• United States



Director, Critical Infrastructure Protection Programs, North American Electric Reliability Corp. (NERC)

Grid security insights for 2017: Pressure mounts to prevent physical attacks

Dec 12, 20166 mins
Critical InfrastructureIT SkillsPhysical Security

The new year will bring security challenges and its share of opportunities.

‘Tis the season for predictions! As we close out 2016 and look forward to 2017, it seems appropriate to pause a moment and provide some grid security predictions for the new year. Predictions based on trends, insight, and understanding can arm security programs with the knowledge needed to test policies, exercise physical protection systems, and allocate corporate funds for resources. Physical security anxieties for the power grid are not going away anytime soon, so let’s start to “read the writing on the walls” and get ahead of this critical topic.

A fresh new year is an opportunity to reflect on the path recently traveled, and to strategize on how to navigate the road in front of us. While a new presidential administration will certainly dictate philosophies and set the regulatory course, it is safe to say that no administration will tolerate a prolonged blackout due to a grid security event. In order to keep the confidence of the new President and the American people, utilities must keep their foot on the gas pedal and make the needed investments and upgrades to their physical security programs. As we finalize capital budgets and acquire resources for the new year, here are a few considerations utility security professionals should consider.


While the NERC CIP-014 physical security standard will target approximately 1,000 to 1,500 critical substations across North America, protections to non-CIP-014 transmission sites will continue to be a focus for the industry. As new substations are built and introduced into the bulk power system, security protections will be implemented as a forethought and not a “bolt on” after the fact. The utility industry must understand that any substation, high voltage transformer, or other equipment being shot at or subject to physical attack will be propelled into media scrutiny and a utility’s reputational risk could be altered. As a result, substations that don’t meet the criteria for CIP-014 compliance, but are system or business critical, will start to receive threat and vulnerability assessments and added security mitigation measures designed to deter, detect, and delay potential attackers.

Drones, or whatever they’re called…

Unmanned Aerial Systems (UAS), quad-copters, or more commonly known as drones, will continue to provide useful situational awareness information during response and recovery operations after storms, earthquakes, and floods. Unfortunately, with the good comes the bad. Security professionals are mindful of the nefarious scenarios where a drone could be the vehicle in which to drop a pipe bomb or other explosive device into a substation or generating plant.

As quality drones become cheaper, more common, and increase their payload lift ability, these ‘tools’ could be used to inflict damage on critical infrastructure. Utilities have begun to address the potential threat by deploying frequency jamming security systems. Unfortunately, owners and operators of infrastructure sites don’t own the airspace above, so when a “hobbyist’s” drone is driven into the ground by anti-drone technology, the utility will likely be liable for damages. Utilities should monitor and be mindful of local drone laws and Federal Aviation Administration (FAA) operator rules.

Are we allowed to talk about Generation sites yet?

The discussion will begin about better protecting non-nuclear generation plants from physical attack. In the event that a fossil or hydro plant is attacked in the United States, a major knee-jerk reaction would be felt throughout the country and new legislation would be introduced. Given the reaction after a 2013 substation shooting in California, where FERC mandated a physical security standard (CIP-014) be created, it can be reasonably assumed that similar rules would be forced onto the industry if a major attack occurs at a power generation station.

In the aftermath of such an attack, very difficult questions will be directed towards industry executives as to why utilities do not have current physical security standards in place for generation. In the short term, utilities will consider how to “harden” their sites with improved perimeter security, access control, and video monitoring. These very basic steps can lead to becoming a hard target.

Security convergence

The natural gravitation towards security convergence and the integration of all security disciplines has already begun. Convergence can be defined as the integration of logical security, information security, operational security, physical security, and business continuity. Considering the various types of security threats (terrorism, identity theft, data breaches, insider threats, etc.), one side of the security spectrum simply cannot protect an organization to its greatest potential.

