves are even easier to disrupt because they can be attacked anywhere along the line, but they are also much easier to repair. Generating stations are somewhat more difficult than substations to attack because they are manned and often guarded. Substations are used at generating plants to raise the low voltage of the generator to the level of the transmission system, and near load centers to reduce the voltage for the distribution network. The former are partially protected by the routine activity at powerplants, but few of the latter have any more defense than a chain-link fence. In some cases, an attack can be carried out without entering the facility. The destruction of two or three well-selected substations would cause a serious blackout. In many cases, most customers would be restored within 30 minutes, but this damage would so reduce reliability that some areas would be vulnerable to additional blackouts for many months. Virtually any region would suffer major, extended blackouts if more than three key substations were destroyed. Some power would be restored quickly, but the region would be subject to rolling blackouts during peak demand periods for many months. The impact would be less severe at night and other times when demand is normally less than peak, because utilities then would have a better balance of supply and demand. The greater the generating and transmission reserve margin, the less would be the impact on customers, because it is easier for utilities to find ways to get power delivered despite the damage. Current Efforts To Reduce Vulnerability Utilities historically have expended great efforts to ensure reliability, but only over the past few years have they started to take seriously the possibility of massive, simultaneous damage on multiple facili- ties. Awareness of the threat, however, has not yet led to the implementation of many measures to counter it. Few if any utilities plan their system and its operation to accommodate multiple, major fail- ures, and key facilities are still unprotected. Most of the actions the industry has taken have been instigated by the North American Electric Reliability Council (NERC) and the Edison Electric Institute (EE). NERC completed a major study of vulnerability in 1988. Some of the recommendations have been adopted, while others are still under review. EE] has a large and active security commit- tee which facilitates information exchange on physi- cal protection of facilities. The Federal Government's role for the most part has focused on national security issues—how to keep facilities operating which are vital to the United States during times of crisis. There has been less concern over the damage to the civilian economy that a major power outage would cause. The National Security Council is the lead agency for emergency preparedness, with the Federal Emer- gency Management Agency serving as adviser. Both of these agencies consider many vulnerabilities in addition to energy. Energy concerns are included in the new Policy Coordinating Committee on Emer- gency Preparedness and National Mobilization (PCC-EP/NM). The Department of Energy (DOE) has prime responsibility for energy emergencies. DOE’s Of- fice of Energy Emergencies (OEE) was created to ensure that industry can supply adequate energy to support national security and the Nation's economic and social well-being. Most of OEE’s activities have been directed at national security issues, but other efforts have included information exchanges with State governments, disaster simulations, and contin- gency planning. OEE also operates the National Defense Executive Reserve Program, which recruits civilian executives from the electric power industry among others to provide information and assistance in case of national emergency. DOE also has established a threat notification system to alert energy industries to potential problems. The Department of Defense administers the Key Assets Protection Program. The Program's purpose is to protect civilian industrial facilities essential for national defense from sabotage during a crisis. The Program has identified electric power facilities required for vital military installations and defense manufacturing areas and coordinated plans for their protection with the owners. Two trends that may increase vulnerability should be noted. First, the U.S. electrical equipment manufacturing industry has declined with the slow- down in utility growth. Many production facilities have closed and the skills of their work forces have been largely lost. In addition, imports of equipment have risen to about 20 to 25 percent of the total market, and most U.S. production capability is controlled by foreign companies. The concern re- garding vulnerability is that in a major emergency, say if all the transformers at several substations are destroyed, foreign companies may lack the incentive U.S. companies would have in expediting the restoration of service. If a worldwide resurgence of growth has filled their order books, will foreign companies accord adequate priority to U.S. emer- gency needs? There is no definitive answer to this question. Some observers see no problem while others are quite concerned. Second, power systems’ reserve margins are dropping as growth in demand exceeds construction. Reserve margins have been unusually high and still are in some areas, so utilities find this trend economically beneficial. If a major disaster such as discussed in this report occurs, however, extra reserve margin would be extremely valuable in restoring service to some customers. Utilities would have additional options in finding ways to generate and transmit power. These options are disappearing as margins return to planned levels. Policy Options To Further Reduce Vulnerability Measures to reduce vulnerability can be grouped according to whether they prevent damage to the system, limit the consequences of whatever damage does occur, or speed recovery. An obvious way to prevent damage is to improve physical security and earthquake resistance for fg facilities. The most problematic sites can be fairly well-protected against casual or attacks. The initial cost for walls around the transformers, crash- resistant fences, and surveillance systems would be a few percent of the replacement cost of the facility. Protection against a sophisticated attack would be extremely expensive, and probably not very effec- tive unless response forces are near. However, even if key facilities are protected, there is lithe that can be done to protect transmission lines against a saboteur with a high-power rifle. It is easy to destroy insulators on a transmission tower or the line itself, either of which will incapacitate the entire line. Such damage can be repaired quickly if Chapter |—4ntroduction and Summary « § sufficient replacements are on hand, but the saboteur can repeat it even more quickly in a different portion of the line or on other lines. Key transmission lines can thus be kept out of service (or at least kept unreliable) for long periods. Protection of key facilities can also be enhanced by improved planning and coordination with the FBI to provide warning, and police or military forces to provide rapid response. Utility employee training can also be expanded to include greater awareness of suspicious activities and recognition of sabotage, so warning can be given to other facilities. These suggestions also have been made by NERC’'s National Electric Security Committee and have been adopted by NERC’s Board of Trustees in October 1988. Measures to limit the consequences of damage include improved training of system operators to recognize and respond to major perturbations, im- proved control centers and other system modifica- tions, and increased spinning reserves. The intent of these steps is to isolate the damaged areas and keep as many customers as possible on-line. Rapid action can prevent the disruption from spreading as far as it otherwise might. Measures to speed the recovery focus on the large transformers. The recovery period could be greatly reduced if more spares can be made availa- ble. One way would be to use those spares that utilities normally consider necessary for their own reliability but which are not actually in service at the moment. Legislation to relieve utilities of liability over potential blackouts in their own areas resulting from the absence of this equipment may be neces- sary. Alternatively, utilities could purchase spares for key equipment and store them in secure loca- tions, or a stockpile of at least the most common transformers could be established. A stockpile might entail initial costs of about $50 to $100 million for the step-down transformers used to lower voltage from the transmission system for use on a distribution network. Step-up transformers at generating stations are less standardized than step-down transformers. They employ a greater variety of voltages and different physical layouts for the high current bus from the generator. There is much less likelihood of finding a suitable spare, and a stockpile would have to be sizable. A less expensive alternative would be to stockpile key materials (copper wire, core steel, and porcelain) 6 © Physical Vulnerabuity of Electric Systems to Natural Disasters and Sabotage and, in an emergency, to use preexisting designs instead of custom designing for the parucular application. Under these conditions, manufacturing tume could be reduced from over 12 months to about 6 months for four prototype units and two to three per month thereafter. However, the product would lack the optimization and state-of-the-art improve- ments of a custom-designed unit. Suboptimal trans- formers. whether stockpiled or manufactured generi- cally, would be less efficient, resulting in signifi- cantly higher operating costs. Hence these expedited transformers might have to be replaced when better ones can be produced. In addition to the measures intended to reduce the vulnerability of the existing system, the evolution of the electric power system can be guided toward inherently less vulnerable technologies and configu- rations. In particular, a system that emphasizes numerous small generators close to loads is, overall less vulnerable to sabotage. However, the total relative costs of moving toward dispersed systems are not clear, and substantial government incentive might be necessary to expedite the trend toward smaller units. Another step would be to improve standardization of system components to make stockpiling, equipment sharing, and emergency manufacturing easier. However, there are good reasons for the diversity of components, and stan- dardization would result in some loss of efficiency of the system. Greater use of underground cables would also offer some advantages compared with overhead lines, though if damage does occur, replacement of cables is much slower and more costly. These measures are listed in table 2. Some measures are already being addressed to some degree by the industry and government. Poli- cymakers can accept this level of progress if present trends seem adequate for the level of threat. Alterna- tively, a more activist approach can be taken to enhance these steps and add others. Some of the steps listed would be quite expensive, but others would have nominal costs. Considering the present budget constraints, funding new costly initiatives will be justified only if the threat is seen as serious. Therefore table 2 notes whether the activity is being addressed under present trends, whether it can be implemented at low cost, or whether it would be relatively expensive. Several items appear in two categories, indicating differing levels of implemen- tation, or planning in one and implementation in another. Utilities can be mandated to make these investments without government financial assis- tance, but that will make implementation more difficult unless they are assured of passing the costs on to their customers. The appropriate level of government intervention is a matter of value judgment and opinion. The level of threat, both sabotage and natural disaster, cannot be quantified, and the costs of a major outage are highly dependent on the exact nature of the outage. If a worst case scenario is experienced, the costs would be much greater than all the measures discussed here. If a very strong earthquake occurs and suitable reinforcements avert major damage to the power system, or if terrorism increases in this country, then even very large investments will have been justified. However, it is also impossible to quantify the degree to which these measures would reduce vulnerability. It is relatively easy to counter low- level threats, including almost all natural disasters, or prevent them from causing massive damage. It is much harder to counter any threat more serious than a small, unsophisticated terrorist group, though the recovery from the damage can be expedited. Further- more, even greatly increased resistance to sabotage might just move the problem elsewhere. As noted above, if saboteurs can’t destroy substations, they can still cause blackouts by shooting power lines. Alternatively, they can turn to other parts of the infrastructure, such as telecommunications or water supplies. Thus, it is questionable how much protec- tion society would be buying. It is possible to reduce vulnerability, but at a cost. Any of these measures can be justified if the threat is estimated to be sufficiently serious. Not taking any action is an implicit decision that no action is worthwhile. With the level of terrorism in this country as low as it is, many people will be skeptical of the need for any action, especially major invest- ments such as increased reserve margins or stock- piles. However, terrorism could increase much faster than the measures to counter it could be impie- mented. If this seems plausible, then at least planning and other low-cost measures should be started earlier. If a rapid increase in terrorism seems at all likely, then even expensive measures are reasonable insurance. There is no ‘‘correct’’ answer as to which is the most appropriate approach. Chapter '—dntroauctic on 3nd Summur. ¢ Table 2—Options To Reduce Vuinerability A. Preventing damage Maintain guards at key substations. eee ee information and coordinate responses.......... 8. Limiting consequences Improve emergency planning and operator training. . C. Speeding recovery Assure adequate transportation for heavy equipment. Monitor domestic manufacturing capability O. General reduction of vuinerability Moderate to Present trends Low cost major investments Harden key substations—protect critical equipment with wails, toughen equipment to resist damage, etc... 6. eee x Surveillance (remote monitoring) around key facilities (coupled with rapid- response fOrceS). 0.0.6... eee ec eee ee eee i6ergs enw: x cae x Improve coordination with law enforcement agencies to provide threat 4 x x Modify the physical system; improve control centers, increased reserve | PROEGIN, OC. ccc eee e eee eee teen ene enens x Increase spinning reserves. ..... 2.6.6... cece cece x x Contingency planning for restoration of service............. 6... eee ee x x Clarity lega//institutional framework for sharing reserve equipment. . =3 x Stockpile critical equipment (transformers) or any specialized material x x x x x x x SOURCE: Office of Technology Assessment, 1990. Chapter 2 Causes of Extended Outages Virtually everyone in the United States has some experience with power outages lasting at least a few munutes. Blackouts that last for a day or more are headline-making news, such as the 1989 storm damage in Washington, D.C. that kept some people without power for several days. Hurricane Hugo, one of the most destructive storms to strike North America this century, caused extensive damage to electric utilities in its path and left many people without power for several weeks. Over the last decade, concerns have begun to be raised about the possibility of extended blackouts due to intentional damage to electric power and other energy systems (e.g., sabotage). U.S. electric power systems have been targets of numerous isolated acts of sabotage. None has been serious enough to cause significant impact, but there is increasing recognition that a concerted effort by saboteurs could blackout major regions of the country. This chapter focuses on extended outages caused by natural disasters and sabotage and their resulting effects on electric power systems. The impacts of extended outages, including costs, are discussed in chapter 3. NATURAL HAZARDS Natural hazards with the potential to cause extended blackouts include earthquakes, hurricanes, tornadoes, and severe thunderstorms. Each affects the power system differently. In general, earth- quakes could damage all types of power system equipment, and are the most likely to cause power interruptions lasting more than a few days. Hurri- canes primarily affect transmission and local distri- bution (T&D) systems, but the resultant flooding could damage generating equipment. Tornadoes and severe thunderstorms affect T&D lines directly through wind damage, and indirectly through downed trees, etc. Freak occurrences can cause particularly high levels of damage. In October 1962, for example, the only hurricane in recorded history to hit the west coast of the United States left parts of Oregon and Washington without power for up to 2 weeks, primarily because of the time needed to clear downed trees. Earthquakes An earthquake’s actual impact depends on the population density and/or level of development in the affected area, the type of soil or rock matenal. the structural engineering, and advance warnings and preparation. For both loss of life and property damage, the most damaging earthquake of this century was Tangshan, China, in 1976 (Richter 7.8). Over 250,000 people died, and 20 square mules of the city were flattened.'! The 1988 Armenian earthquake and the recent San Francisco Bay earthquake pro- vide painful reminders of a strong earthquake's capacity to do damage and the importance of good seismic design and construction and emergency preparedness planning to mitigate the impacts (see box A). Earthquakes sometimes result in compound disas- ters, in which the major event triggers a secondary event, natural or from the failure of a manmade system. In urban areas, fires may originate in gas lines and spread to storage facilities for petroleum products, gases, and chemicals. These fires often are a much more destructive agent than the tremors themselves because water mains and fire-fighting equipment are rendered useless. More than 80 percent of the total damage in the 1906 San Francisco quake was due to fire. Most of the United States has some risk of seismic disturbance. The series of earthquakes that struck New Madrid, Missouri were probably the most severe in North America. The tremors were felt as far away as Boston. The first quake, which occurred in December 1811, may have been stronger than the 1906 San Francisco earthquake; it was followed in 1812 by hundreds of after-shocks.? According to the American Association of Engineers, it is very likely that a destructive earthquake will occur in the Eastern United States by the year 2010. The central Mississippi valley, the southern Appalachians, and an area centered around Indiana have the highest ‘Robert Muir Wood, Earthquakes and Volcanoes (New York, NY: Weidenfeld & Nicolson, 1967). 2Robert Redfern, The Making of a Continent (New York, NY: Times Books, 1983). ad 10 © Physical Vuineradulicy of Electric Systems :o0 Naturai Disasters and Sabotage Box A—The Armenian and San Francisco Earthquakes’ Effects on Electric Power Systems On December 7, 1988, Armenia was struck by a 6.9 magnitude earthquake—the most destructive to hit the region in centunes. Hundreds of buildings. including hospitals, schools, apartments, and industnal facilities. were destroyed. At least 30,000 people were killed and some 500.000 were either left homeless or jobless. Several large cities in the epicentral region sustained massive damage and high casualties. Leninakan. population 290.000. was 80 percent destroyed and Kirovakan, population of 150,000 was also heavily damaged. The city closest to the epicenter. Spitak. was completely destroyed. ! The high death toll was caused by the collapse of buildings, many of which were constructed of masonry and precast concrete. Building materials—such as structural steel and wood. which are more flexible than concrete—are in short supply in Armenia. Steel-frame buildings and other steel structures, such as construction cranes. sustained far less damage than concrete structures. Also, the lack of emergency preparedness planning contributed to the catastrophe.? In contrast, the October 17, 1989 San Francisco Bay Area earthquake did not result in the catastrophuc loss of life and property that was experienced in Armenia. The 7.1 magnitude earthquake was the strongest to hit the area since 1907. The death toll is at least 66 people and approximately 3,000 injured. The quake caused an estimated $7 billion in damage in northern California.> However, the growing California population, particularly in the earthquake-prone areas, could lead to a much greater loss of life and property in the future. Like Armenia, California lies within a large seismically active area. Unlike Armenia, though, California has one of the most comprehensive and up-to-date emergency preparedness plans in the United States and perhaps the world. For example, in June 1989, Pacific Gas & Electric (PG&E), the largest electricity supplier in the area, performed a company-wide earthquake | emergency exercise. This exercise proved invaluable in responding to the real thing 4 months later, according to | PG&E.‘ In addition, a great deal of attention is given to seismic considerations in structural design, engineering, | and construction. These and other factors can mitigate the impacts of a major earthquake disaster. | Armenia>—tin Armenia, electricity was interrupted for 4 to 7 days in the epicentral area. Two substations were | severely damaged or almost totally destroyed. A 220-kV facility in Leninakan sustained damage to capacitor racks, ceramics, and circuit breakers. The 110-kV facility near Nalband was almost totally destroyed. The under-reinforced masonry and precast concrete control house collapsed and struck nearby equipment as it fell. Transformers, circuit breakers, and capacitor banks were severely damaged. Soviet authorities had to bring in a rail-mounted substation | to restore power to the region. | The two-unit Armenian Nuclear Powerplant, located 75 kilometers south of the epicenter, continued to operate | during and after the earthquake. But, the plant was eventually closed because the units required substantial | additional seismic reinforcement to remain safe, and the price was considered prohibitive. No damage to steel transmission towers throughout the region was reported. Wooden poles also survived intact, except for a few cases where partially rotted poles snapped at their bases. San Francisco—About 48 hours after the San Francisco earthquake, electricity had been restored to all but 12,000 of the 1 million customers affected. About half were those in the Marina District of San Francisco, which sustained heavy damage.® The Moss Landing powerplant and high-voltage switchyards, located near the earthquake’s epicenter, were heavily damaged. PG&E indicated that a 340-ton air preheater was knocked off its pedestal and the bottom dropped out of an 800,000-gallon raw water tank, creating a bog.” Only one section of a 230-kV circuit near Moss Landing was knocked down. However, substantial damage was reported to distribution lines, especially in the Santa Cruz area. Damage to distribution lines in San Francisco was limited because most are located underground. * \"Real- World Lessons in Seiamic Safety,” EPRI Journal, June 1989, p. 23. Tid. 3**California Governor Signs Earthquake Relief Measures,"’ Washington Post, Nov. 7, 1989, p. A-14. 4*"PG&E Credits Mock Earthquake Drill im Responding Quickly to Real Thing,"’ Electric Usility Week, Oct. 30, 1989, p. 3. 5**Real World Lessons in Seismic Safety,’’ op. cit., foomote 1. 6 PG&E Credits Mock Earthquake Drill in Responding Quickty to Real Thing,”’ op. cit.. foomote 4. 7**Coping With Loma Prieta: How PG&E's Ges and Power System Fared,"’ The Energy Daily, vol. 17, No. 234, Dec. 12, 1989. p. 3. 5**Barthquake Cuts Off a Million PG&E Customers; Two-Thirds Back in Day,"’ Eleciric Utility Week, Oct. 23, 1989, p. 2. potential for earthquake damage.> An earthquake similar to the New Madrid series would seriously affect 12 mullion people in seven States.* Impact on Electric Power Systems More than any other natural hazard, major earth- quakes are capable of producing almost complete social disruption in modern urban areas. Infrastruc- ture. both above and below ground, may be shat- tered, and quick repair of below-ground items is almost impossible. Earthquakes can destroy all types of power system equipment, but the damage drops off rapidly with distance from the epicenter. Most structural research has gone into multi-story buildings, dams, nuclear powerplants, and storage tanks.* Except for structures located at points of earth slippage, foundations in reasonably firm soil will tend to move with the ground without damage or relative displacement. Above grade, however, natu- ral modes of vibration of the structure may be excited, amplifying the ground motion.® Depending on its age or size, a powerplant itself may survive a moderate-to-severe quake, but its stacks might not. The only large generating plant damaged by the 1989 San Francisco earthquake was the Moss Landing facility, located about 20 miles south of Santa Cruz, the earthquake’s epicenter. In addition, two 104-MW generating units at the Hunter's Point powerplant in San Francisco were briefly shut down manually after the earthquake shed the load, but were returned to service within 24 hours. The quake also knocked out of service five small generating plants, totaling 467 MW, near San Luis Obispo, some 230 miles south of San Francisco, but did not affect the Diablo Canyon nuclear plant.” Chapter 2—Causes of Extended Outages © [1] The increase in transmission voltage over the years has resulted in larger substation equipment whose size makes it more seismically vulnerable. The increased susceptibility to damage is caused by two principal factors: |) a drop of the frequencies of vibration into a lower and more severe region of the characteristic seismic frequency range, which pro- duces an amplification of the seismic forces in the equipment; and 2) the inherent structural deficien- cies—the brittle nature and low-energy dissipation Properties—of electrical insulating material such as porcelain.