This article originally appeared in the August 2023 issue of Security Business magazine. When sharing, don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter.
Of all critical infrastructure sectors, utilities have been the most popular for targeted physical attacks lately. In fact, according to the North American Electric Reliability Corporation (NERC)’s Electricity Information Sharing and Analysis Center (E-ISAC), there were almost 1,700 physical security incidents reported to the E-ISAC in 2022, an increase of 10.5% from 2021.
While typical physical security incidents against utilities and substations involve vandalism, tampering, arson, and ballistic damage, most do not result in grid impacts; however, a trend toward more serious events occurred in 2022. As reported extensively by SecurityInfoWatch.com, in November 2022, a series of attacks occurred at six different substation facilities in Oregon and Washington state, five of which resulted in power disruptions. Then in December, gunfire disabled radiators and circuit breakers in two North Carolina substations, causing major outages for 42,000 customers during a cold spell in the area; and two Seattle substations were damaged resulting in Christmas outages.
“These recent high-profile events are deeply concerning for their sophistication and effectiveness, even while noting that customer impacts were localized,” explained Manny Cancel, the CEO of the E-ISAC, during July testimony before the U.S. House Energy and Commerce Subcommittee on Oversight and Investigations.
“In February 2023, law enforcement effectively thwarted a plot by domestic extremists to attack five substations in the Baltimore area with an eye toward disrupting service to the majority of the city,” Cancel added.
Shift in Attack Vector
As far as substation attacks go, the recent spate of activity points to a marked rise in ballistic attacks, where bad actors are attempting to disable the power grid by strategically targeting vulnerable assemblies within the substation with gunfire, as exhibited in the North Carolina attacks.
“Most notably, we are seeing a rise in ballistic attacks,” said Jarod Bleiweiss, a NERC sales specialist for energy facility services provider NAES Corp., during a recent webinar hosted by global integrator Convergint Technologies. The two companies, in fact, formed an official partnership in October 2022 to provide enhanced physical security services for critical infrastructure in the power and energy sector.
“[Ballistic attacks] are something that is on the top of everyone's mind, especially within the transmission side of the business,” Bleiweiss added.
“It is eye-opening, and we are seeing residual effects – not from an attack standpoint, but definitely an eye towards defense-in-depth strategies [among utilities],” Steve Sinclair, Convergint’s Director of the Utilities Vertical, said during the June 23 presentation. “It is changing the thought process from a physical security protective strategy standpoint. [Utilities are asking] how to develop protective strategies while taking these attack vectors into consideration.”
Sinclair goes on to outline potential technology solutions to the new attack vector: “We are certainly seeing a need and a call for more technology applications and the thought process behind them – whether it be physical security barriers, ballistic protection, increased camera quantity or installations, visual assessment, increased detection, and gunshot detection – we are seeing a lot of that from the market right now.”
While bringing technology to bear on a problem like this is paramount, Sinclair also pointed out that the role of the integrator goes beyond simply that. “I think the question really is the why – why are we doing this, and how are we doing this,” he said. “Then how to protect from the standpoint of adding those different layers and different defense-in-depth mechanisms and methodologies to increase safety and security for the perimeters and [inside] these facilities.”
“That why component is very important on the operations and energy side,” Bleiweiss added. “Whether it is a NERC regulation, an environmental regulation, or even just something that is needed within a substation or regeneration plant, we have got to make sure that we put in something that makes sense and that is not going to get in the way of operations. Considering the downstream effects and prioritizing what is more critical is going to be incredibly important as we as we move forward.”
Changes to Baseline Risk Assessments
One area where security integrators should be taking an active role in utility security is in the risk assessment process.
“Long gone are the days where you had a single-use device – like a camera that was only used for maybe one or two applications at best,” Sinclair said. “Now we have the capability with AI and machine learning, computer vision and all these other things out there to be able to think about it from the standpoint of defense-in-depth, but also not as a drain on operations but as a benefit. That [will become] part of this consideration and assessment process – how to implement the strategy a little bit differently than before to be more effective and safer while providing security.”
With that in mind, some changes are coming to the utility substation risk assessment process. In response to the substation attacks, the Federal Energy Regulatory Commission (FERC) directed NERC to reevaluate physical security protection requirements in the CIP-014-3 Physical Security Reliability Standard. Specifically, FERC directed NERC to evaluate the adequacy of the standard’s applicability criteria, required risk assessment, and whether a minimum level of physical security protections should be required for all substations and their associated primary control centers.
Cancel said that several initiatives came out of the study, including clarification to how entities conduct risk assessments of their substations and a technical conference scheduled for August 10 to consider additional actions.
Specifically, “NERC finds that the inconsistent approach to performing the risk assessment is largely due to a lack of specificity in the requirement language as to the nature and parameters of the risk assessment. Accordingly, NERC will initiate a Reliability Standards development project to evaluate changes to CIP-014 to provide additional clarity on the risk assessment.”
That said, the final conclusions of the report indicate that NERC does not recommend an overhaul, or a baseline set of minimum security requirements for substations. “Establishing a uniform, bright line set of minimum physical security protections for all (or even an additional subset of) BPS substations and associated primary controls centers, is unlikely to be an effective approach to mitigating physical security risks and their potential impacts,” the report says. “While a uniform set of minimum level of protections could potentially prevent some forms of physical security threats, NERC finds that such a pursuit lacks the application of a risk-based approach to expending industry resources, fails to provide for a methodical approach necessary to address site-specific threats or objectives, and does not consider the need for other reliability, resiliency, and security measures to mitigate the impact of a physical attack.”
Potential Opportunity to Break into the Market
As part of the CIP-014-3 Physical Security Reliability Standard reassessment, Cancel testified that the E-ISAC, industry trade associations, regional entities, DOE, PNNL, and FERC are hosting regional events focused on physical security.
These events are intended to enable the electric sector industry, government partners, local and federal law enforcement entities, and regional partners to have a thoughtful and actionable discussion on the current threat landscape, provide mitigation strategies, protective measures, and resources, and strengthen information sharing relationships.
“The hope is this event and subsequent discussions will demonstrate the continued focus on physical security within the electric sector to key stakeholders, reinforce relationships with local, state, and federal law enforcement and government partners, and socialize physical security resources available to industry,” Cancel said.
To learn more about this event and other E-ISAC events and advisory groups, visit www.eisac.com/s/programs-and-services.
Paul Rothman is Editor-in-Chief of Security Business magazine. Email him your comments and questions at [email protected]. Access the current issue, full archives and apply for a free subscription at www.securitybusinessmag.com.