Substation Security Challenges: Conducting Threat Assessments
Utility security expert Jim Willis explains why the only path to effective substation security involves a thorough and thoughtful threat assessment.
The Greek historian and general Thucydides stated, “Hope is an expensive commodity. It makes better sense to be prepared.” This statement is as true today as it was 2,500 years ago.
For utility security professionals, this maxim speaks to the nonchalant attitude toward substation and infrastructure security that many of us have or face from within our organization.
But hope is not a defense. We face serious threats that require serious responses. Regardless of location, size or organizational makeup, the threats we face are growing in intensity and sophistication. Some of these evolving threats can be traced to shifts in population and migration trends, which have introduced an array of new dangers and hazards into our service areas. Many within this new populace have unrealistic service and support expectations, and some harbor activist worldviews that see utilities as adversaries to be confronted, maligned and attacked. Other perils stem from threat actors emerging from an increasingly radicalized society and media-incited violence; the list goes on and on.
The reality is that we face a growing number of threats with limited resources. This reality presents the challenge of optimizing protection with continually restrained response capabilities. Our job as security professionals is to identify and focus our resources on the most significant and potent threats. Conducting a threat assessment is the most effective method of identifying and classifying what risks to mitigate and where to expend our resources.
A threat assessment clarifies and focuses our efforts and is the basis for effective planning. The result is better utilization of our limited time and financial resources.
Starting the security enhancement process without conducting a threat assessment is like building a house without blueprints. It can be done, but it will waste a lot of time, energy and resources. The results are always less than ideal and seldom candidates for the best design of the year. Without a comprehensive threat assessment, you will not know if your efforts and expenditures have actually changed the threat landscape. The problem is that, unlike a house you build without plans, where the results are easy to see, the results of poorly planned and implemented security enhancements remain unknown until they’re tested through a real-time critical event where failure can have lethal consequences.
Conducting a threat assessment isn’t an easy task. It’s a significant undertaking and an all-around thankless endeavor. It takes time and focus, and the effort will be largely unappreciated. However, it will pay tremendous resource allocation dividends and significantly improve protection.
The decision to tackle a threat assessment can be overwhelming and somewhat intimidating, and it may be a task you want to hand off to a vetted security consultant. A thorough threat assessment requires detailed investigation and analysis that take a tremendous amount of time and focus, so give serious consideration to handing this task off to outside resources.
A threat assessment begins by examining company-wide threats and then continually sharpens its focus to a specific site and entity. The company-wide assessment looks at generalized threats that can impact the organization. This macro-level assessment will identify and classify non-targeted threats, including random acts of violence and unfocused threats that can impact the utility.
The macro-level assessment will identify the assets likely to be targeted by threat actors. These assets then become the focus of individual site- and entity-specific assessments. And yes, each critical asset (i.e., substation, critical infrastructure device, facility, individual structure, group or key individual) should be the focus of an asset-specific threat assessment. Now you can see the time-consuming reality of conducting a comprehensive threat assessment.
On a side note, if you’re facing a threat situation at a specific location against a particular asset, you can start with the asset-specific assessment and work back to the macro-level effort later.
So, what types of threats need to be considered during a threat assessment? Three types of threats can impact a utility: consequential, indirect and direct. Each threat type can potentially damage utility assets.
- Consequential threats arise from perils in other areas or against other entities.
- Indirect threats are collateral hazards created by non-focused, unintentional threats.
- Direct threats are intentional, focused dangers aimed at the utility.
Though distinctly different, consequential and indirect threats can overlap.
Consequential threats typically originate from social, geopolitical or other public sector issues. These include socially motivated instability and violence, as well as radical responses to societal issues. Even if the utility is not the specific target, such events create collateral threats that still pose significant risks to the utility.
Indirect threats are non-focused threats to utility assets. This threat group includes natural hazards, environmental disaster threats, and geographic threats such as droughts, earthquakes, extreme temperatures, floods, forest fires, hailstorms, karst/sinkholes, landslides, mine/land subsidence, severe storms, severe winter storms and tornadoes. Indirect threats are area- and site-specific and will vary widely in scope. For example, I have clients in the Pacific Northwest who must consider the potential impacts of being in an active volcano region and others in the Southeast where karst or sinkholes present real threats.
