Director, Critical Infrastructure Protection Programs, North American Electric Reliability Corp. (NERC)

Security from the outside looking in

Jul 12, 2016

Utilities that run red team exercises can benefit from the knowledge they produce, so long as you have executive buy-in and are willing to take potential criticism.

This past April, security professionals in the utility sector were up in arms about a very public and well-documented red-team video documentary that highlighted how “easy” it was to “fully compromise” a power company. Simply put, a boutique cybersecurity and network penetration firm that specializes in “ethical hacking” entered corporate buildings, unmanned distribution substations, and the company’s IT server room under the cover of darkness, rather quickly and with little challenge.

As you can imagine, this event is not only embarrassing for the utility, but it’s also a gut punch for those who have worked tirelessly to improve security and promote the positive steps industry is making to secure the grid.


While this video does not paint the utility company in the best light, red teaming can help security professionals and utility executives determine where their weaknesses lie and where to spend next year’s budget dollars to reduce security risk. The usefulness of such an exercise far outweighs the risk and will certainly bring protection concerns to light.

For a successful example, we simply need to look at the defense industry and what our military forces use to examine their vulnerabilities to perimeter security, access control, and the detection of unauthorized individuals. While I’m not suggesting that utilities hire a US Marine Corps team of covert experts to circumvent their security measures, I will advocate that there is value in “thinking like the enemy”. Having an outside firm, with no affiliation to your company, infrastructure, or systems, conduct an assessment on how they would infiltrate, gain access, or sabotage equipment may be very eye-opening and provide an impartial assessment.

Red teaming is the practice of analyzing a security mechanism from the standpoint of an external attacker or adversary. A red team is a group of third-party penetration testers that detects vulnerabilities in your physical security systems or cyber networks while mimicking the attacks of an intruder. The ultimate purpose of red teaming is to harden your security against real-world attacks after taking the lessons learned from the test. Presumably, after digesting the gaps and the perceived weaknesses in your system, infrastructure owners will improve their security programs by updating their mitigation measures and adding additional focus to gaps in awareness, detection, and defense.


Obviously, I am a major advocate for exercises and for examining how to make infrastructure a “harder” target. That said, utilities should be educated and fully understand the inputs and information that a red team exercise will provide. Below, I have listed a number of concerns and considerations that utilities should be mindful of prior to any such undertaking.

But first, a word of caution. As recent events have shown us, utilities must protect this information and the security “results” from getting into the wrong hands. Any contract with a third party must include provisions for nondisclosure and strict confidentiality. Utility executives will be mindful of this and of the ever-present reality that information in the wrong hands can result in unwanted reputational damage.

If your company sees the value in having an unaffiliated third party conduct a red team exercise against your corporate campus, IT systems, or physical infrastructure, here are a few thoughts to consider:

  • Have your company leadership be fully aware and have complete “buy-in” as to the process and methods used to obtain the exercise results.
  • Once the results are in and gaps have been discovered, what will this information be used for? Is company leadership prepared to immediately respond and mitigate any discovered vulnerabilities?
  • Nobody likes to have their baby called ugly! Be prepared to hear an outsider’s perspective — that means the good, the bad, and the ugly.
  • Provide limited situational awareness to those who absolutely “need to know”. If everyone is completely prepared and anticipating the “outsider threat”, what real value are you getting from the exercise? It is better to judge reactions, assess mitigation measures, and evaluate response during a simulated crisis while responders are in the moment.
  • Get others involved. An exercise is always a good excuse to reach out to other internal departments, intelligence agencies, and law enforcement.

At the end of the day, be open to new ways of addressing an old problem. After all, this is a critical review and analysis of already-existing plans. You presumably will do this because you are interested in improvement. So go do it, and improve!
Brian Harrell is a nationally recognized expert on critical infrastructure protection, continuity of operations, and cybersecurity risk management. Harrell is the President and Chief Security Officer at The Cutlass Security Group, where he provides critical infrastructure companies with consultation on risk mitigation, protective measures, and compliance guidance. In his current role, he has been instrumental in providing strategic counsel and thought leadership for the security and resilience of the power grid and has helped companies identify and understand emerging threats. Advising corporations throughout North America, Harrell has worked to increase physical and cybersecurity mitigation measures designed to deter, detect, and defend critical systems. Harrell is also a Senior Fellow at The George Washington University, Center for Cyber and Homeland Security (CCHS) where he serves as an expert on infrastructure protection and cybersecurity policy initiatives.

Prior to starting his own firm, Harrell was the Director of the North American Electric Reliability Corporation’s (NERC) Electricity Information Sharing and Analysis Center (E-ISAC) and was charged with leading NERC’s efforts to provide timely threat information to over 1900 bulk power system owners, operators, and government stakeholders. During his time at NERC, Harrell was also the Director of Critical Infrastructure Protection Programs, where he led the creation of the Grid Security Exercise, provided leadership to Critical Infrastructure Protection (CIP) staff, and initiated security training and outreach designed to help utilities “harden” their infrastructure from attack.

Prior to coming to the electricity sector, Harrell was a program manager with the Infrastructure Security Compliance Division at the U.S. Department of Homeland Security (DHS) where he specialized in securing high risk chemical facilities and providing compliance guidance for the Chemical Facility Anti-Terrorism Standards (CFATS). For nearly a decade of world-wide service, Harrell served in the US Marine Corps as an Infantryman and Anti-Terrorism and Force Protection Instructor, where he conducted threat and vulnerability assessments for Department of Defense installations.

Harrell has received many accolades for his work in critical infrastructure protection and power grid security, including awards from Security Magazine, CSO, AFCEA and GovSec. Harrell maintains the Certified Protection Professional (CPP) certification and holds a bachelor’s degree from Hawaii Pacific University, a master of education degree from Central Michigan University, and a master of homeland security degree from Pennsylvania State University.

The opinions expressed in this blog are those of Brian Harrell and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.