Darkest Night

The vulnerability of the grid, and what to do about it.

by Peter Schiavelli

Just before midnight on September 1st, 1859, the clear night sky over the Rocky Mountains was suddenly set ablaze. Streams of color erupted from the horizon: long, glowing tendrils that slashed across the dark expanse and hung there, draped like a net over the sky, slowly shifting in color from red to orange, to yellow, to white, and back again.

Magnetic readings the day of September 1st, 1859, taken by The Greenwich Observatory, London.

As the minutes passed, the aurorae grew brighter, and the tendrils were joined by a rolling, ruddy, flocculent haze. Soon the florid sky became so bright that camping miners awoke and began to make breakfast, convinced that they must have slept soundly through the night, and that they were witnessing the rise of an especially sanguine sun.

The Cincinnati Daily Commercial described the firmamental display as “a glorious canopy”; The New York Times called it “a livid red flame…[that was] magnificent auroral glory.” The celestial conflagrations continued all through the night, until they were finally washed out by the dawn.

The scene inside telegraph offices, on the other hand, was utter chaos. While the miners were outside, basking in the magnificence of a sky the likes of which hadn’t been seen in 500 years, the telegraphers were inside, dealing with machines so overcharged with electrical current that they were close to combustion.

London in 1860.

The machines acted as if possessed: they rained sparks, ignited telegraph paper, and even electrocuted an unlucky operator so severely that a visible spark shot out from his forehead.

Naturally, the telegraphers disconnected their systems from their power sources, only to discover that the lines somehow remained operable (if unpredictable), and the most adept of the operators were actually able to continue sending and receiving messages powered solely by the electricity in the air.

The most adept of the operators were actually able to continue sending and receiving messages powered solely by the electricity in the air.

Astronomer Richard Carrington

The legendary white-light flare sketch of Richard Carrington and Rodger Hodgson on September 1st, 1859, which correctly predicted the second Earthwide Solar Flare of the Carrington Event.

The event became known as the Carrington Event—named after Richard Carrington, a British amateur astronomer who had, earlier that day, observed “two patches of intensely bright and white light” on the sun’s surface that were eventually connected to the auroral display that night—and it was the most powerful geomagnetic storm to hit Earth on record. In 1859, few things were affected by electromagnetic surges—Thomas Edison wouldn’t demonstrate his light bulb for another twenty years—so the damage was relatively negligible. Today, a solar storm of that magnitude is one of the National Intelligence Council’s six “black swan” events, because it could mean the end of civilization as we know it.



In 2015, Lloyd’s of London and the University of Cambridge’s Centre for Risk Studies issued a report called “Business Blackout” that examined the economic effects of a cyberattack on the United States’ electric grid. This report imagined a scenario in which a number of electrical substations were remotely deactivated, resulting in a 15-state blackout over the Northeast United States.

Power was restored to some areas in a matter of days, to others in a matter of weeks. The scenario was significant but not catastrophic—the impacted area was relatively limited, the blackout short-lived—but the estimated economic losses alone still topped $1tn.

The Eastern Seaboard of the United States, as seen from an expedition 30 crew member aboard the International Space Station. (NASA)

A far grimmer scenario also exists. Instead of a cyber-attack temporarily deactivating a handful of substations, irreparable, structural damage is done to a number of extra-high voltage (EHV) transformers. Usually, when a transformer goes off-line, its electrical load is diverted to adjacent units, which bear the increased load until the transformer can be reactivated, but, this time, so many are disabled that too much power is diverted.

A grid substation

The sudden influx overloads adjacent transformers, knocking them out as well. Transformers fall like dominoes, and soon the entire national grid succumbs to a massive cascading blackout. Because the transformers are broken and not just switched off, they must be physically replaced or repaired, processes that can take between six and eighteen months.

Illuminated from above.

The darkness persists. Gas stops pumping; transmitters stop relaying. Without fuel or signal, the country’s transportation, communication, and agricultural systems soon fail. Shops and markets are looted and stripped in days. What food there is spoils without refrigeration, and new supply is cut off. Without working treatment centers, raw sewage pours into our water. Police and military are outnumbered and impotent; they abandon their jobs to focus on protecting their families. Lines for fuel and potable water are twelve hours long, and most of the supplies are hoarded by roving militias. As the weeks become months, people resort to drinking from contaminated pools and wells. Many starve. As the blackout continues, diseases—particularly waterborne ones like cholera—run rampant. Martial law prevails. The Congressional EMP Commission estimated in 2008 that within one year of societal breakdown, two-thirds of Americans would be dead.

