Will Your Critical Substation Survive an Attack? (Part Four)
In the previous three issues, we asked how you would know if your critical substation would survive an attack. (It might be a good idea to go back and re-read the columns: PART 1 | PART 2 | PART 3) In this issue we will examine how we choose and test upgrades to the physical […]
Will Your Critical Substation Survive an Attack? (Part Three)
In the previous two issues, we asked how you would know if your critical substation could survive an attack. (If you haven’t already, it might be a good idea to revisit those columns.) In this issue, we examine how the scenario is used to test the physical protection system (PPS). The Vulnerability of Integrated Security […]
LiDAR & 3D Modeling: A Pathway to Smarter & More Precise Utility Security
Curtis Marquardt Jr.: Thanks for joining me today to talk about utility security, Martin! Can you tell our readers more about yourself? Martin Vojtek: Thank you. I am CEO of a company called Tacticaware, which became part of Hexagon in 2020. I’ve worked for more than 20 years in the security industry. My experience with […]
Crossed Wires: The GRC Gap Threatening Critical Infrastructure
Most of my focus these days centers on digital threats to key systems and ensuring that China is being removed from our fragile supply chain that we depend on every day in the energy sector. To be successful at this, the utility sector needs to invest heavily in cybersecurity threat hunting, open-source intelligence tools to […]
Substation Intrusion: Are You Ready To Response?
It’s 2 a.m. on Christmas morning. Your physical protection system (PPS) has detected movement outside the perimeter fence of your substation. The object identification technology in the video surveillance system (VSS) has identified the movement as human in nature, so it has alerted the security operations center (SOC). The SOC operator has assessed that there […]
Worlds Colliding: Why Physical and Cybersecurity Convergence Is Critical for Utility Protection
The utility sector stands at a crossroads. As critical infrastructure providers, utilities face an unprecedented convergence of physical and cyber threats that traditional siloed security approaches can no longer adequately address. The time has come for a fundamental shift toward integrated security operations that break down organizational barriers and create a unified defense against increasingly […]
Beyond the Meter: Cyber Mandates Reshape the Future of Utility Security
Let’s just call it what it is—cybersecurity is no longer the awkward sidekick in the corner of the boardroom whispering about “threat surfaces” and “zero trust.” Regulators have officially given it a bullhorn, a front-row seat and a stack of expectations tall enough to block the view of your latest digital transformation project. Federal regulators, […]
Key Strategies for Successful Security Meetings
I had the opportunity to talk with Burns Engineering’s security practice leader, René Rieder Jr., about his wealth of experience meeting with C-suite-level executives to discuss security strategies. During our discussion, he shared excellent insights on how executives can best reach security success by adopting key best practices and avoiding common pitfalls. CURTIS MARQUARDT JR.: […]
5 Questions with Joe Weiss
CURTIS MARQUARDT JR: Thanks for joining us, Joe! Can you tell our readers more about yourself and your utility security background. JOE WEISS: I have spent more than 50 years in the utility industry. I started as a nuclear engineer focusing on instrumentation, controls and equipment diagnostics for nuclear safety and reliability. I spent almost […]
From a Guessing Game to Real Data: How 3D Modeling, Digital Twins and Probabilistic Modeling Can Bring Clarity to Security Strategies
Securing a physical utility location takes a lot of work and a lot of imagination. Often, a strategy employed is to “think like your adversaries.” Where would they set up to shoot at a substation? Where would they most likely park their vehicle? What entry points would they consider the most advantageous to accomplishing their […]
Ross Johnson Continues and Closes His Insightful Series on Substation Protection
Will Your Critical Substation Survive an Attack? (Part Four)
In the previous three issues, we asked how you would know if your critical substation would survive an attack. (It might be a good idea to go back and re-read the columns: PART 1 | PART 2 | PART 3)
In this issue we will examine how we choose and test upgrades to the physical protection system (…
In the News
LiDAR & 3D Modeling: A Pathway to Smarter & More Precise Utility Security
Curtis Marquardt Jr.:
Thanks for joining me today to talk about utility security, Martin! Can you tell our readers more about yourself?