® In the 1971 San Fernando earthquake, failures occurred in many new extra-high-voltage (EHV) substations which had not previously been subjected to a strong seismic event. Subsequent studies by manufacturers and utilities resulted in modification of some of the existing equipment and extensive revision of the specifications for future substation equipment. The design criterion for seismic acceler- ation increased from 0.2 to 0.5 Gs in the most seismically active areas. The 1972 standard in Japan, where earthquakes are frequent, was 0.3 Gs.? The Institute of Electrical and Electronic Engineers has seismic qualification standards for power transform- ers, lightning arresters, circuit breakers, relays, etc.!° During the 1989 San Francisco earthquake, PG&E experienced significant internal damage to a 500-kV substation located near the Moss Landing powerplant. Damage to circuit breakers and trans- formers at the substation isolated two 112-MW units that were operating at the Moss Landing facility at the time of the earthquake. !! Performance of transmission lines, towers, and poles under earthquake conditions generally has been excellent. Steel towers move with the ground and the acceleration stresses are well within the 3Coordinating Committee on Energy of the Public Affairs Council, American Association of Engineering Societies, Vulneratiliry of Enerzy Distribution Syssems to an Earthquake in the Eastern United Stases—An Overview, December 1986. *U.S. Geological Sarvey, National Center for Earthquake Engineering Research. SGilbert F. White and J. Engeme Haas, Assessment of Research on Naneral Hazards (Cambridge, MA: The MIT Press, 1975). 4L.W. Long, ‘‘Amatysis of Seiamic Effects on Transmission Structures,’’ paper presented at the IEEE PES Semmer Meeting and EHV/UHV Conference, Vancouver, BC, Canada, July 1973. 1*PG&E Credits Mock Earthquake Drill in Responding Quickly to Real Thing,'’ Electric Utility Week, Oct. 30, 1989, p. 3; ‘Earthquake Cuts Off a Million PG&E Customers; Two-Thirds Back in Day," Electric Usiliry Week, Oct. 23, 1989, p. 2. °K.M. Skreiner and L_D. Test, '‘A Review of Seismic Qualification Standards for Electrical Equipment,'’ The Journal of Environmental Sciences, May/June 1975. bid. \OTEEE 323-1974, standards for safety-related equipment. \"PG&E Credits Mock Earthquake Drill in Responding Quickty to Real Thing,"’ op. cit., footnote 7. 12 @ Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage margins required for wind resistance. Wood poles are inherently more flexible than steel towers, and the flexibility reduces the seismic stress substan- ually.'? However, earthquakes can cause transmis- sion outages when tower foundations are subject to earth slippage. Detailed soil analysis, adequate footing design, and periodic inspection of existing foundations are essential. In the 1971 San Fernando earthquake, tower foundations failed that over the years had their strength reduced by erosion or adjacent excavation for roads or buildings.'? The only major transmission line damage reported dur- ing the 1989 San Francisco earthquake was a section of 230-kV circuit between the Moss Landing power- plant and Watsonville. However, substantial distri- bution line damage was reported in areas close to the earthquake’s epicenter. '* Hurricanes The losses caused by a landfall hurricane are a function of the storm’s strength and path and the area’s population and economic development. Hur- ficanes are accompanied by torrential rains, typi- cally 3 to 6 inches but more if the forward progress is slow. Winds can exceed the design of a total structure or its components and cladding, or cause hazards from windborne debris. The winds also produce disastrous sea surges and waves. A large proportion of the damage to coastal areas is caused by the storm surge, an influx of high water accompa- nying the hurricane. Other hazards include flooding of streams induced by the heavy rainfall and accelerated coastal erosion. Occasionally tornadoes accompany a hurricane.!5 In the United States, most hurricane damage occurs in a narrow zone along the coastlines of the Atlantic Ocean and Gulf of Mexico. The trend is toward fewer deaths due to improved storm warning and management. However, property loss is increas- ing because of greater coastal development. '¢ '2Long, op. cit., foomote 6. Effects on Electric Power Systems Hurricanes primarily affect T&D lines. High winds can damage or uproot T&D poles. Poles can also fall when soils become water saturated by accompanying torrential rains, as was the case in 1982 when Hurricane Iwa struck the Hawaiian Islands and in 1989 when Hurricane Hugo hit the Carolinas. Hurricane Hugo knocked out power to more than | million customers in the Carolinas. Many people were left without power for several weeks. High winds and flying debris downed transmission towers and several hundred miles of transmission lines, and falling trees knocked out thousands of distribution lines. Four utilities hardest hit by the September 22, 1989 storm have indicated that the cost of restoring service and cleanup may exceed $170 million. Insurers are expected to pay for about 10 percent of the cost.'!’? See box B for a discussion of Hurricane Hugo’s effect on the largest supplier of electricity in South Carolina. Tornadoes and Thunderstorms In the United States, tornadoes are most prevalent in a region known as ‘Tornado Alley’’ that extends from the western Texas Panhandle across Okla- homa, Kansas, southern Nebraska, and Iowa, but have been known to occur in all States.'8 Tornadoes kill hundreds of people and destroy property valued at billions of dollars every year. The combination of high winds and the sudden drop in air pressure causes heavy destruction of everything in a tornado’s path.'9 Heavy rain and large hailstones often fall north of the tornado’s path. Tornado families occur when up to six tornadoes are spawned from the same thunderstorm.” Severe thunderstorms can produce damaging lightning and high winds with the potential to cause extended blackouts. For example, the 1977 New York blackout began with a series of severe light- ning strokes. Also, in 1989, a severe thunderstorm \3albert W. Atwood, Jr., and Kenneth L. Griffing, comments on Long, op. cit., foomote 6. \4“PG&E Credits Mock Earthquake Drill in Responding Quickly 0 Real Thing,'* op. cit., foomote 7, p. 3. 'SWhite and Haas, op. cit., foomose 5. ‘6bid. \7*"Damage Estimates Prom Hurricane Hugo Pegged at up to $170 Million,"’ Electric Utility Weak, Nov. 13, 1989, p. 5. '8*“Tornado,"’ McGraw-Hill Encyclopedia of Science and Technology, vol. 18, 1987. '9**Tornado,'’ Encyclopedia Americana, vol. 26, 1986. Tornado," McGraw-Hill Encyclopedia of Science and Technology, vol. 18, 1987. a ution ; field 14 @ Physical Vulnerabuity of Electric Systems to Natural Disasters and Sabotage field (as well as causing the. aurora borealis). Both solar activity and geomagnetic storms ebb and flow in an | 1-year cycle, although large storms may occur at any time. The peak of the current geomagnetic storm cycle, which is expected to be the most violent yet recorded, is anticipated to arrive in approxi- mately 1991.2! Effects on Electric Power Systems Fluctuations in the Earth’s magnetic field create electric potentials (differences in voltages) on the Earth’s surface. The resulting electric potential differences of 5 to 10 volts per mile fluctuate very slowly and are typically aligned from east to west. Geomagnetically induced currents (GICs) flow wherever a power line connects areas of different electric potential. The magnitude of GIC depends on several factors including a power line’s location, length, and resistivity relative to the resistivity of the ground. Areas with long east-west transmission lines and highly resistive geology typical of igneous rock formations are most likely to experience large GICs. GIC produced in a power system may either damage equipment or merely take it out of service during the course of the geomagnetic storm. Both may lead to system outages. When struck by GICs, EHV transformers may overheat, resulting in perma- nent damage or reduced life. Voltages in transform- ers may drop significantly, leading to unacceptable loadings on generators and transmission lines result- ing in their being taken out of service by protective relays. Harmonic distortions created in the trans- formers may cause misoperation of relays, too. Relays may operate when they shouldn’t, resulting in equipment being taken out of service unnecessar- ily; they may also fail to operate when needed, resulting in damage to the attached equipment. A very strong geomagnetic storm on March 13, 1989 damaged voltage control equipment in Que- bec, resulting in the collapse of nearly the entire system for a 9-hour blackout. The same storm tripped protective relays in several areas of the United States and damaged several large transform- ers. One of these transformers, a step-up unit at the Salem Nuclear Plant in New Jersey, had to be removed from service, forcing the plant to shut down for 6 weeks. SABOTAGE No long-term blackouts have been caused in the United States by sabotage. However, this observa- tion is less reassuring than it sounds. Electric power system components have been targets of numerous isolated acts of sabotage in this country. Several incidents have resulted in multimillion-dollar repair bills. In several other countries, sabotage has led to extensive blackouts and considerable economic damage in addition to the cost of repair. Some terrorist groups hostile to the United States clearly have the capability of causing massive damage—the loss of so many generating or trans- mission facilities that major metropolitan areas or even multi-state regions suffer severe, long-term, power shortages. The absence of such attacks has as much to do with how terrorists view their opportuni- ties as with their ability. U.S. electric power systems are only one target out of many ways of striking at America, and not necessarily the most attractive. This section briefly reviews the range of acts of sabotage against electric power systems and the capabilities of different types of saboteurs. How- ever, an analysis of the motivations and intentions of terrorists is beyond the scope of this study. Several referenced studies have considered this subject. The reader is also referred to a forthcoming OTA study “The Use of Technology To Counter Terrorism."’ Experience With Sabotage United States Over the past decade there were few notable acts of sabotage, and apparently none that were intended to cause harm other than to the local utility. The most common cause has been labor disputes. In July 1989, a tower on a 765-kV line owned by the Kentucky Power Co. was bombed, temporarily disabling the line. No arrests have been made. In 1987-88, power line poles and substations were bombed or shot in the Wyoming-Montana border area. Later in 1988, similar attacks were i in West Virginia. Such attacks had also occurred in 1985 in West 2) This discussion is drawn from: ‘‘A Storm From the Sun,'’ EPR! Journal, Jely/Angast 1989, pp. 14-21; VD. Albertson, ‘* Canses and Power Syseem Effects,’ JEZE Power Engineering Review, July 1989, pp. 16-17; J.G. Geomagnetic Disterbances: Present and Petere Concerns,’’ [EEE Power Disturbance “Power System Suscepubility © Review, faty 1989, pp. 15-16; and D. Soutier, ‘The Hydro-Quebec System Blackout of March 31, 1989," REE Power Engineering Review, July 1989, pp. 17-18. Virginia and Kentucky. All these attacks occurred during coal mine strikes.” Two Florida substations were heavily damaged by simultaneous dynamite explosions in 1981 in one of the most expensive incidents. Damages totaled about $3 million, but no significant customer outages Tesulted. No arrests have been made, but circumstantial evidence points to a contractor labor dispute.> Incidents stemming from unknown motives in- clude the cutting of guy wires and subsequent toppling of a tower on the 1,800-MW, 1,000-kV DC intertie in California in 1987. There was negligible impact on the power system, because the load on the line was light at the time and it was scheduled for maintenance the next day, so alternate power routes had already been arranged. Damage was repaired in about 4 days.** No suspects have been announced. Wooden poles were also cut in Colorado in 1980, bringing down a 115-kV line. The damage was repeated later in the year. Total costs were about $200,000 each time. Another incident demonstrates that saboteurs can mount a coordinated operation. In 1986, three 500-kV lines from the Palo Verde Nuclear Generat- ing Station were grounded simultaneously over a 30-mile stretch. It happened at a time when none of the nuclear reactors was operating, so no disruption occurred. Under different conditions, the reactors would have shut down. No arrests have been made.” In 1989, several environmental extremists were arrested in the act of cutting a tower on a line in Arizona. The group, which reportedly had been inspired by Edward Abbey’s The Monkeywrench Gang, had been infiltrated by the FBI. Two members of this group have prepared a manual detailing how to attack equipment and facilities, including power lines, deemed harmful to the environment. Since 1980, only Puerto Rico has experienced extensive attacks that might be characterized as terrorist, as opposed to labor disputes or vandalism. In 1980-82, many bombings occurred at substations and transmission towers. Some of these incidents Chapter 2—Causes of Extended Outages © 15 have been attributed to Macheteros, a separatist group. Several of the resultant outages lasted for several days. The FBI and other agencies do not maintain statistics on energy facility sabotage separately from those of other targets. The best available database is that developed from public sources by a private consultant to the Department of Energy, which records a total of 386 attacks on U.S. energy assets from 1980 through 1989, an average of 39 per year.2” Electric power systems, mostly transmission lines and towers, were the target in a large fraction of these 386. This database may understate the problem because some utilities may not publicize attacks out of concern that more may be inspired. Other Countries Terrorist sabotage has been much more extensive and violent in Europe and Latin America than in the United States. Attacks have been made by separa- tists, radical revolutionaries, and anti-technology and anti-nuclear groups. A few examples will illustrate this: France has experienced assassinations of energy officials as well as bombings, arson, rocket attacks on energy facilities, and grounding of transmission lines. The saboteurs included anarchic, separatist, and political terrorists, and anti-nuclear extremists. West Germany also is familiar with bombings and assassinations from the Baader-Meinhof group, Red Army Faction, and other groups. In addition, there has been an intensive campaign to destroy transmis- sion lines by cutting or bombing towers. In 1986 alone, about 150 acts of such sabotage were commit- ted. Much of the violence has been by politically motivated or anti-nuclear extremists. Transmission lines from nuclear reactors have been a major focus, and the nuclear industry itself has been a target. Attacks on electric power systems have been most severe in E] Salvador. The Farabundo Marti Na- tional Liberation Front (FMLN) has repeatedly bombed or fired on transmission towers, substations, 2Robert K. Mallen. Consultant to the U.S. Department of Energy, testimony at hearings before the Senase Committee on Governmental Affairs. Feb. 7-8, 1989, pp. 246-247. DKenneth Caldweil, Manager of Corporass Security Services, Florida Power & Light Co.. personal communication, Feb. 7, 1990. “Electric Utility Week, Ang. 10, 1987. Mullen, op. cit, foomote 22. 28Deve Foreman and Bill Haywood (eds.), Ecodafense: A Field Guide to Monkeywrenching, 2nd ed. (Tecsom, AZ: Ned Ladd Books, 1987). 7 Robert K. Mallen, personal communication, Feb. 7, 1990. 16 © Physical Vuinerabtlity of Electric Systems to Natural Disasters and Sabotage and hydroelectric powerplants. Up to 90 percent of the entire Nation has been blacked out by the FMLN during some sabotage campaigns. The FMLN has even produced a manual detailing how to attack an electric power system. According to official sources, the FMLN has launched over 2,000 attacks on electric systems since 1980. The Sendero Luminosa (Shining Path) revolutionary group has adopted a similar strategy in Peru, frequently leaving Lima. as well as a 600-mile stretch of the country, blacked out or under power rationing for 40 to 50 days.*8 Countries where insurgents or hostile forces have targeted electric power systems have found it worthwhile to take protective measures. Passive techniques, such as concrete sheaths around trans- mission tower legs, make them more difficult to topple. Some countries, including South Korea, maintain army conscripts at key facilities. Because of the expense of adequately protecting distributed systems, others simply repair the damage, and may design their systems to be easily repairable. The Threat Intentional damage to an electric power system: can be caused by a wide variety of actors. Most common are ordinary vandals, typically hunters who shoot at transmission lines or the insulators attach- ing them to towers. Utilities are experienced with handling vandalism, which is very unlikely to cause massive damage. Hence this report is not concerned with vandalism except to the extent that remedial measures for more serious attacks might have an incidental value in reducing it. The Single Saboteur Most of the U.S. incidents noted above could have been caused by one person. The fact that most have been relatively minor suggests that either the sabo- teurs did not know how to cause greater damage or they did not want to. In sabotage initiated over labor disputes, the perpetrators usually are trying to hurt the utility or their suppliers, not to cause widespread blackouts. The dispute would have to get extraordi- narily bitter before anyone would risk antagonizing a large part of the public. A personal grievance might be a more probable motivation for an individual to try to cause widespread damage. A utility employee who felt misused might want to use his expertise to retaliate in a spectacular fashion. Alternatively, any of the motivations of a group, discussed below, might apply to an individual who decides to take matters into his own hands. The primary difficulty faced by a single saboteur intent on causing a devastating blackout would be to assemble all the necessary information and supplies. He would have to get the idea in the first place; research how electric power systems work and what the vulnerable points are; determine the layout of his target system; physically locate the actual targets: plan the attack in considerable detail; procure explosives; rehearse; and carry out the actual attack. If any of these steps were deficient, the attack would lose effectiveness. It is unlikely, though not impossible, that an independent individual will combine the motivation, expertise, contacts to procure explosives, tenacity, and nerve to disable as many as eight facilities simultaneously. This would require visiting ail the sites over several days and would entail a significant risk of detection. A more probable scenario for the independent saboteur is a one-night series of assaults on as many facilities as he can reach. Such an attack can still cause major problems for a utility, but far fewer than would more widespread damage. Theo- retically, the saboteur could continue his attacks, but once utilities are alerted they can post guards to deter an immediate reoccurrence of the rampage. Terrorist Groups Organizations initiating terrorist attacks in other countries include separatists, political radicals, and anti-technology and/or anti-nuclear extremists. The only significant separatist movement in the United States in the past 125 years has been in Puerto Rico, and none seems likely to develop. Nor do the anti-technology or anti-nuclear movements seem likely to turn to large-scale, violent extremes, in part because people have peaceful ways to try to imple- ment their views. This country has had more experience with politically oriented : fenlesty in the sixties and seventies. The Weathermen and other groups did bomb some transmission towers and might well have wanted to cause more damage. Much of this violence was in reaction to the war in Viemam. It should be noted that current trends, if anything, indicate a lessening of terrorist attacks. thi. However, under some conditions, this threat might reemerge, possibly by environmental extremists. Electric power systems probably are not the most obvious targets but could become fashionable if terrorists choose to inflict great inconvenience and economic cost on society instead of more dramatic acts such as assassinations or destruction of sym- bolic targets. The Evan Mecham Eco-Terrorist International Conspiracy (EMETIC) targeted elec- tric system facilities in 1987-89.29 Even extortion on a gigantic scale might be considered to raise funds and shake confidence in existing institutions. Foreign groups could also import violence. Amer- ican property and individuals abroad have been the targets of attack in many countries. It is not clear why some cf the groups hostile to the United States have not carried their struggles here, and therefore it cannot be guaranteed that they won’t. Groups in volatile areas such as the Middle East and Central America might want to hurt the United States directly. Separatists might want to pressure this country to influence events in their country, even if they have no direct conflict with us. Drug cartels in Colombia could hope to make our drug wars too costly. Environmental extremists concerned over potential global climate change might see the U.S. electric power system as symbolic of the refusal to curb production of carbon dioxide. The logic does not have to be sound for an attack to be damaging. A group is much more likely than an individual to be able to mount a major assault on sufficient facilities to cripple a power system. A group combines all its members’ skills and contacts and resources available to any group. The knowledge gained by destroying substations and power lines in Germany and E] Salvador is available in the United States. In fact several ‘‘how-to’’ sabotage manuals are available for sale here. Weapons and explosives are also widely available here and abroad. If foreign terrorist groups wish to attack the United States, they can probably find assistance here in obtaining target Robert K. Mullen, personal communication, Apr. 2, 1990. Chapter —Causes of Extended Ourages e [7 information and in camouflaging their activities.* However, a group is also much more likely to be detected than an individual. Military Attacks Commandos with special training and essentially unlimited resources and support could mount a far stronger attack than could even the most sophist- cated subnational terrorist group that has yet emerged. The Soviet Union is reported to have such forces, called spetsnaz, available for operations in the United States.*! The object would be to create havoc and demoralization before overt hostilities commence. While this risk is diminishing, it has not disappeared. Alternatively, a hostile country might take this approach if it were unable or unwilling to declare war but wanted to take some military action against the United States. The ultimate attack would be an overt military operation. The vulnerability of electric power sys- tems can have serious national security implications. For example, in World War I, Germany’s highly centralized electric system was not attacked until late in the war. German officials, surprised at this omission, commented after the war that ‘‘The war would have finished two years sooner if you (the Allies) had concentrated on the bombing of our powerplants earlier...’’ When the Allies finally did destroy Germany's electric generating and synthetic fuel facilities, the German economy was crippled.32 This experience will not be ignored in any future hostilities. For defenses to be effective against military assault, either commando or overt, they would have to be extraordinarily strong and expensive, well Yonah Alexander, ‘international Network of Terrorism,'’ Political Terrorism and Energy, Yonah Alexander and Charies K. Ebinger (eds.) (New York, NY: Praeger Publishers, 1982). 3'Victor Suvorov, SPETSNAZ, The Inside Story of the Soviet Special Forces (New York, NY: W.W. Norton & Co., 1987) and as partially reprinted im the Hearings Record of the Senate Committee on Governmental Affairs, ‘‘ Vulnerability of Telecommeanications and Energy Resources to Terrorism.’ Feb. 7 and 8, 1989. Federal Emergency Management Agency, ‘‘ Dispersed, Decentralized and Renewable Energy Sources: Alternatives 0 National Vuinerability and Wer," December 1980. 20 © Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage Table 3—Direct and Indirect Costs Direct cost components (costs to household, Primary electniaty user firm, institution, etc.) Indirect costs Remarks Resigental @ inconvenience, jost leisure, stress b. Out-of-pocket costs —spoilage —property damage c. Health and safety . @ Opportunity costs of idle resources —abor and —capital —profits b. Shutdown and restart costs c. Spoilage and damage d. Health and safety effects a. Opportunity cost of idle resources b. Spoilage and damage Industrial, commercial, and agncuitural firms infrastructure and public a. Costs on other housenoids —s indirect costs are a minimal, if not and firms Negligible, fraction of total b. Cancellation of activities (direct and indirect) costs of a c. Looting/vandaiism curtailment. a. Cost on other firms that are — indirect effects are likely to be supplied by impacted firms minimal for most capacity- (multiplier effect) related interruptions, but can be b. Costs on consumers if significamt component of total impacted firm supplies a final costs for longer duration energy good shorttais. c. Health and safety-related externaities @. Costs to public users of indirect costs constitute a major impacted services and portion of total costs of institutions curtailment. b. Health and safety effects c. Potential for social costs stemming from looting and vandalism SOURCE: M. Munasinghe and A. Sanghvi, “Reliability of Electricity Supply, Outage Costs and Vatue of Service: An Overview,” The Energy Journal, voi. 9, 1988, p. 5. most parts of the United States due to the high standard of reliability.