This scenario is extreme, yes, but not nearly as outlandish as we’d like to believe. The United States’ electrical grid, in its current state, is vulnerable. It is vulnerable to temporary deactivation, and—potentially far more devastating—it is vulnerable to a permanent crippling of its infrastructure.



An American power station, complete with Extra High Voltage Transformers (EHVs)

At its most fundamental, the structure of the electrical grid has three parts: the producers, the transmitters, and the distributors. In order for electricity to get from the producers (power plants) to your home, it must be transmitted long distances. And in order for it to be transmitted long distances, its voltage must be increased at the production source, then decreased at the distribution center. EHV transformers are in charge of increasing and decreasing the voltage at these two points, meaning that without them, almost none of the power the plants generate can be transmitted, distributed, or used, and the grid as a whole ceases to function. The Department of Homeland Security (DHS) estimates that 90% of the country’s consumed power passes through an EHV transformer at some point.

Our national grid involves around 2,500 large transformers, many of them over 40 years old and nearing the ends of their working lifespans. But replacing them is tricky: for one thing, they are massive—some weigh over 400 tons—and for another, many of them are unique, so you can’t just grab a spare one from the transformer supply closet. Plus, we only have the facilities to domestically produce around 15% of our current demand, so we have to order and import most of our transformers from Germany and South Korea (the only two countries that are willing to manufacture and export them). What this means is that if a key transformer were to need replacing, it would likely take over a year for the new one to be constructed, shipped, and installed.


This would not be such an issue if the grid were designed to compensate for extensive transformer failure. Unfortunately, it’s quite the opposite: the stability of our grid is so precarious that it suffers from what has been called “the nine substation problem.”

The name comes from an internal study conducted by the Federal Energy Regulatory Commission (FERC), which found that the transformers at certain substations are like the electrical grid’s vital organs: if just nine specific substations fail, the entire system fails, and the country is plunged into a blackout that could last around eighteen months. (The particular combination of substations, thankfully, is not public knowledge.)

The Metcalf Silicon Valley Substation

To make matters worse, the transformers themselves, despite their size, are frighteningly fragile. In 2013, a small terrorist assault team attacked the Metcalf substation just outside San Jose. Armed only with basic assault rifles, the assailants destroyed seventeen of the station’s twenty-one transformers in less than twenty minutes.

And their method was not exactly complex: they simply planted themselves in the underbrush of the surrounding hills, just beyond the substation’s perimeter and outside the purview of security cameras, and unloaded a hail of bullets; they never even had to penetrate the compound. (The only obstacle they really had to surmount was the substation’s security fence, which, being chain-link, surprisingly offered little resistance to gunfire.) The damage was largely fixable, but it still took almost a month for the station to be repaired and reactivated. The attackers were never identified.

A Wall St. Journal Graphic detailing the 2013 Metcalf Substation attack

This was not an isolated incident. In 2016, a fifty-seven year-old man shot up the radiator of a transformer at the Buckskin substation in rural Utah, causing the transformer to overheat and fail. The repairs took six months. He fired a total of four bullets.

According to the Wall Street Journal, in just a three year period between 2011 and 2014, there were almost a thousand instances of “significant” physical damage done to transformers. Of those, two hundred seventy-four were “deliberate damage” done by humans, and another seven hundred were “weather-related” of the sort that caused the Northeast Blackout of 2003—the second biggest blackout in history—which started when three power lines near Akron, Ohio sagged into overgrown trees.

The 1965 Northeast Blackout

The 2003 Northeast Blackout

The branches caused the lines to short-circuit, starting a cascade of power surges that overloaded systems from Cleveland to Ottawa and plunged over fifty million people into darkness. Three sagging power lines in rural Ohio blacked out Times Square.

The threats get bigger than firearms or tree branches. Let’s look at nuclear weapons: if a one hundred kiloton warhead were detonated at a sufficiently high altitude above the mainland United States—let’s say two hundred ninety-four miles over Kansas—although the population would be safe from incineration or radiation, the electromagnetic pulse (EMP) released by the detonation would circumscribe the whole of the contiguous forty-eight states (not to mention a vast chunk of Canada and most of Mexico), overloading and destroying almost every transformer in the pulse radius. Two-hundred and ninety-four miles is roughly the height of low Earth-orbiting satellites: the International Space Station, for example, or the Hubble Space Telescope. Or, say, the test satellites North Korea decided to launch in 2012 and 2016.