Martin Vojtek: Thank you. I am CEO of a company called Tacticaware, which became part of Hexagon in 2020. I’ve worked for more than 20 years in the security in…
Crossed Wires: The GRC Gap Threatening Critical Infrastructure
Most of my focus these days centers on digital threats to key systems and ensuring that China is being removed from our fragile supply chain that we depend on every day in the energy sector. To be successful at this, the utility sector needs to invest heavily in cybersecurity threat hunting, open-s…
Substation Intrusion: Are You Ready To Response?
It’s 2 a.m. on Christmas morning. Your physical protection system (PPS) has detected movement outside the perimeter fence of your substation. The object identification technology in the video surveillance system (VSS) has identified the movement as human in nature, so it has alerted the security operations center (SOC). The SOC operator has assessed that there are two men outside the fence with bolt cutters and backpacks. They are busy cutting through the chain-link fence. The operator concludes that an attack on the substation by two intruders is underway.
Now what?
Many security plans…
Worlds Colliding: Why Physical and Cybersecurity Convergence Is Critical for Utility Protection
The utility sector stands at a crossroads. As critical infrastructure providers, utilities face an unprecedented convergence of physical and cyber threats that traditional siloed security approaches can no longer adequately address. The time has come for a fundamental shift toward integrated securi…
Beyond the Meter: Cyber Mandates Reshape the Future of Utility Security
Let’s just call it what it is—cybersecurity is no longer the awkward sidekick in the corner of the boardroom whispering about “threat surfaces” and “zero trust.” Regulators have officially given it a bullhorn, a front-row seat and a stack of expectations tall enough to block the view of your latest…
Key Strategies for Successful Security Meetings
I had the opportunity to talk with Burns Engineering’s security practice leader, René Rieder Jr., about his wealth of experience meeting with C-suite-level executives to discuss security strategies. During our discussion, he shared excellent insights on how executives can best reach security succes…
5 Questions with Joe Weiss
CURTIS MARQUARDT JR:
Thanks for joining us, Joe! Can you tell our readers more about yourself and your utility security background.
JOE WEISS:
I have spent more than 50 years in the utility industry. I started as a nuclear engineer focusing on instrumentation, controls and equipment diagnostic…
Ross Johnson Continues and Closes His Insightful Series on Substation Protection
Will Your Critical Substation Survive an Attack? (Part Four)
In the previous three issues, we asked how you would know if your critical substation would survive an attack. (It might be a good idea to go back and re-read the columns: PART 1 | PART 2 | PART 3)
In this issue we will examine how we choose and test upgrades to the physical protection system (…
Will Your Critical Substation Survive an Attack? (Part Three)
In the previous two issues, we asked how you would know if your critical substation could survive an attack. (If you haven’t already, it might be a good idea to revisit those columns.)
In this issue, we examine how the scenario is used to test the physical protection system (PPS).
The Vulnera…
LiDAR & 3D Modeling: A Pathway to Smarter & More Precise Utility Security
Curtis Marquardt Jr.:
Thanks for joining me today to talk about utility security, Martin! Can you tell our readers more about yourself?
Martin Vojtek: Thank you. I am CEO of a company called Tacticaware, which became part of Hexagon in 2020. I’ve worked for more than 20 years in the security in…
Crossed Wires: The GRC Gap Threatening Critical Infrastructure
Most of my focus these days centers on digital threats to key systems and ensuring that China is being removed from our fragile supply chain that we depend on every day in the energy sector. To be successful at this, the utility sector needs to invest heavily in cybersecurity threat hunting, open-s…
Substation Intrusion: Are You Ready To Response?
