Know Your Diamonds from Your Pencils: Talking All Things Physical Security with SERC’s Travis Moran

Curtis Marquardt Jr.:
Can you tell our readers more about your background and what you do for SERC Reliability Corporation?

Travis Moran:
I began my career in law enforcement, first as an analyst with Interpol. After several years, I joined the U.S. State Department as a special agent, where I served for six-and-a-half years. I then spent 17 years at the Bureau of Alcohol, Tobacco, Firearms and Explosives dealing with violent crime, terrorism, bombs and murders.

Following my retirement in 2013, I joined Dominion Energy’s corporate security department. This tenure coincided with the aftermath of the Metcalf substation sniper attacks, which led to significant changes in physical security measures. Subsequently, I worked at NERC before coming to SERC, where I currently provide outreach training and education on security and reliability.

SERC covers the southeastern and central U.S., encompassing 17 states and a population of approximately 93 million.

Curtis Marquardt Jr.:
That’s quite a résumé. So, let’s talk about physical security. You mentioned the Metcalf substation attack and its impacts on the industry. As you are aware, physical attacks on utilities are on the rise, which is really pushing utility security professionals to adapt to that increasing risk. From your viewpoint as a physical security expert, what do utilities need to do to be ready for the increase in physical attacks?

Travis Moran:
Ballistic attacks continue to be very impactful throughout the nation on our infrastructure, particularly some of our critical assets. So, we need to understand and think more holistically about how to deal with and understand the threat posture. From the recent incidents we have seen, we are seeing that our adversaries are learning and evolving. But that’s always the case, right?

The key is to apply risk-based approaches to our critical assets. What happened in Moore County, North Carolina, in 2022 was just the beginning. Our adversaries are not only targeting the large entities but the small ones now as well. It’s important for all utilities, big or small, to understand what their diamonds—or critical facilities—are. Because even if you don’t have a really big critical facility, the loss of a smaller one can impact life-sustaining entities like hospitals, government facilities, fire, EMS dispatch and so on which is a diamond for them.

So, in understanding the threat picture, it will help us tier and rank our facilities so we know which ones to protect the most and that are the most impactful. I like to say you have to know your diamonds from your pencils. It’s a simple analogy, but one that works quite well.

Curtis Marquardt Jr.:
It does feel like the Moore County attack really underlined the fact that every utility is at risk and that no utility should view itself as too small to be attacked.

Earlier you mentioned that you do outreach training for SERC, teaching physical security concepts. What are some physical security concepts that utility security professionals are really good at? On the flip side, what are some areas you feel utilities should start focusing on more?

Travis Moran:
We’re really good at knowing our technologies. Whether it’s access control, fencing, camera systems or so on, there are really bright people who know how to maximize those solutions. I think there is really good collaboration between the entities, integrators and manufacturers to better equip utilities with what specifically aligns with their needs. And I also know we are getting better about communicating with each other and sharing information.

But again, we have to pivot back to the question of, can we do better? And although I might risk sounding like a broken record, the way utilities can get better is to get a better holistic understanding of their diamonds and pencils. It’s the best pathway toward improvement.

Curtis Marquardt Jr.:
I’ve been asking people in the industry about the best solution to protecting substations, and the answer I get most often is, “It’s complicated.” What do you feel are the best security practices and strategies to make an organization’s substation a less desirable target?

Travis Moran:
Beyond the risk-based approach to protection, I think electric utilities really need to provide protection in depth. And if it’s a diamond you are protecting, you try to put more resources into protecting those. And when you add depth, what you are really also achieving is adding time to the detect, delay, assess, communicate, respond process.

The ideal first goal is to deter by making your facility so undesirable that the adversaries will want to go somewhere else. That’s a win. But again, it takes some understanding of what your adversaries want to achieve to get to that point.

The Electricity Information Sharing Analysis Center (E-ISAC) has a great program that they teach called Vulnerability of Integrated Security Analysis (VISA) that has a really great process for understanding your assets and threats. SERC pivots off of that with what we call SERC University whereby we train on physical security for utilities using a building block approach all the way up so you first understand your threats, understand your assets, implement the technologies and test those technologies and mitigation techniques using the VISA process. The building block approach is key as we first want to level set with regard to skills, understand their true threat, mitigation tools that they can use against the threat, then test the mitigations they employed for effectiveness – all within the confines of the Critical Infrastructure Protection (CIP) Standards. We like to highlight in our course that although the CIP Standards may not apply to every entity, they do provide an excellent framework to help increase the security of your facilities and system.