While utilities remain effective at addressing traditional threats such as severe weather, vegetation management, and routine transmission disruptions, the evolving nature of physical, cyber and OT security is creating challenges that many companies are grappling with to ensure the resilience of their operations. An interconnected grid that incorporates computing, communications, markets and physical assets unfortunately presents potential attackers with opportunities that require a holistic approach to security.

Momentum of the Chief Security Officer

Grid security has received more attention in the last several years and organizations have realized that they lack a designated individual with the appropriate authority to carry out the security responsibilities of a utility. Enter the modern utility Chief Security Officer (CSO). The CSO is chief advocator, prognosticator, and crisis manager. The duties of the CSO have dramatically changed with the introduction of targeting electric infrastructure for attack, the advancement and reliance on cyber systems, and the job of ensuring compliance with the NERC CIP Standards.

Likely the biggest responsibility is to create and foster a program that helps manage reputational risk. The modern CSO is business savvy and fully understands the impact that security has with respect to “keeping the lights on”, business resiliency, and regulatory compliance.

A rising tide lifts all boats

Investor owned utilities (IOU), with help from industry trade associations, will continue to push the industry towards greater physical security protections at critical sites. As smaller municipal utilities and rural cooperatives see the protections being put in place by larger utilities, it will naturally force these utilities to invest in similar protections. These smaller utilities have security in place, but they struggle to bring the same amount of resources or a comparable security budget to the table. Soon, all utilities will be discussing the implementation of concrete perimeter walls, ballistic protections, and gunshot detection systems, and not just a select few.

Facing uncertainty is something security professionals deal with on a regular basis. How vulnerable are you, really? What is the likelihood of a successful attack? Unfortunately, these uncertainties can be placed into two buckets, “known unknowns” and “unknown unknowns”. Let’s hope that 2017 isn’t consumed by the latter.

Head over to Facebook to comment on this story.


Brian Harrell is a nationally recognized expert on critical infrastructure protection, continuity of operations, and cybersecurity risk management. Harrell is the President and Chief Security Officer at The Cutlass Security Group, where he provides critical infrastructure companies with consultation on risk mitigation, protective measures, and compliance guidance. In his current role, he has been instrumental in providing strategic counsel and thought leadership for the security and resilience of the power grid and has helped companies identify and understand emerging threats. Advising corporations throughout North America, Harrell has worked to increase physical and cybersecurity mitigation measures designed to deter, detect, and defend critical systems. Harrell is also a Senior Fellow at The George Washington University, Center for Cyber and Homeland Security (CCHS) where he serves as an expert on infrastructure protection and cybersecurity policy initiatives.

Prior to starting his own firm, Harrell was the Director of the North American Electric Reliability Corporation’s (NERC) Electricity Information Sharing and Analysis Center (E-ISAC) and was charged with leading NERC’s efforts to provide timely threat information to over 1900 bulk power system owners, operators, and government stakeholders. During his time at NERC, Harrell was also the Director of Critical Infrastructure Protection Programs, where he led the creation of the Grid Security Exercise, provided leadership to Critical Infrastructure Protection (CIP) staff, and initiated security training and outreach designed to help utilities “harden” their infrastructure from attack.

Prior to coming to the electricity sector, Harrell was a program manager with the Infrastructure Security Compliance Division at the U.S. Department of Homeland Security (DHS) where he specialized in securing high risk chemical facilities and providing compliance guidance for the Chemical Facility Anti-Terrorism Standards (CFATS). For nearly a decade of world-wide service, Harrell served in the US Marine Corps as an Infantryman and Anti-Terrorism and Force Protection Instructor, where he conducted threat and vulnerability assessments for Department of Defense installations.

Harrell has received many accolades for his work in critical infrastructure protection and power grid security, including awards from Security Magazine, CSO, AFCEA and GovSec. Harrell maintains the Certified Protection Professional (CPP) certification and holds a bachelor’s degree from Hawaii Pacific University, a master of education degree from Central Michigan University, and a master of homeland security degree from Pennsylvania State University.

The opinions expressed in this blog are those of Brian Harrell and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.