It’s 2 a.m. on Christmas morning. Your physical protection system (PPS) has detected movement outside the perimeter fence of your substation. The object identification technology in the video surveillance system (VSS) has identified the movement as human in nature, so it has alerted the security op…
Worlds Colliding: Why Physical and Cybersecurity Convergence Is Critical for Utility Protection
The utility sector stands at a crossroads. As critical infrastructure providers, utilities face an unprecedented convergence of physical and cyber threats that traditional siloed security approaches can no longer adequately address. The time has come for a fundamental shift toward integrated securi…
Will Your Critical Substation Survive an Attack? (Part Four)
In the previous three issues, we asked how you would know if your critical substation would survive an attack. (It might be a good idea to go back and re-read the columns: PART 1 | PART 2 | PART 3)
In this issue we will examine how we choose and test upgrades to the physical protection system (PPS).
Upgrades
Our analysis in the previous issue has revealed two problems in the PPS: the video surveillance system (VSS) cannot cover the full fence line adequately because of the overgrown foliage, and the fence does not delay his progress for enough time to allow the police to arrive.
The team decides to re-run the analysis with two changes to the PPS: the foliage is trimmed back from the fence for three yards around the full perimeter, and the fence is replaced with an anti-cut, anti-climb fence rated for 15 minutes of delay.
We now insert the upgrades in the steps where they will have an impact, so the foliage clearing is in Step 2, and the upgraded fencing is in Step 3. Because the fencing is rated to add 15 minutes delay, we increase the Step Time for Step 3 to 900 seconds.
Step 1: No change from Base Case.
Step 2: With the foliage cleared, there is a High probability that the LVM operator will see the Adversary as he approaches the outside of the fence at the place where he plans to cut the hole. Considering the time of night the operator calls the police, and the 600-second response clock starts.
Step 3: It takes the Adversary 900 seconds to cut through the fence, which means that the police arrive 300 seconds before he completes the task. We can reasonably assume that they apprehend the Adversary, and the scenario ends. Because the probabilities of detection, assessment, engagement, and neutralization are all Very High in this step, and as the Step Score is the highest score on the step it also is Very High. As the Overall System Effectiveness (OSE) is the highest of the Step Scores, we can now rate it as Very High.
These upgrades are good for another reason: they keep the Adversary outside of the substation. Although we had assessed that Step 5 was the step that he absolutely has to be stopped before, in reality we should be trying to keep all adversaries out of substations. An intruder armed with explosives or a firearm is best handled outside the perimeter, before they get in amongst energized equipment.
The space available in this column dictates that we have to keep the scenario simple, but it still demonstrates how weaknesses and vulnerabilities in a PPS can be isolated and fixed. The AOO should follow this process for each of the vulnerabilities and weaknesses they have discovered, and when complete, make an informed decision on the risks they face and the cost of meeting those risks.
To answer the question posed in the title, we see that prior to the upgrade, the site was vulnerable to an attack, but after the upgrade, the site would probably be successful in repelling it – at least for the scenario in the example.
About Ross Johnson
Ross Johnson has over four decades of experience in all aspects of security management, including tenures as a professional security manager where he oversaw regulatory requirements, budgets, personnel shortages and an endlessly expanding threat portfolio.. Having spent much of his career in the high-impact/low-frequency quadrant, he now assists organizations by developing programs that help them define the appropriate level of attention and resourcing that their risks need. Johnson has worked in the electric sector since 2006 and held executive committee positions on NERC and Electricity Canada’s security and infrastructure protection committees, including representing Canada on the CIP-014 Standards Drafting Team. He is currently the chair of E-ISAC’s Physical Security Advisory Group and co-facilitates the DBT/VISA workshop for NERC’s E-ISAC. Reach him at ross@bridgeheadsecurity.com.
Step 1: No change from Base Case.
Step 2: With the foliage cleared, there is a High probability that the LVM operator will see the Adversary as he approaches the outside of the fence at the place where he plans to cut the hole. Considering the time of night the operator calls the police, and the 600-second response clock starts.
