By CHHS Extern Rebecca Wells

On February 3, 2023 thirty-eight cars of a Norfolk Southern train went off track in East Palestine, Ohio, at least ten of which contained hazardous and combustible liquids, creating concern over the potential for health and environmental crises. These chemicals included the colorless and flammable butyl acrylate and vinyl chloride, which are typically used for the industrial production of polymers.

The derailment caused a multi-day fire in the area. Residents within a 2-mile zone were required to evacuate by a mandatory evacuation order concern of the toxicity and flammability of the cargo. An estimated 3,500 fish have been killed by the chemical release. Cleanup crews are continuing to excavate a “grossly contaminated” 1,000-foot area around the train tracks. Visible plumes of contaminants floated down waterways along the Ohio River. The Ohio River courses through or borders Illinois, Indiana, Kentucky, Ohio, Pennsylvania, and West Virginia and supplies drinking water for over 5 million Americans. At the time of publishing, those contaminants appear to have been contained and have not polluted the Ohio River itself.

The evacuation order was lifted on Wednesday, February 8, and since then residents have reported a burning sensation in their eyes, animals falling ill, and a strong odor lingering in town.

Immediately following the derailment, U.S. Senator Sherrod Brown (D-OH) sent letters to the Ohio state government and federal government asking for an emergency declaration. Emergency declarations allow governments to act faster and provide more funding than they would be able to do otherwise. At the federal level, the president may make an emergency declaration under the Stafford Act, which provides two routes for receiving federal support: (1) emergency declarations and (2) major disaster declarations. Emergency declarations trigger aid that protects property, public health, and safety. The objective of these funds is to lesson or avert threat of an incident becoming a catastrophic event. Because of this, emergency declarations can be made before the event in question occurs. In contrast, major disaster declarations are issued after catastrophes occur, and give broader authority for federal agencies to provide supplemental assistance to help communities recover from the event. Requests must be submitted by Governors and the decision to approve a request rests solely with the President.

Despite asking for emergency declarations and swift action, the residents of East Palestine have been met with inaction and mixed messages. On the public health and environmental front, while the Ohio Health Director, Bruce Vanderhoff, urges residents of East Palestine to drink bottled water, messaging from other state and federal agencies has been inconsistent. On February 14, the Environmental Protection Agency (EPA) released a statement finding, “air monitoring has not detected any levels of health concern in the community that are attributed to the train derailment.” However, just a few days prior, the EPA sent a letter outlining Northfolk’s potential liability. In that letter they found that there were more chemicals dumped in the river than initial evaluations detected, including vinyl chloride, ethylene glycol monobutyl ether, ethylhexyl acrylate, isobutylene, and butyl acrylate. Notably, the EPA has set the Maximum Contaminant Level Goal (MCLG) of vinyl chloride at zero, meaning the only level at which there is no known or expected health risk is none.

Messaging on the transportation front has been lacking as well. After initially being largely absent in the conversation, Pete Buttigieg has since reflected that he could have “spoken sooner” about the derailment and its devastating impacts on human and environmental health.

On February 21, the EPA ordered Norfolk Southern to clean up their toxic spill, cautioning of fines and potential liability. On Thursday, February 23, the National Transportation Safety Board released their preliminary report, twenty days after the initial derailment. Chair of the Safety Board, Jennifer Homendy, called the derailment, “100% preventable,” citing a failure to detect an overheating car as a cause of the derailment, without assigning full liability to Norfolk Southern. The NTSB’s report marks a transition from identifying the crisis into recovering from it.

In addition to being preventable, the derailment was, unfortunately, foreseeable. While the federal government has urged Norfolk Southern to act and change their behavior, the government itself played a role in creating this disaster. During the Trump administration, several guidelines for railways were relaxed, including inspection and brake requirements. The most recent investigations into the derailment indicate that the train while undetected by sensors, the train overheated and its wheel bearings broke after the crew engaged the brakes. In the months preceding the derailment, rail workers across the country went on strike, demanding safer working conditions. President Biden signed a bill in December, 2022 making strikes by rail workers illegal.

Several lessons can be learned from this tragedy. Good emergency planning requires that the needs and perspectives of all impacted persons are considered, not just administrators.

