Skip to main content

LOOKING FOR SOMETHING?

Infrastructure Security Archive



Will Your Critical Substation Survive an Attack? (Part Four)

In the previous three issues, we asked how you would know if your critical substation would survive an attack.  (It might be a good idea to go back and re-read the columns: PART 1 | PART 2 | PART 3) In this issue we will examine how we choose and test upgrades to the physical protection system (PPS). Upgrades Our analysis in the previous issue has revealed two problems in the PPS: the video surveillance system (VSS) cannot cover the full fence line adequately because of the overgrown foliage, and the fence does not delay his progress for enough time to allow the police to arrive. The team decides to re-run the analysis with two changes to the PPS: the foliage is trimmed back from the fence for three yards around the full perimeter, and the…
Ross Johnson

Will Your Critical Substation Survive an Attack? (Part Three)

In the previous two issues, we asked how you would know if your critical substation could survive an attack. (If you haven’t already, it might be a good idea to revisit those columns.) In this issue, we examine how the scenario is used to test the physical protection system (PPS). The Vulnerability of Integrated Security Analysis (VISA) methodology breaks the scenario into discrete steps and evaluates how likely the system is to detect, assess and stop the threat. Our scenario (outlined in the previous issue) is divided into steps, entered into a worksheet and timed accordingly. Analysis Step 1: This activity occurs outside the range of any security systems. The probability of detection and assessment is very low. Because the response f…

Crossed Wires: The GRC Gap Threatening Critical Infrastructure

Most of my focus these days centers on digital threats to key systems and ensuring that China is being removed from our fragile supply chain that we depend on every day in the energy sector. To be successful at this, the utility sector needs to invest heavily in cybersecurity threat hunting, open-source intelligence tools to give us a leg up when the feds are slow to share, and security information and event management (SIEM) platforms to better aggregate security information. Often in these efforts, cybersecurity dominates the conversation. But I believe we can “walk and chew gum at the same time” and make sure that physical security efforts are equally addressed in these efforts.  For more than two decades, enterprises have leveraged adv…

Substation Intrusion: Are You Ready To Response?

It’s 2 a.m. on Christmas morning. Your physical protection system (PPS) has detected movement outside the perimeter fence of your substation. The object identification technology in the video surveillance system (VSS) has identified the movement as human in nature, so it has alerted the security operations center (SOC). The SOC operator has assessed that there are two men outside the fence with bolt cutters and backpacks. They are busy cutting through the chain-link fence. The operator concludes that an attack on the substation by two intruders is underway. Now what? Many security plans instruct the operator to “call 911” at this point and leave it at that. They are assuming that the police will arrive and the intruders will either run awa…

Worlds Colliding: Why Physical and Cybersecurity Convergence Is Critical for Utility Protection

The utility sector stands at a crossroads. As critical infrastructure providers, utilities face an unprecedented convergence of physical and cyber threats that traditional siloed security approaches can no longer adequately address. The time has come for a fundamental shift toward integrated security operations that break down organizational barriers and create a unified defense against increasingly sophisticated adversaries. The Evolving Threat Landscape Today’s threat actors don’t distinguish between physical and cyberattack vectors—they exploit whatever pathway offers the greatest opportunity for disruption. Utilities present particularly attractive targets due to their critical role in society and the cascading effects that successful…

Every Incident Tells a Story—Are You Listening?

When a physical security incident is reported to your organization, where does that information go? What data is collected? What consistent factors, if any, are identified and documented? I encourage you to reflect on your own business practices and think about the data you can extract from the incidents reported. Is it organized? Is it clear? Is it meaningful? Incident tracking practices vary drastically across organizations. Some may take a less structured approach and manually log incidents with no consistent format or formal follow-up process. Others may use an incident management system (IMS) or ticketing tool to capture several required details. In each case, there is opportunity to transform and adapt these practices to produce stra…

Sign of the Times: Using Federal Law to Help Deter Substation Attacks

In the last issue of Utility Security Magazine, I mentioned a federal law that the United States has in place to combat attacks in the energy sector in my article on strategies to defeat copper theft in substations. In this article, I’m going to use the theft triangle to show how this law (and a similar one in Canada) can be used to deter substation attacks and intrusions.  This is how it works: in the theft triangle, there are three elements at play: motive, opportunity and rationalization. (This triangle is also called the fraud triangle. It’s versatile and can be adapted to most forms of criminal activity.) Motive is the reason the adversary has for the intrusion or attack. In theft, it could be money, or peer pressure. For radical gro…