Step 3: It takes the Adversary 900 seconds to cut through the fence, which means that the police arrive 300 seconds before he completes the task. We can reasonably assume that they apprehend the Adversary, and the scenario ends. Because the probabilities of detection, assessment, engagement, and neutralization are all Very High in this step, and as the Step Score is the highest score on the step it also is Very High. As the Overall System Effectiveness (OSE) is the highest of the Step Scores, we can now rate it as Very High.
These upgrades are good for another reason: they keep the Adversary outside of the substation. Although we had assessed that Step 5 was the step that he absolutely has to be stopped before, in reality we should be trying to keep all adversaries out of substations. An intruder armed with explosives or a firearm is best handled outside the perimeter, before they get in amongst energized equipment.
The space available in this column dictates that we have to keep the scenario simple, but it still demonstrates how weaknesses and vulnerabilities in a PPS can be isolated and fixed. The AOO should follow this process for each of the vulnerabilities and weaknesses they have discovered, and when complete, make an informed decision on the risks they face and the cost of meeting those risks.
To answer the question posed in the title, we see that prior to the upgrade, the site was vulnerable to an attack, but after the upgrade, the site would probably be successful in repelling it – at least for the scenario in the example.
About Ross Johnson
Ross Johnson has over four decades of experience in all aspects of security management, including tenures as a professional security manager where he oversaw regulatory requirements, budgets, personnel shortages and an endlessly expanding threat portfolio.. Having spent much of his career in the high-impact/low-frequency quadrant, he now assists organizations by developing programs that help them define the appropriate level of attention and resourcing that their risks need. Johnson has worked in the electric sector since 2006 and held executive committee positions on NERC and Electricity Canada’s security and infrastructure protection committees, including representing Canada on the CIP-014 Standards Drafting Team. He is currently the chair of E-ISAC’s Physical Security Advisory Group and co-facilitates the DBT/VISA workshop for NERC’s E-ISAC. Reach him at ross@bridgeheadsecurity.com.
Will Your Critical Substation Survive an Attack? (Part Three)
In the previous two issues, we asked how you would know if your critical substation could survive an attack. (If you haven’t already, it might be a good idea to revisit those columns.)
In this issue, we examine how the scenario is used to test the physical protection system (PPS).
The Vulnerability of Integrated Security Analysis (VISA) methodology breaks the scenario into discrete steps and evaluates how likely the system is to detect, assess and stop the threat. Our scenario (outlined in the previous issue) is divided into steps, entered into a worksheet and timed accordingly.
Analysis
Step 1: This activity occurs outside the range of any security systems. The probability of detection and assessment is very low. Because the response force has not yet been called, the likelihood of engagement and neutralization is also very low. The step score, which defaults to the lowest probability value, is very low. Step 2: The video surveillance system (VSS) covers only a few yards beyond the perimeter. Due to foliage along the fence, the adversary is unlikely to be detected. Probabilities and the step score remain very low. Step 3: The adversary takes two minutes to cut through the fence. Because of existing cover, the VSS is unlikely to detect him, and the live video monitoring (LVM) operator is unlikely to assess that an attack is underway. Therefore, no call to police is made. We assess the probability of detection and assessment as low, and since the response force has not yet been activated, the probability of engagement and neutralization remains very low. Step score: very low. Step 4: The adversary is now seen by the LVM operator, who assesses that an attack is underway and calls police. The response clock starts. The police are 10 minutes (600 seconds) away. Step 5: This is a critical step, as the adversary must be stopped before placing the explosive. The LVM operator continues monitoring his progress. Probabilities of detection and assessment are very high, but since the police have not arrived, probabilities for engagement and neutralization remain very low. Step score: very low. At the end of this step, the police are 540 seconds away. Step 6: The adversary returns to the hole in the fence, remaining in view of the VSS. Probabilities and the step score are unchanged. The police are 520 seconds away. Step 7: The adversary crawls through the hole and exits the area. The police are 490 seconds away. The total attack time is 310 seconds — just over five minutes. When police do arrive, they will not enter the site until it is de-energized and cleared by the explosives ordnance disposal team. We assess a low probability that the adversary will be seen by the VSS during his departure. The step score reflects this. Step 8: Police have been on-site for 350 seconds when the explosive detonates, destroying the critical component. Because the adversary was never engaged or neutralized, the step scores never exceed very low. Overall system effectiveness — defined as the highest of the step scores — is also very low. Based on this scenario, we assess that the PPS is not capable of protecting the site. In the next issue of Utility Security, we’ll explore what PPS upgrades are necessary to defeat this type of threat. About Ross Johnson Ross Johnson has over four decades of experience in all aspects of security management, including tenures as a professional security manager where he oversaw regulatory requirements, budgets, personnel shortages and an endlessly expanding threat portfolio.. Having spent much of his career in the high-impact/low-frequency quadrant, he now assists organizations by developing programs that help them define the appropriate level of attention and resourcing that their risks need. Johnson has worked in the electric sector since 2006 and held executive committee positions on NERC and Electricity Canada’s security and infrastructure protection committees, including representing Canada on the CIP-014 Standards Drafting Team. He is currently the chair of E-ISAC’s Physical Security Advisory Group and co-facilitates the DBT/VISA workshop for NERC’s E-ISAC. Reach him at ross@bridgeheadsecurity.com.
