In the previous two issues, we asked how you would know if your critical substation could survive an attack. (If you haven’t already, it might be a good idea to revisit those columns.) In this issue, we examine how the scenario is used to test the physical protection system (PPS). The Vulnerability of Integrated Security Analysis (VISA) methodology breaks the scenario into discrete steps and evaluates how likely the system is to detect, assess and stop the threat. Our scenario (outlined in the previous issue) is divided into steps, entered into a worksheet and timed accordingly. An…

Most of my focus these days centers on digital threats to key systems and ensuring that China is being removed from our fragile supply chain that we depend on every day in the energy sector. To be successful at this, the utility sector needs to invest heavily in cybersecurity threat hunting, open-source intelligence tools to give us a leg up when the feds are slow to share, and security information and event management (SIEM) platforms to better aggregate security information. Often in these efforts, cybersecurity dominates the conversation. But I believe we can “walk and chew gum at the s…

It’s 2 a.m. on Christmas morning. Your physical protection system (PPS) has detected movement outside the perimeter fence of your substation. The object identification technology in the video surveillance system (VSS) has identified the movement as human in nature, so it has alerted the security operations center (SOC). The SOC operator has assessed that there are two men outside the fence with bolt cutters and backpacks. They are busy cutting through the chain-link fence. The operator concludes that an attack on the substation by two intruders is underway. Now what? Many security plans…

The utility sector stands at a crossroads. As critical infrastructure providers, utilities face an unprecedented convergence of physical and cyber threats that traditional siloed security approaches can no longer adequately address. The time has come for a fundamental shift toward integrated security operations that break down organizational barriers and create a unified defense against increasingly sophisticated adversaries. The Evolving Threat Landscape Today’s threat actors don’t distinguish between physical and cyberattack vectors—they exploit whatever pathway offers the greatest opport…

Let’s just call it what it is—cybersecurity is no longer the awkward sidekick in the corner of the boardroom whispering about “threat surfaces” and “zero trust.” Regulators have officially given it a bullhorn, a front-row seat and a stack of expectations tall enough to block the view of your latest digital transformation project.  Federal regulators, including the National Institute of Standards and Technology (NIST), the North American Electric Reliability Corporation (NERC), the U.S. Department of Energy (DOE) and the U.S. Environmental Protection Agency (EPA), are sending an unmistakabl…

I had the opportunity to talk with Burns Engineering’s security practice leader, René Rieder Jr., about his wealth of experience meeting with C-suite-level executives to discuss security strategies. During our discussion, he shared excellent insights on how executives can best reach security success by adopting key best practices and avoiding common pitfalls. CURTIS MARQUARDT JR.: Let’s talk about what C-suite and other leaders need to do during security meetings to be successful. First, let’s start with the bad. What are the most common missteps or unproductive strategies you have seen f…

CURTIS MARQUARDT JR: Thanks for joining us, Joe! Can you tell our readers more about yourself and your utility security background. JOE WEISS: I have spent more than 50 years in the utility industry. I started as a nuclear engineer focusing on instrumentation, controls and equipment diagnostics for nuclear safety and reliability. I spent almost 15 years at the Electric Power Research Institute (EPRI) managing multiple control systems programs. In 2000, I helped start the control system cybersecurity program for the electric utilities.  I was the managing director of the international…

I’m a panelist on an online monthly forum that is focused on safety—and sometimes security—in the utility industry. During the July session, someone asked what utilities are doing to prevent employees from being identified and harassed through trolling tactics such as stalking, swatting and doxing. The discussion offered few effective methods for minimizing threats and improving employee anonymity. Today, I want to expand on the conversation and introduce a solid approach for reducing the targeting and harassment of utility employees and their families. One option discussed during the s…

Way back on August 1, 1981, MTV launched its cable channel with the music video “Video Killed the Radio Star.” The concept of the video’s title proved to be true, as the channel soon became a pop culture phenomenon, creating music stars from videos that started out with simplistic production and evolved into movie-sized, multimillion-dollar creative projects. Gone were the days when music stars were made through radio airplay. The entire industry shifted to a new strategy that focused on the changing media consumption habits of its customers. It’s often shocking how quickly and massively i…

When a physical security incident is reported to your organization, where does that information go? What data is collected? What consistent factors, if any, are identified and documented? I encourage you to reflect on your own business practices and think about the data you can extract from the incidents reported. Is it organized? Is it clear? Is it meaningful? Incident tracking practices vary drastically across organizations. Some may take a less structured approach and manually log incidents with no consistent format or formal follow-up process. Others may use an incident management syst…

Although the framework of operational competence had been in place for decades, its use as a gauge of organizational strength in the utility sector began to gain traction in the 1970s. Over the decades, the focus and benchmarks of operational competence have changed dramatically, but it’s still missing one core element: utility security. So, what is Operational Competence? You won’t find an official definition, but you’ll see the term used in financial documents, regulatory filings, board reports, operational bulletins, statutory guidance documents and other materials where an understand…

The Security Industry Association (SIA) will host its Perimeter PREVENT security event this June at the National Housing Center in Washington, D.C. The event will focus on providing insights into critical issues relating to physical perimeter defense for critical infrastructure, public events, government facilities and beyond. The symposium will bring together policymakers, federal agency personnel, architects, engineers and security solution providers for a full day of educational sessions and networking opportunities. In addition to covering protective design strategies from the Cyber…

Ahead of my interview with Dominic Dillon, I visited the 3B Protection website and clicked on the section detailing how its products support utility security. I scrolled down the page to read the list. Then I scrolled down again. It struck me: This is a company that understands the depth and variety of safety and security threats utilities must address. During our conversation, I learned more about the evolving technology that is making barriers, walls and gates even more secure. We also discussed how a joint effort with Convergint is helping utilities reduce the cost of installing additio…

Infrared technology has long been viewed as a solution that allows utilities to see beyond haze and fog for security applications. However, as more utilities look for ways to expand the use cases for security solutions, many are now applying the technology to monitor assets like substations and transformers — spotting signs of overheating or other indicators of malfunction. At Convergint’s annual Unite event, I had the chance to speak with Jen Hones and Steve Sinclair about how thermal camera technology can help prevent wildfires, reduce maintenance costs and make remote locations more sec…