Plan Your Path to Security Success: How Strategic, Tactical & Operational Planning are Essential to Creating a Strong Security Posture

President Eisenhower, the five-star general who commanded the largest invasion in history during World War II, stated, “In preparing for battle, I have always found that plans are useless, but planning is essential.” This philosophy directly relates to utility security for two reasons:  Establishing a robust security posture is a complex issue that requires planning Threats never materialize as planned In today’s environment, maintaining a strong security posture is essential and effective planning is key to achieving it. However, there are a few obstacles that can hinder the creation of a strong security stance that you’ll need to address. First, recognize that planning is a thankless and time-consuming task that is unappreciated and un…
Ross Johnson

Will Your Critical Substation Survive an Attack (Part Two)

Ross Johnson Continues His Series on Substation Security with an Exploration into How to Develop a Valid Scenario that Helps You Plan to Stop Unacceptable Consequences In the previous issue, we asked how you would know if your critical substation would survive an attack. (It might be a good idea to go back and re-read the column in the November 2024 issue of Utility Security magazine. You can read it at utilitysecurity.com.) In this issue we will examine how a scenario is developed. The first step is to assemble a vulnerability assessment (VA) team. An ideal team would include Security, Operations, Maintenance, Engineering, IT, OT, Networking, HR, Supply Chain and the responding law enforcement agency. If you have a third-party security sy…
Ross Johnson

Will Your Critical Substation Survive an Attack?

Will your critical substation survive an attack? How would you know? We install security systems to protect our substations. Critical sites would likely include some kind of barrier, like a fence or a wall; a video surveillance system (VSS); an access control system, combining a locking mechanism with a card reader or PIN pad; lighting; a security monitoring center; and some kind of response force, such as a mobile patrol or police. How do you know that they will work? We commission systems after they are installed. We check that the fence was installed according to the contract. We examine the VSS cameras to see that they work by day and night and see where we want them to see. We visit the site at night to measure the amount of illuminat…

Danger from Above: The Time is Now to Address Drone Risks

It is not “if” but “when” for a major and nefarious event happens involving Small Unmanned Aircraft (sUAS) like drones. There is a distinct lack of urgency across all levels of government about security, safety and emergency preparedness given the rise of drones and their rapidly maturing capabilities and demonstrated use cases. The question is: are we paying attention? Look at the increasing news reports about how these platforms are disrupting security and safety almost daily. In 2023 alone, there was an uptick in these events. Look no further than the New Hampshire incident during which a private citizen decided to use a drone to drop feces and eggs on homeless encampments. Or look at how in New Jersey, a man decided to drop chemicals i…

Mastering the three “Cs” of Security: Clarity, Communication and Consistency

As the Assassination Attempt that happened on July 13th Demonstrated, a Failure of Clarity, Communication and/or Consistency Can Lead to Devastating Consequences. It’s Vital that Your Substation Security Strategy Offers Certainty in All Three Areas. Albert Einstein once said, “Any fool can know. The point is to understand.” I often refer to this quote in the training programs I conduct because I believe it holds true for utility security in general, especially when it comes to effective substation security. That’s why my previous articles have focused on the more abstract aspects of substation security rather than specific issues like ballistic barriers, fencing or lighting. While we will cover those topics later, it’s important to first g…
Person Classified at Fence Line

The AI Push to Smart and Speedy Security

Threats of theft, vandalism and terrorism are a continual concern for those responsible for the security of the nation’s utilities. Regulations are becoming increasingly stringent, making perimeter security vital to maintaining safety, safeguarding assets, and ensuring business continuity. If critical assets are damaged or disabled, it can have a negative impact on the communities and businesses in the service area and may pose health and safety risks. For regulated sites, perimeter security is critical to meeting strategic and compliance objectives. For example, guidelines for utilities from the North American Electric Reliability Corporation’s Critical Infrastructure Protection plan (NERC-CIP) state that site owners and operators must be…

Green Protection: Two Perspectives on How to Effectively Plan and Implement a Security Strategy for Renewable Energy Sources 

Whether it’s solar, geothermal, wind or hydro, utilities are implementing more renewable energy generation sources than ever before. But with their rapid march toward these green energy sources come some new and distinct security challenges.  To learn about what risks to consider and strategies to implement, I had a conversation with Idaho National Laboratory’s Emma Mary Stewart, an expert in renewable energy and security, and Courtney Samp from Avangrid, a security strategy expert who helped coordinate a strategy for the third-largest renewables operator in the nation.  Along the way, they shared why we need to better assess vulnerabilities, why building strong relationships matter, how to address the threats of cyberattacks and much more…