* Short- and long-term costs may have both direct and indirect elements (see table 3). Direct costs are those suffered by the direct customer, such as spoilage or lost production. Indirect costs include those realized by customers of an impacted firm; they may have to purchase higher cost substitutes, incur additional production costs, or have unrecov- ered costs. Indirect costs can be several times as effects often cannot be enumerated. These secondary effects, such as a potential increase in insurance Tates, represent long-term and far-reaching eco- sane narent ne G Hypothetical Outage Cost Estimates Numerous analyses have estimated the costs of Most of these are based on survey data from utility service areas. They vary substan- and among Table 4 shows some estimates of the costs of power outages. The more recent estimates, based on survey data, reflect the value of service reliability in terms of the average dollar change in a consumer’s monthly bill that would offset a change in service These estimates cannot be compared reliability. directly because of differing methodologies, as- “Prank J. Alessio, Peter Lewin, and Steve G. Parsons, ‘“The Layman’s Guide to the Value of Service Reliability to Consumers," in Criterion, Inc, The Value of Service Retiability 10 Conneners (Palo Alto, CA: Electric Power Ressarch instieste, EPRI-EA-4494, hay 1986). Mbid. ‘Aran P. Sangivi, ‘“Bconomic Costs of Hlectricity Supply ntecruptions: U.S. and Foreign Experience,’ in Criterion, Inc... op. cit., foomots 4, p. 8-45. vw sumptions, economic and demographic mixes, and other conditions. In general, the consensus among utility analysts is that system outage costs can be valued at something between $1 and $5 per kilowatt-hour (kWh) for the types of outages commonly experienced. However, they vary considerably by type of customer, the Condition! of the outage, the length of the outage, etc. Actual Outage Cost Estimates The costs of the 1977 New York City blackout have been studied more extensively than other outages. (Box C provides a description of the sequence of events that led to the blackout.) Table 5 summarizes the estimated costs of the blackout. Based on these figures, the direct cost of unserved energy was $0.66/kWh and the indirect cost was $3.45/kWh. For the most part, the costs in table 5 are based on secondary data sources provided by numerous public and private organizations. Significant impacts include losses in securities and banking, restoration costs, and capital equipment for Con Ed,® and losses to the small business commu- nity. Levels of inconvenience appear to have been substantial. These figures should be considered as lower bounds for the total costs.? Damages from looting and arson totaled around $155 million, or about 50 percent of the total economic costs associated with the blackout. The social impacts were sensitive to the unique circum- stances of the event and the socioeconomic condi- local income distribution and employment, political climate, and availability of contingency plans.!° Economic impacts of the 4-day 1988 Seattle blackout were very sensitive to its timing and duration. For restaurants and stores, the timing of the blackout was particularly bed, covering a regular downtown event—the First Thursday Gallery Walk—and the beginning of the Labor Day week- end. Department and clothing stores also missed out on last-minute school shopping. The Bon Marché department store estimated its unrecoverable losses Chapter 3A mpacts of Blackouts ¢ 2] Wl Table 4—Comparison of Cost Estimates for Power Outages’ Date Geographic scope Estimated cost 1971) eaeee New York State $2.17 milliorvhr* 1971 ..... New York City $2.5 milliorvhr* 1971 ..... United States $0.60/kWh? 1973 ..... New York State $0.33/«Whe 1976 ..... United States $1/kWht 1976 ..... United States $2.68/Wh (industrial) $7.21/ kWh (commercial) $077 ou cee Canada $15/kW (15-minute outage) $91/kW (1-hour outage) 1978 ..... New York City $4.11/Wh 1963? .... PG&E service area $14.87 to reduce outages to a minimum? -$26.41 to tolerate 1,400 hours additional outages 1983° .... PG&E service area $6.72/kWh (one 1-hr outage. summer afternoon)' $2,126/kWh (eight 48-hr outages, summer afternoon) 19864 .... PG&E service area $1.35/outage/year (momentary)? $3@/outageryear (12 hrs, winter moming) 1986 .... PG&E service area $2.93/kWh (4 hrs, winter morn- ing, 3.15 kWh unserved)" $14.61/cWh (1 hr, winter even- of Gecrical Service Refability With Market Research Data,” The Energy Journal, vol. 9, 1968, p. 105. 3Chi-Keung Woo and Kenneth Train, “The Cost of Electric Power eee ee eCommerce exes) The Brergy Jewnat. vehi 1000: P- 161. “Séichasi J. Doane, Raymond $. Hartman, and Chi-Keung Woo, “House- hold Preference for interruptibie Rate Options and the Revealed Vaive of Service Reliability,” The Energy Journal, voi. 9. 1988. p. 121 Swlichasi J. Doane, Raymond S. Hartman, and Chi-Keung Woo, “House- hoids’ Perosived Value of Service Reliability: An Anatysis of Contingent Vatuation Data,” The Energy Journal, vol. 9, 1968, p. 135. at about $500,000. Restaurants in the area estimated lost business at $10,000 to $45,000 for the 4 days. The costs at one hotel included lost revenues from the 75 percent of reserved guests who went to other 7Reme H. Males, ‘‘Preface: Valse of Reliability, the Undefined Issees,"’ in Criterion, Inc. op. cit., foomote 4, p. viii. %in addition to operating revemme losses of $5.7 million reflecting approximately 84,000 MWh of unserved energy, Con Ed's steps to upgrade system reliabilicy will probably cost more thas $65 millioa. Miles ot al, op. cit, foomote |, p. 66. ‘Toad. 22 © Physical Vulnerability of Electric Systems !o Natural Disasters and Sabotage Box C—New York City Blackout On July 13, 1977, at approximately 9:41 p.m., New York City plunged into total darkness. The blackout was caused by a series of lightning strokes compounded by improperly operating protective devices, adequate presentation of data to system dispatcher, and communication difficulties. These combined factors created conditions that cascaded to the point of total collapse of the Consolidated Edison (Con Ed) system.! | On this day, Con Ed was providing approximately 5,860 MW of electricity to its New York City customers over 345- and 138-kV transmission lines and cables. Approximately half of the electricity was being generated by plants located in Brooklyn, Manhattan, Queens, and Staten Island; the remaining load was supplied by Con Ed generators outside the city, and purchased from utilities in upper New York State and Canada. Con Ed also was | wheeling 240 MW to the Long Island Lighting Co. (LILCO) and approximately 200 MW of emergency power to the Pennsylvania-Jersey-Maryland Pool. At 8:37 p.m. lightning hit two 345-kV lines supplying 1,200 MW of electricity from the Indian Point No. 3 and the Bowline and Roseton generating units to the City. The resulting short circuit caused the protective relays, located at the Millwood West and Buchanan South substations, to open the circuit breakers and disconnect the lines. This interrupted the supply (870 MW) from Indian Point No. 3, which then shut down automatically. Isolating the generator at Indian Point No. 3 caused one of the 345-kV transmission lines between Pleasant Valley and Millwood West to increase load above its normal capacity rating (825 MW), although it remained within its long-term emergency rating (860 MW). This caused operators to reduce voltage by 8 percent. The Con Ed system operator requested all generators within the city to increase power production to replace the loss and relieve loading on the 345-kV line. However, by 8:55 p.m. the in-city generation had increased (S50 MW) only enough to compensate for the two-thirds of the power lost. Nineteen minutes later, another bolt of lightning hit with a devastating effect. This boit hit one of the remaining large, heavily loaded 345-kV lines bringing power to the city. Normally, the strike should have caused relays to temporarily isolate the line for mere moments—just long enough to dissipate the lightning’s energy. However, one circuit breaker failed to operate properly, causing other relays to isolate the line entirely. This loss of transmission capacity overloaded remaining lines, resulting in their isolation. With the now inadequate supply of power, Con Ed had no choice but to shed load, blacking out parts of Westchester County. Simultaneously, LILCO’s spinning reserves automatically increased output. However, the cables connecting LILCO and Con Ed were overloaded as a result, and LILCO disconnected itself from Con Ed, eliminating a further source of power. At 9:27 p.m., still another lightning bolt struck a power line. When this happened, the remaining Con Ed generators could not maintain the load and were shut off automatically. At the same time, Public Service Electric & Gas Co. disconnected from the Con Ed system severing Con Ed’s remaining ties to the north. At approximately 9:41 p.m. the 1977 New York City blackout began. Full power was restored in about 25 hours. Many protective circuit breakers had to be individually examined and reset. The city was powered up one section at a time, carefully balancing the added loads with supply, as described in chapter 5. ‘Systems Consroi, inc., /mpact Assessment of the 1977 New York City Blackout, prepared for the U.S. Department of Energy, July 1978, p. 13. St aan hotels, plus expenses for hiring additional security Another actual cost analysis was based on a guards.!! utility-imposed 25 percent curtailment during peak hours for 25 consecutive days in Key West, Florida One industry that profited from the Seattle black- in July-August 1978. The Key West system experi- out had electrical generators for rent. One company enced a generating equipment breakdown that re- received 50 to 60 phone calls for 2 generators; duced electric supply to 80 to 90 percent of peak another only had 3 available.'2 demand. Total electric shortage impact costs in Key Addy Hasch, ‘Businesses Assessing Losses Prom ths Blackout,'’ The Searsie Times, vol. 111, No. 215, sec. C, p. 4, Sept. 7, 1988. ‘Toad. Chapter 3—4mpacts of Blackouts © 23 Table 5—Cost of the New York City Blackout—1977* Impact areas Oirect ($M) Businesses Food spofage................ Government (Non-public services) Consolidated Edison Restoration costs .............. Overtime payments ........... insurance Public Health Services Other public services Metropolitan Transportation Authority (MTA) revenue: COMMER Gis ais eeileccie sate) MTA overtime and unearned wages.......... Westchester County Food spofage................ Public services: equipment damage, overtime payments SUNOIR ola rotete riers nes cis ce oie s 8 cles nloia’c olnie cieiete aleve Indirect ($M) Small businesses ......... 3 5.0 Emergency aid (private sector)........... 5.0 Federal Assistance Programs . New York Stati Assistance Program . 1.0 New capital equipment 2.0 (program and installation) 65. Federal crime insurance oa 3 Fire insurance ............... 19 Private property insurance ... . 10 $155.4 Besed on aggregate data collected as of May 1, 1978. DOvertap with business losses might ccoUr since some are recovered by Insurance. Looting was inciuded in thie estimate but reported to be minimal. NOTE: These data are derivative, and are neither comprehensive nor definitive SOURCE: Systems Control, inc., impact Assessment of the 1977 New York City Blackout, prepared tor the U.S. Department of Energy, July 1978. p. 3 West were $2.30 kWh average for all non-residential users. The breakdown is $2.00 to producers (e.g., auto repair, stores, schools), $0.10 to employees (wage loss), and $0.20 to consumers. The cost is approximately 50 times the then $0.05/kWh price of electric power in Key West.'? In addition, several empirical studies on user loss from power shortages were conducted. These studies examined two electric power shortages of several hours in San Diego, the Key West curtailment, and natural gas shortages in Alabama, Kentucky, Ohio, and Tennessee. The findings concluded that the extra cost to make up interrupted production com- prised 60 percent of the loss to both commercial and industrial users. Unrecovered costs totaled 20 and 30 percent for commercial and industrial users, respec- tively. The inconvenience from postponing appli- ance use comprised 36 percent of the cost to residential users.'¢ SECTORAL IMPACTS Industrial Many industrial processes are highly sensitive to power disruptions. An interruption of less than | second can shut plant equipment down for several hours. Outages can spoil raw materials, work-in- ‘SJeck Puscea Associaess, Anatysical Framework for Evainating Energy and C apecity Shortages (Palo Also, CA: Electric Power Research Lnsutate. EPRI-BA-1215, April 1980), vol. 2, pp. 1.5-1.7. “Ernest Mosbaek, ‘‘Shortage Costs: Results of Empirical Stedies,"’ in Criserion, lnc. op. cit., foomote 4, pp. 3-3, 3-11. 24 © Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage progress, and finished goods. Spoilage is a signifi- cant problem in chemical processes, steel manufac- ture, food products, and other industries.!5 Black- outs also pose opportunity costs from idle factors of production. Human health and safety effects are another major concern in industrial outages. Not only are the workers exposed to possible injury or health hazard from the power interruption, the neighboring population also could be exposed to risk from hazardous spills or releases due to the loss of environmental or safety equipment.'® Costs Industrial-sector costs are more directly measura- ble in terms of equipment damage, loss of materials, cost of idle resources, and human health and safety effects. Lost output is the primary cost. One ap- proach is to take the classic economic factors of production—land, labor, capital, profit, and en- trepreneurship—and identify the value of the fore- gone opportunities for each of them for various industrial processes. Those opportunities can be evaluated using some measure of excess capacity of each of the factors of production. When all resources are idle (have excess capacity), the opportunity cost is estimated at the value of wages. When all resources are fully employed, the loss includes the value that would have been added in production. One may need to add the costs of spoilage and other damage, long-term adaptive costs, indirect costs, and consumer surplus if final demand is left un- served. For example, in 1965 Dunlop Tire’s Buffalo plant lost 1,700 tires (worth $50,000) when power failed during the critical curing process. The Tonawanda, New York Chevrolet plant had to junk 350 engine blocks because high-speed drills froze while boring piston holes. Ford's huge Mahwah, New Jersey assembly plant had to wait for standby power when Orange & Rockland Utilities, Inc. gave West Point Priority because ‘‘the cadets need to study to- night.’"!7 Commercial For many commercial customers, any outage of a duration of more than | or 2 seconds has a significanr cost due to cumputer problems, equipment jamming, or ruined product. For these firms a 1-hour outage is not substantially more costly than a 10-second outage. With the increasing pervasiveness of computers and communications systems in all economic activ- ity—commercial sales, offices, industrial process control, finance, communications, public works control, government—their performance in a black- out affects all impact sectors. The major conse- quences include costs associated with the inability of the computer to perform critical functions, loss of data, and possible damage to the computer and peripheral equipment. Degradation of storage media is a major concern if the room temperature strays too far from the norm.'® Critical systems usually have backup power sources, although most are not designed for an extended blackout, when the operat- _ ing environment becomes more of a concern. An entirely new industry has grown up around the need for backup systems and recovery services for heavily computer-dependent activities. Computer security companies take over computer functions, such as payroll, inventory, and records maintenance, when disasters temporarily or permanently disable corporate computers. '9 Costs The commercial sector is the most difficult of the three sectors to analyze and has been studied the least. Its boundaries and components are ill-defined, and it incorporates a very wide variety of products and services. In many areas, the commercial sector is the most rapidly growing customer class, and the costs of outages may average the highest.” Some utilities define the commercial sector as what is left over after accounting for residential and large industrial customers. Using this definition, large apartment buildings, small grocers, and moder- SM. Munasinghe and A. Senghvi, ‘Reliability of Electricity Supply, Oumge Costs and Value of Service: An Overview,'’ The Energy Journal, vol. 9, 1988. ‘SMosbeek, op. cit., foomots 14. 'The Disaster That Wasn't," Time, Nov. 19, 1965, p. 36. '6S yams Consrol, Inc., ‘Impact Assesment of the 1977 New York City Blackout,” prepared for he U.S. Department of Baargy, July 1978, p. 46. '?Tyson Greer, ‘‘Weyerhacuser Division Waits for Data Disnsters,"’ Puget Sound Business Journal, vol. 9, Ne. 21, sec. 2, p. SA, Oct. 3, 1988. PSengivi, op. cit. foomoe 6, p. 8-26. ate-sized manufacturing firms would all fall in the commercial class. Another classification is based on SIC (Standards of Industrial Classification) codes. Still others are based on peak demand levels, a kWh rule, or the voltage of service.”! For those parts of the commercial sector where the principal activity is production that can be made up after an outage without substantial cost (e.g., laun- dries, drycleaners, bakeries, etc.), the idle resource cost approach used in the industrial sector probably is most appropriate. At the other extreme, large apartment buildings can be viewed as a concentra- tion of households, and analyzed using one of the residential-sector outage cost methods.” Between these two extremes are commercial establishments that sell products and those that provide services. The potential for product damage and the ability to make up lost production are critical here. Food stores and warehouses, for example, can have significant spoilage costs. Similarly, fast-food outlets not only can have high spoilage costs, but also service immediate demand and usually cannot make up lost business.” Agriculture An Ontario Hydro survey conducted between 1976 and 1979 indicates there can be significant hazards to livestock and produce during a blackout. Sensitive processes include incubation, milking, pumping, heating, air-conditioning, and refrigera- tion. Of the larger-than-average farms included in the survey, 26 percent had standby generation. About 60 percent had facilities to shut off a portion of their load in an emergency. In 1965, farmers deprived of power for their milking machines bgeieed them up to penguin opemted by wacter motors. Residential Never are Americans more aware of their depend- ence on and the machines it drives than during a blackout. Without electricity, air- conditioning is off, and many people do not have Chapter 3—Ympacts of Blackouts ¢ 25 heat or hot water. In high-rise buildings. people must use stairwells. Senior citizens and the disabled are at an extreme disadvantage in outages. Consumers do not have lights, refrigerators and freezers, stoves and microwave ovens, toasters, dishwashers, intercoms, televisions, clocks, home computers, elevators and escalators, doorbells, hair dryers, heated blankets. can openers, food processors, carving knives, tooth- brushes, razors, and garage door openers. With the advent of high-tech electronics, most people have battery-operated radios or TVs, but few keep enough batteries on hand to last more than a few hours. If a blackout occurs during the winter, as did the 1965 outage, those with yards or balconies can put food outside. In the 1989 summer blackout in Washington, DC, PEPCO distributed dry ice. For those with fireplaces or barbecues, cooking is still possible; others must resort to cold food or restau- rants. [ness from food spoilage can be a significant problem. One of the more sociologically interesting im- pacts of the 1965 outage was the fact that without access to their normal forms of entertainment. people turned to each other; 9 months after the blackout, the birthrate increased from 50 to 200 percent at New York hospitals.” Costs Electricity permits activities whose value varies with time of day, week, or year. The short-term ity cost is the degree of disruption of the household’s preferred consumption pattern. Some activities, such as cleaning, can be deferred without significant loss (and in many cases might be considered an emotional benefit). Others can be deferred or relocated (e.g., washing clothes, eating dinner). Still others can only be relocated (e.g., watching a particular TV program). At some times of the day/year and/or for particular groups, there can be health and safety implications (e.g., lack of heat/AC, elevators, life-support systems, hot water, and refrigeration). Costs also vary by household income, type of appliance stock, preferred leisure activities, and other household characteristics. 2Tbid. 2th. ?Thid. Len Skoe, ‘‘Outario Hydro Surveys on Power Sysem Reliability: Semmary of Customer Viewpoints," in Criserion, Inc., op. cit.. foomote 4. 3*"The Dienster That Wasn't,"’ op. cit., footnote 17. Blackout Pallout,"* Time, Ang. 19, 1966, p. 40. 26 ¢ Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage In addition to deferring or relocating activities, households may experience out-of-pocket expenses for mitigating responses such as using block or dry ice to preserve food, firewood for heat or cooking, candles and batteries for lighting, batteries for radio/television, etc.?7 Two equivalent measures of loss are the dollar amount the household would accept as compensa- tion for the disrupted consumption pattern, and the amount the household would be willing to pay not to have its preferred consumption pattern disrupted. Transportation A blackout affects virtually every mode of trans- portation (box D). Subways, elevators, and escala- tors stop running, and corridor and stairwell lights usually are out. Street traffic becomes snarled without traffic lights. Gasoline pumps do not work, and the availability of taxis and buses declines over time. Parking lot gates and toll booths will not operate. Pedestrians are perhaps the least affected, although their danger increases without traffic sig- nals and after dark with the loss of street lighting. Trains can still function, but doing so can prove hazardous without signal lights. Airports are pow- ered by auxiliary generators that enable aircraft to land and take off in an emergency. However, considerable delays can be expected. In high-density areas where most people are dependent on public increased by the inability to get to work. Other transportation effects result from the inability to deliver goods. Telecommunications There is a growing reliance on telecommunica- tions networks in all sectors of the U.S. economy. Businesses and government depend on reliable communications to perform routine tasks. Also, businesses are using their communications systems and the information stored in them to achieve a competitive advantage and to restructure their or- ganizations on a regional or global basis. Thus, the failure of a communications system can lead not only to market losses but also to the failure of the business itself.” The functioning of all crucial municipal public services, such as police, fire, etc., will also depend on telecommunications. A recent study by the National Research Council noted that our public communications networks are becoming increas- ingly vulnerable to widespread damage from natural disasters or malicious attacks.”9 Extended power outages can affect telecommuni- cations networks and lead to economic disruption. The extent of the disruption will depend on whether telecommunications networks, both public and pri- vate, have emergency backup power systems and how reliable the backup systems are. Today, many networks have their own dedicated emergency backup system. The importance of backup power systems was evidenced during Hurricane Hugo and the recent San Francisco earthquake. At the height of Hurricane Hugo, 39 central offices and 450 digital loop carrier facilities were operating on backup power. Southern Bell indicated that the facilities could operate on battery power for about 8 to 10 hours before gas or diesel generators take over.” With the commercial power turned off in San Francisco because of the risk of fire, central offices operated on diesel generators. These diesel genera- tors could operate for up to 7 days, according to PacBell. The earthquake did little damage to the network.3! In an emergency, commercial satellites could also be used to augment or restore a public network. Currently, only the American Telephone & Tele- graph Co.’s interexchange carrier network is aug- mented by the Commercial Satellite Interconnectiv- ity program, which uses surviving C-band commer- cial satellite resources.>2 The impact of a disruption will depend on how crucial communications equipment is to a particular 7Sanghvi, op. cit., foomors 6. 23U.S. Congress, Office of Technology Assesment, Critical Connections: Commmumication for the Funure, OTA-CIT-407 (Weshingwoa, DC: U.S. Government Printing Office, January 1990). National Research Council, Growing Vulnerability of the Public Switched Networks: Implications for National Security Emergency Preparedness (Washington, DC: National Academy Press, 1989). Telephony, ‘Survival of the Network,’’ Oct. 23, 1989, p. 42, and ‘‘Hugo No Match for So. Beil,"" Sept. 25, 1989, p. 3. 3\*"PacBell Network Survives Quake,’ Telephony, Oct. 23, 1989. p. 14. 3Avid., p. 18. = 28 © Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage industry/business. Medium-- and large-size busi- nesses that use integrated information systems to link operational processes—i.e., order entry, sched- uling, etc.—will experience economic damage shortly after a power failure. While many business use a number of interconnected networks, supplied by a variety of sources (including local area net- works and private and public networks), most private networks depend on public networks for transmission and switching capabilities. The Federal Government, for example, uses a number of private networks to communicate within a particular depart- ment or agency, but uses public networks to communicate outside.