Editor Curtis Marquardt sat down with Hexagon’s Martin Vojtek to Discuss How its LiDAR and 3D Modeling Technology is Helping Utilities Improve Their Security, Safety & Maintenance
LiDAR & 3D Modeling: A Pathway to Smarter & More Precise Utility Security
Curtis Marquardt Jr.:
Thanks for joining me today to talk about utility security, Martin! Can you tell our readers more about yourself?
Martin Vojtek: Thank you. I am CEO of a company called Tacticaware, which became part of Hexagon in 2020. I’ve worked for more than 20 years in the security industry. My experience with LidarVision began while delivering specific projects for our troops based on passive infrared detectors. The PIR detectors had addressable pins, so when intruders were nearby, we could determine their direction and rotate PTZ cameras toward them.
However, we couldn’t pi…
Crossed Wires: The GRC Gap Threatening Critical Infrastructure
Most of my focus these days centers on digital threats to key systems and ensuring that China is being removed from our fragile supply chain that we depend on every day in the energy sector. To be successful at this, the utility sector needs to invest heavily in cybersecurity threat hunting, open-source intelligence tools to give us a leg up when the feds are slow to share, and security information and event management (SIEM) platforms to better aggregate security information.
Often in these efforts, cybersecurity dominates the conversation. But I believe we can “walk and chew gum at the same time” and make sure that physical security efforts are equally addressed in these efforts.
For more than two decades, enterprises have leveraged advanced technology to automate IT governance, risk and compliance (GRC), ensuring regulatory adherence and safeguarding critical data. Yet when it comes to physical GRC—managing physical access reviews, recertifications and identity governance—many organizations still rely on manual processes that belong in the Stone Age.
This technological lag is particularly concerning as the threat landscape grows more complex and dynamic. Today’s adversaries adapt in real time, while many companies continue to operate with fragmented physical security frameworks, perpetuating silos between IT cybersecurity, physical security, and operational technology (OT) teams. These silos not only create inefficiencies but also increase the risk of security gaps that can be exploited.
The Importance of GRC
GRC is made up of deeply interconnected elements that together form the backbone of a robust security posture for organizations. Governance sets the strategic direction and policies for security; risk management identifies and mitigates potential threats to the enterprise; and compliance ensures that the organization meets external legal and regulatory requirements, as well as internal policies and standards. This synergy ensures that an organization’s security efforts are aligned with its business objectives, legal obligations and risk appetite.
The time to modernize is now. Organizations can no longer afford to treat physical security governance as an afterthought. Fortunately, the digital transformation wave—driven by the desire for security convergence, Artificial Intelligence (AI) excitement and increased regulatory pressures—presents an unprecedented opportunity to bridge these gaps. By integrating physical GRC into the broader IT and OT risk management ecosystem, enterprises can unlock holistic, real-time security capabilities. Automation in physical GRC means no more outdated, manual processes. Instead, we can leverage intelligent technologies to continuously validate access, manage risk dynamically and respond to threats faster.
