Are Assumptions Compromising Your Substation Security?

Written by Jim Willis, CMAS, CHS-V on February 29, 2024. Posted in Facilities Security.

How many substation security or protection articles have you started reading, assuming the subject was one thing, only to discover it was something else? The problem stems from the fact that there are multiple definitions for substation security and protection: one digital/data, one electrical and another physical.

When utility professionals hear “substation protection,” many immediately think about electrical protection. Circuit breakers, fuses and switchgear come to mind; some visualize coordination study time & current graphs. But as crucial as electrical protection is, it’s only one aspect of protection. Since engineers, operations and maintenance staff and security specialists share substation responsibilities, we’ll have a smoother conversation if we clarify the subject. So, for now, think of the physical aspects of substation protection and security.

Why the long-winded explanation and clarification of the topic? It illustrates the first of many challenges we’ll discuss as we go forward: assumptions. I could have assumed we were all on the same page, topic-wise, and that the definitions of substation security and protection were clear and jumped straight into the message. But in the physical security realm, assumptions are both vulnerabilities and challenges. For the utility professional with security responsibilities, substation protection and security are issues that are steadily becoming more urgent and challenging. We’ll begin tackling these challenges today and in upcoming issues.

Challenge One: Assumptions
Why on earth am I calling assumptions a challenge? Because they’re some of the most hideous and prevalent dangers we face. Significant consequential assumptions can be traced to every disaster, from the Titanic to the Columbia Space Shuttle. Assumptions cloud your judgment and ability to define problems clearly, and they produce a false sense of security. They leave gaps in our knowledge and defenses, allowing vulnerabilities and threats to remain unidentified and unaddressed. Assumptions can be personal or institutional, and once made, they have a gravitational pull that draws people to them, and that can be challenging to overcome. No matter the form, function or pull—from a security perspective—assumptions are problems.

Personal assumptions can circumvent your ability to process a situation objectively. We’re all prone to making assumptions, and making initial assumptions isn’t wrong. However, taking those assumptions as fact without follow-up verification is wrong. The idea of validating assumptions may seem trivial or even overkill, but effective security requires fact, not conjecture.

Let’s look at a real-world example of how easily assumptions can be misleading and need to be validated. Just before the COVID lockdown, I was called to a substation site to help investigate the most recent of several substation break-ins and copper thefts. The substation fronted a rural road with woods on one side and a field at the back and other side. When I arrived, the utility’s substation crew and security team were on-site, along with a fence repair contractor and a local deputy sheriff who was completing his write-up. After a quick walk-through briefing and a look at the cut in the woodside fence about 50 feet from the gate and control house, I asked a few clarifying questions to confirm what was known and what was being assumed.

Of several unverified assumptions that were revealed, two had an impact. One was an easy fix. When I asked if anyone had inspected the remaining fence line, the utility employees shrugged and shook their heads, and the deputy mumbled about wasting time and walked away. So, I checked the remaining fence line to confirm it was intact and found not one but two additional breach points. We soon realized that someone had entered the station multiple times using the adjacent field drive and these fence openings.

As you probably gathered, everyone at the site made assumptions. The substation crew was the first to arrive and made some reasonable assumptions. There’s nothing wrong with that. However, everyone else arriving on the scene took those assumptions as fact. And that was a problem.

The other assumption that impacted the investigation occurred well before the incident and was more challenging to resolve. The surveillance camera maintenance contractor had completed a software update months prior, and it was assumed that all was functioning correctly, but the utility didn’t verify that. When the technician completed the software update, he failed to reset the date and time stamps, which had all reverted to zero. So, when the recording was pulled up, the time stamps were off, which, it turns out, is a prosecutor’s nightmare and a defense attorney’s dream.

You may think this wouldn’t be a big deal in a simple copper theft investigation, but this incident had caused over a quarter of a million dollars in equipment damage. The failure to validate an assumption caused an easily correctable error to become a significant issue that took weeks to resolve and made prosecution much more difficult.

When it comes to security, validation is critical. You need to verify the who, what, when, where and why of every situation. This leaves little room for assumptions. The key is not to make or take assumptions at face value. Verify everything. Overcoming the tendency to rely on assumptions takes work, but it can be done.

Institutional assumptions can have a tremendous gravitational pull that may be difficult to break. And since most utilities outside the generation and bulk transmission community have minimal security-focused institutional history, their lack of relatable experience often creates assumption breeding grounds. The problem is the asymmetrical way assumptions are made. Many assumptions are derived from a lack of historical criteria; you see this in statements like “We’ve always done it that way” and “That’s never been a problem for us.” Other assumptions stem from a lack of understanding of the subject’s rigors, requirements and complexities. But the most problematic assumptions originate from institutional laziness; sometimes these require a pry bar to overcome.

Some of the most challenging and institutionally lazy assumptions revolve around notions that size matters to threat actors. The belief that only major utilities, generation facilities, high voltage transmission and bulk power substations need threat protection is prevalent throughout the industry. Assumptions of being “too small, remote or otherwise inconsequential to be targeted” can lead to a nonchalant attitude and weak security. However, most recent domestic terrorist attacks have focused on small and medium utility transmission and distribution assets, especially substations.

Institutional assumptions also center on vendor and contractor activity and expertise. It’s a common assumption that everyone working for a vendor or contractor is a security expert. Sadly, no. Almost every security-related enterprise will have the same number of experts, amateurs, saints and charlatans as every other industry. Expertise and work ethic become even more obscure with subcontractors in the mix.

As the earlier example shows, contractor- and vendor-related assumptions can crop up at any stage, from design and construction to operation and maintenance. During design and construction, a lack of familiarity with security-related materials and installation practices can lead to poor installation that weakens security. Contractors with subpar work ethics often take shortcuts that impact security measure effectiveness. Problems can be created that, once in place, aren’t discoverable until they fail to provide the expected protection. OK, I know you’ve never had a contractor or vendor take a shortcut or deliver less than promised, but it happens … to other people.

In reality, even the most diligent and dependable organization has employees who produce shoddy work or make honest mistakes that impact outcome integrity. But as the saying goes, paint and spackle cover a multitude of mistakes, sins and shortcuts. So, use the proven trust-but-verify strategy to mitigate contractor- and vendor-related assumptions. The extra monitoring and verification expense will pale in comparison to an assumption-based security failure. Remember, the stakes are too high to assume anything when it comes to substation security.

Dealing with Assumptions
Now that we understand the problem, how do we address it?

Realize assumptions are made every day by everyone.
It’s OK to make assumptions; it’s not okay to accept them as facts.
Assumptions take on myriad forms: some are personal, others institutional, some obvious, others subtle, but security-wise, all are problems.
Understand that assumptions have a strong gravitational pull that draws people to them. It’s your job to overcome the gravitational effects of assumptions.
When dealing with security contractors and vendors, take a trust-but-verify approach.

Assumptions can be significant substation security challenges. From the planning and design stage to operations and maintenance, unchecked assumptions can have a devastating impact. Remember that verification is a critical component of security, and assumption validation is a crucial part of the verification process.

It’s the security professional’s duty to be thorough, even when it seems silly or wasteful to others or suggests a lack of trust, and expect to be resented when you prove an assumption false. Still, it’s more important to be professional than popular.

About the Author: Jim Willis is president of InDev Tactical, a security training and consulting firm. He is an electrical engineer, an experienced utility professional, and a credentialed homeland security specialist and anti-terrorism expert. If you want to discuss utility-focused security training or consulting assistance, reach Jim at 703-623-6819 or jim.willis@indevtactical.net.

MARCH-APRIL 2024

Featured