*? OTA has found that, in general, businesses have been slow to prepare for emergencies or adopt security measures, often postponing action until after a problem has occurred. One major reason cited is cost. Moreover, the value of communication security has to be traded off not only against cost, but also against system access and interoperability.“ Emergency Services Emergency services include police and fire and their communications and transport, as well as hospitals. Power outages can also affect these services. All hospitals have emergency power sys- tems to support the most critical activities, such as operating rooms, intensive-care units, emergency services, etc. Depending on the facility, auxiliary power systems may not be able to support some other activities, including x-ray, air-conditioning, refrigeration, elevators, etc. Moreover, technical problems may arise with the auxiliary generators, as evidenced in the 1977 New York blackout. In some instances, hospitals had difficulty bringing genera- tors on-line, and were faced with generators over- heating and inoperable transfer switches for con- necting loads to emergency circuits. Fire-fighting and police communications could be severely disrupted by the loss of power. Fire alarm systems may be inoperable and fire-fighting may be hampered in those areas where some power is required for pumping water. Moreover, the indirect impacts of a blackout, such as looting and arson, can severely strain fire-fighting and police services. For example, during the New York City blackout, 70,680 calls were made to 911, compared with the 17,700 made in a normal 24-hour period. Also, during the 1977 blackout, there were 1,037 fires (primarily arson) with over 6 large-scale fires, requiring 5 companies. More than 80 injuries were reported due to the abnormal fire activity. Exhaustion was common due to the high heat and humidity and the lack of food supplies and rest areas.>5 Public Utilities and Services Public utilities include electric, water, gas, sew- age, garbage, and related services (e.g., public health inspection). Water supply systems generally rely on gravity to move water from reservoirs through the mains and to maintain pressure throughout the system. Some power may be required at Pumping stations and reservoirs. Loss of pressure in mains hampers fire-fighting and hospitals, and may permit contami- nants to seep into the water supply. Typical system pressure will supply buildings up to five or six stories tall. High-rise buildings use electric pumps to provide adequate supply on upper stories, or have roof tanks with 24- to 48-hour storage capacity. If electric pumps in high-rise buildings do not work, residents would have to go without water or get it from neighbors below. Electricity is needed in treatment and pumping of sewage. An outage at a treatment plant causes raw sewage to bypass the treatment process and flow into the waterways. Lack of pumping station power prevents sewage flow and ultimately causes a backup at the lowest points of input (usually basements in low-lying areas). During the 1977 New York City blackout, many of the sewage treatment plants and pumping stations in Westchester County and New York City had standby power supplies, but only for short durations. After the standby power was exhausted, untreated sewage flowed continu- 33Tbid., pp. 82-84. Office of Technology Assessment, op. cit, foomote 28, ch. 10. SSymems Control, lnc., op. cit., foomoss 18. Tid. ously into the harbors. Signs were posted on ail neighboring beaches prohibiting use.’ Costs Outage costs attributable to essential services and infrastructure, including street and traffic lights, public transport, telecommunications, hospitals, air- ports, sewage and sanitation, fire and police protec- tion, etc., are difficult to measure. For many of the essential functions, backup emergency generation already exists, although it may be unreliable or only designed to be operated for a few hours at a time. For some infrastructure services, the cost of installing standby generation should provide a reasonable order-of-magnitude estimate of outage costs. How- ever, the costs of public transportation and lighting outages are more difficult to estimate.*® In a blackout, electric utilities have revenue losses from unserved energy, expenses for equipment and Chapter 3—dmpacts of Blackouts @ 29 overtime personnel to restore power, plus any capital investments needed to ensure that particular type of blackout does not occur again.*? Consolidated Edison suffered more than bad press in 1977. In addition to operating revenue losses from 84,000 MWh of unserved energy, and the cost of restoring power, Con Ed had to make capital and other investments (e.g., operator training programs) to upgrade system reliability. “© Moreover, Con Ed stock experienced increased trading on July 14, and closed at its lowest value for some time. The stock had a closing loss of 1.25 at the end of a week that had begun with increasing values.*! Following the 1965 blackout, utilities across the country changed their operating procedures and made capital investments in relays and circuit breakers to ensure that no single failure would again result in a cascading outage. (See ch. 4.) "bid. *Senghvi, op. cit., foomots 6. "The Diaster That Waan't,"’ op. cit., footmots 17. ‘Nias ot al, op. cit., footnote 1. “'Symams Consol, inc. op. cit., foomots 18. uapici v System Impact of the Loss of Major Components A sophisticated saboteur or major natural disaster can readily cause widespread power outages. The ume and effort needed for a system to recover could range from seconds to months, depending on which components are damaged, the system's basic charac- teristics, and the availability of spare parts. Even if a power failure is avoided or lasts only seconds, costs may be high as less efficient reserve generating capacity replaces low cost units, and sensitive consumer equipment such as computers are disa- bled. This chapter addresses the resilience of current bulk power systems to equipment outages, examin- ing both reliability and economic impacts. U.S. utilities have been highly successful in maintaining very high levels of bulk power system! reliability. Bulk power systems in the United States are designed and operated to be reliable and econom- ical in the face of normal events including occa- sional equipment failure. Utilities are also prepared to minimize the impact of some highly unlikely events such as multiple simultaneous equipment failures at a single site. However, sabotage or major natural disaster can inflict damage well beyond what utilities plan for. Because U.S. utilities have per- formed so reliably and have only rarely faced widespread and multiple equipment failures, there is uncertainty about how bulk systems will actually behave in extreme circumstances. One factor leading to reliability and resilience is the highly interconnected network common to modern power systems (see box E). Because of the vast size of most power systems, no individual powerplant or transmission component is critical to the operation of any power system. An electric system typically has many powerplants, in some cases several dozen. An individual powerplant, even a large multi-unit one, supplies only a small fraction of the total demand of most control areas. There are some very small control areas in the Midwest, but each powerplant provides only a small fraction of the total capacity in the interconnection. Distribution systems are not designed to have such a high level of reliability as the bulk system. In fact, the great majority of outages that customers experience result from distribution system prob- lems, not from the bulk system (around 80 percent by one estimate). However, unlike bulk system failures, distribution-caused outages are localized, and utilities have considerable experience in re- sponding to them. SHORT-TERM BULK POWER SYSTEM IMPACTS The Importance of Any One Component: Preparing for Normal Failure? Some of the thousands of components in any system occasionally fail or operate improperly, or are disabled by natural events such as lightning strikes. Because these events are common and inevitable, utilities consider them to be normal. Most bulk power systems in the United States are de- signed and operated to continue operation following the failure of any one device without interrupting customer service or overloading other equipment.‘ This is commonly referred to as the ‘‘n-1 operating criterion.’’ Some utilities prepare for two such contingencies (called the n-2 operating criterion). Systems west of the Rockies make some exceptions to the n-1 criterion for certain major facilities. In those systems, some customers may be briefly interrupted following certain outages, but with no overloading of other equipment leading to uncon- trolled or cascading outages. Preparing for equipment failure involves two main functions. These are: 1) holding sufficient generation and transmission capacity in reserve to ‘Balk power systems inciude the generation and transmission, bet oot distribution (see US. Congress, Office of Technology Assesament, Electric Power Wheeling and Dealing, OTA-E-410 (Washingwa, DC: U.S. Govermment Printing Office, May 1969), ch 4). This chapter focuses on bulk systems sunce damage to them may be far more widespread and difficult to repair then distribution damage. 2U.S. Department of Energy, ‘“The National Electric Reliability Steady: Executive Summery,"’ DOB/EP-0003, April 1961, as cited in: Power System Reliability Evaluation, institate of Electrical and Electronics Engineers, 1982, p. 42. +See Office of Technology Assesment, op. cit., foomote 1. ‘North American Electric Retiability Council, Overview of Planning end Reiiabiliry Criteria of the Regional Reliability Councils of NERC (Princeton. NJ: April 1988). 5See Office of Technology Assesment, op. cit.. footnote 1. 32 © Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage ————_——— Box E—The Organization of Electric Systems: Utilities, Control Areas, Power Pools, and Interconnections! The electric power industry today is a diverse and heterogeneous amalgamation of investor and publicly owned | utilities, government agencies, cogenerators, and independent power producers.” In most of the country, individual | utilities are highly interconnected and operate under a variety of formal or informal coordination agreements. The | level of power transfers and coordination between utilities is determined largely by control areas, power pooling | arrangements, and physical interconnections. Control Areas | Responsibility for the operation of the Nation's generating facilities and transmission networks is divided | among more than 140 ‘‘control areas.’’ In an operational sense, control areas are the smallest units of the interconnected power system. A control area can consist of a single utility, or two or more utilities tied together by contractual arrangements. The key characteristic is that all generating utilities within the control area operate and control their combined resources to meet their loads as if they were one system. Control areas coordinate | transmission transactions among electric power systems through neighboring control areas. Control areas maintain | frequent communications about operating conditions, incremental costs, and transmission line loadings. | Power Pools There are two types of power pool arrangements—tight power pools, which include holding company power pools; and loose power pools. Tight power pools are highly interconnected, centrally dispatched, and have established arrangements for joint planning on a singie-system basis. Four of these tight pools consist of utility holding companies with operations in more than one State; the others are mostly multi-utility pools. Together, the tight power pools account for about a quarter of the industry's total generating capacity. Arrangements among utilities in loose power pools are quite varied and range from generalized agreements that coordinate generation and transmission planning to accommodate overall needs to more structured arrangements for interchanges, shared reserve capacity, and transmission services. Interconnections North America’ ain moe deceit ene, tahalindcaeiniaien networks: the Eastern Interconnection (or Seven Council Interconnection); the Texas Interconnection; the Western Systems Coordinating Council (WSCC); and the Hydro Quebec System. DC and AC transmission interties between the networks are limited in location and capacity, with the result that the transmission systems in the United States do not form a single national grid, but rather form three huge, separate grids. However, even the smailest one. the Texas Interconnection, is very large with installed generating capacity of over 50,000 MW comprised of scores of generating units. ‘See U.S. Congress, Office of Technology Assesament, Electric Power Wheeling and Dealing, OTA-E-410 (Washington. DC: U.S. Government Printing Office, May 1989, ch. 4. 21 present, the Nation's utility industry imctades 203 investor-owned operating companies, 1.968 local pablicty owned systems: 994 rural electric cooperatives, 59 public joimt-action agencies, and 6 Federal power agencies. In addition, there are several bundred cogeneration and smail power producers selling power to utilities. respond immediately; and 2) designing circuit breakers and relays to protect and isolate equipment in a controlled manner. Reserve Generation and Transmission Utilities keep enough generation, transmission and substation capacity on-line and ready for opera- tion to replace any operating components that fail. Generating units must be warmed up and rotating in synchronism with the 60 Hz of the power system before operating. Generating units which are syn- chronized and ready to serve additional demand immediately are called spinning reserves. Utilities select ‘‘unit commitment plans’’ specifying which units will be warmed up and cooled down to follow the cycle of loads over the course of a day, week or season. Unit commitment schedules are chosen which minimize the total expected costs of operation and spinning reserves required to maintain reliabil- ity and meet expected changes in demand. substations don’t require any warm-up time and are instantly available as long as they are connected to the system. The flow of power in a transmission network is dictated by the laws of physics. One of the key laws is that power flows on all available paths Chapter 4—System Impact of the Loss of Major Components ¢ between a generator and a load. This is called parallel path flow. After a generator or transmission circuit fails, the power flow on the remaining circuits responds immediately. To ensure that resulting flows don’t exceed emergency ratings, ‘‘security- constrained dispatch’’ techniques are used to ensure sufficient transmission reserves. Control center op- erators typically examine a series of contingency cases to determine the most severe contingency and the resulting transmission loadings. When they find a contingency would create unacceptably high loadings, the generation dispatch is adjusted to reduce the resulting flows to acceptable levels. Circuit Breakers and Relay System Design Relaying techniques and circuit breakers to iso- late and protect equipment are essential to main- taining reliable service. Circuit breakers are installed at each end of every circuit and transformer in the system to provide protection in the event of a short circuit. Under normal conditions the breakers per- form routine switching operations such as discon- necting and isolating equipment for maintenance or inspection, transferring loads among circuits and disconnecting generators when not needed. When relays sense a short circuit, they cause the circuit breakers to operate, isolating the faulted component. Most breakers on the bulk power system operate in no more than five cycles (1/12 second in the U.S. 60-Hz system), and three cycle (1/20 second) operation is common. Prompt isolation of faulted components is critical to ensuring that the remaining equipment is not damaged and is able to continue operation. Increasingly, many power systems are using elaborate relaying schemes for protection.® These involve coordinated operation of multiple circuit breakers simultaneously in different locations rather For example, in the Pacific Intertie, which connects the Pacific Northwest with southern California, a complex scheme is employed which isolates genera- tion in Oregon and transmission circuits in Arizona when certain circuits in California fail. This system, which enables California to reliably import la amounts of power, ensures that a transmiss failure in California will not cause damaging imt ances in neighboring States. Impacts of Multiple Failures: Islands anc Cascading Outages While the failure of any single generating w transmission line or substation normally should 1 cause significant outages, simultaneous failure more than one major component generally « result in interruption of service.’ When abnorm multiple failures occur, a power system typica undergoes ‘‘system separation,’’ in which portic of the system disconnect from each other.’ Some these isolated portions, called ‘‘electrical islands may have an imbalance of supply and loads. Thc islands have either more generation than load more load than generation, causing the syste frequency to deviate from its normal value of 60 ° and transmission voltages to exceed design limits. turn, protective relays would cause several gene tors and transmission circuits to disconnect from 1 island, resulting in a blackout. Other islands m have a balance of supply and demand, allowi continued operation even though disconnected frc the rest of the system. “‘Cascading outages’’ occur when the failure one or more components causes the overloading a failure of other equipment and breakup of the syste into islands in an uncontrolled fashion. It is no possible to accurately predict the way a system w break up after a major disturbance—there are tc many variable factors.’ Utilities do analyze the systems and implement plans to help anticipate ar control the likely pattern of islands. Their analys: show that the pattern of islands will vary dependir on the location of loads, which units are operatin how much each unit is generating, the configuratic of the transmission network, and the specific se ond-by-second sequence of events causing t disturbance. However, one can predict that casca ‘North American Electric Relinbility Council, 1987 Retiabiliry Assessmens—The Fumere of Bulk Eleceric Symem Reliability in North Ameri. 1987-1996 (Princeton, NJ: October 1987). "This assumes that the system is operated for n- | contingencies. A system operated for a-2 should be expected to have significant impacts only wt more than two major components fail. Electric Corp., Usility Survey of Methods for Minimizing the Number and Severity of System Separations, EPR! EL-3437 (Palo Al CA: Electric Power Research Institues, March 1964). Thid. 34 © Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage ing failures will extend over large areas, in some cases over a multistate region. Preparing for Extreme Contingencies Because uncontrolled, cascading outages can be so widespread and difficult to recover from, U.S. utilities have made special provisions to avoid them even though the circumstances leading to them are viewed as highly unlikely. In addition to planning for ‘‘normal’’ contingencies, U.S. utilities also plan for ‘‘extreme’’ contingencies.'° The reliability crite- ria of each of the NERC regional reliability councils specify that bulk power systems shall be planned and operated in a manner to avoid uncontrolled, area- wide interruptions under certain extreme contingen- cies. Under extreme contingencies, substantial out- ages will occur, but should not extend across an entire system. Typical extreme contingencies examined include the loss of an entire multi-unit generating station, multi-circuit transmission substation, or loss of all circuits on a common right-of-way. Thus, the failure of all units in a large multiple-unit plant would cause serious, although perhaps temporary, blackouts in most systems. While customer interruptions would be expected in the immediate area, cascading failures resulting from overloading of remaining equipment should not occur if the extreme contin- gency planning has been performed properly. The types of equipment failure that a terrorist attack or major natural disaster may cause are far more severe than those considered by utilities as extreme contingencies. The extreme contingencies planned for by utilities today are limited to failures at a single site. However, natural disaster or attack could well affect two or more major sites. The simultaneous failure of any combination of two or more large multi-unit powerplants, or multi-circuit transmission corridors or substations may well lead to cascading failures. While the extent of the impact (e.g., the characteristics of the electrical islands) can’t be accurately predicted, it can be very large. LONG-TERM BULK SYSTEM IMPACTS The Importance of Any Few Components: Large Reserves and Peak Capacity Most of the time, U.S. utilities have large amounts of generating capacity in excess of demand. Any- thing less than the failure of much of this generation reserve should cause outages lasting no longer than the few hours required to start idle capacity and restart the system. However, there may be a daily cycle of shortages or rotating outages during hours of peak demand. The large surplus of generating capacity over demand results from two factors: 1) installing sufficient capacity to meet peak loads: and 2) plamned reserve margins in excess of peak demand. Power systems are designed to meet widely fluctuating loads which reach their peak for only a few hours in any year. Peaks usually occur in the late afternoons of hot summer days when air- conditioners add to normal loads, or on very cold winter days when space heating is uncommonly high. Because capacity is installed to meet the peak demand, a large amount of capacity operates at partial output or is idle except during those peak periods. Off-peak-period loads may be as little as one-third of daily peak. On average, demand it a year is around 60 percent of peak demand.'! Thus, on average, the power plants in a System operate at no more than around 60 percent of capacity. Furthermore, even at peak periods, there is generally a large amount of reserve generating capacity. Most utilities plan to install generation reserve margins of 15 to 20 percent.'? Utilities install reserve capacity in order to accommodate both planned and unplanned needs such as scheduled maintenance, unexpectedly high load growth and equipment outages. Because loads grew much slower than anticipated during much of the 1970s and 1980s, many areas of the country now have far too, with over 35 percent in some NERC regional reliability councils. ‘North American Electric Reliability Council, Overview of Planning and Retiability Criseria of the Regional Reliability Councils of NERC (Princeton, NJ: April 1988). 'IU.S, Department of Eaergy, Elecsric Power Supply end Demand for the C onsiguous United Seases 1968-1997, DOBAIB-0013, Jammary 1969, tables cis. '2U.$. Congress, Library of Congress, Congressional Research Service ‘‘Do We Really Need Al Those Electric Plaass?"’ Angust 1962. Chapter 4—System Impact of the Loss of Major Components © 35 As loads continue to grow, however, this excess capacity gradually is being reduced. Other regions of the country, on the other hand, are beginning to experience relatively small reserve margins.'? Transmission systems are planned to accommo- date both the geographical distribution of power- plants as well as the changing patterns of loads. Thus, the reserves of generation are necessarily accompanied by similar reserves of transmission. Transmission networks also link the many utilities in the Nation’s three interconnections (see box E). NERC reports that some transmission systems are heavily loaded by economy energy transfers both within and among regions, and will continue to be during the 1988-97 forecast period. These transfers are driven by fuel price differentials rather than reliability requirements. For example, the Pacific Intertie carries low-cost hydroelectricity from the Pacific Northwest to displace expensive natural gas-or oil-fired generation in California. However, on some occasions, large, long-distance transmis- sion lines carry power which is essential for reliabil- ity, not just for minimizing electricity costs.. Because there generally are large reserves of transmission just as there are of generation, it would take the destruction of the transmission capacity associated with several powerplants to keep any system down for an extended period of time over a wide area. However, at certain times such as extreme peak periods or when scheduled maintenance or unplanned outages have reduced actual reserve margins, failure of only a few key generation or transmission components units could significantly disrupt service. System Impact When No Outages Occur: Higher Costs and Lower Reliability Even if a blackout is brief or avoided altogether, the loss of damaged or destroyed base-load generat- ing units is very expensive for the duration of the outage. Base-load units, fueled by uranium, coal, or hydropower, have the lowest operating costs of any units in a power system and are typically the largest units. If they are damaged, the energy they would have produced must be replaced by other more expensive units such as inefficient peaking units using natural gas or oil. In the case of a large nuclear unit replaced by natural gas-fired turbines, the additional cost can be well over one-half million dollars daily.'