Will your critical substation survive an attack? How would you know?
We install security systems to protect our substations. Critical sites would likely include some kind of barrier, like a fence or a wall; a video surveillance system (VSS); an access control system, combining a locking mechanism with a card reader or PIN pad; lighting; a security monitoring center; and some kind of response force, such as a mobile patrol or police.
How do you know that they will work?
We commission systems after they are installed. We check that the fence was installed according to the contract. We examine the VSS cameras to see that they work by day and night and see where we want them to see. We visit the site at night to measure the amount of illumination cast by our lighting system. We test the gates and the card readers. We ensure that the monitoring center can see everything they need to see. We walk the site with local law enforcement.
How do you know that they will work together?
The security measures protecting the site actually involve a lot more than the measures we’ve mentioned above. Each site has a physical protection system (PPS) that goes far beyond the technical systems listed above, including any policies, procedures and personnel that have an impact on the site. For example, a background check policy protects the site by reducing the likelihood that you will hire a criminal who would later access the substation. Employee assistance programs can provide counseling and financial assistance that will reduce the probability that an employee could be coerced into providing support to an adversary who wants to damage the site. Supervisor sign-off on work orders can reduce the chance that an employee will go rogue and use their access and authority to damage critical equipment.
A PPS is made up of many components, but it is a lot like a piano. You can’t tell if it’s in tune by looking at it. You have to play it. That’s where scenario-based testing comes in.
But how do you know what you’re trying to protect against?
According to the International Atomic Energy Agency, a design basis threat (DBT) is “a comprehensive description of the motivation, intentions and capabilities of potential adversaries against which protection systems are designed and evaluated. Such definitions permit security planning on the basis of risk management. A DBT is derived from credible intelligence information and other data concerning threats, but is not intended to be a statement about actual, prevailing threats.” In other words, it describes the likely threats you face, but it makes no predictions about when or if an attack is likely to take place.
The North American electric sector has a DBT, created in 2016 by a team of 25 security leaders from the sector and a facilitator from Pacific Northwest National Laboratory (I represented Canada on the team). This DBT, updated yearly and available to E-ISAC portal members, is made up of several sections. The first, “Definitions,” describes the terms used in the document to ensure that confusion is minimized. The second, “Threat Levels,” describes in detail the maximum number of adversaries and how they are armed and equipped; their knowledge and skill levels; their intentions; their tactics; and their motivation. This is done for three levels of threat: high, moderate and low. The last section is a list of the unacceptable consequences of an attack on the site—literally, the outcomes of an attack that you are willing to spend money to ensure don’t take place. The DBT is for the bulk power system, and it should be examined by utilities and modified to fit their needs, particularly the section on unacceptable consequences.
A critical site, such as a CIP-014 transmission station, would be rated as a high-threat facility, so the highest threat level would apply. The least important substations would likely be rated as low-threat facilities, and most of the ones in between would be considered moderate-threat facilities.
We have our site, and we have our DBT. Now we need to use the DBT to test the site’s PPS. To do this, we need to assemble a vulnerability assessment team, create a scenario and walk through the scenario to see how the PPS performs at each step.
To be valid, a scenario must meet three criteria. First, it must be reasonable and credible. It must be something that someone can look at and say, “I could see that happening.” Second, it must result in one or more of the unacceptable consequences, and third, it must only use resources listed in the DBT.
In the next issue of Utility Security magazine, we will go into more detail on scenario development and analysis of the PPS’s capabilities.
About Ross Johnson
Ross Johnson has over four decades of experience in all aspects of security management, including tenures as a professional security manager where he oversaw regulatory requirements, budgets, personnel shortages and an endlessly expanding threat portfolio. Having spent much of his career in the high-impact/low-frequency quadrant, he now assists organizations by developing programs that help them define the appropriate level of attention and resourcing that their risks need. Johnson has worked in the electric sector since 2006 and held executive committee positions on NERC and Electricity Canada’s security and infrastructure protection committees, including representing Canada on the CIP-014 Standards Drafting Team. He is currently the chair of E-ISAC’s Physical Security Advisory Group and co-facilitates the DBT/VISA workshop for NERC’s E-ISAC. Reach him at ross@bridgeheadsecurity.com.