Curtis Marquardt Jr.:
Attacks that are making the recent national news involve adversary nations that are hacking into utilities via information technology components. As convergence grows, where do you see the changes happening in the physical space to prevent remotely triggered physical attacks via IT/OT connections?

Travis Moran:
The world is heading toward convergence. On the physical side, outside of some simple padlocks, it is more and more likely that most every device comes with some Internet of Things or IoT component. I like to say to people we teach at our physical security workshop class that every cyber incident has a physical manifestation. I have people looking back at me cockeyed when I say that. But the truth is, somewhere the malware had to be written. The malware had to be injected somehow, whether somebody put a drive in or somebody hit send on a keyboard.

So, it’s imperative that physical security and cybersecurity are brought together and understand each other in ways that, if something happens, there are protocols and procedures that impact both. Some smaller utilities don’t have cybersecurity. Some don’t have a dedicated physical security staff either. They may just have an IT department for cyber and one person wearing four or five different hats that is in charge of emergency response. Even in those instances, they have to find ways to work together.

One of the best ways to accomplish that is doing tabletop exercises to help both areas understand where those gaps are.

Curtis Marquardt Jr.:
On that topic, what changes are needed in laws and regulations to better empower critical infrastructure to guard against attacks?

Travis Moran:
After the Moore County attack, FERC directed NERC to do a reevaluation of its specific physical security standards, the CIP-14 standard. That process is still going on. Overall, the risk assessment process requirement within the standard is appropriate, but they wanted to look at how the initial assessment of applicable facilities might need to be refined. However, the risk-based approach—which is part of that particular standard—is still appropriate because every facility and the environment they operate in is different.

It may sound like a cop-out to say this, but it’s not: utilities need to have some flexibility in designing their physical security protection plans because it’s not a one-size-fits-all solution for everybody. You can’t say everybody has to have fiber-optic networked cameras at every substation throughout the system because that would just be unreasonable for several reasons. So, that flexibility to know their system and design appropriate protection measures for those facilities is built into the standard.

I have seen state commissions, utility commissions and county commissioners take a greater interest since the Moore County attack to see what more they can do from the distribution-level assets piece of it. Overall, it’s a complicated system, but a brilliant one as well.

Curtis Marquardt Jr.:
So I want to stay on this topic, but drill down to a specific threat which is drones. Where do you see the changes in laws or regulations heading there?

Travis Moran:
So let me go back a bit to answer this question. Back in 2016, the FAA Extension Safety & Security Act was passed into law and within that was a provision called section 2209 which specifically enumerated the FAA was going to develop a process for certain covered facilities of which energy was a part of. The plan was to have a process for those entities to be able to apply for and get flight restrictions around their identified facilities. For a lack of a better term, the can has been kicked down the road and now it’s 2024.

Recently, in May 2024, the FAA Reauthorization Act of 2024 was passed and signed into law. In that is section 929, which reinvigorated section 2209 from the 2016 Act. So, they’re going to put out a notice of proposed rulemaking (NOPR) soon and, in that, it’s probably going to entail the process for applying and it’s going to define unmanned aircraft flying restrictions around certain levels of transmission and generation facilities. By levels, I mean there will probably be a total megawatt threshold for generation facilities to be applicable, and probably a kilovolt threshold for transmission facilities.

However, it will not provide any sort of mitigation ability whatsoever. A new bill was just introduced in Congress in May 2024 regarding mitigation authorities, but that’s going to be complicated and who knows how long it’ll take. But this new section 929 will at least be a tool in the toolbox of an electric utility. So, if they have a facility that meets the required thresholds, it would be designated as a facility that unmanned aircraft are not allowed to fly around if applied for and accepted under the program.

That would then most likely appear in the FAA’s “B4UFLY” application and the drone operator would be notified electronically that they are not allowed to fly around that facility. There’s lots of issues with it including questions about whether or not it could be enforced. But it’s the beginning of a tool and a process. When it comes out, our industry really needs to read through it and comment on it because our infrastructure and needs are obviously very complicated. The FAA is all about the safety of the air space and DHS is about security of infrastructure, but neither are specifically understanding of all of the nuances of electricity security.

So, I urge all those in the industry to make sure we ingest this NOPR and comment on it, because they will read it. They will pay attention to what we say.

Curtis Marquardt Jr.:
So let’s shift to the topic of renewables. Many organizations are moving full steam ahead on solar, wind and so on. What new or different physical security challenges come with that shift to inverter-based resources?