* The lost use of the transmission capacity neces- sary to deliver the power from a generanng unit to consumers is similariy costly. The capacity to transfer power while remaining within voltage and load flow limits on the system is a constraint on economic dispatch. When sufficient transmission is not available to deliver power from the lowest cost generators to loads, other generators must be oper- ated instead. Any loss of generation and transmission capacity Teduces the reliability of a system somewhat. The BULK SYSTEM RECOVERY FROM OUTAGES There has been little experience with the types of widespread, carefully planned and executed acts of aggression addressed in this report. However, the utility industry has a long history of responding to various kinds of emergencies, whether they are relatively small, such as an outage of a transmission circuit or a generator unit, or more serious, due to ee ee ee Most some plans in place for restoring sumtee ali « teal diltinaes. tieecarer, few have '3U.S. Department of Energy, Electric Power Supply and Demand for the Contiguous Unised Seases 1968-1997, DOBTIB-0013, Janmary 1989, table: C19. ‘This estimase is based on a 1,000-MW emit outage and the sverage operating costs of auciear units and gas terbines reported in U.S. Departmen of Energy, Historical Plant Com and Anmmal Production Expenses for Selected Elecwic Plants 1967, DOB/ELA-0455(87) (Washingwa, DC: US Government Printing Office, May 1989), figure 1. The costs are, respectively, 2.1 and 4.7 comm/kWh. 36 © Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage longer, especially those that were completely blacked out. Restarting Generating Capacity If an external source of power is available, restarting a unit is not a problem. However, if no external power sources can be used, the powerplant must have ‘‘black start’’ capability. Black start capability can be provided from a diesel or a self-starting gas turbine unit in the plant. It is also possible to provide black start capability from the interconnections of a system. This is done by disconnecting the interconnections from the load- serving circuits (to avoid overloading the lines) while keeping the generator connected. The inter- connections can then be energized to import power from the neighboring system to use in starting the unit. Restoring Transmission As generating units are restarted, portions of the transmission system can be energized. The segments energized must be carefully selected to avoid building up excessive voltages due to the capacitive effects of the high-voltage lines. This requires that load be added as line segments are energized. Care must be exercised not to overload the small amount of generation connected. A power system is restored by successively restarting generators, connecting transmission lines, and connecting load until significant islands of operating load and capacity are available. Then the separate portions of the system are connected to each other. In this way, the portions of the system that are operable can be completely restored and returned to as near normal operation as feasible. Restoration of an outage should begin within minutes of an outage. The length of time to restore full service depends on the design of the system, the severity of the blackout, and the components damaged. SPECIFIC EXAMPLES OF ATTACKS To evaluate the impact of sabotage on electric power systems, postulated attacks were developed and reviewed for their effect on six areas in the United States. The impact of these attacks is described below, beginning with the simplest at- tacks that are most applicable nationwide. Most of the attacks involve transmission circuits (whether at substations or along transmission lines). The components attacked could be identified by someone generally familiar with power systems, either using published transmission maps or from direct observation. Physically locating the targets would involve modest effort and planning, since they are generally large and highly visible. Anyone familiar with power systems could readily identify the particular transmission facilities that need to be attacked for effective disruption. However, it is possible for unsophisticated saboteurs to mistakenly target small or relatively unimportant facilities. These cases assume that the attack occurs at a load level of about 80 percent of annual peak load. It is also assumed that about 20 percent of the total generating capacity is undergoing maintenance or forced outage. In all of the cases, the extent of the initial i would not be affected by the time of day or load level. That is because the amount of reserves which are warmed up and ready to operate is sufficient to handle only one (or in some cases two) contingencies, as is standard utility practice. The near- and long-term impacts would be lessened, however, if the attacks occurred during the spring or fall when system loads are lower. In most cases, rolling blackouts would be necessary only during certain hours, e.g., between 10 am. and 6 p.m. on weekdays, when loads are typically their highest. Destruction of Any One Generator, Transmission Circuit, or Transformer As has been noted above, U.S. power systems are operated to withstand the loss of any single piece of equipment without interrupting customer load. Therefore, the destruction of any one of these would not cause a blackout. The loss of any of these may significantly increase a utility’s operating costs, if it made replacement of low-cost baseload generators Destruction of One Major Multi-Circuit Transmission Substation or Multi-Unit Powerplant As noted above, U.S. utilities generally pian for the loss of an entire multi-circuit transmission cascading outages. However, customer interrupuous should be expected. No case was found in which Chapter 4—System Impact of the Loss of Major Components © 37 such an attack would seriously disrupt the bulk power system or affect more than a subarea of a utility. Immediately after the loss of a transmission substation (or of the multi-circuit corridor supplying it), the customers served directly and some others would be interrupted. Some more distant customers might be affected by the operation of protective relays as a result of power transients. The more distant customers interrupted would be restored in several minutes as the operators reconnected the circuit breakers and adjusted generation output. Customers in the immediate area of the failed substation would experience a longer power outage, lasting on the order of one day. Customers served by a distribution circuit powered directly from a de- stroyed substation might not return to service for several days or even weeks. If a powerplant was taken out of service (whether by attacking the generating units themselves, the generation substation, or the transmission circuits leading from it to the network), the impacts would be less severe. While the outages could cover large areas, service should be restored in several minutes as operators reconnected the circuit breakers and adjusted generation output. Costs of replacement power could be high, particularly if the plant was a large, low-cost baseload unit replaced by inefficient peaking units. Destruction of Two or Three Major Transmission Substations In most cases, the nearly simultaneous destruction of two or three transmission substations would cause a serious blackout of a region or utility, although of short duration where there is an approximate balance of load and supply in the isolated areas. It is almost certain that the transmission system would have too little capacity to continue after the second loss, resulting in separation of the system and the interruption of customer load in several areas. Most customers would be restored within 30 minutes, after undamaged interconnections were restored. For most systems, there would be a sufficient balance of generation and load to restore all customers as soon as generation could be warmed up and brought on-line. There are some areas of the country where failure of key substations could cause long-term disrup- tions. Two particularly vulnerable cities would be isolated by the loss of two or three substations, because of a serious shortage of generation. Rolling blackouts during high-load times (e.g., daytime) would occur for several weeks until temporary repairs were made. Destruction of Four or More Major Transmission Substations The destruction of more than three transmission substations would cause long-term blackouts in many areas of the country. Only a few areas have a good enough geographic balance of load and genera- tion to survive this very severe test. For example, one city is served by a ring of nine evenly spaced transmission substations. Nearly all the interconnec- tions serving this major metropolitan area would be destroyed by attacking the seven largest and easiest to identify transmission substations. The other two are smaller and of little importance during normal conditions. There is enough local generation in this case to restore service to most customers quickly, although it is considerably more expensive than the imported power. This case represents the best case of a multiple-substation attack. A final example is a city served by eight transmission substations spread along a 250-mile line and located in five States. A knowledgeable saboteur would be needed to identify and find the eight transmission substations. A highly organized attack would also be required. However, the damage would be enormous, blacking out a four-State region, with severe degradation of both reliability and economy for months. Chapter 5 Current Efforts To Reduce Energy Systems Vulnerability Since the late 1970s national emergency prepar- edness initiatives have focused primarily on devel- oping programs within appropriate government agencies. The National Security Council (NSC) has played a central role in directing this effort. About 20 Federal departments/agencies are involved with emergency preparedness. The Department of Energy (DOE), through its Office of Energy Emergencies, is the lead agency for energy-related issues. Other involved agencies include the Departments of De- fense, Interior, and State, the Federal Bureau of Investigation, the Federal Emergency Management Agency, and the Nuclear Regulatory Commission. In the early 1980s, the General Accounting Office cTiticized Federal Government agencies for inade- quate energy emergency preparedness planning and coordination. Since then, improvements have been made in developing comprehensive plans and pro- grams, streamlining coordination, and eliminating duplication. However, because of the number of Federal agencies involved in energy emergency planning, uncertainties about authority, responsibili- ties, and activities are bound to exist. These same uncertainties may be magnified during a national emergency and thus hamper efforts to ensure ade- quate energy supplies and distribution to essential facilities. The Federal Government has limited authority or responsibility to provide physical protection for energy systems. Individual utilities are responsible for protecting their physical plants and ensuring reliability. Utilities routinely build redundancy and plan for inevitable but occasional equipment failure but do not consider multi-site sabotage when design- ing the system. That is not to say that utilities are not North American Electric Reliability Council (NERC) has been working quietly on vulnerability materials and information on vulnerability. It also has encouraged member utilities to establish liaisons with government agencies and other industry groups. To a large extent, NERC facilitates commu- nication and coordination among its members—an activity that would be essential during an emergency situation. State efforts in energy emergency preparedness peaked in the early 1980s in response to the ou disruptions of the 1970s. Funding and staffing levels have since declined. This decrease in funding and staffing could affect the States’ ability to respond to an energy emergency. In addition, most of the States’ plans and organizational structure were developed in response to a particular crisis—an oil supply disruption—and may not be relevant to other situations. Plans need to be revised to reflect other potential disruptions, including natural disasters and sabotage. Furthermore, interstate and intergovernmental communication and coordination may be inade- quate. According to DOE, only 9 States have developed routine communication systems with surrounding States. Based on an energy emergency simulation, a Federal interagency group concluded that existing Federal and State crisis management plans were not well-coordinated and may be at cross purposes. This chapter provides an overview of current efforts and responsibilities of various institutions, including the utility industry, Federal agencies. States, and public utility commissions. Also, the current status of the U.S. electrical equipment manufacturing industry is discussed. CURRENT EFFORTS Private Industry Utilities In the United States the physical protection of electric power facilities does not appear to be a high-priority item for utility management. Histori- cally, deliberate attacks on electric power facilities have not resulted in power or financial losses significant enough to justify a major investment in Secarity Preparedness, Jannary 1989. \Repor: of the Inseragency Growp on Energy Vuinerability, November 1986-Nowamber 1988, prepared for the Seasor Interagency Group for Nanonal 40 © Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage physical security. However, it is important to note that the utility industry is concerned about vulnera- bility and has been working quietly on security issues for some time. Utilities recognize that communication is an important part of any security plan. Under emer- gency conditions, including sabotage, the ability to communicate is even more critical. Thus, utilities place a high priority on the restoration of communi- cation networks during emergencies. Utilities also recognize the need for improved communication with law enforcement officials and other utilities. Virtually all utilities with key facili- ties have established contact with the local FBI office. The FBI can assist utilities in evaluating threats, inspecting facilities, and planning emer- gency responses. In addition, utilities have encour- aged additional information exchanges between operating personnel and security managers to ensure adequate emergency preparedness. North American Electric Reliability Council (NERC) NERC and its nine regional councils were estab- lished in the late 1960s to assist utilities in providing for the reliability and adequacy of electric genera- tion, transmission, and distribution systems. Forma- tion of the organizations was aided by Federal legislation following the Northeast blackout of 1965. At NSC’s direction, DOE requested NERC to address electric power systems vulnerability issues. In 1987, NERC established the National Electric Security Committee (NESC) to assess the degree of vulnerability of U.S. electric power systems and develop a program to mitigate vulnerability to sabotage and terrorism. The Security Committee established three working groups which dealt with physical security enhancements, operating strate- gies, and design and restoration improvements. In July 1988, the NESC presented its report and recommendations to the NERC Board of Trustees. The report with its recommendations was approved in October 1988. Most of the recommendations have been implemented while a few are still under review. NERC’s program includes a close-working rela- tionship with the Federal Bureau of Investigation. Also, NERC has identified utilities where spare transformers are located. A small number of agencies have been briefed on the NERC report and recommendations. These agencies include the National Security Council, the Department of Energy, the President’s Science Adviser, and the Federal Emergency Management Agency. The NESC, having completed its mission, has been disbanded and related activities assigned to NERC’s Engineering and Operating Committees or to the Regional councils or the utilities. Edison Electric Institute (EE EEI has established a security committee, which consists of 70 members who are responsible for physical protection of utilities’ facilities. According to EEI, more than half of the committee's members are ex-FBI agents or members of other law enforce- ment agencies. EEI’s security committee facilitates security information exchange among its members, NERC, and government agencies. Federal Government National Security Council (NSC) The NSC is the lead agency for national security emergency preparedness policy. In 1988, NSC defined the government’s approach to emergency preparedness. It grouped government agencies by particular areas such as economics, energy, human services, law enforcement, telecommunications, and transportation. One department/agency is the lead agency within each group and is responsible for oe responsibilities and operating proce- and coordinating activities with other groups. Fr commie tin is bs ‘oud pinoy fx Gn omy group. Also, NSC is the principal liaison with Congress and the Federal judiciary on national security matters. Federal Emergency Management Agency (FEMA) FEMA serves as adviser to NSC on national security emergency which includes mobilization? preparedness, civil defense, techno- to other Federal agencies in developing and impie- menting emergency preparedness plans. More spe- 7Mobdilization is defined as the marshalling of resources, both civil and military, to respond to and manage a national security anergency. 8 wt ee Chapter S—Current Efforts To Reduce Energy Systems Vulnerability © 4/ cifically, FEMA is responsible for developing plans for the conversion of industrial capacity and supply during a national emergency. This effort involves identifying industrial facilities that are essential to national mobilization and developing mechanisms, including standby agreements, to allocate facilities when production capacity is in short supply. During a oational mobilization, FEMA would likewise be involved in coordinating and facilitating emergency supply imports. In addition, FEMA authorizes government agencies to establish National Defense Executive Reserve programs (discussed in a later section) and provides guidance in this regard. Recently, FEMA prepared a prototype national plan for graduated mobilization response (GMR) options. This process provides a framework for mobilization planning in three incremental steps: planning and preparation, crisis management, and national emergency/war. Eight Federal departments and three agencies were considered in the process. As a result of this effort, a Defense Mobilization Order was issued in January 1990. The order defines GMR, provides policy guidance, and further estab- lishes a system for developing and implementing mobilization actions that are responsive to a wide range of national security threats and warnings. FEMA expects that a final document, which will institutionalize the process, will be available in 1990. Another ongoing FEMA activity is the prepara- tion of Major Emergency Action papers. These Papers are intended to provide information to decisionmakers on response options, costs and benefits, and the implementation process during a wide spectrum of emergencies.’ FEMA also published a Defense Mobilization Order, which provides criteria and guidance for Federal departments/agencies to develop strategies, plans, and programs for the security of essential facilines and resources. Responsibility for protect- ing essential facilities rests with Federal departments/agencies. FEMA monitors liance and reports its findings to the NSC. FEMA's disaster relief activities are the most visible. The most recent examples are FEMA's efforts to assist South Carolina, Puerto Rico, and the Virgin Islands in the wake of Hurricane Hugo and victims of the Loma Prieta earthquake. Department of Energy (DOE) DOE is the lead government agency for energy emergency preparedness. Its mission is to ensure that adequate energy supplies are available to support the Nation's infrastructure during a national emergency. In this regard, DOE's Office of Energy Emergencies (OEE), created in 1981 in response to Execunve order 11490, is responsible for dealing with energy system vulnerability concerns. OEE’s FY89 program budget totals about $6.2 million, the bulk of which is used for staff salaries. The budget has remained essentially the same over the past 5 years. OEE consists of 71 professional and support staff.‘ Vulnerability Program—Recently, the OEE developed a Vulnerability Program whose purpose is to reduce the risks of energy system interruption. The Program consists of four phases: Phase I included case studies to determine the nature of vulnerabilities in the electric power, petroleum, and natural gas industries. This effort included consider- able input from industry, Federal, State, and local governments and is essentially completed. The results of the studies are classified. Phase II establishes an industry outreach program which provides information and solicits industry/ government joint cooperation. DOE cites the NERC/ DOE initiative, noted earlier, as an example of Phase TI activity. According to DOE, the first phase has been completed and the second is progressing. Phase III of the program includes additional case study exercises and other industry outreach efforts. DOE expects industry to respond to the concerns raised by these exercises. However, there appears to be no provision for follow-up activities under this phase. Phase IV will identify national security vulnerabilities which cannot be addressed by the respective industries. This phase may include feder- ally funded programs to remedy energy system vulnerability concerns. Other OEE efforts have included updating the State emergency contracts directory, reviewing legislation and contingency Federal Emergency Management Agency, National Preparedness Directorate, Office of Mobilization Preparedness, Motilizazion Prepar edness—An Overview, March 1989. “Edward V. Badolato, Depety Assistant Secretary for Energy Emergencies, U.S. Department of Energy, testimony at hearings before the Senate Governmental Affairs Comminee, Feb. 8, 1989, pp. 4, 6. 42 © Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage plans, and disseminating information to States via an electronic mail system called DIALCOM. OEE has also conducted regional seminars and simulations to provide assistance to State energy planners.’ An overview of the results of the regional seminars is given in the ‘‘State Efforts’’ section. DOE has established a threat notification system to alert energy industries. Notification consists of a message describing a threat that could lead to aggressive actions. For example, notification of Iran's reaction to the reflagging of Persian Gulf vessels was sent to NERC, the American Petroleum Institute, the National Gas Association, the Inter- state Natural Gas Association of American, and the National Coal Association. These organizations in turn notify their respective industry members. Interagency Group on Energy Vulnerability/ Policy Coordinating Committee on Emergency Preparedness and Mobilization Preparedness— Because of a growing concern about international terrorism, the NSC directed DOE to establish the Interagency Group on Energy Vulnerability (IGEV). It focused on national security issues relating to the vulnerability of U.S. energy systems. The Group was charged with developing initiatives to decrease vulnerability and mitigate the impact on national security of any disruptions.° In late 1988, IGEV was terminated and its concerns and functions merged into a new interagency group, the Policy Coordinat- ing Committee on Emergency Preparedness and Mobilization Preparedness, Standing Committee on Energy. Committee members include the Depart- ments of Energy, Defense, Justice, Interior, State, Transportation, and Treasury; the Central Intelli- gence Agency; the Federal Bureau of Investigation; the Federal Emergency Management Agency; Na- tional Communications System; National Security Council; and the Nuclear Regulatory Commission. National Defense Executive Reserve (NDER) Program Authorized by Congress, the NDER is a collection of civilian executives recruited from various indus- tries. When authorized by the President, the industry executives, called reservists, would provide infor- mation and assistance in their areas of expertise to Federal authorities. Reservists would also help coordinate industry efforts in meeting national needs. FEMA authorizes government agencies to establish NDER units and provides overall policy guidance. The Office of Energy Emergencies within DOE administers three NDER units: the Emergency Petroleum and Gas Executive Reserve, the Emer- gency Electric Power Executive Reserve, and the Emergency Solid Fuels Executive Reserve. DOE indicates that these industry executives could provide invaluable assistance in assessing damage, evaluating supply capability, and coordi- nating repair and restoration efforts. DOE plans to have about 400 industry representatives involved in the NDER program. The reserve staff for the Electric Power unit is at 50 percent of the staffing goal and Solid Fuels is up to 80 percent, according to DOE.’ Since its birth in 1964, the NDER program has not been without criticism. It has been administered by several government agencies, including the Defense Electric Power Administration within the Depart- ment of the Interior, the Economic Regulatory Commission, and finally the Office of Energy Emergencies within DOE. Questions have been raised about training and recruitment, and antitrust concerns have been raised by petroleum industry officials. Consequently, the petroleum executive reserve unit has not been fully developed. Over the last few years, however, DOE has been aggressively recruiting reservists and facilitating training ses- sions for new reservists. The Federal Bureau of Investigation (FBI) ties. The Bureau recently proposed a counterterrorist program that would focus on the vulnerability of the Nation's infrastructure to sabotage. The program was designed to place 70 additional agents in field offices to identify key infrastructure facilities, de- velop contingency response plans, disseminate in- formation, and provide assistance to private indus- try. Funding for the $17 million program has not National Research Cowncil, Committee on State and Federal Roles im Energy Emergency Preparedness, Sasse and Federa/ Roles in Energy Emergency Preparedness, prepared for the U.S. Department of Energy (Washington, DC: National Academy Press, January 1989), pp. 15-18; Badolsto Testimony, op. cit., foomor 4, p. 10. eee CT ae Corr er rene rn 7Badolato Testimony, op. cit. foomos 4, p. 15. Chapter $—Current Efforts To Reduce Energy Systems Vulnerability © 43 been approved. A second proposal, now under review, will use existing resources within the Bureau to develop liaisons with private industry and dissem- inate threat information.