
Sign of the Times: Using Federal Law to Help Deter Substation Attacks
In the last issue of Utility Security Magazine, I mentioned a federal law that the United States has in place to combat attacks in the energy sector in my article on strategies to defeat copper theft in substations.
In this article, I’m going to use the theft triangle to show how this law (and a similar one in Canada) can be used to deter substation attacks and intrusions.
This is how it works: in the theft triangle, there are three elements at play: motive, opportunity and rationalization. (This triangle is also called the fraud triangle. It’s versatile and can be adapted to most forms of criminal activity.)
Motive is the reason the adversary has for the intrusion or attack. In theft, it could be money, or peer pressure. For radical gro…

Plan Your Path to Security Success: How Strategic, Tactical & Operational Planning are Essential to Creating a Strong Security Posture
President Eisenhower, the five-star general who commanded the largest invasion in history during World War II, stated, “In preparing for battle, I have always found that plans are useless, but planning is essential.”
This philosophy directly relates to utility security for two reasons:
Establishing a robust security posture is a complex issue that requires planning
Threats never materialize as planned
In today’s environment, maintaining a strong security posture is essential and effective planning is key to achieving it. However, there are a few obstacles that can hinder the creation of a strong security stance that you’ll need to address. First, recognize that planning is a thankless and time-consuming task that is unappreciated and un…

Will Your Critical Substation Survive an Attack (Part Two)
Ross Johnson Continues His Series on Substation Security with an Exploration into How to Develop a Valid Scenario that Helps You Plan to Stop Unacceptable Consequences
In the previous issue, we asked how you would know if your critical substation would survive an attack. (It might be a good idea to go back and re-read the column in the November 2024 issue of Utility Security magazine. You can read it at utilitysecurity.com.)
In this issue we will examine how a scenario is developed.
The first step is to assemble a vulnerability assessment (VA) team. An ideal team would include Security, Operations, Maintenance, Engineering, IT, OT, Networking, HR, Supply Chain and the responding law enforcement agency. If you have a third-party security sy…

Will Your Critical Substation Survive an Attack?
Will your critical substation survive an attack? How would you know?
We install security systems to protect our substations. Critical sites would likely include some kind of barrier, like a fence or a wall; a video surveillance system (VSS); an access control system, combining a locking mechanism with a card reader or PIN pad; lighting; a security monitoring center; and some kind of response force, such as a mobile patrol or police.
How do you know that they will work?
We commission systems after they are installed. We check that the fence was installed according to the contract. We examine the VSS cameras to see that they work by day and night and see where we want them to see. We visit the site at night to measure the amount of illuminat…

Danger from Above: The Time is Now to Address Drone Risks
It is not “if” but “when” a major and nefarious event happens involving Small Unmanned Aircraft (sUAS) like drones. There is a distinct lack of urgency across all levels of government about security, safety and emergency preparedness given the rise of drones and their rapidly maturing capabilities and demonstrated use cases. The question is: are we paying attention?
Look at the increasing news reports about how these platforms are disrupting security and safety almost daily. In 2023 alone, there was an uptick in these events. Look no further than the New Hampshire incident during which a private citizen decided to use a drone to drop feces and eggs on homeless encampments. Or look at how in New Jersey, a man decided to drop chemicals i…

Mastering the three “Cs” of Security: Clarity, Communication and Consistency
As the Assassination Attempt that happened on July 13th Demonstrated, a Failure of Clarity, Communication and/or Consistency Can Lead to Devastating Consequences. It’s Vital that Your Substation Security Strategy Offers Certainty in All Three Areas.
Albert Einstein once said, “Any fool can know. The point is to understand.” I often refer to this quote in the training programs I conduct because I believe it holds true for utility security in general, especially when it comes to effective substation security. That’s why my previous articles have focused on the more abstract aspects of substation security rather than specific issues like ballistic barriers, fencing or lighting. While we will cover those topics later, it’s important to first g…

The AI Push to Smart and Speedy Security
Threats of theft, vandalism and terrorism are a continual concern for those responsible for the security of the nation’s utilities. Regulations are becoming increasingly stringent, making perimeter security vital to maintaining safety, safeguarding assets, and ensuring business continuity. If critical assets are damaged or disabled, it can have a negative impact on the communities and businesses in the service area and may pose health and safety risks.
For regulated sites, perimeter security is critical to meeting strategic and compliance objectives. For example, guidelines for utilities from the North American Electric Reliability Corporation’s Critical Infrastructure Protection plan (NERC-CIP) state that site owners and operators must be…

Green Protection: Two Perspectives on How to Effectively Plan and Implement a Security Strategy for Renewable Energy Sources
Whether it’s solar, geothermal, wind or hydro, utilities are implementing more renewable energy generation sources than ever before. But with their rapid march toward these green energy sources come some new and distinct security challenges.
To learn about what risks to consider and strategies to implement, I had a conversation with Idaho National Laboratory’s Emma Mary Stewart, an expert in renewable energy and security, and Courtney Samp from Avangrid, a security strategy expert who helped coordinate a strategy for the third-largest renewables operator in the nation.
Along the way, they shared why we need to better assess vulnerabilities, why building strong relationships matters, how to address the threats of cyberattacks and much more…

