At the intersection of energy risk management and facility security

Security professionals in the utility sector must understand the distinct difference between risks, threats, and vulnerabilities and how they all provide useful data points for an effective risk management program. The outputs of this data should be used to create a responsive physical security plan.

electric substation infrastructure
Carla Wosniak (Creative Commons BY or BY-SA)

The security of critical infrastructure in the electricity sector is complex. Electricity assets are concentrated in small areas and distributed over large geographical expanses. They are manned and unmanned, involve dangerous equipment that citizens must be protected from, and they provide a resource to the public that enables the quality of life we enjoy today.

Protection of these assets require security professionals to use every tool in the toolbox. Security managers have to consider protecting physical property, cyber assets, employees, and the public. Priorities must be established that respects the needs of the public and the organization being protected.

+ MORE ON CRITICAL INFRASTRUCTURE: Protecting vital electricity infrastructure +

Any protection program that is developed must be as efficient and cost-effective as possible, as budgets are limited and ratepayers are sensitive to wasteful spending. Effective security programs rely on risk management principles and associated tools to establish priorities, allocate budget dollars, and harden infrastructure sites.

Physical security protection encompasses defensive mechanisms to prevent, deter, and detect physical threats of various kinds. Specifically, these measures are undertaken to protect personnel, equipment, and property against anticipated threats. Properly conceived and implemented security policies, programs and technologies are essential to ensure a facility’s resistance to numerous threats while meeting demand, reliability, and performance objectives.

Security plans should be developed based off of solid security principles, practical security assessments, and known threat data. To create actionable security plans and procedures, we must first understand some very basic security principles. All too often, simple definitions are interchangeably used. This leads to confusion and unfitting assumptions. Understanding the definitions listed below will help start to build a comprehensive security program.

Threat - Actions, circumstances, or events that may cause harm, loss, or damage to your organization’s personnel, assets, or operations.

Risk - The combination of impact and likelihood for harm, loss, or damage to your organization from exposure to threats.

Vulnerability - Weaknesses and gaps in a security program or protection efforts that can be exploited by threats.

Resilience - The ability to prepare for and adapt to changing conditions, and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.

Risk management - An analytical process that considers the operational context of the organization and the risk of unwanted events that might impact personnel, operations, and assets, with the aim of developing strategies that reduce risk by reducing the likelihood and impact of these events.

Once risks to a facility are accurately assessed, security professionals can determine whether countermeasures currently in place are adequate to mitigate those risks or if additional procedural, programmatic, or physical security countermeasures should be implemented. Any process used for identifying these risks should:

  • Identify those threats which could affect personnel, assets, or operations
  • Determine the organization’s vulnerability to those threats
  • Identify the likelihood and impact of the threats
  • Prioritize risks
  • Identify methods and strategies to reduce the likelihood and impact of the risks

Risk strategies

There are three general strategies for dealing with risk:

  1. Accept the risk – choose to accept the risk, and budget for the consequences that are likely to flow from that decision
  2.  Avoid the risk – choose not to undertake the risky activity
  3. Reduce the risk – design controls to reduce the likelihood or the impact of the risk.

As you assess risk, a useful tool is a Design Basis Threat (DBT) which describes the threats that an asset should be protected from. Often used in the nuclear power industry, a DBT is typically a description of the motivation, intentions and capabilities of potential adversaries. A DBT is derived from credible intelligence information and other classified and non-classified data concerning realistic threats.

A DBT for the electricity sector has recently been completed by the NERC Electricity Information Sharing and Analysis Center’s (E-ISAC) Physical Security Advisory Group, with the assistance of the US Department of Energy. It is available on the E-ISAC member web portal and NERC members are encouraged to consult the DBT as part of their security planning process. It is not intended to cover all facility-specific threats that may need to be considered, but it does provide a starting point for threats rooted in past attack examples in North America.

A threat and vulnerability assessment done by professionals and a DBT are simply tools designed to help you determine security gaps, assess the importance of fixing those gaps, and identifying mitigation measures. The outputs of using these tools will directly feed your physical security plan. Your risk assessment results should arm you with the information required to make sound decisions based on real risks to an organization's assets and operations.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)