Grid security isn’t all cyber
7 suggestions on the physical side
April marked the two-year anniversary of an industry-famous late-night shooting spree. An apparent lone rifleman, situated in a thicket on a hillside in San Jose, attacked a large electrical power transmission substation by aiming at critical components as if playing an arcade game. In similar attacks that same year, 2013, gunmen fired shots into a gas turbine power plant close to the Missouri-Kansas state line and at another substation near Colorado Springs.
The attack in San Jose was more significant than the others; the attacker fired about 100 bullets into the transformers in less than 20 minutes, and the substation’s ability to maintain electrical current began failing quickly (within 14 minutes). Approximately 17 of the substation’s transformers were severely damaged, resulting in millions of dollars of repair costs and a solid month of downtime for the substation.
Following the attack, and a government push that came after a Wall Street Journal article in 2014, the utility operator in San Jose committed more than $100 million over three years to an extensive security upgrade to fortify and better secure its major substations across its Northern California service region. Many other major utilities took note and also began investing in substation security upgrades.
In the months that followed, the North American Electric Reliability Corporation, prompted by the Federal Energy Regulatory Commission, approved a more stringent set of security standards under the National Infrastructure Protection Plan, more specifically within the Energy Subsector, and established the Critical Infrastructure Protection Reliability Standard 014 (better known as CIP-014). Today, CIP-014 is well into its 6th revision, and major utilities are entrenched in compliance measures heavily focused on physical security improvements.
Learning from the attack
The San Jose substation attack taught us one major lesson: Our nation’s bulk power supply is at risk due to its current vulnerable state. The specific response of the utility operator and the NERC reaction of CIP-014 support that lesson.
But putting that lesson into practice isn’t easy or cheap. Most of our industrial systems were not designed for operation in areas of conflict and will take years to adequately harden. Here are seven suggestions from our experience in the security field to help tackle those hardening projects.
1. Find a provider that can bring you the whole security package. Using a total solution provider that can logically integrate physical defense systems with perimeter intrusion detection systems is a solid path to successfully protecting a facility. It helps to select a single provider to design and install an integrated package and to commission the systems based upon an operation’s unique set of performance objectives.
2. Don’t forget the fifth zone in your planning. The fifth zone is the area immediately outside of the protected facility and can be key to achieving advance warning. Just like in military operations, you want to see the enemy before he sees you, and that can’t be done if security systems are focused on just the immediate perimeter.
3. With perimeters, stronger is better. With conventional means—the classic chain-link fence structure, for example—intruders can get into your facility in minutes. By using high-delay-time fencing products, vehicle barriers, retractable bollards, crash-rated gates and sally ports, video surveillance, intrusion detection systems and advanced motion analytics around the entire perimeter, facilities can become adequately secure and protected from most crime.
4. When going with a strong perimeter, don’t slack. The weak side of a perimeter is the choice side for any criminal. They’ll find it. So don’t create it. Use combinations of welded wire, expanded metal and louvered panels, all of which offer much longer delay times and require significantly more sophisticated means of forced entry.
5. Clarity and redundancy are important. Alarm notifications should provide clear and concise instructions for each type of event, and the associated intrusion systems should be redundant and well maintained, allowing for multiple confirmations that help reduce and eliminate false and nuisance alarms.
6. Don’t forget posts and foundations. As perimeter protection solutions become more advanced and are made with stronger steel and thicker gauges, the support posts and structural foundations also need to be sturdier and better engineered to support the additional weight and wind loads.
7. Don’t let cost define your security protocol. Because of its relatively low cost, chain-link fencing is being used today at sites that comprise millions of dollars of capital infrastructure. Without significant modifications, standard chain-link products can be easily breached in a matter of seconds by pulling up on the mesh and passing beneath it or by snipping and unwinding one of the coils and passing through the resulting opening. The ease with which this is accomplished diminishes the legitimacy of low-cost chain-link fencing for consideration as a secure perimeter defense solution.
High-security fencing systems are just one of many necessary components for perimeter protection. The return on your security investment is measured in terms of cost avoidance: the cost of replacing millions of dollars of capital assets and the other business interruption expenses associated with such a loss.