Physical attack is the risk of a threat actor motivated to cause harm to the power grid using low-cost means such as guns or bombs (referred to as ballistics attacks) or vehicular impacts. Threat actors target high-value or long-lead-time equipment, which may be located at critical facilities. The typical physical controls deployed at most facilities focus on denying unauthorized access to the facility. Those controls are fences, gates, locks, and cameras, and while they can stop the opportunistic threat actor intent on criminal activity such as theft and vandalism, they are not effective against attacks launched from outside a facility.
There was a widely publicized attack in December 2022 on two substations in Moore County, North Carolina. Ballistics were used in that attack to damage and take substation equipment out of service, leading to tens of thousands of customer outages, some of which lasted for multiple days. Bulk Electric System equipment was not targeted; thus, customer outages were localized. This attack followed a similar attack on the Metcalf substation in California in 2013 and is a reminder that electric facilities are a valuable target for threat actors.
The NERC CIP-014 standard is focused on identifying and protecting transmission facilities from physical attack. However, this standard has limited effectiveness against a threat actor who is acting outside the perimeter of a facility. It is impractical and cost-prohibitive to fully protect transmission equipment from all levels of physical attack.
In addition to existing perimeter controls and protections put on critical transmission equipment, reliability and resiliency measures should be pursued to limit the impact of equipment attacks. Increasing redundancy in the system and adding controls that offer delay and detection provide time for authorities to respond to the attack.
Preventing physical attacks launched from outside a facility with weapons and ballistics requires controls that deter, detect, and delay a threat actor. That combination reduces the probability of a threat actor targeting a critical facility to begin with, and also buys time for law enforcement to respond during an active attack. The ready availability of open-source information exacerbates this risk because it helps inform threat actors of potential targets to attack.