Protecting Water Utilities from Drone Threats: Understanding the Steps of a Drone Security Methodology that Support the J100 framework
The small uncrewed aerial system (sUAS) ecosystem can seem overwhelmingly complex, but it doesn’t have to be that way. The wars in the Middle East, Nagorno Karabakh, Ukraine, and now Gaza have proven that we need to pay attention to the threat that drone technology poses to our critical infrastructure. The use cases of this evolution abound on social media, and events in the United States continue to show that it’s not a matter of “if” but “when” an event occurs.
Ukraine is the most prominent example of this evolution as we continue to see that drone technology is moving from battlefield application to critical infrastructure targets. This should concern the security professionals responsible for securing all of our key life systems to…

Know Your Diamonds from Your Pencils: Talking All Things Physical Security with SERC’s Travis Moran
Curtis Marquardt Jr.: Can you tell our readers more about your background and what you do for SERC Reliability Corporation?
Travis Moran: I began my career in law enforcement, first as an analyst with Interpol. After several years, I joined the U.S. State Department as a special agent, where I served for six-and-a-half years. I then spent 17 years at the Bureau of Alcohol, Tobacco, Firearms and Explosives dealing with violent crime, terrorism, bombs and murders.
Following my retirement in 2013, I joined Dominion Energy’s corporate security department. This tenure coincided with the aftermath of the Metcalf substation sniper attacks, which led to significant changes in physical security measures. Subsequently, I worked at NERC before comin…

Substation Security Challenges: The Importance of the Critical Decision Making Process
In my previous article, I discussed how dangerous unverified assumptions can be when it comes to substation security issues. Now, we will consider the impact of our decision-making process on substation security. Critical decision-making has nothing to do with “criticizing”. In critical decision-making, we’re using the third definition of “critical” in the Merriam-Webster Dictionary: “exercising or involving careful judgment or judicious evaluation”.
At first glance, critical decision-making appears to be a complicated, overly sophisticated, technical process. In reality, it’s a learnable skill that anyone can employ. However, the methodical application of a rigorous problem-solving approach does require focus and discipline, so it isn’t e…

Forging a Secure Tomorrow: Duke Energy’s Path to a More Resilient Future
There’s a great quote by Confucius that says: “Our greatest glory is not in never falling, but in rising every time we fall.” And it’s truly applicable for security professionals because no matter how much one plans, strategizes and fully commits to preventing an incident, along comes something that challenges those efforts in ways that can help an organization grow, evolve and achieve an even better security posture.
On Dec. 3, 2022, Duke Energy experienced a “something” in the form of an unprecedented and sophisticated attack on a low-level substation that knocked out power to more than 40,000 residents in Moore County, North Carolina. Remarkably, Duke Energy had the power back on to all residents only a few days after the attack, a test…

How ‘Global Weirding’ is Creating New Threats for Utility Security Professionals
If you search for “Andrew Bochman” on Amazon’s website, the first listing to appear is a book he co-authored about countering cyber sabotage. If you search his name on YouTube, you’ll find videos of him presenting on topics including managing risk and operational technology cybersecurity. Bochman dedicated much of his career to helping with the security and resiliency of utilities.
But as the years passed, he watched—along with the rest of us—climate event after climate event continuously wreak havoc on utilities. In bearing witness to those events, Bochman saw a threat so alarming that it inspired in him a new passion to educate and inform the industry about how to start planning today for the challenging days ahead. Some call it climate…

Partnering with Law Enforcement to Improve Bomb Threat Prevention and Response: A Conversation with the Office for Bomb Prevention’s Charles Leas
With attacks on utilities growing every year, it is more important than ever to have a sound bomb threat response program in place. A key element of that program is to work together with state and local law enforcement to establish lines of communication about potential threats as well as an effective response plan. Utility Security magazine’s Editor-in-Chief, Curtis Marquardt Jr., had a chance to sit down with the Office of Bomb Prevention’s Operations Chief, Charles Leas, to talk about how utilities can create or improve their bomb threat program.
Curtis Marquardt Jr.: At the time of this interview, it’s National Police Week. So, it’s great that Utility Security magazine gets to talk about the value of utilities par…

Threats on the Horizon: The Challenges of Securing the Nation’s Water Utilities and the Strategies to Overcome Them
As I sat down to write this article, the town of Flint, Michigan, popped into my head. For anybody who works in the water sector, the mere mention of Flint is likely to spark mental images of a water crisis, national news coverage, footage of angry citizens, and a glimpse into what the fallout from a water crisis looks like. And while Flint’s 2014 water management fiasco was not born from the impacts of a security breach, it certainly does forecast what could happen should a water utility suffer an attack that impairs its ability to deliver potable drinking water to its communities.
To paraphrase a line from the hit Broadway production “Hamilton,” the question of a future attack on a water utility that leads to a Flint-like crisis is not…

Are You Ready for a Drone Attack on Your Infrastructure?
In July 2020, someone fitted a DJI drone with two long ropes; each rope had a long copper wire tied to its end. That person then attempted to fly the drone into a substation in Pennsylvania. Through luck or perhaps operator error, the drone never reached the substation, instead crashing onto the roof of an adjacent building. But as the U.S. Department of Homeland Security reported, this effort was done with the intent to disrupt the grid. Since then, we’ve seen the use of drones in military conflicts overseas ramp up considerably, including an instance where Ukraine sent drones into Russia and used them to drop explosives on a substation.
The technology and innovation of drones are improving faster than ever before. Because of these…