Utilities operate at the heart of national security, economic stability and daily life. And yet, despite heavy investments in cybersecurity and compliance programs, many utilities are leaving themselves exposed to massive risk because they’re not addressing the gaps between physical access, identity governance, third-party risk management and regulatory compliance.
The truth is, failing to implement a modern physical governance, risk and compliance strategy is costing utilities millions in regulatory fines, operational disruption and potential reputational damage. Worse still, it’s opening the door to insider threats, sabotage and even coordinated attacks on critical infrastructure.
As we enter the AI era, integrating comprehensive cyber and physical security measures within the GRC framework is essential for modern organizations. By developing a holistic security strategy, implementing comprehensive risk assessments, enhancing incident response plans, ensuring regulatory compliance and promoting a culture of security awareness, organizations can effectively manage risks and uphold high standards of governance and compliance. As threats continue to evolve, these imperatives will help organizations stay resilient and secure in an increasingly complex security landscape.
Strategies That Lead to Better Resilience and Security
To overcome these challenges, organizations can adopt several strategies. Implementing a unified GRC platform can facilitate the integration of processes and data across governance, risk management and compliance functions, providing a holistic view of the organization’s cyber and physical security posture.
Additionally, establishing cross-functional teams can enhance communication and collaboration between departments, ensuring that GRC efforts are aligned and cohesive. Furthermore, ongoing training and awareness programs can help embed a culture of security throughout the organization, ensuring that all employees understand their role in supporting GRC objectives. With GRC software, companies can track resources, assess risks and implement policies based on real-time data, helping them make smarter decisions with confidence.
Features to Consider
As with every technology implementation, it’s important that you find a solution that aligns with your organizational needs. You’ll want to consider functionality that allows for:
- Automation for efficiency – The more you can remove the manual processes, the better
- Integration with existing systems – Application without communication leads to failure. Make sure you identify a platform that can “talk” to your existing systems.
- Ease of use – Complexity creates confusion and risk. Make sure your solution is something that your users can master using.
- Adoption of predictive analytics – By blending historical data, machine learning and statistical strategies, it gives your utility an edge to be ahead of the curve in identifying potential threats.
Substation Intrusion: Are You Ready To Response?
It’s 2 a.m. on Christmas morning. Your physical protection system (PPS) has detected movement outside the perimeter fence of your substation. The object identification technology in the video surveillance system (VSS) has identified the movement as human in nature, so it has alerted the security operations center (SOC). The SOC operator has assessed that there are two men outside the fence with bolt cutters and backpacks. They are busy cutting through the chain-link fence. The operator concludes that an attack on the substation by two intruders is underway.
Now what?
Many security plans instruct the operator to “call 911” at this point and leave it at that. They are assuming that the police will arrive and the intruders will either run away or be arrested.
It’s not that easy.
The issues the police need to know must be covered long before the emergency call goes in. How do we do this? We meet with local law enforcement agency (LEA) leadership to explain our needs and coordinate our activities.
First, they need to know how important our substations are to the community. We can tell them that they are critical infrastructure, but it helps if they know what that means. If substations are damaged, what is the potential impact? Would local hospitals, shopping centers or other public infrastructure be left without power? How many residences might go dark? What would the impact be, especially during peak power usage times? During very hot or very cold weather?
The police will need to know what the typical threats to a substation are: trespassing, vandalism, theft of metals such as copper and aluminum, firearm attacks and sabotage. You should share details of recent attacks on substations in the area.
You know which of your substations are the most important, and you must share this information with the police. They need to know which substations have the greatest impact on the community for their own planning.
Discussions should include the need for elevated responses for gunfire or explosion reports; intrusions at high-voltage or transmission substations; and multiple intrusions across sites, as this suggests a coordinated attack.
If your procedures include dispatching a mobile patrol from a security company to assess the situation prior to calling 911, the police need to know so they don’t confuse the mobile patrol with the intruders.
