‘Tis the season for predictions! As we close out 2016 and look forward to 2017, it seems appropriate to pause a moment and provide some grid security predictions for the new year. Predictions based on trends, insight, and understanding can arm security programs with the knowledge needed to test policies, exercise physical protection systems, and allocate corporate funds for resources. Physical security anxieties for the power grid are not going away anytime soon, so let’s start to “read the writing on the walls” and get ahead of this critical topic.
A fresh new year is an opportunity to reflect on the path recently traveled, and to strategize on how to navigate the road in front of us. While a new presidential administration will certainly dictate philosophies and set the regulatory course, it is safe to say that no administration will tolerate a prolonged blackout due to a grid security event. In order to keep the confidence of the new President and the American people, utilities must keep their foot on the gas pedal and make the needed investments and upgrades to their physical security programs. As we finalize capital budgets and acquire resources for the new year, here are a few considerations utility security professionals should consider.
While the NERC CIP-014 physical security standard will target approximately 1,000 to 1,500 critical substations across North America, protections to non-CIP-014 transmission sites will continue to be a focus for the industry. As new substations are built and introduced into the bulk power system, security protections will be implemented as a forethought and not a “bolt on” after the fact. The utility industry must understand that any substation, high voltage transformer, or other equipment being shot at or subject to physical attack will be propelled into media scrutiny and a utility’s reputational risk could be altered. As a result, substations that don’t meet the criteria for CIP-014 compliance, but are system or business critical, will start to receive threat and vulnerability assessments and added security mitigation measures designed to deter, detect, and delay potential attackers.
Drones, or whatever they’re called…
Unmanned Aerial Systems (UAS), quad-copters, or more commonly known as drones, will continue to provide useful situational awareness information during response and recovery operations after storms, earthquakes, and floods. Unfortunately, with the good comes the bad. Security professionals are mindful of the nefarious scenarios where a drone could be the vehicle in which to drop a pipe bomb or other explosive device into a substation or generating plant.
As quality drones become cheaper, more common, and increase their payload lift ability, these ‘tools’ could be used to inflict damage on critical infrastructure. Utilities have begun to address the potential threat by deploying frequency jamming security systems. Unfortunately, owners and operators of infrastructure sites don’t own the airspace above, so when a “hobbyist’s” drone is driven into the ground by anti-drone technology, the utility will likely be liable for damages. Utilities should monitor and be mindful of local drone laws and Federal Aviation Administration (FAA) operator rules.
Are we allowed to talk about Generation sites yet?
The discussion will begin about better protecting non-nuclear generation plants from physical attack. In the event that a fossil or hydro plant is attacked in the United States, a major knee-jerk reaction would be felt throughout the country and new legislation would be introduced. Given the reaction after a 2013 substation shooting in California, where FERC mandated a physical security standard (CIP-014) be created, it can be reasonably assumed that similar rules would be forced onto the industry if a major attack occurs at a power generation station.
In the aftermath of such an attack, very difficult questions will be directed towards industry executives as to why utilities do not have current physical security standards in place for generation. In the short term, utilities will consider how to “harden” their sites with improved perimeter security, access control, and video monitoring. These very basic steps can lead to becoming a hard target.
The natural gravitation towards security convergence and the integration of all security disciplines has already begun. Convergence can be defined as the integration of logical security, information security, operational security, physical security, and business continuity. Considering the various types of security threats (terrorism, identity theft, data breaches, insider threats, etc.), one side of the security spectrum simply cannot protect an organization to its greatest potential.
While utilities remain effective at addressing traditional threats such as severe weather, vegetation management, and routine transmission disruptions, the evolving nature of physical, cyber and OT security is creating challenges that many companies are grappling with to ensure the resilience of their operations. An interconnected grid that incorporates computing, communications, markets and physical assets unfortunately presents potential attackers with opportunities that require a holistic approach to security.
Momentum of the Chief Security Officer
Grid security has received more attention in the last several years and organizations have realized that they lack a designated individual with the appropriate authority to carry out the security responsibilities of a utility. Enter the modern utility Chief Security Officer (CSO). The CSO is chief advocator, prognosticator, and crisis manager. The duties of the CSO have dramatically changed with the introduction of targeting electric infrastructure for attack, the advancement and reliance on cyber systems, and the job of ensuring compliance with the NERC CIP Standards.
Likely the biggest responsibility is to create and foster a program that helps manage reputational risk. The modern CSO is business savvy and fully understands the impact that security has with respect to “keeping the lights on”, business resiliency, and regulatory compliance.
A rising tide lifts all boats
Investor owned utilities (IOU), with help from industry trade associations, will continue to push the industry towards greater physical security protections at critical sites. As smaller municipal utilities and rural cooperatives see the protections being put in place by larger utilities, it will naturally force these utilities to invest in similar protections. These smaller utilities have security in place, but they struggle to bring the same amount of resources or a comparable security budget to the table. Soon, all utilities will be discussing the implementation of concrete perimeter walls, ballistic protections, and gunshot detection systems, and not just a select few.
Facing uncertainty is something security professionals deal with on a regular basis. How vulnerable are you, really? What is the likelihood of a successful attack? Unfortunately, these uncertainties can be placed into two buckets, “known unknowns” and “unknown unknowns”. Let’s hope that 2017 isn’t consumed by the latter.
This article is published as part of the IDG Contributor Network. Want to Join?