Although it didn’t quite fit the FBI’s criteria for terrorism, a mysterious nighttime attack on an important Northern California substation two years ago was a wake-up call for the electric power industry. Someone using wire cutters and a rifle caused $15 million in damage and forced the substation out of service for nearly a month. Since this happened in the middle of the night when power demand was low, no homes or businesses were blacked out, but the chairman of the Federal Energy Regulatory Commission at the time characterized it as “the most significant incident” involving the power grid that had ever occurred.
The substation’s owner, Pacific Gas & Electric, conceded in a report to the California Public Utilities Commission that there were flaws in its preparedness and response, and added, “Given recent events and analysis, and the potential for malevolent actors to disrupt the electrical system, physical security for the electric grid is a significant concern.” One of the ten largest electric utilities in North America, PG&E has revealed plans to spend about $100 million through the end of 2017 to improve security at its power facilities.
A critical infrastructure protection (CIP) standard for physical security measures (CIP-014-1) developed by the North American Electric Reliability Corporation (NERC) and approved by the Federal Energy Regulatory Commission (FERC) went into effect on January 26 of this year, a reaction in part to the PG&E substation attack. The new standard mandates that private, public, and municipal electric utilities develop security plans for critical infrastructure locations and substations, including resiliency and security measures that deter, detect, delay, assess, communicate, and respond to physical threats and vulnerabilities.
The CIP specifically requires utilities to contact and coordinate their plans with law enforcement, and perhaps by association this should include collaboration with all state, county, and municipal governments that could potentially contribute to the effort.
What does this mean to government executives and security industry professionals? For some answers, I contacted David Karsch, global account manager at Honeywell Security Group, who works with global security organizations and IT teams.
“Regional and local government entities should reach out to the chief security officers of their local utilities, and work with them to understand their critical assets and any early warning systems they have in place,” Karsch advised. “Identify the assets that each entity has available and conduct periodic response drills. NERC recommends practice events once or twice a year. These may include participation by the FBI and the development of standard procedures to be followed in the event of an incident. Utilities and governments should not wait for an incident to happen. They should be proactively reaching out, making plans, and creating programs that are both scalable and sustainable.”
When integrating assets, it’s important to think about all the components holistically, Karsch advised.
“In general, regulators are looking for risk mitigation and sustainable programs that are going to work over the long term. Initially, they have instructed utilities to rank their assets as critical, medium, or low priority, based on location, power generation levels, and transmission capacity. In the past, smaller facilities often did not have a lot of security, other than locks on gates and doors. Now, utilities need to have more robust, integrated security systems. Some larger utilities may have 800 substations, and 15 percent of them will be critical. As many as 50 percent of them could be ranked medium or low, and never had any security before. There’s a huge movement underway to understand what utilities need to do at those stations to deter, detect, and delay people from penetrating them.”
Like the PG&E substation compromised in Northern California, some facilities are located in remote areas, and it might take some time for responders to arrive on scene. Net-centric technologies like video management systems (VMS), cameras, video analytics, and acoustic sensors can serve as a first line of defense.
“We’re also seeing utilities putting in more physical barriers and other measures to address multi-threat levels and provide early alerts,” Karsch added. “These may include protections against cyberattacks, physical alarms triggered by video analytics guarding a fence line, acoustic detection of sounds, and temperature sensors that watch for abnormal readings from power transformers. You can create more meaningful alerts if you coordinate the data from several systems, and determine that it’s not just a herd of deer that ran by a fence. When you get simultaneous alerts from two or three different sensors, you know you need to dispatch an armed response.”
Best practices in the utility industry now include geographic buffer zones and extra measures outside the usual perimeter, Karsch mentioned.
“To visualize this, draw a small square inside two larger rectangles. The square is a command center or secured building with card readers and electronic visitor logs in the building. This way, you protect communications and cyber assets with physical access control. There are not typically many visitors to substations, so any activity, especially at nighttime or on weekends, should be considered suspicious. The perimeter fence and access gate surround larger things like transformers, generators, and transmission lines, and those are watched by PTZ cameras, recorders, and analytics. Beyond that, we’re starting to see companies clear about 200 feet of trees and vegetation to establish a larger buffer zone equipped with thermal imaging cameras. If anyone approaches the outer zone, we get an initial warning, and if they get inside the fence, we’ll receive a more urgent alert.”
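The layered zones and multi-sensor correlation described above can be sketched as alert logic. This is an added example, not code from Honeywell or any utility; the zone names, sensor-type labels, 60-second window, and sample events are assumptions constructed for illustration, and "different sensors" is read here as different sensor types.

```python
from dataclasses import dataclass

# Layers from the article: cleared buffer zone, fenced perimeter, secured building.
ZONE_DEPTH = {"buffer": 1, "perimeter": 2, "building": 3}
LEVELS = ["none", "warning", "urgent", "dispatch"]

@dataclass(frozen=True)
class Event:
    ts: int      # seconds (constructed timestamps)
    sensor: str  # sensor type, e.g. "thermal", "video_analytics", "acoustic"
    zone: str    # key of ZONE_DEPTH

def classify(cluster):
    """Grade one cluster of near-simultaneous events."""
    sensors = {e.sensor for e in cluster}
    deepest = max(cluster, key=lambda e: ZONE_DEPTH[e.zone]).zone
    if len(sensors) >= 2:              # independent sensor types agree
        level = "dispatch"
    elif ZONE_DEPTH[deepest] >= 2:     # single sensor, but inside the fence
        level = "urgent"
    else:                              # single sensor in the outer buffer
        level = "warning"
    return level, deepest, sorted(sensors)

def assess(events, window_s=60):
    """Slide a time window over the events and return the worst cluster found."""
    events = sorted(events, key=lambda e: e.ts)
    best = ("none", None, [])
    for i, first in enumerate(events):
        cluster = [e for e in events[i:] if e.ts - first.ts <= window_s]
        result = classify(cluster)
        if LEVELS.index(result[0]) > LEVELS.index(best[0]):
            best = result
    return best

# Constructed sample event streams.
DEER = [Event(1000, "video_analytics", "buffer")]
FENCE = [Event(2000, "video_analytics", "perimeter")]
INTRUSION = [Event(3000, "thermal", "buffer"),
             Event(3020, "video_analytics", "perimeter"),
             Event(3045, "acoustic", "perimeter")]
# Two sensor types, but ten minutes apart: not correlated.
SPREAD = [Event(4000, "thermal", "buffer"), Event(4600, "acoustic", "buffer")]
```

A lone buffer-zone hit stays a warning, a lone hit inside the fence becomes urgent, and only agreement between sensor types inside the window escalates to dispatch.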
While expenses must always be considered, the $15 million in damage at the PG&E station demonstrates that these investments can be financially justified.
“Cameras are very cost-effective, and every critical substation should use analytics 100 percent of the time,” Karsch recommended. “Thermal imaging cameras can run $1,000 to $35,000, and video analytics can add $5,000 to a project. The idea is to create layers and barriers. In one situation, we used third-party radar at a critical substation that would have massive implications if it was pulled off the grid. Radar can distinguish a deer from a truck or a car, and with latitude and longitude coordinates we can also estimate whether a person or vehicle is a threat to the facility or just a kid joyriding on a four-wheeler. With IP cameras and Voice over IP intercoms, remote security personnel can make announcements such as ‘you are trespassing, please leave the area.’”
Honeywell, Karsch pointed out, is able to deliver complete end-to-end solutions to utilities that are similar to those used on military bases in harsh environments. All remote assets, including those from third parties, can be managed by a video management system and access control system to guard up to 400 substations from a single corporate command center.
Contributed by John Convy, Convy Associates, Washington, DC.