® Currently, the FBI main- tains a liaison with the Department of Energy. Threat warnings are disseminated to DOE, which in turn notifies private industry. Department of Defense (DoD) DoD administers the Key Assets Protection Pro- gram (KAPP), whose purpose is to protect selected civilian industrial assets from sabotage during a national emergency. Selected industries are those that are deemed essential to national defense and include some industry-owned energy facilities. Key assets are not owned or controlled by DoD. The program identifies which electric power systems provide energy to vital military installations and defense manufacturing areas. In addition, critical nodes on each power system are identified in order to facilitate defense planning. As administrator of the KAPP, the Commander in Chief, Forces Command, develops and maintains a classified Key Assets List (KAL). Facilities that are inchuded on the list must be nominated by DoD and meet stringent criteria, which includes onsite inspec- tions and the approval of owners. DoD also solicits nominations of infrastructure assets from other Federal department and agencies. Responsibility for ensuring the security of a facility rests with the owner/operator initially. In the mid-1970s, the electric utility industry participated in the Defense Industrial Facilities Protection Program (now KAPP). At DOE's insis- tence, DoD discontinued the ‘‘utility list’’ in 1980. The utility industry and DOE objected to DoD’s need to conduct onsite physical security surveys, particularly by Defense agency personnel unfamiliar with electric power systems, and the arbitrary nature of de cstoetianneente? Uo Oltiar tabesny hakant rejoined KAPP. Since then, DoD, with an initial grant from FEMA, is again attempting to identify facilities. Once identified, DoD will notify owners and solicit their cooperation in improving reliability and/or security of the critical nodes. The identified nodes will not be placed on the KAL. States States’ efforts to plan for energy emergencies vary considerably. This assessment is based on a 1988 DOE survey of State energy emergency prepared- ness and information collected by DOE in 1985 and 1986.!° According to DOE, most energy emergency plans were developed under the Energy Emergency Conservation Act, which no longer exists. DOE found that most States had established a formal authority to deal with energy emergencies and developed plans that delineate responsibilities and provide guidance. DOE noted that almost all of the plans were developed in response to the 1979 oil disruption, and only three plans have been updated since 1983. Many of the plans focus on educating the public and on conservation programs. Fewer than one-third address the social impacts of energy supply disruptions. '! While some authority and organizational system is in place, staffing and funding levels have de- creased over the past few years. About one-third of the responding States have at most one full-time professional staff person working on energy prepar- edness; 58 percent have two or fewer. Most States indicated that staff are not full time. The majority of respondents noted that the decline in funding has reduced some States’ response capability.!2 And, in terms of intergovernmental coordination, some re- spondents expressed a need for more information and communication between their States and DOE. On a regional level, energy emergency planning and preparedness varies as well. In 1988, DOE’s Office of Energy Emergencies conducted four re- gional seminars, which included a simulation of an energy emergency. From these seminars, DOE found that energy emergency planning was just getting off the ground in the Southeastern States.'? "Bill McGrach, Federal Bureas of lnvestigatioa, personal commanication, Dec. 11, 1989. 5U.S. Congress, General Accounting Office, Federal Electrical Emergency Preparedness 13 Inadequate, EMD-$1-50, May 12, 1981, p. 19 "National Research Council, op. cit. foomote 5. "hdd., p. 24, Nhid., pp. 23-24. ‘For purposes of these seminars, the Southesstern region inctudes: Texas, Otishoma, Arkanses, Louisiana, Mississippi. Alabama, Flonda. Georgia. Seuh Carolina, North Carolina, and Tennessee. 44 © Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage The Southern States Energy Board is a central player in this region, encouraging cooperation and coordi- nation among State and regional energy officials. The Western States'* had the best integrated emer- gency planning of all the regions, according to DOE. Emphasis is placed on interstate and regional planning, and many States conduct energy emer- gency exercises. Perhaps because of the danger of earthquakes, California has one of most coordinated and knowledgeable emergency planning offices in the country. California has a large staff and one member of the Energy Commission assigned to energy emergency preparedness. The State’s plans are updated and tested regularly.'5 It does not appear that the inland Western States are as highly coordi- nated as the Pacific Coast States. The Northeast/ Mid-Atiantic region'® is the most vulnerable to energy emergencies because of its dependence on fuels produced in other regions or countries. DOE did not report on the status of emergency planning in this region. And, in the Middle West region,!” responsibility for dealing with energy emergencies is left to the industrial sector.'* Public Utility Commissions Public utility commissions oormally allow utili- ties to recover security costs. For example, security fences and guards, and monitoring and surveillance equipment are included in the overall cost of operating a nuclear power facility. Also, spare components are typically held as an essential part of the operation and are included in the rate base. Utilities have expressed reluctance to employ addi- tional security measures. Among the arguments they have raised is a concern that utility commissions would disallow any related expenditures. This con- cern is as yet untested. It is possible that utility commissions may find that no need exists for additional security against very low-probability events (e.g., concerted aggression against utility systems). If so, they would be unlikely to allow utilities to charge for such expenditures. However, if utility activities are in response to Federal emer- gency preparedness policy or guidelines, approval of expenditures is more likely. STATUS OF THE U.S. ELECTRICAL EQUIPMENT MANUFACTURING INDUSTRY The heavy electrical equipment manufacturing industry has been undergoing restructuring in recent years, resulting largely from the drastic slowdown in clectric power capacity expansion and new equip- ment orders. At one time, U.S. companies dominated the heavy electrical equipment manufacturing in- dustry. Today, there are only a handful of U.S. companies. Some companies have entered into joint ventures, while others have exited the business altogether. Still others have negotiated mergers and buyouts. For example, General Electric sold its extra-high-voltage (EHV) transformer manufactur- ing technology to Westinghouse, which in tum formed a joint venture with ASEA Brown Boveri (ABB) in 1989.!9 Recently ABB, itself a merger of Swedish and Swiss companies, exercised its option to buy out Westinghouse. Manufacturing facilities will remain in the United States. Currently, Westinghouse and Cooper Power Sys- tems, a wholly owned subsidiary of Cooper Indus- tries, are the only domestic manufacturers of very large Generation Step Up transformers (GSUs). Transformers manufactured overseas by a number of foreign companies, including Siemens of West Germany and Hitachi, are also sold here. The Westinghouse ABB facility, located in Muncie, Indiana is operating at about 50 percent capacity and has not been profitable in the last few years. However, the plant is active, with over two shifts continuing jon at reduced throughput.” Drexel Burnham Lambert estimated that capacity utilization in the U.S. electrical equipment industry \The Western region inciades: Washington, Oregon, Catifornia, Nevada, New Mexico, Nevada, Arizona, Colorado, Wyoming, Montana. and Idaho. \Stnside Energy With Federal Lands, ‘DOB Working With States To improve Responses to Energy Emergencies,'’ Oct. 30, 1989, p. 7. \¢The Northeesy Mid-Atlantic regioa imciades: Virginia, West Virginia, Maryiand, Deiewsre, Pennsytvania, New Jersey, New York, Connecticut, Massachusetts, Vermont, New Hampshire, Rhode Isiaad. and Maine. '"The Middle West region inctades: North Dekota, South Dakota, Nebraska, Kansas, Minnesota, lowa, Missouri, Michigan, Wisconsin, [ndians, Dinois, Ohio, and Kentucky. \®The Strom Thurmond Institute, Regional Differences, Common Concerns—f ederel- Sease-industry Roles in Energy Emergency Preparedness, Regional Seminars Conference Report, Summer 1968, pp. 11-14. \9Mesting with Westinghouse transformer plant persoane!, Muncie, IN, July 27, 1969. PTbid. Chapter S—Current Efforts To Reduce Energy Systems Vulnerabiliry © 45 ranges from 50 to 80 percent, depending on the product line.?! Furthermore, EHV circuit breakers are no longer manufactured by American-owned companies, al- though they are produced domestically. General Electric sells Hitachi-made circuit breakers and Westinghouse markets Mitsubishi-made models. Two foreign suppliers—Siemens of West Germany and ABB—manufacture circuit breakers in U.S. factories. The restructuring trends are influenced by the declining market for electrical power equipment and subsequent profitability and the presence of foreign manufacturers. The power transformer industry, for example, has significant overcapacity because of the decline in demand, according to the Department of Commerce. Moreover, nearly 40 percent of U.S. EHV transformer production capacity has been removed in the last 3 years. At the same time, foreign manufacturers’ share of the U.S. power equipment market has increased to about 20 t and is expected to continue to rise.*? Foreign-controlled companies have been predicted to account for about 60 to 75 percent of the market for all core electrical equipment products (distribution transformers, switchgear, transmission, construction equipment, and power generation) by 1990.% However, it is important to note that a larger fraction of these products will be manufactured domestically. Be- cause of the decline in the U.S. dollar, foreign companies have found serving U.S. markets very expensive and one solution to this situation is to establish facilities in the United States. In contrast, U.S. participation in foreign markets is minimal. One reason is that electrical equipment has been excluded from GATT (General Agreement on Tariffs and Trade) jurisdiction, resulting in limited U.S. access to foreign markets. This exclu- sion from GATT was influenced by the close relationships among utilities, electrical equipment manufacturers and the government in European countries. Most foreign utilities are State-owned or subsidized. This government stakeholder position has made penetration of some European markets difficult. According to the National Electrical Manu- facturing Association (NEMA), between 1975-88, U.S. manufacturers of large power transformers and steam turbine generators did not win a single order from a European Community (EC) purchaser with a domestic production base for these products.”6 Recently, access to foreign markets has been the subject of discussion and negotiations among the Department of Commerce, the U.S. Trade Represen- tative, and the EC Commission, which will control trade for its members, beginning in 1992. The EC, in late 1988, issued a directive that covers procurement in three previously excluded sectors: energy, water, and transport. The directive, which is currently under review by the European Parliament and Council of Ministers, proposes that utilities compet- itively procure purchases above a certain EC unit value (about $170,000 - U.S.). The utilities, how- ever, will have considerable latitude in choosing tendering and procurement procedures, and will be allowed to exclude offers that have less than a 50 percent ‘‘EC content,’’ which will be based on contract value.?” According to recent testimony by NEMA, the proposed directive provides no new right of access for non-EC suppliers. American electrical equip- ment manufacturers will continue to face closed utility markets in most EC member states, according to NEMA. On the other hand, U.S. markets are open to foreign suppliers.2 Proponents for maintaining U.S. electrical equip- ment manufacturing capability suggest that eco- nomic—jobs for U.S. workers—and national secu- rity considerations are two of the most compelling 2!Drexei Bernbam Lambert, ‘‘Current Perspectives on the Electrical Equipment Industry,’’ December 1967, reported in Electrical Marketing, ‘‘Why Foreigners Will Control U.S. Electrical Equipment Market,"* vol. 13, No. 3, Feb. 5, 1988, p. 8. 2**The Rise of Insarnational Sepptiers,’’ ZPR/ Journal, vol. 13, No. 8, December 1988. p. 7. DCharies H. White, National Electrical Manufacturers Association. testimony at hearings before the Senses Committee on Governmental Affairs, on Vulnerability of Telecommunications and Energy Resources to Terrorism, Feb. 7 and 8, 1989, p. 65. Drexel Burnham Lambert, op. cit, foomowe 21. Thi. Bernard H. Palk, President, National Electrical Manufacturers Association, testimony at hearings before the Howse Committee on Foreign Affairs, Subcommittee on Europe and the Middle East and Subcommittee on International Economic Policy and Trade, Apr. 5, 1989, p. 2. Tid, pp. 4-5. *Thid.. p. 5. (Gan 46 © Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage arguments. Others maintain that without an adequate number of companies in the industry, competition will erode and a sellers market will prevail. Sall others believe that the transportation of foreign- made equipment will take longer to reach the United States, which may be critical im a crisis. Some question whether standard American spares would be readily available from foreign manufacturers and wonder whether foreign manufacturers will give U.S. companies priority during a crisis. NEMA argues that an adequate domestic manufacturing capacity is needed to support a surge in demand for equipment or respond to a crisis. Others see no compelling reason for maintaining U.S. capability. Foreign companies make quality electrical products and do it in a timely manner. Many feel that foreign suppliers are committed to meeting U.S. needs. One utility executive noted that the global market is already part of the business environment, and procurement policies can address spare parts availability and other issues.” i PWhite, op. cit. foomore 23, p. 65. %**The Rise of inernational Supptiers,'’ op. cit. foomote 22. Chapter 6 Options To Reduce Vulnerability The preceding chapters have established that U.S. electric power systems, while capable of absorbing considerable damage without interrupting service, are vulnerable to attacks by saboteurs and, to a lesser extent, to massive natural disasters. Damage could occur that exceeds normal utility contingency plan- ning, resulting in widespread, severe power short- ages and rolling blackouts that would be extremely expensive and disruptive, and could continue for many months. The risk that massive damage will occur is not high, but neither is it negligible. International terrorist groups appear to have the capability of mounting a crippling assault, and at some point, they or domestic extremists may see a motivation. Earthquakes and hurricanes more severe than have yet been experienced in the United States are inevitable. Eventually one will cause unprecedented damage to an electric power system, although the random nature of such disasters makes the ie disruption very uncertain. Various measures can be taken to reduce vulnera- bility disruption if damage does occur. The North American Electric Reliability Council has recog- nized that threats exist, and some utilities have taken action, as discussed in the previous chapter. How- ever, such actions are voluntary on the part of individual utilities. It can be easy to ignore low-risk events, even if they are of high consequence, especially when protective measures are costly. Given the unpredictability of these types of disruptions and the uncertainty of their costs, it is not possible for a cost/benefit analysis to determine how much protection is worthwhile. The desirability of further measures is a matter of judgment more than analysis, as is the potential role of the government in stimulating greater protection. This chapter describes the measures that could be useful in reducing the risk. This can be done by: 1. preventing or minimizing damage to the sys- tem; 2. minimizing the consequences of any damage that does occur; and 3. assuring that recovery can be accomplished as Tapidly as possible. -47- In addition, the evolution of the electric power system can be guided toward inherently less vulner- able technologies and patterns. Table 6 lists the specific steps. These measures are presented independently of how they would be implemented or who would pay for them. The following chapter discusses consistent policy packages of these measures that could be undertaken depending on the judgment of the decisionmaker as to the severity of the problem. The packages address the issues of implementation. PREVENTING DAMAGE TO THE SYSTEM While it is not possible to protect energy facilities completely, it is possible to deter attacks and limit damage. Measures to reduce vulnerability include both physical changes or additions to electric power facilities and institutional measures. Physical changes include constructing walls or berms around critical facilities and adding monitoring devices to detect unauthorized entry. Some changes may be prohibitively expensive, while others may involve minimal expense. The transmission network is the part of the power system of greatest concern because it is highly vulnerable to attack, and the consequences can be great. The lines themselves are essentially impossi- ble to protect because they extend over many thousands of miles, often in sparsely populated areas. However, lines can usually be repaired quickly with equipment and materials that utilities keep on hand. Substations are the part of the transmission system with the most serious combination of vulner- ability and potential consequences. Unguarded and unprotected substations in remote areas are as vulnerable as lines, but damaged equipment could take months to replace. The loss of even one key substation could effectively isolate a substantial part of the regional generation capacity from the load centers, posing the risk of long-term power short- ages. 48 © Physical Vulnerabulity of Electric Systems to Natural Disasters and Sabotage Table 6—Options To Reduce Vuinerability A. Preventing damage 1, Harden key substations—protect critical equipment within wails or below grade, separate key peices of equipment such as transformers, toughen the equipment itself to resist damage, etc. 2. Surveillance (remote monitoring) around key facilities (cou- pled with rapid-response forces). 3. Maintain guards at key substations. 4. Improve coordination with law enforcement agencies to provide threat information and coordinate responses 8. Limiting consequences 1. Improve emergency planning and procedures for handling power flow instability after major disasters and ensure that Operators are trained to implement these contingency pians. 2. Modify the physical system—improve control centers and Protective devices, greater redundancy of key equipment, increased reserve margin, etc. 3. Increase spinning reserves. C. Speeding recovery 1. Contingency planning for restoration of service, including identification of potential spares and resolution of legal uncertainties. 2. Clarity legaiinstitutional framework for sharing reserve equipment. 3. Stockpile critical equipment (tr.nsformers) or any speciai- ized material (e.9., various types of copper wire) needed to manutacture this equipment. 4. Assure availability of adequate transportation for a stockpile of very heavy equipment by maintaining databese or rai/berge equipment and adapting Schnabel cars to fit all transformers if necessary. 5. Monitor domestic manufacturing capability to assure ade- quate repair and manutacture of key equipment in times of emergency. O. General reduction of vuinerability 1, Emphasize inherently less vuinerable technologies and designs where practical, including pole-type transmission lines, underground transmission cables, and standardized equipment. 2. Move toward an inherently less vulnerable bulk power system (e.g., smaiier generators near loads) as new faciiiies are planned and constructed. SOURCE: Office of Technology Assessment, 1900. Harden Key Facilities Most substations are enclosed with nothing more formidable than a chain-link fence. Improved fences and gates could delay an attack while guards are summoned by perimeter monitoring systems. How- ever, no fence will delay experienced, dedicated adversaries for more than a few seconds. Hence there seems little in constructing very expensive perimeter barriers unless police or armed guards are stationed at or close to the site. Moderately rein- forced fences, perhaps anchored at the bottom and incorporating rolls of barbed tape, would provide some protection against opportunistic saboteurs and vandals, especially if coupled with perimeter alarms. Protective barriers—walls or berms—could be built around the transformers to preclude damage from off-site rifle fire. Barriers might be particularly valuable in substations at generating plants. Unso- phisticated saboteurs might prefer to avoid ap- proaching generating stations too closely because they are manned and often guarded, but appropriate walls would prevent easy attack from a distance. Walls would not stop a saboteur willing to climb the fence and attack from close range, but deterring less aggressive attacks could still prevent the loss of a billion-dollar generating station. Barriers would also limit the damage that could be caused by one large bomb, forcing the saboteurs to plan a more elaborate, Tisky attack. The cost of hardening a particular facility depends on the site characteristics and the type of protection required. For example, a sheet metal wall (or building) will hide equipment from view. That might help against vandals, but it would provide no protection against a saboteur with a high-power rifle who knows the equipment is inside and will simply spray the wall with many bullets. A heavier wall, perhaps made of reinforced concrete that can stop rifle fire, would be considerably more expensive. If the surrounding terrain provides high-vantage points, the wall would have to be commensurately high. While no general rule is proposed, crash- resistant fences and a concrete wall would add perhaps $100,000 to $200,000,' a few percent of the multimillion-dollar facility cost. Some measures, such as walls, would make installation and mainte- nance of equipment more difficult. These costs should be included when evaluating the desirability of adding protection. 'Dertved from The U.S. Army Corps of Bagineers, ‘‘Security Engincering Manmai,"’ Angst 1967, and Sandia Netiounl Laboratories, ‘‘ Access Deiay,’’ Sand 87-1926, 1989. App. A of the ACE manual lists several vehicle barriers diaches (about $4/foot), comcrew- filled posts (SS0/foot), reinforced fences (about $40/foot), etc. For example, a 4-ecre site would have a fence of sbout 2,000 fest. Assuming ditch on 75 percent and filled posts on the rest, the cost would be $31,000, plus s crash gate at $13,000. In addition, a fence designed to delay attackers on foot, perhaps roils of barbed tape artached to a standard chase-link fence, would cost abowt $6/foot, or $12,000. Suck a famce would be little deterrence t s well-equipped atversary. More formidable barriers would cost over $20/foot. Aa §-iach thick concress wall around the transformer would cost $13.50 per square foot. A three-phase transformer might imvotve a three-sided wail of sbowt 25 fest per side plus an additional 7S-foot straight wail to shield the opening while allowing access in case the transformer has to be removed. The wail might be 25 fest high, for a tounl of 3,750 square fest which would cost abowt $50,000. The grand tori for the example is $106,000. Utilities in most parts of the country generally have not designed their facilities to be earthquake- resistant, except for nuclear powerplants, yet several regions besides the west coast are vulnerable. Generating stations are particularly vulnerable to earthquakes unless adequately designed and con- structed. The central Mississippi valley, the southern Appalachians, and an area centered around Indiana are particularly vulnerable to major earthquakes but are much less prepared than California. Review and appropriate upgrading of existing facilities, and application of appropriate seismic standards to new construction, could avert a major loss of generating capacity. Surveillance Equipment can be installed at unmanned, key facilities to detect intruders. Intrusion detection systems include sensors, alarm communication sys- tems, and possibly video equipment to assess the cause of an alarm. Perimeter alarms and motion detectors would alert utility headquarters or police/ military units which could instigate rapid, armed response. A rapid response could interrupt an attack and that possibility might deter an attack by a group sophisticated enough to recognize the problem. To be of greatest value, a detection system should be coupled with some sort of physical protection of the main substation components, to reduce the possibil- ity of off-site attack. A wide variety of intrusion sensors have been developed, ranging from buried pressure sensors to electric field disturbance detectors to fence-motion detectors. None is perfect. All sensors have some probability of failing to detect an intrusion, depend- ing on such specific factors as the imstallation conditions, weather and conditions, and sensitivity of the sensors. Sensors also may trigger nuisance alarms—ie., alarms caused by spurious factors such as animals, weather (e.g., wind or rain), background noise, or failure of the sensor itself. Intrusion detection systems may include a closed- circuit television system for remote assessment of the cause of alarms. A detection intrusion system at a substation with a 2,000-foot would cost on the order of $125,000.? Chapter 6—Opnons To Reduce Vuinerability ¢ 49 At remote sites surveillance would be less useful because the response would take too long. Saboteurs cap cross almost any barrier, leave explosives to destroy critical substation components, and depart within a few minutes. [f several teams operate simultaneously at different sites, a utility may know a major attack is in progress but be helpless to do anything about it. Even at remote sites, however, surveillance sys- tems still would serve two major purposes. Detect- ing and monitoring unauthorized entry would permit the utility to investigate and presumably discover and disarm timed explosives. Thus the potential damage that one or a few saboteurs can accomplish would be limited to only one or two sites before utilities would have guards out. In addition, some forms of surveillance, such as remote TV cameras. may provide crucial evidence for an investigation even if an attack is successful. A related issue is employee training to recognize and respond to sabotage threats. Reporting suspi- cious behavior near key facilities may uncover plans for an attack. Alternatively, recognition that sabo- tage and not natural causes has led to damage may lead to the preservation of evidence. Guards Detection and delay will do little to stop a serious saboteur if a human response is unavailable to intervene. A heavily armed response to an actual attack is most appropriate to police or military forces (see below), but private guards can deter some attacks. Currently, armed guards are used at all nuclear powerplants. As a matter of routine, nuclear plant licensees must develop physical security plans, which include the training and use of guards. A well-trained, armed, and dedicated onsite security force is one of the major elements of a nuclear powerplant security system. Guards are also used at non-nuclear powerplants to monitor employees and visitors and vehicle traffic and for perimeter surveil- lance. The training and use of guards at powerplants vary by utility. Guards generally are not used at substations. bid. App. A of the ACE manmal lists detector costs ranging from $20/foot for fence motion detectors 10 $4(0/foot for ufrared systems. For a 2,000-foot perimeter this totnls $40,000 to $80,000. A basic control panel would cost around $10,000, iaciading the contro! unit, power supply, ‘sad communication module. A CCTV system costs around $30/foot, adding another $60,000 to the surveillance package. Personne to monitor the system would add an operating cost. 50 @ Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage The deterrent value of guards depends on their numbers, training, capabilities, and orders as well as on the capabilites and motivations of their potental adversaries and the physical characteristics of the site. Opportunistic saboteurs and vandals may be deterred by even a single, unarmed guard. Ruthless terrorists with the resources to mount a well- planned, violent attack essentially could ignore any force less than a well-trained and motivated group of armed guards. Barriers and surveillance equipment can greatly increase the effectiveness of guards. Guards are employed in different situations for a variety of reasons: to prevent or detect intrusion, vandalism, and theft; to control people and vehicle traffic; and to enforce rules, regulations, and poli- cies. Although, private security guards perform some functions similar to public law enforcement officers, often wear uniforms and badges, and occasionally carry weapons,’ their legal authority differs in many significant respects from that of public officers. In general, private security guards have no more formal authority than other civilians in the United States. A private security guard has only that authority which his employer possesses: the employer’s basic right to protect persons and prop- erty is transferred to the security officer.