On September 12, 2024, the National Governors Association (NGA), in partnership with the National Association of Regulatory Utility Commissioners (NARUC), National Association of State Energy Officials (NASEO), National Conference of State Legislatures (NCSL) and National Emergency Management Association (NEMA), hosted a one-day, in-person workshop at Exelon’s Baltimore, Maryland headquarters to discuss strategies state leaders can implement to protect electricity, oil and natural gas infrastructure from physical attacks. This meeting, supported by the U.S. Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response (DOE CESER), convened experts from state governments, federal agencies, law enforcement and the energy sector to examine the threat landscape, identify key barriers to mitigating physical attacks, and share best practices for improved coordination and information sharing between the states and key stakeholders. Attendees also had the opportunity to tour a local Baltimore Gas & Electric substation on September 11 to learn about physical security protective measures and procedures.
The safe and reliable provision of energy is an essential component of everyday life, and all other critical infrastructure sectors are dependent on power or fuel to operate. Energy infrastructure faces many threats, including severe weather, cyber-attacks and physical attacks. The frequency of physical security incidents against U.S. electricity infrastructure continues to increase and state leaders are eager to identify strategies to mitigate risks from physical attacks to energy infrastructure and increase the resilience of energy systems. Through facilitated discussion at the Roundtable, participants identified persistent challenges as well as key actions that state leaders, law enforcement, federal agencies and the sector can take to protect energy infrastructure against physical attacks.
This meeting was supported by the U.S. Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response. NGA thanks NGA Partner Exelon for hosting the meeting at Exelon’s Headquarters in Baltimore, Maryland.
Key Takeaways
Coordinated risk assessments between utilities and state leaders can increase the resilience of the energy sector and improve emergency preparedness and response.
Owners and operators of energy infrastructure noted the importance of risk assessments for energy infrastructure. Risk assessments can be used for the consideration of innovative and effective risk mitigation strategies to protect infrastructure, as well as the prioritization of the most critical sites. Utility risk assessments would benefit from input from state energy, emergency response and homeland security leaders to inform investment prioritization, provided
this is done in a way that does not compromise sensitive data. Coordination with state agencies can provide a different, holistic perspective, inclusive of other critical infrastructure interdependencies such as water, waste management, healthcare and more. Similarly, utilities and infrastructure owners and operators can provide information to state policymakers as security investment and funding determinations are made. Increased coordination and collaboration of risk assessment and analysis efforts can improve outcomes and inform mitigation investments and priorities, as well as emergency response plans and processes.
All 56 states, territories and the District of Columbia recently conducted risk assessments for their State Energy Security Plans (SESPs). States and territories continuously exercise and iterate on these plans, updating assessments, contact information and outlooks to ensure they are up to date and effective. A key component of risk assessments in SESPs is stakeholder engagement with utilities, the energy sector and other key stakeholders.
Strong relationships between state leaders, law enforcement, and energy infrastructure owners and operators are important for preparedness and coordinated response.
Participants discussed the importance of establishing relationships and building intelligence capabilities between state officials, state and local law enforcement, fusion centers, federal partners such as the U.S. Department of Energy (DOE), Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), and other entities like the Joint Terrorism Task Force, as well as critical infrastructure owners/operators. These relationships should be built during blue sky periods and can be strengthened through regular engagements, such as joint exercises or site tours.
Maryland 2023 Foiled Attack: In February 2023, the Baltimore Field Office of the Federal Bureau of Investigation (FBI) and the U.S. District Attorney for Maryland arrested two individuals who plotted to attack several energy facilities in Baltimore, Maryland. Through coordination between the regional FBI office, the Joint Terrorism Task Force, Maryland State Police, and Baltimore County Police, damage to energy infrastructure was prevented and service was not disrupted. This coordination of law enforcement and information sharing between public and private entities serves as an example of effective engagement and communication, and the importance of building and maintaining strong relationships with key stakeholders.
As the first responders to a physical attack and a key source of threat information, building a strong relationship with law enforcement agencies is important for emergency response and information management.Â
To support intelligence capabilities, states can devote resources to help those utilities distill threat information. This can be particularly important for jurisdictions that have smaller utilities with limited resources. Similarly, the energy sector can work with law enforcement to provide sector overviews and foundational knowledge. For example, trade associations like the American Gas Association and Interstate Natural Gas Association of America have provided sector overviews to fusion centers to increase awareness and understanding of energy infrastructure within their jurisdiction. Where not already occurring, state leaders can work with energy infrastructure owners and operators to facilitate guidance for first responders on how to approach energy infrastructure safely and/or who to communicate with in the event of an incident. There may also be an opportunity for critical infrastructure owners and operators to coordinate with state and local law enforcement on how patrols are structured so as to provide an additional visible deterrent to potential attackers. While these relationships exist for many utilities, state leaders can play a crucial facilitating role to build connections between infrastructure owners/operators and state and local law enforcement.