The derailment in East Palestine also demonstrates how difficult disaster recovery can be when appropriate preventative measures are not taken. Since the East Palestine derailment, a second Norfolk Southern train has derailed in Ohio. A third train derailed in Alabama, just hours before the C.E.O. of Norfolk Southern testified before Congress regarding his company’s liability and safety protocols. A failure to act proactively has created a scenario while these derailments will be expected until Congress acts to strengthen safety requirements for railroad and railway companies.

By CHHS Extern Peter Scheffel

On Monday, February 6, 2023, two individuals were arrested by the FBI on criminal complaints of conspiracy to destroy an energy facility in connection with a plot to attack multiple substations in the Baltimore area. While this physical attack (the individuals intended to shoot the targeted substations) was thwarted, it highlights a growing trend in planned and carried out attacks on the U.S. electrical grid. One such attack occurred in December of 2022 in Washington state, where two individuals who were later arrested shot at four electrical substations in Pierce County. This event left more than 15,000 people without power. Likewise, North Carolina experienced a targeted physical attack in December 2022 on their energy infrastructure (also by way of gunfire), as individuals damaged two substations in Moore County. The North Carolina attack arguably led to the most dramatic response in which due to the high number of people affected (100,000 residents in Moore County, tens of thousands of which without power), schools were closed and a curfew was imposed.

Both the carried-out attacks in Washington State and North Carolina as well as the attempted attack in Baltimore indicates an increasing awareness by malicious actors of the U.S. power grid’s importance and its vulnerability to both physical and cyber-based attack. Thus, these attacks should serve as a harsh reminder of not only the need to increase preventative measures against physical attacks on the U.S. grid, but also to remind that the grid remains vulnerable to cyber-attacks. In the often-hasty rush to secure the physical aspects of the grid post physical attack, a danger exists in overlooking the equally necessary cyber-related vulnerabilities present. As the grid continues to be modernized and as we continue to electrify cars, replace furnaces with electric heat pumps, and connect substations to the internet, a more comprehensive preventative strategy is needed.

One of the main areas of risk are grid distribution systems, which often take the form of a pole near homes and businesses and serve as the final stage of the electrical grid, distributing electricity to homes, industry, and other end users from transmission systems (large structures often seen beside interstates and other roads which carry the high voltage electricity to the distribution systems). Grid distribution systems have become more vulnerable to cyberattack chiefly because they are increasingly allowing remote access and connections to the internet. This leaves open the potential for malicious actors to enter the system and create problems. According to the Director of National Intelligence’s 2022 Annual Threat Assessment, both nation-states and criminals are the greatest cyber threats to the U.S.’s critical infrastructure, including the electrical grid, and their capacity to attack successfully continues to increase. The U.S. Government Accountability Office (GAO) in 2021 even found that the federal government lacked sufficient awareness and understanding of the severity in scale of potential attacks on distribution systems, which are not subject to the Federal Energy Regulatory Commission (FERC). The absence of FERC regulatory authority over distribution systems results in a less cohesive strategy which fosters an environment susceptible to exploitation at a crucial stage of energy reliance: distribution to end users. An earlier GAO report, in 2019, also highlighted the need for changes to increase cybersecurity measures within the grid. These recommendations are not yet fully implemented, thus leading to continued vulnerability in the grid. While it is important for FERC to prioritize the first two aspects of the grid over which it has authority: generation and transmission, working with state partners is equally important to better protect distribution systems.

One stark example of the risks of an unprotected grid is the Russian-linked attacks just before Russia’s invasion of Ukraine last year. Hackers connected to Russia got incredibly close to taking out a large piece of the U.S. power grid through cyberattacks using malware during the first few weeks of Russia’s invasion of Ukraine. The attack included the use of malware called PIPEDREAM to take down up to twelve U.S. electric and liquid natural gas sites. The potential success could have been devasting, leading to possible loss of life. In addition, such a large and successful attack on U.S. critical infrastructure could have been seen as the “9/11” of the cyber-sphere, leading to sweeping changes to U.S. law and policy in response. Thankfully, these attacks were not successful (though the coalition of U.S. government and cyber industry groups which prevented the attack did not disclose how it was prevented). According to experts, this was the closest the U.S. has ever been to having its infrastructure go offline from a cyberattack.