‘ Most guards are not armed and can do little directly to halt an attack in progress. Guards are in a much better position to detect suspicious behavior and report it to management or authorities. The ability of local law enforcement to mobilize rapidly in the event of an attack would be critical. In this situation, communication among local law enforce- ment officials, contract security firms, and the Federal Bureau of Investigation is essential The typical training period for most security guards is less than 2 working days. Many guards, including some who are armed, receive less than 2 hours of training. Most guard personnel aren’t cognizant of their legal powers or authority. How- ever, this situation may be changing. Because demands on security guards and the potential for legal liability have been increasing in recent years, a growing number of companies and schools are providing security training. 5 The extent and cost of training security personnel employed at electric utility facilities vary by company and by site depending on the degree of risk aversion acceptable to management.§ A utility's decision to use guards at a facility would have to address a number of issues: the kind of security coverage needed and costs; the effective- ness of guards in deterring different kinds of attacks; whether to employ in-house security personnel or contract out for guard services on a temporary or permanent basis. Because many substations are located in remote areas, a related question is how long would it take for contract guards, if not stationed at the site, to arrive after a warning has been received. The rate of deployment would depend on a number of factors, including the circumstances of the event, and the location and resources of the contract security firm. A utility’s decision to employ guards as a security measure also raises a number of institutional issues. One issue is whether the government should grant police powers to utility security personnel. Advan- tages include increased authority and reduced liabil- ity risk. Potential disadvantages include abuse of authority (e.g., unnecessary arrests) and the legal implications of such abuse.’ Another issue is who should pay for the additional security. Normally, utility commissions allow utili- ties to recover security costs. Before additional security measures are taken, utilities and utility commissions will have to agree on what constitutes a valid need and is in the interest of the consumer. Coordination With Law Enforcement Agencies Ongoing communication among utilities and Federal, State, and local law enforcement agencies, is essential to reducing vulnerability. Clear lines of they enable law enforcement agencies to warn a Joseph Arwaddy, Burns International Security Services, Inc., personal communication, Jan. 23, 1990. According to Arwaddy, lees than 2 percent of security work involves armed personnel. “Charles Schnaboik, Physical Security: Practices and Technology (Wobarn, MA: Butterworth Publishers, 1963), p. 55. Noid. SArwaddy, op. cit, foomore 3. 7Norman D. Bates, ‘Special Potice Powers: Pros and Cons,"’ Security Management, Augast 1989, vol. 33, No. 8, p. 54. utility of a potential-attack, should they learn of such circumstances. Second, they allow the utility and the law enforcement agencies to coordinate armed response plans when attacks occur or seem immi- nent. Lf utilities are forewarned that an attack is likely. they can take preventive measures such as temporarily increasing spinning reserves or station- ing guards at important facilities. The North American Electric Reliability Council (NERC) has recommended that utilities establish communications with the local FBI office. Regular information exchanges with local law enforcement agencies should also be pursued. These are steps that all utilities could employ at low cost. A utility’s decision to establish a liaison with the FBI is purely voluntary, although most generally implement NERC’s recommendations. The Federal Govern- ment might consider requiring the FBI to maintain communications with utilities. If an attack is detected, whether by guards or remote surveillance, very rapid, armed response may be required to prevent damage. Such responses must be planned and tested beforehand. Considerable coordination will be required to assure that the appropriate forces are available, know what is required, and will be alerted promptly. The forces could be local or State police, or, as is already being planned for facilities vital to national security, U.S. military forces. If no response forces are available in a useful time-frame (a matter of very few minutes), increased hardening and permanent armed guards are the only options for minimizing damage. Under some conditions, it might be necessary to temporarily station armed guards, such as the National Guard, at electric power facilities. These troops could be deployed much faster and more effectively if contingency plans have been prepared and studied beforehand. LIMITING THE CONSEQUENCES If damage cannot be prevented, the next best thing is to ensure that i on customers are as low as possible. Utilities have already installed protective devices on the transmission networks such that it is unlikely that blackouts would cascade beyond the directly affected region. Other steps can be taken that would further reduce the extent of the impacts. Chapter 6—Opnons To Reduce Vulnerability « S/ Improve Emergency Planning and Procedures The behavior of a transmission system following simultaneous destruction of several key facilines cannot be predicted with complete accuracy. It depends on the circumstances on the system at the time as well as on the pattern of destructon. Considerable contingency planning under a vanety of conditions is necessary to ensure that the best responses are identified. In cases where there is some warning, operators can revise the pattern of generation and transmission so that more failures can be accommodated. In addition, operators will be required to make quick judgments after damage occurs. Training in recognizing and responding to multiple, simultaneous losses, which no utility has yet experienced, will help operators control instabil- ities and keep as much power flowing as possible. The Pacific Gas & Electric Co. has credited its drills and planning with minimizing disruption after the 1989 Loma Prieta earthquake. Modify the Physical System Transmission networks are generally designed with reserve capacity to accommodate equipment failure and maintenance requirements, and allow for unpredictable developments in loads and resources. One or two equipment failures should cause no significant problems for the customers. Transmis- sion networks could be designed to ride out virtually any conceivable attack, but that would require prohibitively expensive redundancy of equipment, including spare lines in separate corridors. However, some upgrading would limit the extent of the blackout in case of the loss of several key facilities. Analysis of the bulk power system following postu- lated severe damage can identify potential con- straints to keeping at least some of the system operating. Some of the improvements that might prove worthwhile are upgraded control centers, greater redundancy at certain substations, more protection devices and interconnections, upgraded lines, improved communications, etc. The Electric Power Research Institute is developing highly so- phisticated computer systems that could analyze and respond to abnormal fault conditions, thereby limit- ing disruption. One counter trend should be noted. Loads on transmissions lines are increasing as utilities find opportunities for economic transfers of power. Oe 52 © Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage Increasing competition in the electric power indus- try could further increase these loads.? Unless construction keeps pace with the increasing loads, the result will be smaller reserve margins. The greater the reserve margin, the more opportunities utilities would have to bypass damaged facilities. Thus increasing efficiency of use of the transmission system could conflict with reliability of service, especially under the kind of extraordinary coudi- tions considered in this report. Increase Spinning Reserves When a major failure of generating or transmis- sion capacity occurs, utilities must have replacement capacity available immediately. Since generators take some time to warm up before they can start delivering power, reserve capacity must be kept on-line. Usually this means several generators are operated sufficiently below full load so that any anticipated outage can be accommodated by an increase in their power level. The usual reserve is at least equivalent to the largest single unit or transmis- sion line in operation, in accordance with customary planning for the possible loss of any one piece of equipment. If multiple facilities are sabotaged simultane- ously, the available spinning reserve is likely to be inadequate. Operators will not be able to find adequate replacements for the isolated generators, and many areas will lose power, at least until other units can be started which may require several hours. Under such conditions, increased spinning reserve levels could significantly reduce the disruption, depending on the patterns of damage and the remaining available capacity. Utilities are prepared to increase spinning reserves temporarily if they are aware of a specific threat against them such as sabotage or major storms. Maintaining higher levels routinely would protect against unexpected attacks. If additional generating capacity is available, operating it as spinning reserve is not very expen- sive. The additional fuel and labor costs are modest. Some parts of the country currently have excess capacity which may be used for spinning reserves, although load growth is slowly reducing that surplus to historically normal levels. During certain periods, such as extreme peak hours or when multiple units are undergoing maintenance, surplus capacity is not available for increased spinning reserves. Increasing spinning reserves during those periods could require expensive new construction. SPEEDING RECOVERY Once the system has been stabilized, operators try to restore power as quickly as possible. Even after severe damage, power to parts of the system usually can be restored within a few hours by isolating the damage and resetting circuit breakers. Restoration to full service and reliability depends on at least temporary repair of the damage. The measures here are intended to eliminate constraints to both near- and long-term recovery. The benefits of expedited restoration can be extremely large, even if no power outages occur. For example, for each day that a large coal-generating unit is idled, a utility must spend on the order of $1 million for replacement power.’ Contingency Planning As in the two previous sections, advance planning and analysis is vital to minimizing problems. If utilities have already analyzed the problems, they should be able to act more efficiently. For instance, few operators have ever had to blackstart a generator or deal with an entire region of mismatched genera- tion and transmission capacity and loads. Planning can also help with longer term problems such as where to get replacement transformers and how to get them to the site. NERC has started to inventory transformers in order to facilitate emergency bor- rowing. Completion of this task, such that the operators of all key facilities know where to look to borrow critical equipment, could save precious time in an emergency. Clarify the Legal/Institutional Framework for Sharing Utilities routinely loan equipment and crews to help restore another utility’s power after an emer- gency, when this can be done without jeopardizing their own operations. However, utilities normaily maintain spare large transformers only to the extent that they are needed to permit maintenance and 5U.S. Congress, Office of Technology Assessment, Electric Power Wheeling and Dealing: Technological Considerations for Increasing Competition, OTA-E-409 (Washington, DC: U.S. Government Printing Office, May 1969). See ch. 4 for 2 discussion of the cost of disabled units. replace failures. Lf these spares are loaned, the owner is risking its own system reliability. From a national perspective, it is better to risk reliability in one area than to keep another area blacked out, but utilities cannot be expected to willingly sacrifice their own reliability for the national interest. In addition to their own economic interests, they may be con- cerned that they will be sued by their customers who suffer blackouts because backup equipment has been loaned out. The Defense Production Act and other national emergency laws already permit the government to requisition equipment (with just compensation) needed in case of a threat to the national security, for instance if a key defense facility is blacked out in time of war. There is no general power to intervene in a major economic emergency that has no national security implications, but the legal situation that would pertain is complicated.!° State governments can guarantee such transfers within their own boundaries, and utilities can make their own volun- tary arrangements including indemnification. How- ever, a national policy establishing a mechanism to determine priorities and protect economic interests may be needed to expedite action and in cases where the equipment would be shipped across jurisdic- tions. Stockpile Critical Equipment Rapid restoration of a system damaged by the loss of several large transformers requires finding and installing at least temporary replacements. Many utilities keep some spare transformers in case of equipment failure. At least one utility keeps spare Generation Step Up (GSU) transformers for each plant because of past problems with GSU reliabil- ity.!! However, these spares are typically kept at the substation site, near the operating transformers, where a saboteur could readily destroy them along with the operating transformers. If a utility is unable to obtain spares, whether from its own system or from another utility, the only other option is to order a replacement from a manufacturer. Custom- designed units may require a year or more to manufacture. Chapter 6—Opnins To Reduce Vuinerability © $3 A secure source of emergency transformers could cut many months off replacement time. Such a source could be a stockpile of the most commonly used types of transformers, available to any utility in an emergency, or it could be individual backup units for each vital substation. In either case, the units would have to be stored in a secure location, perhaps at military installations. Backups for each substation would effectively solve the problem of long-term blackouts, but at a high price. The effectiveness of a common stockpile in reducing vulnerability depends on several factors relating to the nature of the destruction. the physical characteristics of the system, the availability of spares from other sources, and the number and type of spares in the stockpile. The wide variety of transformers in use compli- cates the development of a stockpile. The major criteria are the input and output voltages and the power level. There is also a wide choice of less crucial factors such as insulation level and tolerable range of voltages. Because voltages on transmission and distribution systems are standardized, there are only a few common and important combinations of step-down voltages. Six to eight key combinations of voltages could be identified for developing model transmis- sion transformers. While there are many other voltage combinations and functions of transformers, those factors would not be the key consideration in an emergency. GSU transformers present a more challenging stockpiling problem. Because generator output volt- ages are designed to maximize operating efficiency and not according to standardized values, voltages range from 12 to 30 kV.!2 A stockpile of GSU transformers would have to make use of the ability of generating units to produce a small range of output voltages (+ 5 percent of nominal), although with a slight loss of efficiency.'? Also, ABB transformer engineers have suggested that it should be possible to design transformers to work with a variety of input voltages, in which case most 345-kV transformers could be backed up by two separate models and most 500-kV transformers by three to ‘Robert Poling, Congressional Research Service, personal communication, Feb. 12, 1990. "Bernard Pasternack, American Electric Power, persceal communication, October 1989. '2U.S. Congress, Office of Technology Assessment, op. cit., foomote 8, p. 91. '3D.G. Pink and H.W Beatty (eds.), Seendard Handbook for Electrical Engineers (New York, NY: McGraw-Hill, 1978), p. 7-34. OO 54 © Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage four common single-phase models.'* Assuming similar numbers for 230- and 765-kV units, a stockpile of GSU transformers could be based on a total of around one dozen models. Another vanable is the physical configuration. The bus from the generator carmes an extremely high current so the losses can be high. Therefore, the substation and GSU are designed to minimize the distance this current has to travel, which may call for a custom- designed connector. Power ratings, insulation levels, and impedances for both GSU and transmission transformers would have to be selected based on a trade-off of costs and expected application, and efficiencies would be suboptimal. Around 20 transformer models would cover most critical applications. However, a stock- pile would almost certainly require more than one set (three single-phase or one three-phase transform- er) of transformers of each model. For example, if saboteurs disabled four or more sets of transformers, it is probable that at least two of the sets would have the same voltage combinations and would be re- placed by the same model. The number of units of each model would have to be selected based on an assessment of the likelihood of serious sabotage. Stockpiling raw materials for the manufacture of transformers may be another way to reduce produc- tion time in case of an emergency. The customary practice is to design the transformers first and then order the materials because of the customized nature of the product and costs. Copper, for example, is special-ordered for each transformer (the copper wire is rectangular, not cylindrical, with particular width and height) and takes about 10 to 16 weeks on order. Core steel, porcelain, load-tap-changers (LTCs) are similarly special-ordered. If existing designs and stockpiled materials are used, new transformers can be produced in less than 6 months (in contrast to normal procurement of over 12 months). Additional spare transformers would be expen- sive. A set of extra-high-voltage transformers costs on the order of $2 to $5 million. If all important substations are to be backed by duplicate transform- es, the capital cost could range up to many hundreds of millions of dollars, depending on the definition of important. Common transformers would have to be designed for use in a variety of applications, so they are unlikely to fall at the low end of the cost range. This is particularly true for the GSUs, which would Tequire a mechanism to accommodate a range of input voltages. Assuming a stockpile of 40 trans- former sets (two of each model), the capital cost would be on the order of $100 to $200 million. Building and maintaining storage facilities would add to the cost. The suboptimal characteristics of common trans- formers would also result in substantial indirect costs. To match the voltage capability of a nonop- timized GSU, the generator would need to operate at other than its optimal voltage output, resulting in slightly degraded efficiency. Further, the trans- former’s generic characteristics could result in significant efficiency losses, for example if it is oversized for the generator and as a result operates at partial load. Assuming a combined efficiency loss of 1 percent, the cost at a S00-MW coal plant would be on the order of $2 million during the year required to obtain a custom-ordered replacement transformer. Presumably, however, this cost would be much less than the cost of not having a stockpiled transformer when it is needed. There would also be costs associated with trans- porting the transformer from storage to the damaged site. Both the time required and the cost depend on the location of the stockpile and the damaged site. Also, because a common stockpiled transformer would not be perfectly matched to the specific site Tequirements, it would probably be replaced by a new or repaired transformer, and returned to the stockpile, doubling transport costs. Overall how- ever, the cost of is a small fraction of the capital cost of a transformer.'5 A decision to establish a stockpile would have to address issues of how many units and of what design, where to store them, under what conditions to release the equipment, and how to transport it. Priorities for the use of stockpiled equipment should more than one utility have a need may also need resolution. Payment for the stockpile is another critical issue. Spares are typically held as an essential part of the \Lex Curtis, Manager of Techmical Sepport, Westinghouse/ABB (now ABB), personal communication, July 27, 1969. 'SHilson Peel, Manager of Operations, Virginia Electric Power Co., perscual communication, July 19, 1989. jon of a system and are included in the rate base.'