The constraints of legal definitions of physical attacks and incidents can have impacts on response, investigation and potential prosecution. Attendees considered how legal definitions of certain actions considered to be physical attacks on energy infrastructure can impact deterrence and the efforts of law enforcement to investigate and prosecute such crimes. Specifically, definitions in statute of what constitutes theft, vandalism, destruction, sabotage or terrorism can carry different sentences.
Challenges persist in sharing sensitive information about critical energy infrastructure during steady-state and emergencies.
States, federal partners and the energy sector continue to identify communication methods to share risks and threat intelligence. Opportunities remain to develop more coordinated risk assessments and information sharing channels that can account for public and private sector priorities.
State policymakers can review state laws and regulations governing the sharing of sensitive information, known as Critical Energy Infrastructure Information (CEII), and proprietary business information to create a pathway for the sharing of sensitive information that all parties feel comfortable with. This can include a determination of what information is shared and with whom, and the appropriate classification levels that are necessary. States can consider introducing legal protections to exempt CEII from Freedom of Information Act (FOIA) requests and other public disclosure requirements. In certain cases, federal law enforcement officials may waive clearance requirements for executives to share threat or emergency information.
Virginia Law Protecting Critical Infrastructure Information: Virginia has amended the state Freedom of Information Act statute to include exemptions for information that pertains to critical infrastructure and vulnerability assessments or security plans. This reduces the availability of sensitive information related to the locations, criticality, and vulnerabilities of critical infrastructure, including energy infrastructure.
In the event of an attack, misinformation can spread and cause further public safety concerns. Ensuring a unified message across public and private stakeholders is important to reduce the likelihood of confusion and misinformation. State leaders can coordinate public communications and emergency response efforts through a joint information center (JIC) to ensure a unified message and reduce the likelihood of misinformation. These communications practices should be established and documented in advance of an incident to enhance coordination across agencies and with the energy sector.
Funding to prevent or mitigate physical attacks on energy infrastructure is needed.
Challenges persist for determining the value of energy security and resilience. Investing in enhanced physical protections, such as ballistic shielding and advanced thermal imaging CCTV cameras, may be appropriate at certain sites identified as most critical, but identifying these sites and associated tactics through a risk-based analysis would have the greatest per dollar impact.
Determining the most prudent investments can include risk-based, system-wide analyses that factor in the types of customers impacted by energy disruptions. A transparent, collaborative process will allow state leaders to identify priority facilities and help to assure regulators that investments are prudent. The utilization of risk assessments as well as sector-wide analyses and information from the U.S. Department of Energy and NERC Electricity Information Sharing and Analysis Center (E-ISAC) can help inform investment decisions.
Attendees discussed potential considerations for states to increase physical security and resilience investments, including the possibility of including guidance within resilience grant programs to emphasize the importance of, or grant preference towards, project proposals that incorporate energy security investments or stack physical security measures on to resilience projects.
Conclusion
Bolstering the physical security of energy infrastructure and mitigating the risk of a malicious attack is a critical component of a resilient energy system. The State Experts Roundtable on Protecting Energy Infrastructure from Physical Attacks identified several opportunities for state leaders to improve physical infrastructure security in partnership with the energy sector. These include clarifying and improving threat sharing processes, an understanding of the risk to the most critical of energy assets and ensuring security investments in energy infrastructure are supported by risk analyses. Joint exercises and ongoing relationship-building activities like this Roundtable are crucial to identifying gaps in information sharing and protection efforts, as well as in fostering increased coordination. The state associations (NGA, NARUC, NASEO, NCSL and NEMA) will continue to collaborate with one another, DOE, and the energy sector to support state and territory efforts to prepare for and respond to physical attacks on energy infrastructure.
Helpful Resources
Federal Resources
State Association Resources
Sector Resources
This publication was prepared by Fiona Forrester, Policy Analyst, Energy and Phil Nichols, Senior Policy Analyst, Homeland Security & Cybersecurity with support from Dan Lauf, Program Director, Energy and Jessica Davenport, Program Director, Homeland Security & Cybersecurity of the NGA Center for Best Practices. The authors acknowledge and thank the following organizations for their reviews and contributions:
- U.S. Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response
- National Association of Utility Regulatory Commissioners,
- National Association of State Energy Officials
- National Conference of State Legislators
- National Emergency Management Association
For additional energy assurance and security resources, please reach out to the energy or homeland security program directors at the NGA’s Center for Best Practices: Dan Lauf (dlauf@nga.org) and Jessica Davenport (jdavenport@nga.org).