A short-range Scud missle

And the HEMP (High-Altitude EMP) threat is not limited to nations with satellite-launching capabilities or a stolen SpaceX keycard.

A typical, short-range Scud missile—the kind produced by the thousands and seen in practically every major military engagement since the Cold War, from Iran-Iraq to the ongoing Yemeni Civil War—is still capable of traveling almost one hundred miles above the Earth’s surface. If a nuclear-tipped Scud were shot into the sky, the EMP would cover half of the country. Even the pulse from a warhead strapped to the back of a particularly robust mallard duck could take out Nebraska. And both scenarios could result in a nationwide grid failure due to cascading overloading from the downed transformers.

And the HEMP (High-Altitude EMP) threat is not limited to nations with satellite-launching capabilities or a stolen SpaceX keycard.

Our vulnerabilities extend into the digital. Cyberwarfare, increasingly prevalent as the world becomes more computer-reliant, is also a risk. Cyberattacks are easier to coordinate than military ones and easier to execute, and there are more possible sources, from government-funded hacking programs to an isolated saboteur in a basement. Ukraine, for example, has been hit by cyberattacks twice since 2015— the first targeted its power grid, leaving hundreds of thousands without power (though for less than a day); the second, in 2017, hit financial institutions as well as utilities, not to mention various international companies in fields from advertising to shipping.

And although cyberattacks don’t always cause structural damage—which is a good thing, because power restoration is much faster when the damage isn’t physical—the financial costs can still be tremendous. The 2017 attack in Ukraine resulted in $1.2B in damages. The final total of the “Business Blackout” scenario depicted earlier came out in the trillions.

Also, none of this implies that cyberattacks can’t inflict structural damage as well—after all, like the body by the brain, physical equipment is generally controlled by digital code.

The Stuxnet virus may have permanently damaged over 1,000 Uranium centrifuges

In the early 2000’s, Iran’s nuclear program was subtly sabotaged by Stuxnet, a computer worm that lurked in the circuitry of Natanz, an Iranian nuclear facility. The worm, likely though not definitely designed jointly by the U.S. and Israel, would increase the rotor speed of the facility’s uranium-enriching centrifuges until the centrifuges would break, while at the same time concealing its presence by projecting falsely stable readings onto technicians’ computers. Before it was discovered in 2010, Stuxnet was responsible for the destruction of almost 1,000 centrifuges.

But of all the threats to the grid, the biggest one also happens to be the most certain, and the least open to negotiation: the sun. Even in a world with no satellite (or mallard duck) EMPs, with no colonies of hackers or covert assault teams, with taut power lines and well-manicured underbrush, our grid, in its current state, is still doomed. No matter how successful our diplomacy is, or how intimidating our arsenal, sooner or later, the sun will pummel us with another Carrington Event: a massive coronal mass ejection (CME)—what is essentially a burst of magnetized plasma released from the surface of the sun—that, when it hits our atmosphere, will act like a giant HEMP. (This burst is what Carrington the astronomer witnessed flashing on the sun’s surface; the plasma took roughly eighteen hours to travel ninety-three million miles.)

Satellite visualization of a coronal mass ejection (CME) from the Sun

CME collisions are actually very common, but most of them are small enough to be harmless (not to mention pretty; they help create the northern lights); the large ones, though, are powerful enough to fry our electrical grid nationwide. The Carrington Event suffused the sky with aurorae visible from Japan to the Caribbean, while at the same time overloading telegraph systems across Europe and North America with so much current that they burst into flames. Our transformers would fare no better.

The question, then, becomes: when? Predicting a solar super-storm is similar to predicting an earthquake, or a number on a roulette wheel: the timing is not exact, but the event is assured.

Lloyd’s of London, in a 2013 study called “Solar Storm Risk to the North American Electric Grid,” summarized it like this: “while the probability of an extreme storm occurring is relatively low at any given time, it is almost inevitable that one will occur eventually.” (“Almost inevitable” in the same way that if you were to flip a coin a thousand times, it is “almost inevitable” that at some point the coin would land heads; yes, it is technically possible that you’d flip tails a thousand consecutive times, but you’d never bet that way.)

“while the probability of an extreme storm occurring is relatively low at any given time, it is almost inevitable that one will occur eventually.”