Protecting Water Utilities from Drone Threats: Understanding the Steps of a Drone Security Methodology that Support the J100 framework

The small uncrewed aerial system (sUAS) ecosystem can seem overwhelmingly complex, but it doesn’t have to be that way. The wars in the Middle East, Nagorno Karabakh, Ukraine, and now Gaza have proven that we need to pay attention to the threat that drone technology poses to our critical infrastructure. The use cases of this evolution are abound on social media and events in the United States continue to show that it’s not a matter of “if” but “when” an event occurs.  Ukraine is the most prominent example of this evolution as we continue to see that drone technology is moving from battlefield application to critical infrastructure targets. This should concern the security professionals responsible for securing all of our key life systems to…
Know your Diamonds from your pencils

Know Your Diamonds from Your Pencils: Talking All Things Physical Security with SERC’s Travis Moran

Curtis Marquardt Jr.: Can you tell our readers more about your background and what you do for SERC Reliability Corporation.? Travis Moran: I began my career in law enforcement, first as an analyst with Interpol. After several years, I joined the U.S. State Department as a special agent, where I served for six-and-a-half years. I then spent 17 years at the Bureau of Alcohol, Tobacco, Firearms and Explosives dealing with violent crime, terrorism, bombs and murders. Following my retirement in 2013, I joined Dominion Energy’s corporate security department. This tenure coincided with the aftermath of the Metcalf substation sniper attacks, which led to significant changes in physical security measures. Subsequently, I worked at NERC before comin…
Critical Decision Making Progress - Substation Security

Substation Security Challenges: The Importance of the Critical Decision Making Process

In my previous article, I discussed how dangerous unverified assumptions can be when it comes to substation security issues. Now, we will consider the impact of our decision-making process on substation security. Critical decision-making has nothing to do with “criticizing”. In critical decision-making, we’re using the third definition of “critical” in the Merriam-Webster Dictionary: “exercising or involving careful judgment or judicious evaluation”. At first glance, critical decision-making appears to be a complicated, overly sophisticated, technical process. In reality, it’s a learnable skill that anyone can employ. However, the methodical application of a rigorous problem-solving approach does require focus and discipline, so it isn’t e…
Duke article illustration

Forging a Secure Tomorrow: Duke Energy’s Path to a More Resilient Future

There’s a great quote by Confucius that says: “Our greatest glory is not in never falling, but in rising every time we fall.” And it’s truly applicable for security professionals because no matter how much one plans, strategizes and fully commits to preventing an incident, along comes something that challenges those efforts in ways that can help an organization grow, evolve and achieve an even better security posture. On Dec. 3, 2022, Duke Energy experienced a “something” in the form of an unprecedented and sophisticated attack on a low-level substation that knocked out power to more than 40,000 residents in Moore County, North Carolina. Remarkably, Duke Energy had the power back on to all residents only a few days after the attack, a test…
infrastructure-security-july-article

How ‘Global Weirding’ is Creating New Threats for Utility Security Professionals

If you search for “Andrew Bochman” on Amazon’s website, the first listing to appear is a book he co-authored about countering cyber sabotage. If you search his name on YouTube, you’ll find videos of him presenting on topics including managing risk and operational technology cybersecurity. Bochman dedicated much of his career to helping with the security and resiliency of utilities. But as the years passed, he watched—along with the rest of us—climate event after climate event continuously wreak havoc on utilities. In bearing witness to those events, Bochman saw a threat so alarming that it inspired in him a new passion to educate and inform the industry about how to start planning today for the challenging days ahead. Some call it climate…

Partnering with Law Enforcement to Improve Bomb Threat Prevention and Response: A Conversation with the Office for Bomb Prevention’s Charles Leas

  With attacks on utilities growing every year, it is more important that ever to have a sound bomb threat response program in place. A key element to that program is to work together with state and local law enforcement to establish lines of communication about potential threats as well as establishing an effective response plan. Utility Security magazine’s Editor-in-Chief, Curtis Marquardt Jr., had a chance to sit down with the Office of Bomb Prevention’s Operation’s Chief, Charles Leas, to talk about how utilities can create or improve their bomb threat program.  Curtis Marquardt Jr.: At the time of this interview, it’s National Police Week. So, it’s great that Utility Security magazine gets to talk about the value of utilities par…