November 03, 2009

Just How Vulnerable is DoD's Grid Security? Not Quite Sure, Says GAO

Last week I covered an event at the Wilson Center where Dr. Amory Lovins, a member of the Defense Science Board’s Task Force on DoD Energy Strategy, gave a stark presentation on what he deemed to be the real clear and present danger to national and theater energy security: electrical grid vulnerabilities. His address came just days after the Governmental Accountability Office (GAO) released its report, Defense Critical Infrastructure: Actions Needed to Improve the Identification and Management of Electrical Power Risks and Vulnerabilities to DoD Critical Assets (pdf). This morning I thought I would share what I found to be the most significant takeaways.

According to the GAO, the Department of Defense “depends overwhelmingly on the U.S. commercial electrical power grid for electricity to support its operations and missions.” (p. 10) In fact, 99 percent of the energy consumed by DoD installations is generated from outside the installation, while 85 percent of the energy infrastructure that DoD relies on is commercially owned. This bodes poorly for the Department given that, according to the DSB Task Force on DoD Energy Strategy, the commercial power grid is “brittle, increasingly centralized, capacity-strained, and largely unprotected from physical attack, with little stockpiling of critical hardware.” (quoted in Defense Critical Infrastructure, p. 13)

The GAO outlined several factors that contribute to the commercial grid’s vulnerability, including:

… (1) Increasing national demand for electricity; (2) an aging electrical power infrastructure; (3) increased reliance on automated control systems that are susceptible to cyberattacks; (4) the attractiveness of electrical power infrastructure as targets for physical or terrorists attacks; (5) long lead times (of several months to several years) for replacing high-voltage transformers – which cost several millions of dollars and are manufactured only in foreign countries – if attacked or destroyed; and (6) more frequent interruptions in fuel supplies to electricity-generating plants.  (p. 13)

Because of DoD’s dependence on the commercial electricity grid, its “most critical assets and the missions they support are vulnerable to disruptions in the electrical power supplies.” According to the GAO’s survey of the Department’s most critical assets, “all of these assets require electrical power continuously in order to function and support their mission(s).” What is more, the GAO concluded that the “most critical assets depend on other supporting infrastructure – such as water, natural gas; and heating, ventilation, and air conditioning – that in turn also rely on electricity to function.” (p. 22)

In October 2008 the Defense Critical Infrastructure Program (DCIP), the Department’s apparatus for identifying and managing vulnerabilities to DoD infrastructure, designated 34 assets as most critical to DoD operations and missions. According to the GAO, these assets have been designated with such “extraordinary importance” that “their incapacitation or destruction would have a very serious, debilitating effect on the ability of the department to fulfill its missions.” (p. 15)

As the GAO noted in its findings, 29 of the 34 critical assets are owned by DoD, while five are owned by domestic and foreign commercial and foreign government entities. During its survey, the GAO concluded that “at least 24 of the 34 most critical assets experienced some electrical power disruptions – lasting up to 7 days – during the 3-year period from January 2006 through December 2008, and the missions supported by 3 of those critical assets were adversely impacted by electrical power disruptions.”  (p. 22)

In April 2008, DoD Instruction 3020.45 (pdf) implemented a requirement for the Department to conduct a critical infrastructure vulnerability assessment on its most critical assets every 3 years. Since the Department identified its most critical assets in October 2008, it has until October 2011 to complete these vulnerability assessments. However, according to the GAO, as of June 2009,

DOD had conducted DCIP vulnerability assessments on 14 of the 34 most critical assets; had scheduled additional assessments for 13 other most critical assets from July 2009 through December 2010; and had not yet scheduled assessments for the remaining 7 most critical assets. (p. 24)

It is important to note that of the seven most critical assets that have not been scheduled for vulnerability assessments, five of them are not owned by DoD. Part of the reason that they have not been scheduled for vulnerability assessment is a fear shared within the Department that “notifying a U.S. or foreign commercial entity, or a foreign government, about its asset’s designation as one of DOD’s most critical assets could compromise DCIP security guidelines or U.S national security.” (p. 25)

These are some of the most significant findings that the GAO concluded in its report. Below are some of the other significant findings that I have taken in full from the report’s executive summary (p. 7):

  • The U.S. Army Corps of Engineers has not completed the preliminary technical analyses requested because it has not yet received infrastructure-related information regarding the networks, assets, points of service, and inter- and intradependencies related to electrical power systems that it requires from the military services.
  • Although DOD is in the process of developing guidelines, it does not systematically coordinate Defense Critical Infrastructure Program vulnerability assessment processes and guidelines with those of other, complementary DOD mission assurance programs—including force protection; antiterrorism; information assurance; continuity of operations; chemical, biological, radiological, nuclear, and high explosive defense; readiness; and installation preparedness—that also examine electrical power vulnerabilities of the most critical assets, because DOD has not established specific guidelines for such systematic coordination.
  • The 10 Defense Critical Infrastructure Program vulnerability assessments we reviewed did not explicitly consider assets’ vulnerabilities to longer-term (i.e., of up to several weeks’ duration) electrical power disruptions on a mission-specific basis, as DOD has not developed explicit Defense Critical Infrastructure Program benchmarks for assessing electrical power vulnerabilities associated with longer-term electrical power disruptions.

The GAO outlined its five recommendations for executive action on page 39, but the bottom line is that the Department needs to complete its vulnerability assessments on all of its critical assets, both DoD- and non-DoD-owned, by October 2011 (as required by DoD Instruction 3020.45). Because “until DOD completes these DCIP vulnerability assessments, the department will not have complete information about the electrical power vulnerabilities for all the most critical assets.” Until it knows the full extent of this vulnerability, dependence on the commercial electric grid could, as Dr. Amory Lovins suggests, represent a clear and present danger to national and theater energy security, and DoD operations and missions writ large.

GAO Report: Defense Critical Infrastructure