Direct threats are intentional threats directed at any class of utility asset. These are the threats that we typically think of when discussing threats. And just like consequential and indirect threats, the types and origins of direct threats are vast and varied. The goal of the threat assessment is to identify and focus on the most significant ones. The threat assessment will identify threat specifics such as the threat actor or source, provocation, resources, opportunity potential, probability, impact, duration and response.
A Threat Assessment Is a Four-Step Process
The first step is to identify, inventory and prioritize critical assets. Critical assets include anything of significant value or importance to the organization, such as people, information, facilities, high-value equipment, materials and infrastructure. Some critical assets are easy to identify (e.g., employees, offices, operation centers, substations). Others, like a remote repeater tower or a strategic infrastructure junction, may not come to mind as quickly.
Each asset must be evaluated to determine its place in our asset priority ranking system. This ranking is accomplished by evaluating each asset against criticality, impact and vulnerability criteria. Several assessment methodologies can be applied to this process. Some are excellent, some are adequate, and some are, for various reasons, less than adequate.
The excellent methodologies are comprehensive and easy to understand, employ and explain. The adequate ones get the job done but can be complex and less user-friendly. The inadequate ones are convoluted, complicated and render unsatisfactory results that are difficult to process or explain. We’ll take a closer look at some of these methodologies in a future article.
The second step is identifying and characterizing threat sources (i.e., our adversary). As stated earlier, some threat sources are natural hazards and phenomena that create unintentional threats. However, the consequences of an unintentional threat can be just as severe and devastating as the outcome of a targeted threat.
Other threat sources are malicious actors targeting other entities whose actions create a spillover threat to our assets. These spillover threats are typically due to proximity, similarity or locality. And though we may not be the intended target, collateral damage is still damage, and a collateral threat is still a threat.
The last threat source is the most common and disconcerting of the three. These are threat actors who are focused on us and whose intention is to attack us. This group includes anyone who presents a direct threat of harm or exploitation to our assets, such as criminals, disgruntled employees, emotionally engaged people, terrorists and so on.
The third step in the assessment process is determining the specific threat means, methods and mechanisms. Once we’ve identified the threat source (adversary), we can extrapolate how the attack would occur. This challenges us to think like the assailant, something that’s easier said than done. Thinking like a “bad guy” requires a different mindset and moral frame of reference. You have to seriously consider how you would hurt someone or damage something.
This bad-guy mindset shift requires you to seriously consider the hows, whys and wheres of taking irrational actions, inflicting intentional harm or exploiting vulnerable assets without moral restraint or regard for the consequences. Some find thinking this way difficult and disturbing, so take the exercise seriously and don’t stay down the rabbit hole too long. Better yet, hand this off to someone who’s practiced and perfected the approach.
The value of this exercise is that it will identify asset vulnerabilities and security gaps, which can be mitigated once identified. That leads to step four.
The fourth step is finding solutions and remedies for the vulnerabilities identified in step three. The goal is to determine the best option for overcoming each vulnerability and improving protection. Expect this task to be time-consuming, as some assets will have several potential remedy options. For example, the remedy that rectifies a substation vulnerability at one location may not be effective at another site. Hence, each asset must be evaluated separately.
Conclusion
The key is understanding the importance of conducting a threat assessment and why we should go through the trouble of conducting one, even though others may not recognize the effort or its significance. In future articles, we’ll explore conducting a threat assessment in more detail and introduce a practical analysis and assessment model.
About the Author: Jim Willis is president of InDev Tactical, a security training and consulting firm. He is an electrical engineer, an experienced utility professional, and a credentialed homeland security specialist and anti-terrorism expert. If you want to discuss utility-focused security training or consulting assistance, you can reach Jim at 703-623-6819 or jim.willis@indevtactical.net.