You should explain that we don’t usually know the motive for the intrusion until after the damage is done, so any intrusion should be treated as a high-priority call due to public safety and grid stability risks.
In preparation for the meeting, you should be ready to give them maps or GPS coordinates for all your substations. Tell them what the best access routes are, any lock or gate systems, and who holds keys and access codes.
You should ask them if they use a mapping application called what3words. If they do, then give them the substation location data using that system. It allows much more precise description and coordination of staging areas, rendezvous points and gates. As of March 2025, more than 4,800 911 emergency coordination centers in the U.S. and Canada have access to what3words via integration partners RapidSOS and CAD providers. (For more information, visit what3words.com. If you aren’t using what3words, you should consider it.)
Tell the police the types of alarms you use, such as motion, infrared or gunshot detection. What does the security monitoring center see? What is the process they follow to assess an intrusion and verify that it is a security event?
Is it possible to give the police real-time access to your camera feeds? How can you facilitate this?
Do you expect the police to enter the site? Most police departments will refuse to enter an energized substation, so you will need an internal procedure to deenergize a site. Who is involved? How will you make the decision to deenergize the site in the middle of the night? Who needs to be involved? How will you contact them?
A good way to structure the discussion is through scenarios. Walk through typical intrusion scenarios with the police and both sides will learn what the other needs.
One of the most important pieces of information you can get from the police is how long they expect it to take to respond to a security event at a substation. This information is important to the design of a site’s PPS, as it tells you how long your perimeter barriers will have to delay the intruders. This brings us to the 911 call. The 911 operator is your connection to the police response. If the SOC operator doesn’t convey the importance of the substation and the danger that an intrusion poses to both the intruders and public safety, there is a risk that the incident will be logged and treated as a simple trespassing. With that assumption can come a long police response time. Talk to the police about what language the operator needs to use to ensure a priority response, and create scripts for your SOC operators to ensure that nothing is missed. Several years ago, I was part of a substation security workshop in a small town in the Pacific Northwest. Besides the leadership from the local Public Utility District (PUD), participants included five members of the local police department and two people from the town emergency management department. At the beginning of the workshop, the police estimate for the response time to the site we were using as a training aid was 12 minutes. By the end of the workshop, the police, emergency management and PUD personnel had sat down together and coordinated their information requirements, response protocols and identified the substation information to be preloaded into the 911 system. This effort reduced the response time to only five minutes. Good outcomes follow detailed preparation, coordination and unimpeded communication between the utility and the police. It all starts with a meeting. About Ross Johnson: Ross Johnson has over four decades of experience in all aspects of security management, including tenures as a professional security manager where he oversaw regulatory requirements, budgets, personnel shortages and an endlessly expanding threat portfolio. Having spent much of his career in the high-impact/low-frequency quadrant, he now assists organizations by developing programs that help them define the appropriate level of attention and resourcing that their risks need. Johnson has worked in the electric sector since 2006 and held executive committee positions on NERC and Electricity Canada’s security and infrastructure protection committees, including representing Canada on the CIP-014 Standards Drafting Team. He is currently the chair of E-ISAC’s Physical Security Advisory Group and co-facilitates the DBT/VISA workshop for NERC’s E-ISAC. He is also a Senior Fellow at Electricity Canada, and advises them on security and emergency management. Reach him at ross@bridgeheadsecurity.com.
