Terrorists take aim at PG&E. Can it shield itself?

After masked gunmen popped out of a manhole into a San Jose, Calif., substation last year, firing automatic weapons and destroying 17 transformers, Pacific Gas & Electric Co. (PG&E) got the message. The utility will spend $100 million over the next three years beefing up security at its Northern California operations that is home to many of America's high-tech giants.

In a world where terrorists are looking to stage dramatic attacks, Silicon Valley represents a huge opportunity. One way to bring it down is by attacking the electric grid that powers it – not just with cyber weapons but also with physical assaults. How PG&E responds to these threats is an early test of how well utilities in the United States, especially those serving high-profile centers of finance and government, will protect themselves from an amorphous, ever-evolving enemy.

“The bad guys are getting smarter,” says Siobhan MacDermott, chief information security officer for Utilidata, a Providence, R.I.-based firm that advises companies on how to protect their critical infrastructure. “It used to be that Wall Street companies were attacked, cyberwise. Then the attackers started to look at where they would get the most impact: Google, Facebook, Amazon – all of which are in Silicon Valley and in PG&E’s network.”

The good news is that PG&E has hired the best minds and is investing plenty of money to deter such violations, she says in an interview.

The company will start by erecting fences that can obscure sensitive operations as well as by improving lighting and providing better physical security as well as cybersecurity. The company will also enhance its internal and external communications, and its coordination with local law enforcement – all things that it revealed at a workshop it performed before its California Public Utilities Commission.

One of the secrets to its success is that PG&E is bridging its information technology department with its operations unit, meaning that those who are responsible for securing the company are communicating closely with those who keep the lights on, Ms. MacDermott adds.

Plenty can go wrong. Some common ways that cyberattackers can enter secure systems is by impersonating key corporate personnel, she says. Unknowing employees then provide the names and passwords that allow attackers to access sensitive information. Or they plug USB devices into networks by using a power box located near the facility, giving them entry.

“Utilities need to continually increase cyber security awareness and accountability to strengthen the weakest link: humans,” adds Scott Marshall, senior consultant for critical infrastructure at Norway-based DNV GL, in an e-mail.

The electric grid is a fat target for two reasons. First, it's a critical economic asset. A single brownout can cost as much as $10 billion, which comes in the form of direct losses as well as lost opportunities, estimates the Federal Energy Regulatory Commission, or FERC. Second, the grid is vast: some 200,000 miles of wires serving more than 300 million people and valued at $1 trillion.

The Department of Homeland Security reports that in 2012 there were 198 attacks on oil pipelines, electric grids, and other critical infrastructure assets – and that utilities may need better insight into who has admission to these areas. Because the network is so interconnected, managerial and information systems should be capable of catching internal errors or intentional sabotage, concludes a November 2012 report by the National Academy of Sciences.

The question for lawmakers is whether the FERC should require utilities to take certain precautions, such as forcing background checks on key employees, as suggested by Democrats in a congressional study last year, or whether today's largely voluntary system is better.

Power companies are already supposed to certify with the FERC that they have developed robust systems that can continue to generate and deliver power if attacked. To comply, they are describing their potential risks based on historical accounts. But utilities prefer voluntary efforts, noting that as owners of the assets, they are naturally motivated to secure them. More than 200 utilities and several government agencies participated in an emergency drill last fall that simulated prolonged blackouts from both physical and cyber attacks.

Utilities have yet to deploy new physical and cybersecurity systems on a wide scale, mostly because the threats are continually evolving in type and sophistication and because companies must budget for such unforeseen threats. But as the spotlight shines on these issues, utilities and regulators are motivated to act.