Encouragingly, when combined with the spate of recent physical attacks, this now disclosed attempted cyberattack on the U.S. power grid may have spurred action that could and should continue in order to prevent such attacks. As of January of 2023, FERC is working towards developing new cybersecurity rules. These include the U.S. Department of Energy funding next-generation cybersecurity research and development projects, a software bill of materials (an ingrained inventory or list of ingredients that make up software components) required for certain energy vendors or other grid related services, and required disclosure of what components go into grid software. While a good start, distribution systems remain vulnerable as they are not subject to FERC authority. In order to better protect distribution systems, state legislative policy is needed. States must understand their role in protecting distribution systems and should prioritize increased grid cybersecurity within their borders. A great example of such measures is via the state of New York, which recently adopted legislation that will require utilities to prepare for cyberattacks in their annual emergency response plans. To implement this legislation, the New York Public Service Commission was given enhanced auditing powers so that critical infrastructure and customer data would be secured. The commission is also directed under the law to provide necessary rules and regulations, and operates under a mandate to provide a report to elected officials, reviewing compliance and providing recommendations to the legislature on if additional measures are needed.

Grid cybersecurity is often seen as an afterthought and becomes a response to an attack instead of a tool of prevention. As the grid continues to modernize and gain connectivity to the internet, cybersecurity must be prioritized as much as better physical fencing and concrete barriers. Should a successful attack go through such as the one Russia-affiliated hackers attempted, waiting to respond will prove costly beyond monetary value alone. In order to remain resilient despite ever growing reliance, the U.S. power grid must prospectively implement sound policy and continue to pursue actionable measures at both the state and federal level.

By CHHS Extern Kimberly Gainey

The Federal Aviation Administration (FAA) garnered significant negative attention last month after an overnight outage of its Notice to Air Missions (NOTAM) system grounded early morning domestic flight departures for approximately 90 minutes on Wednesday January 11, 2023. This nearly unprecedented nationwide stop in air traffic, the first in over 20 years, led to thousands of flight delays and cancellations. The FAA attributes the outage to a database file “damaged by personnel who failed to follow procedures.” Despite the FAA’s not so veiled attempt to place the blame on human error, public attention remains focused on outdated technology. A government source indicated that the applicable software is approximately 30 years old, with updates not planned for another six years.

Recent scrutiny reverberates sentiments expressed by airlines about FAA funding constraints, staffing limits, and outdated technology. United Airlines CEO Scott Kirby indicated that the FAA needs both “more funding” and “more investment for technology.” The CEO of the US Travel Association, Geoff Freeman, described the “catastrophic system failure [a]s a clear sign that America’s transportation network desperately needs significant upgrades.”

In spite of FAA assurances that there was no evidence of a cyber attack, people were quick to question the agency’s cybersecurity. Congressman Ritchie Torres (D-NY) expressed concern regarding the “cyber vulnerabilities of the antiquated systems that undergrid modern air travel” and requested a joint review by the Cybersecurity and Infrastructure Security Agency and the Department of Transportation. Transportation Secretary Pete Buttigieg welcomed attention from Congress given the upcoming FAA reauthorization bill, which will provide the agency with funding and direction for next five years. The FAA’s budget estimate for 2023 includes the need to “eliminate the failing vintage hardware that currently supports . . . the national airspace system.” Senator Ted Cruz (R-Texas) called for Congress to “enact reforms” in the impending legislation, describing the “FAA’s inability to keep an important safety system up and running [a]s completely unacceptable and just the latest example of dysfunction within the Department of Transportation.” The House of Representatives responded, passing the NOTAM Improvement Act of 2023 “to strengthen the reliability and effectiveness of the FAA’s NOTAM system.”

This myopic focus on the NOTAM system is a missed opportunity to discuss the multifaceted nature of cybersecurity, which attempts to manage and mitigate dynamic threats across an expansive threat landscape. The FAA extolls its efforts “to be increasing proactive and vigilant when it comes to cyber threats,” highlighting “a cybersecurity workforce that protects our aerospace assets” comprised of “unsung heroes, because this cyber battle is being fought behind the scenes, 24/7/365.” These efforts implement a 2021 Executive Order on Improving the Nation’s Cybersecurity, requiring “agencies to enhance cybersecurity and software supply chain integrity.” However, whether the FAA’s cybersecurity actions are laudable or deficient is an open question that one seems to be asking. The continued reactive focus on the NOTAM system involved with the ground stoppage misses a larger problem. Our leaders need to adjust their perspective and pivot to a proactive assessment of risk from older systems, which may merit updating. It is not enough to figure out what went wrong last month; we need to look for other vulnerabilities and remediate them.