® Currently, neither utilities nor State utility commissions have found compelling reasons to stockpile critical components beyond normal spares. To develop a stockpile paid for by utilities and their customers, both the utility and the utility commis- sion must agree that the expenditures are a valid cost of business in the interest of consumers. Assure Adequate Transportation Capability Moving large transformers is difficult under any condition. Frequently, bridges have to be temporar- ily braced and overpasses removed. Under emer- gency conditions, transportation could be a serious constraint. The contingency planning discussed above should identify the transportation problems that could slow delivery of transformers to key facilities (or removal from other facilities for use as replacements). Utilities can move to eliminate as many of these problems as possible. For instance, if the rail lines that brought in the transformers have closed, alternative routes could be developed. If transformers are stockpiled and many are required at once, transportation equipment itself may be a constraint. Large transformers are moved ee are only 13 in the country (plus 1 in Canada), and some handle only one type of transformer or are sufficient Schnabel Cars will be available. This might involve the production and stockpiling of the cars, or just the conversion of all existing cars to handle all transformers. If only single-phase trans- Monitor Domestic Manufacturing Capability U.S. manufacturing capability of transmission equipment, particularly the large transformers, has declined and imports have risen. The use of imported equipment per se is not a problem if it is the least expensive, best quality equipment available. How- ever, some utilities are concerned that in an emer- gency, they will have less leverage with foreign longer to deliver from abroad. Repair of damaged transformers also would be delayed if they Chapter 6—Opnons To Reduce Vulnerability © $5 had to be shipped abroad and back. At this time, it is not possible to determine what would have to be done to maintain the U.S. industry, or how great would be the value during emergencies. However. the situation would appear to warrant continued attention and analysis by the Department of Energy and the Department of Commerce. National security concerns may dictate the maintenance of some minimum capability even if it is not justified economically under normal conditions. Alterna- tively, the incentive for stockpiling may increase if supply from abroad can't be considered to be as expeditious. GENERAL REDUCTION OF VULNERABILITY The measures discussed above could be imple- mented specifically to reduce the vulnerability of existing bulk power systems. Other measures have not been listed because they would be far too expensive to retrofit. However, as the system grows, new construction is required that might emphasize different approaches. Vulnerability to massive de- struction has never been a design parameter in electric power systems (except for nuclear power- plants). Making it a parameter could guide the evolution of future systems toward inherently less vulnerable technologies and configurations. Vuiner- ability is not likely to be the key factor in most cases, but it could swing an otherwise close decision. Less Vulnerable Technologies Existing equipment has not been designed to resist sabotage. It is possible that alternative trans- mission towers, insulators, transformers, etc., could be more resistant than current practice. The Electric Power Research Institute, equipment manufacturers, and DOE might be encouraged to study how to do this. In some cases, alternative designs may be available now that would be less vulnerable even though that was not one of the design criteria. For example, underground cables are less notice- able and less accessible than overhead lines. There- fore they are less likely to be targets of casual saboteurs, and somewhat harder to attack for serious terrorists. They also avoid drawing attention to substations. Underground cables should also be more resistant to major natural disasters, since they “Toid. Chapter 6—Options To Reduce Vulnerability « $7 changes the institutional structure of the industry!9 and on the relative costs of fuels (natural gas is cularly suitable for small plants). Economies of scale have not disappeared. They merely have been overwhelmed by other factors, some of which, such as high inflation and construction stretchouts, would not be expected to recur in the future. A related issue is the use of transmission corridors and substations for multiple circuits. Utilities often try to maximize the use of corridors because it is economical to do so and increasingly difficult to establish new corridors. However, this concentration increases vulnerability. Utilities plan for common failures of adjacent facilities (e.g., a plane crashing in the corridor could bring down all the lines) but saboteurs could attack several multi-circuit corri- dors simultaneously with very great impact. The use of single-circuit corridors and substations, wherever practical, would reduce the impact of each attack commensurately. Vulnerability considerations are not likely to be dominant if traditional approaches prove much more economical. However, under some conditions, it may be worthwhile to include vulnerability as a factor when siting and sizing new facilities. Further study of the relationship between decentralization, economics, and vulnerability may be warranted. — For an analysis of the effects of competition, see U.S. Congress, Office of Technology Assessment, op. cit., foomote 8. Chapter 7 Congressional Policy Options All the measures discussed in the previous chapter would reduce the vulnerability of the electric power system. Some are already being implemented by the power industry, as utilities become more aware of the potential for major disasters. However, the level of implementation of these steps could be increased, and other effective measures are available which the industry is less likely to implement on its own initiative. Some steps, such as planning, analysis, and legal arrangements, need not cost much, but could signifi- cantly increase preparedness in case of disaster. Others, such as stockpiling, would require consider- able investment. The following analysis groups the specific measures according to whether they are likely to be implemented under present trends; or if they would require small expenditures; or whether they would be moderately to quite expensive. These groups are shown in table 7. Some of the measures are shown in more than one group, representing differing levels of implementation, or analysis in one and implementation in another. The desirability of further government involve- ment in a largely private enterprise is a matter of opinion. There is a clear government role in handling emergencies and protecting the public health and safety (e.g., minimum standards for nuclear reactor safety, and direct implementation of airport secu- rity). It is less clear how far the government should go in preventing emergencies that have major indirect but little direct impact on the public. If, in the judgment of policymakers, the threat is greater than is being recognized by industry, and the consequences have grave ramifications for the public, then policy action may be justified. How- ever, it should be noted that some of the initiatives discussed here will be controversial on ideological as well as practical grounds. PRESENT TRENDS Utilities are moving to reduce vulnerability through improved security and planning. The Na- tonal Electric Security Committee of the North American Electric Reliability Council (NERC) has made a series of recommendations intended to Teduce the risk of major damage occurring and to expedite restoration of service afterwards. The Edison Electric Institute has a security committee that coordinates information for physical protection for its member utilities. In addition, there are several government programs that analyze vulnerability and address weaknesses. These activities are described in chapter 5. Collectively, these steps are reducing vulnerabil- ity, and should lead to further improvements. However, the improvements are unlikely to be as great as could be realized if Congress takes a more activist role. Furthermore, the generating and trans- mission overcapacity of the last 15 years is diminish- ing. This overcapacity was expensive, but it had the unintended effect of providing reserves that would have been highly beneficial if a major disaster had occurred. It is likely that the increase in vulnerability due to decreasing reserve margins outweighs the improvements in security underway. The advan- tages and disadvantages of leaving the decisions in the industry’s hands follow. Advantages If decisionmakers see the threat of massive destruction as quite low, the measures already underway may be adequate. The design and opera- tion of U.S. electric power systems are quite adequate for all emergencies except the loss of several key facilities at one time. Considerable damage can be accommodated without greatly affecting customers. Only extraordinary disasters would cause more than short-term, localized black- outs. The actions utilities are taking will further fo gphedinn inl grtag Sebamed ing consequences. With the additional attention being paid to earthquakes and hurricanes, prepara- tion for natural disasters may be sufficient to handle all but very unlikely events. Under most plausible sabotage or natural disaster scenarios, the utilities themselves would be big losers, from lost sales and damaged equipment. Therefore they also have incentive to achieve a reasonable level of defense. Leaving the decision- making to the utilities on investments to protect against disasters minimizes the risk of a commit- ment to expensive measures that prove ineffective. MMMM a trrrsnee 60 © Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage Table 7—Policy Package Components Moderate Present Low to major trends cost nmvestrent A. Preventing damage x 1. Harden key substations... . 2. Survelance .............. x 2. Mealy the ayia system x 3. Spinning reserves . 5 | 2 Disadvantages Terrorist attacks are largely unpredictable. The lack of such attacks in recent years is no guarantee that there won’t be an upsurge in the near future. Several international situations, including the Co- lombian drug wars, separatism in Puerto Rico, tensions in Central America and the Middle East, and even the shifting political climate in Eastern Europe could lead to efforts to cause harm to the United States by surreptitious means. Electric power systems could be a prime target for such attacks. Even though some utilities are taking steps for protection, it is unlikely that all will implement even minimal measures. Some managers are bound to ignore low-risk, high-consequence events until they materialize, but by then it would be too late. Some areas could suffer extensive blackouts, at great economic and social cost, that might be averted or at least minimized if the government assures that the national interest is given due consideration. LOW-COST GOVERNMENT INITIATIVES Most of the measures in this package are already being addressed to some extent, and were included in the preceding section. The purpose of this package is to assure that these efforts are adequate, especially those that are voluntary for utilities. In addition. initiatives with potentially important long-term im- plications but which would not require large expend- itures of government or private funds are included. This group of options is intended for those who conclude that electric power system vulnerability is a problem that requires greater attention. but does not justify major financial commitments. Several of the steps discussed below suggest an approximate budget level for implementation by the Department of Energy (DOE) or other agency. This study has not analyzed the effectiveness or effi- ciency of any of the government agencies men- tioned. Therefore it intends no suggestion as to whether the activity could be absorbed within the existing budget by simply increasing efficiency, or if less important activities could be cut back, or whether the overall budget would have to be increased. Specific Initiatives Planning for Emergencies Most utilities with vital facilities appear to have established contact with the Federal Bureau of Investigation (FBI) to facilitate warnings that sabo- tage efforts are likely. DOE could perform a survey to confirm this coordination (which in itself would encourage utilities to establish and maintain these contacts) and perhaps sponsor regular meetings among utilities with critical facilities and the appro- priate law enforcement agencies. This activity would require perhaps $100,000 in DOE’s budget for the Office of Energy Emergencies (OEE). DOE could also play an important role in coordi- nating utility emergency plans. Many of OEE’s activities have been concerned with national secu- rity issues—assuring that vital military and indus- trial facilities will not be crippled by power short- ages during an international crisis. Less attention has been paid to the economic damage that could be Department of Defense (DoD) has a list of transmis- sion substations that are vital to militarily important facilities, but DOE has no i list for facilities vital to major civilian load centers. OEE could expand its cooperation with NERC, individual utilities, and State and local ts to analyze a wide range of disasters. OEE could then heip the utilities and local police (or other agencies) plan Sw we mee emergency responses. These same exercises could include emergency planning to limit the conse- quences of damage and speed recovery (e.g., contin- gency planning for locating and transporting spares). All these activities could require OEE expenditures of several hundred thousand dollars annually, de- pending on how rapidly the analyses and planning exercises are to be completed and how often they would have to be updated. The Federal Emergency Management Agency (FEMA) and other govern- ment agencies should also have a role in this emergency planning. Increased Spinning Reserves Increasing spinning reserves beyond present lev- els would have to be either mandated or paid for by the government. Additional equipment would have to be kept operating, which incurs manpower, fuel, and maintenance costs. In some cases, low-cost units would have to be operated at less than full load to supply spinning reserves because other units couldn’t be operated at the necessary levels. Con- struction of new generating equipment would also be required if the installed capacity was inadequate to support higher reserves, as is becoming true in many parts of the country. Both the costs and the value of increased reserves are uncertain. Utilities have not yet determined the cost of spinning reserve as a separate, unbundled service to be purchased under competitive generation. A DOE study, possi- bly done in cooperation with NERC, could be of value to determine the costs of increased spinning Teserve and the value if widespread damage does occur. Increased Sharing of Spares Congress can consider legislation to encourage the sharing of backup equipment, which utilities would otherwise consider necessary for their own system. This legislation would establish a forum for determining priorities in a national emergency and relieve lending utilities of liability for power outages in their own territory stemming from the absence of this equipment. The purpose would be to improve the chances that spare transformers and other key equipment are available where most critically needed. The first step would be to request a legal analysis, perhaps from the Congressional Research Service, to determine the applicability of existing legislation to a situation of a major, long-term power crisis that does not have great national security implications. It also could be beneficial to have DOE Chapter 7—Congressional Policy Opnons ¢ 61 analyze how to include such sharing of otherwise unavailable equipment in the emergency planning discussed above. Assuring Adequate Equipment Supply The future of the electric equipment supply industry is of concern to both DOE and the Department of Commerce (DOC). A joint study of both its competitiveness and its role during emer- gencies would establish whether there is a govern- ment interest in maintaining particular capabilities. This study would not have to be very large. DOC already has studied the competitiveness of the industry. Utilities and the supply industry, both here and abroad, should cooperate in determining how equipment would be handled during an emergency. Analyze Vulnerability Implications of Future Growth DOE could also consider how the long-term evolution of the industry could be guided toward reduced vulnerability. Analysis of different technol- ogies (e.g., underground cables) and configurations (e.g., small, dispersed generation) could determine the relative vulnerability, costs, operability, etc. In addition, the study would consider how to get the industry to give low-vulnerability options proper consideration. This would be a complex, demanding study with many different lines of analysis. Advantages This package of options would raise the visibility among utilities of the necessity of preparing for major attacks. Advance emergency planning should improve the handling of a disaster and the recovery afterwards, at least if the disaster conforms to anticipations. Few attacks would be deterred by this package, but the impact of some could be reduced. This package would also raise the priority given to such preparation by government agencies and pro- options should lead to a useful reduction in vulnera- bility without requiring much investment by either government or industry. Disadvantages There are no real disadvantages to this package. The main question is whether the modest gains justify the modest costs. It is impossible to quantify the benefits of this package relative to present trends, but they are unlikely to be major, at least in regard | 62 © Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage to terrorist attacks. There are too many different ways in which the system can be attacked to anticipate all of them. Advance planning by utilities has obvious value, but it would still be easy to overwhelm these preparations with a large-scale attack. Even routine vandalism, including shooung at transmission lines and substations, would not be greatly deterred. The studies proposed could be useful, but unless the results are implemented, they would provide no significant benefits. MODERATE AND MAJOR INVESTMENTS TO REDUCE RISKS If the initiatives discussed above are seen as inadequate, the next step is to ask what could be accomplished at higher cost. There are several options outlined in the previous chapter that entail considerable cost but promise significant reduction in vulnerability, at least under some conditions. Utilities are not likely to undertake these measures on their own. The measures are intended to address low-probability, high-consequence events that utili- ties do not consider sufficiently probable to include in their reliability considerations. If policymakers find that national interest considerations require that these investments be made, it is likely that the government will have to at least share expenses or coerce utilities. Sharing expenses will call for significant government ¢ i at a time of considerable budget difficulty. One possibility would be a kind of users fee: a small, temporary tax on power sales. For instance, a tax of 0.01 cent per kilowatt-hour (raising an 8 cent/kilowatt-hour charge to 8.01 cents) would produce almost $300 million per year while remaining virtually invisible to all but the largest users. If imposed for a year or two, this tax would pay for most of the proposals discussed here. oe eS some States to fund energy studies, for —.. However, the fact that such a tax would not obvious does not justify it if the need for government involvement is seen as very small. Specifle Initiatives Protect Facilities damage, especially from low-level threats (unso- phisticated saboteurs and vandals). The problem is to determine which facilities are worth protecting, what measures to take, and how to pay for them. DOE presumably would identify the most important facilities if the analyses of the previous section are performed. Depending on the decrease in vulnerabil- ity desired (i.e., how many areas are of concern, the acceptable duration of blackouts, and the level of reliability required after a disaster) there could be as few as 30 or as many as 150 facilities that would require protection to significantly limit the long- term disruption following a multi-site attack. The exact protection measures—hardening, surveil- lance, guards—for each facility would depend on its importance, physical characteristics and location as well as on the nature of the anticipated threat. Both DoD and DOE have extensive experience in protec- tion design though they may not have applied it to many substations. These agencies could expand on DoD’s Key Assets Protection Program to include designs for physical protection. The utility owner should also be involved in this exercise to ensure that the physical protection and its implementation would not interfere with the operability of the facility. The cost of physical protection such as remote surveillance equipment and walls around the trans- formers would be highly variable, but the one-time total might be on the order of several hundred thousand dollars for each substation. This is only a few percentage of the cost of the facility, but it is still significant. Stationing a guard during off-hours (about 130 hours per week) would entail an annual cost that might be on the order of $50,000 to $100,000. It is likely that some utilities would be reluctant to make these changes voluntarily. The benefits (e.g., reduced threat of a major blackout) considered in arriving at the level of protection specified, accrue largely to the users of the power, not to the utility. Therefore it is likely that the government would have to mandate these improve- ments or pay for at least part. Make Power Systems More Resilient The analysis that identified key facilities presum- Con (e.g., upgraded control centers, improved commmmnisadians) to tie physical aysiaun teat would help maintain reliability following major damage the system. However, getting these modifications implemented is likely to be difficult because 00 appropriate policy tools exist. Utilities build thet bulk power systems according to industry standards for reliability. Other than certain licensing proce- dures and interstate economic regulation, the Fed- eral Government has little direct influence on how transmission systems are built and operated. The Federal Government does not tell utilities when to build more lines, how to operate them, or how to assure reliability. Unlike upgraded physical protec- tion, which involves decisions on relatively few key facilities, system improvements are likely to entail many small modifications. Voluntary cooperation on the part of utilities would be essential. One way would be for DOE to establish a program to help utilities identify weak points that would hamper recovery from a widespread attack, and at least share the costs of corrective action. Utilities would be particularly uninterested in extremely expensive physical modifications, such as increased generating and transmission reserves. Utilities are concerned with building new capacity to meet growing demand, but not to increase reserve margins above the levels they find prudent. Any estimate of the level of funding that would be required is highly speculative at this time because analyses showing what would be needed have not been conducted. Stockpile Transformers Stockpiling of transformers beyond the spares kept for customary reliability purposes is also of little interest to utilities, though there has been at least one case of the lack of a spare keeping a low-operating cost, nuclear powerplant inoperable for a considerable period. The total cost of establish- ing a stockpile would be large, perhaps $100 to $200 million. Requiring utilities to back up each impor- tant transformer would cost several times as much. However, the cost of either approach would be small compared to the benefits if several substations are destroyed simultaneously. A transformer stockpile would be needed only to counter terrorist threats since natural disasters (or even casual attacks) are very unlikely to damage more than one or two substations. The likelihood of a major assault is outside the scope of this analysis. If policymakers and the industry are convinced that the threat is Chapter 7—Congressional Policy Opnons ¢ 63 sufficient, a government-industry cooperative ven- ture might be possible. In addition to establishing the stockpile, decisions must be made on where to locate it, how to maintain it, how to allocate the transform- ers in case of a major emergency, and how to expedite their transport. Considerable advance plan- ning and analysis must be conducted before imple- mentation. DOE and FEMA might cooperate with the industry on these studies. Advantages Collectively, these steps would greatly reduce the vulnerability of the U.S. electric system to the kinds of attacks (see ch. 2) that have been experienced in the United States. The risk of major disruption from small-scale terrorist attacks would be virtually eliminated. In addition, normal operation should be more reliable because of greater reserve margins. Disadvantages Several of these steps could be very expensive (e.g., greater reserve margins, stockpiling). Appor- tioning these costs among utilities, rate-payers, and government will be difficult unless a general kilo- watt-hour tax, as discussed above, is imposed. Furthermore, power systems would still be vulnera- ble to sophisticated saboteurs, including sophisti- cated terrorist groups as well as national comman- dos. These measures would make destruction more difficult and perhaps reduce the damage, but they won’t eliminate the greatest concerns. Furthermore, even greatly enhanced resistance to sabotage is likely to simply move the problem somewhere else. For instance, small groups deterred from attacking substations could simply shoot transmission lines out. While the impact of a single incident would be much less dramatic and lasting than that of blowing up several substations, it could be repeated fre- quently over a wide ic area, achieving much of the same disruption. Alternatively, the saboteurs could turn to telecommunications, water supplies, or other infrastructure elements. Thus, it is questionable how much protection would be pur- chased by these options for society as a whole. Office of Technology Assessment The Office of Technology Assessment (OTA) was created in 1972 as an analytical arm of Congress. OTA’s basic function is to help legislative policy- makers anticipate and plan for the consequences of technological changes and to examine the many ways, expected and unexpected, in which technology affects people's lives. The assessment of technology calls for exploration of the physical, biological, economic, social, and political impacts that can result from applications of scientific knowledge. OTA provides Congress with in- dependent and timely information about the potential effects—both benefi- cial and harmful—of technological applications. Requests for studies are made by chairmen of standing committees of the House of Representatives or Senate; by the Technology Assessment Board, the governing body of OTA; or by the Director of OTA in consultation with the Board. The Technology Assessment Board is composed of six members of the House, six members of the Senate, and the OTA Director, who is a non- voting member. OTA has studies under way in nine program areas: energy and materi- als; industry, technology, and employment; international security and com- merce; biological applications; food and renewable resources; health; communication and information technologies; oceans and environment; and science, education, and transportation. CONGRESS OF THE UNITED STATES Orrice OF TECKNCLIG’ ASSESSMENT NASMINGTON DS 206 1-4C2E BOSTAGE ANO FEES 7410 OFFICE OF TECHNOLOGY ASSESSMEN™ OTA-E-453 JUNE 1990