In a paper published in Space Weather in 2014, physicist Pete Riley of Predictive Sciences, Inc. determined that there is a twelve percent chance of a Carrington-level solar storm striking in the next ten years. Viewed another way, it’s widely accepted in the scientific community that, statistically, solar super-storms hit us about every 150 years. The Carrington Event struck in 1859, 159 years ago. We also know that, in 2012, a Carrington-level CME whizzed past us by astronomical inches. The bottom line is that no matter how the odds are explained, we’re living on borrowed time; almost everything eventually regresses to the mean.



Protecting the grid would seem to be an obvious proposition, and, technologically, it’s not even a particularly complex one. From installing modifications like faraday cages, capacitor banks, surge arresters, and EMP-hardened battery chargers and generator controls, to simply expanding the amount of spare parts kept on-site, there are plenty of ways to physically “harden” an existing transformer and significantly reduce the grid’s EMP-susceptibility. (And even if a transformer does go down, the technology exists to help contain the damage: manufacturing company ABB Inc. has developed a prototype “recovery” transformer that’s smaller, lighter, and more mobile than its EHV relative. The idea is that it acts like a spare tire for the electrical grid: it can be installed quickly in the event of an emergency and bear the electrical load until the full-scale EHV transformer can be repaired or replaced.)

The complexity, it turns out, is political, and it arrives with the invoice. (The technology may be incontrovertible, but its costs are not.) The EMP Commission estimated in 2007 that physically hardening the national grid against EMP would run between $2.9 and $3.9 billion—$3.3 and $4.7 billion, adjusted for inflation. (For reference, $4.7 billion would be just 5% of the amount Congress recently earmarked for disaster relief funding, or the amount the government spends on defense every two and a half days.) The Edison Electrical Institute, however, disagrees with this number. In its 2015 report Electromagnetic Pulses (EMPs): Myths vs. Facts, the EEI puts forth that the EMP Commission’s estimates are “off by a factor ten or more.” (This was included as part of a “Fact” the EEI wrote that was paired with its rather suggestively-phrased “Myth” that “it would cost only $2 billion to protect the entire grid from any EMP attack.”) This toes the company line: the power industry and the North American Energy Reliability Corporation (the NERC, which is itself comprised primarily by large energy companies) have lobbied for years for less governmental regulation—including torpedoing proposed legislation like the GRID Act in 2010 or the SHIELD Act of 2011, which has been stalled for years in the House Energy and Commerce Committee—insisting instead that the EMP threat is less existential, the grid more secure, and the cost more prohibitive than is generally being reported.

The trouble with these assertions is that they fly in the face of both widespread scientific opinion and the conclusions drawn in FERC’s own study, Electromagnetic Pulse: Effects on the U.S. Power Grid. Conducted in 2010 by Oak Ridge Laboratory on behalf of the FERC, the study opens with the statement that “the nation’s power grid is vulnerable to the effects of an electromagnetic pulse (EMP),” and then goes on to corroborate the “unacceptable societal burdens” associated with a long-term power outage, and to espouse extensive technological development in both system infrastructure and personnel training. Nevertheless, in 2016, the FERC—which regulates the NERC—still approved a new set of standards for grid resiliency that fell far below what even their own scientists and researchers recommended, essentially leaving the NERC and the electric utilities to police themselves.

There is debate, too, over who should even foot the bill to begin with. The resiliency of the country’s electrical grid is under the jurisdiction of the Department of Energy and the NERC, but bomb threats are clearly classified as matters of national security, bringing the Department of Homeland Security and the Department of Defense into the conversation. The question partly revolves around whether EMP-proofing the national grid is an infrastructure standard or an add-on for defense. As it is, neither side seems particularly inclined to pull out its wallet. (And it should be noted that a handful of states, tired of waiting, have already passed and instituted measures to help protect their local substations and micro-grids.)

NOAA Images of Puerto Rico before and after Hurricane Maria

After Hurricane Maria, Puerto Rico requested $17 billion in aid just for grid repairs. In February, five months after the disaster, over ten percent of the population was still without power, and, even now, a month away from the start of hurricane season, the country suffers intermittent, rolling blackouts. Four thousand more people died from a lack of food, clean water, and medical care in the aftermath of the hurricane than died in the hurricane itself, and the territory’s economic losses currently top $90 billion, almost 90% of its annual GDP. The United States has over 300 million people in it, and a 2017 GDP of $19.4 trillion; extrapolating even a fraction of Puerto Rico’s numbers would yield almost incomprehensibly disastrous results. No matter who is doing the math—no matter how the odds are calculated or the costs tallied or the damages estimated—this is a disaster we have the technological and financial means to avert. Neglecting to do so could be catastrophic.