Travis Moran:
These resources are coming online fast and furious. Being able to manage the security on them comes in a wave of different modalities. Protecting them is interesting. Say for example you’re an entity that is getting ready to put in a 5,000 acre solar farm. How do you protect that? What’s your fence cost going to look like? And it’s a lot of generation. It’s a lot of megawatts. So, if it is a diamond for that organization, they’re going to need a lot of security by design – which simply means having security’s input at the very beginning.

Even if you put up a fence around 5,000 acres, you need to think about it’s not just a one-time capital expenditure. There are ongoing maintenance costs. Are you going to have cameras? Do you have fiber that is out there to bring the data back from the cameras? Are you just going to put some goats in there to handle the grass maintenance and leave it? It’s divergent and it really comes down again to a risk-based approach and each company’s individual philosophy. I caution those to make sure that they look forward and see what sort of levels of generation or transmission they will be creating because you don’t want to be behind the curve on CIP Standards if you start hitting levels that require greater security considerations.

Curtis Marquardt Jr.:
I just attended ISC West a couple months ago. The amount of technology choices that a utility physical security professional can use is overwhelming. And it’s growing. What technologies do you see as most impactful in physical security efforts and what new and emerging technologies are you most excited about?

Travis Moran:
For me, it’s ground-based robotics. I know there’s some utilities piloting these things and I cannot wait to see the results. These ground-based robots are going to be impactful. They never sleep. As long as the sensors and the technologies are working, they can respond. Your personnel are safe because the robots can go right up and confront and do things like video-based talk downs. As long as they get the bugs worked out on the geospatial stuff (go/no go areas), they will be very reliable solutions.

Curtis Marquardt Jr.:
Let’s talk about theft. More than a billion dollars of copper is stolen every year alone, and that does not factor in the costs of replacement. What are some best practices or strategies you’d recommend to utilities to better deter theft attempts?

Travis Moran:
I know I’ve kind of beat it into the ground, but it goes back to the risk-based approach. You have got to know your facilities and their value. If you have the facility that is in a high crime, high transient area and you’re having repeated thefts of copper and break-ins, you have to make that decision about whether or not you want to upgrade your fencing. Now, everything can be defeated, but upgraded fencing may add enough delay to allow for effective law enforcement or security response.

But you can also do simple things like take criminal draws away from your spaces. For example, don’t put a porta potty outside your fence line or even inside your fence line because potential thieves will see it as a place to use the restroom, but then, while there, will look at your facility a little closer than they might would have if not drawn in to use that porta potty. Don’t make it a crime of opportunity.

Another tip is to keep your facilities clean. Don’t have stuff laying around. Don’t have vehicles that look like they are sitting there unattended to. Don’t leave spools of copper or other construction materials laying out in the open. Vegetation management is also very important because it gets rid of places to hide or easier access in.

Sometimes, we see pallets stacked outside of a substation fence which essentially is gifting a would-be thief a makeshift staircase up and over the fence. Look, I get it. Operations professionals are taxed with a lot of work these days and a lot of the work might be done by contractors. But these little things do matter and it really falls on the organization to have a culture of clean, maintained and secure facilities.

Curtis Marquardt Jr.:
I end every interview with a “crystal ball” question as it is vital for utility security professionals to work to be ahead of the next threat. So, I’ll ask you to look into the future 5 or 10 years from now and tell me what you think or hope you’ll see in the world of physical security at utilities. What changes do you see? What new threats?

Travis Moran:
On the threat side, the IED drone improvised explosive device threat, especially the first person view (FPVs) that we’re seeing overseas, is something that is really concerning. Those things can fly 100 to 150 miles an hour right up to a facility, which is way too fast for any detection measures to be effective. The ballistic ground-based threats will always be persistent just because of the way that our infrastructure is set up and where it’s located.

So, on a more optimistic note, the emergence of artificial intelligence and its ability to predict and use AI and machine learning to be able to better respond is very exciting. And, as I mentioned prior, I’m excited about the future of robotics and where it is heading in terms of the response.

Curtis Marquardt Jr.:
Thanks so much for your time today, Travis! Can you let our readers know how they might participate in the training that you all offer at SERC?

Travis Moran:
Certainly! It’s called SERC University and you can learn more about it at sercuniversity.org. If you’re looking to learn about what the individual CIP standards are or other operations and planning pieces, there are a lot of options for you. We also offer an on-site in-person physical security workshop where we come to your organization and teach a building-block approach to physical security including methodologies, technologies, techniques, the standards that apply to them and how all of that is interwoven into a physical security program.

We also teach design-basis threat and the VISA process—as well as tour the facility to show learners what a true threat vulnerability assessment should look like.