One of the most important pieces of information you can get from the police is how long they expect it to take to respond to a security event at a substation. This information is important to the design of a site’s PPS, as it tells you how long your perimeter barriers will have to delay the intruders. This brings us to the 911 call. The 911 operator is your connection to the police response. If the SOC operator doesn’t convey the importance of the substation and the danger that an intrusion poses to both the intruders and public safety, there is a risk that the incident will be logged and treated as a simple trespassing. With that assumption can come a long police response time. Talk to the police about what language the operator needs to use to ensure a priority response, and create scripts for your SOC operators to ensure that nothing is missed. Several years ago, I was part of a substation security workshop in a small town in the Pacific Northwest. Besides the leadership from the local Public Utility District (PUD), participants included five members of the local police department and two people from the town emergency management department. At the beginning of the workshop, the police estimate for the response time to the site we were using as a training aid was 12 minutes. By the end of the workshop, the police, emergency management and PUD personnel had sat down together and coordinated their information requirements, response protocols and identified the substation information to be preloaded into the 911 system. This effort reduced the response time to only five minutes. Good outcomes follow detailed preparation, coordination and unimpeded communication between the utility and the police. It all starts with a meeting. About Ross Johnson: Ross Johnson has over four decades of experience in all aspects of security management, including tenures as a professional security manager where he oversaw regulatory requirements, budgets, personnel shortages and an endlessly expanding threat portfolio. Having spent much of his career in the high-impact/low-frequency quadrant, he now assists organizations by developing programs that help them define the appropriate level of attention and resourcing that their risks need. Johnson has worked in the electric sector since 2006 and held executive committee positions on NERC and Electricity Canada’s security and infrastructure protection committees, including representing Canada on the CIP-014 Standards Drafting Team. He is currently the chair of E-ISAC’s Physical Security Advisory Group and co-facilitates the DBT/VISA workshop for NERC’s E-ISAC. He is also a Senior Fellow at Electricity Canada, and advises them on security and emergency management. Reach him at ross@bridgeheadsecurity.com.
Will Your Critical Substation Survive an Attack? (Part Four)
In the previous three issues, we asked how you would know if your critical substation would survive an attack. (It might be a good idea to go back and re-read the columns: PART 1 | PART 2 | PART 3)
In this issue we will examine how we choose and test upgrades to the physical protection system (…
Will Your Critical Substation Survive an Attack? (Part Three)
In the previous two issues, we asked how you would know if your critical substation could survive an attack. (If you haven’t already, it might be a good idea to revisit those columns.)
In this issue, we examine how the scenario is used to test the physical protection system (PPS).
The Vulnera…
LiDAR & 3D Modeling: A Pathway to Smarter & More Precise Utility Security
Curtis Marquardt Jr.:
Thanks for joining me today to talk about utility security, Martin! Can you tell our readers more about yourself?
Martin Vojtek: Thank you. I am CEO of a company called Tacticaware, which became part of Hexagon in 2020. I’ve worked for more than 20 years in the security in…
Crossed Wires: The GRC Gap Threatening Critical Infrastructure
Most of my focus these days centers on digital threats to key systems and ensuring that China is being removed from our fragile supply chain that we depend on every day in the energy sector. To be successful at this, the utility sector needs to invest heavily in cybersecurity threat hunting, open-s…
Will Your Critical Substation Survive an Attack? (Part Four)
In the previous three issues, we asked how you would know if your critical substation would survive an attack. (It might be a good idea to go back and re-read the columns: PART 1 | PART 2 | PART 3)
In this issue we will examine how we choose and test upgrades to the physical protection system (…
Will Your Critical Substation Survive an Attack? (Part Three)
In the previous two issues, we asked how you would know if your critical substation could survive an attack. (If you haven’t already, it might be a good idea to revisit those columns.)
In this issue, we examine how the scenario is used to test the physical protection system (PPS).
The Vulnera…
LiDAR & 3D Modeling: A Pathway to Smarter & More Precise Utility Security
Curtis Marquardt Jr.:
Thanks for joining me today to talk about utility security, Martin! Can you tell our readers more about yourself?
Martin Vojtek: Thank you. I am CEO of a company called Tacticaware, which became part of Hexagon in 2020. I’ve worked for more than 20 years in the security in…
Crossed Wires: The GRC Gap Threatening Critical Infrastructure
Most of my focus these days centers on digital threats to key systems and ensuring that China is being removed from our fragile supply chain that we depend on every day in the energy sector. To be successful at this, the utility sector needs to invest heavily in cybersecurity threat hunting, open-s…