Just before 1 a.m. on April 16, 2013, snipers opened fire on an electrical substation in Metcalf, California. The attack lasted 19 minutes and knocked out 17 huge transformers responsible for funneling power to Silicon Valley. To avoid a blackout, electric grid officials had to reroute power around the site and ask power plants in the area to produce more electricity to accommodate the loss. Bringing the substation back to working order took utility workers 27 days.
The Metcalf incident was a massive wake-up call for the industry, exposing serious vulnerabilities to the power grid and critical infrastructure in North America. While many utility organizations have security measures in place should anyone penetrate the perimeter, threats from outside the perimeter hadn’t been a major area of focus.
A report from the National Academies of Sciences, Engineering, and Medicine concluded that the U.S. electric grid is vulnerable to a range of threats, including terrorism or natural disasters. Many of our power grid’s systems sit out in the open and exposed. They’re usually in remote locations, secured by little more than cameras and chain-link fences. Transmission substations, like the one in Metcalf, are critical links in the power grid. They make it possible for electricity to move long distances and serve as a hub for intersecting power lines. Attacks on these critical areas can cause serious problems for neighboring cities, towns and businesses. In addition to the headaches that attacks can cause for the utility company and energy consumers, transformers are extremely costly and difficult to replace.
In response to the Metcalf incident, the Critical Infrastructure Protection (CIP) Standards were created for the North American power system. The CIP standards and requirements address the security of perimeters and the protection of critical assets, including training, security management and disaster recovery planning.
All utilities that contribute power to critical sections of the national grid are required to provide a plan to secure their Tier 1 and Tier 2 assets. While the standards do provide a level of detail as to what elements may be included to secure these vital assets, the guidelines are very broad in nature. As a result, major public utilities are addressing this challenge in a variety of ways. The greatest challenge is to compose a design for physical security elements that meet or exceed the requirement, in a manner that accords with corporate security processes, with a view to operational efficiencies.
In some respects, this is the classic approach to balancing the amount of money invested, versus level of risk posed by the perceived threat to be mitigated. Since substations vary in location from urban to suburban and even very remote rural locations, utility providers are relying on the latest technologies to meet geographical, topographical, communication and notification challenges.
A tailored solution is needed to properly address an organization’s unique risk considerations that vary depending on the setting and identifiable vulnerabilities. However, this is easier said than done and many organizations are finding themselves struggling to rapidly deploy and meet CIP deadlines.
Utility companies can take a layered approach to securing their critical infrastructure by thinking beyond someone penetrating the perimeter, and identifying several different integrated technologies that can work together to provide a comprehensive solution. Below are some solutions to consider for protection of critical infrastructure.
Intrusion Protection
Intrusion protection is a serious component to work into a security plan. Advancements in fencing have made it possible to avoid situations like the one that happened in Metcalf. They have transitioned from your standard chain-link fence to metal panels, and now, fences for areas like power substations typically consist of 12 feet high concrete barriers, similar to what you see on the highway.
Thermal Cameras
Another technology to consider is thermal cameras, which outperform a typical visual camera in dark scenes and are a great tool for detecting people and objects in 24/7 surveillance. These cameras are less sensitive to problems with light conditions, such as shadows, backlight, darkness and camouflaged objects. By coupling these with analytics, organizations have another layer of security and surveillance.
Lighting
In addition, advanced lighting should be considered for an intrusion protection solution. In addition to ensuring the area is clearly lit, new technology can strobe to disorient intruders or raise the attention of someone approaching the perimeter. Depending on how populated the area is, automation can be added, and the lights can be triggered once someone enters the designated area.
Access Control
Controlling who has access to the area is another essential component of your security plan. Multi-factor authentication – such as requiring an access card and pin for entry – is an easy way to ensure only designated individuals can access the power grid, and they also provide a clear log of who was there and when. By coupling this with awareness cameras, organizations can verify who was on site should an incident occur.
Analytics
Utility organizations should look to create Security Operations Command Centers (SOCC) for these pieces of critical infrastructure. Typically, SOCCs are centrally located and enable the staff to supervise the site using data processing technology. Officials can monitor activity from all solutions at once, closely manage access credential administration for employees and contractors and manually let individuals in and out of the perimeter when the need arises.
Radar
Everyday expanding technologies are coming to the security market. By connecting with integrated partners, organizations can rest assured that they always have someone keeping an eye out for a way to incorporate new technologies to help improve processes. For some, a ground-based radar solution may make sense for their substations. Radar systems are a cost-effective way to monitor perimeters. They easily integrate into existing security systems and can be automated with technology, like security cameras, to provide complete perimeter protection. Additionally, these devices have no moving pieces, so they are easy to maintain and are robust.
Seismic Detectors
Utility owners should also consider seismic detectors, which monitor the vibration and temperature of the protected surface. This technology can detect all known types of intruder attacks, such as sledgehammers, diamond-head drills, explosives, hydraulic pressure tools and thermal tools.
Shot Detection
There are also shot detection solutions that should be considered. These solutions identify the sound of a shot and alert the appropriate officials while automating necessary security technologies. They provide an extra layer of proof should an organization not have staff at the facility.
A Qualified Partner
While utility providers share best practices and knowledge gained, the unique nuances of each organization’s operations and challenges leave them to carve their own path towards compliance. There are a lot of sophisticated solutions on the market, but the technology is only good if it is installed, maintained and updated correctly.
The CIP requirements only further highlight the need for utility providers to work with a qualified security partner, who can help support security efforts at critical infrastructure sites. This may be their most valuable resource in protecting their assets, which are not only important for their bottom line but also the neighboring communities they power.
About the Author:
As vice president and general manager, security, for Johnson Controls’ Building Technologies & Solutions, North America, Joe Oliveri manages the full P&L responsibility for the security business in the U.S. and Canada. He also leads the company’s Advanced Integration Business and plays an integral role in the company’s network of security innovation programs, including centers in Silicon Valley and Tel Aviv, Israel.