Skip to main content

© All rights reserved.

LOOKING FOR SOMETHING?

Ross Johnson

Will Your Critical Substation Survive an Attack (Part Two)

Written by Ross Johnson on . Posted in .

Ross Johnson Continues His Series on Substation Security with an Exploration into How to Develop a Valid Scenario that Helps You Plan to Stop Unacceptable Consequences

In the previous issue, we asked how you would know if your critical substation would survive an attack. (It might be a good idea to go back and re-read the column in the November 2024 issue of Utility Security magazine. You can read it at utilitysecurity.com.)

In this issue we will examine how a scenario is developed.

The first step is to assemble a vulnerability assessment (VA) team. An ideal team would include Security, Operations, Maintenance, Engineering, IT, OT, Networking, HR, Supply Chain and the responding law enforcement agency. If you have a third-party security system integrator, it would be helpful if they were there too.

Next, the team visits the site. They should be briefed on its function, critical assets, response procedures, access control and the perimeter. They need to see the physical layout of the systems involved, such as gates, card readers, cameras, lights, intrusion detection systems and so on. They look at related procedures such as: how access control cards are requested, made, and delivered; background checks; work authorization, access by day and by night; how is the response force called, how long does it take them to arrive, and what will they do when they get there?  

The team is also there to identify weaknesses and vulnerabilities. (A weakness is a security measure that doesn’t work well, such as a fence with a large gap at the bottom, and a vulnerability is a gap created by the absence of a security measure, such as a perimeter without an intrusion detection system. These are my definitions, though, and are probably interchangeable.)

All weaknesses and vulnerabilities should be examined and categorized as something that can be seen from outside the perimeter, and one that can only be seen from the inside. This helps to determine who is most likely to exploit them: outsiders or insiders.

The team returns to their conference room and creates the first scenario. Some decisions will need to be made:

  • What kind of scenario are you creating: outsider only, insider only, or outsider colluding with an insider?
  • What is the unacceptable consequence you are trying to achieve? (An unacceptable consequence is an outcome you are willing to spend money to ensure doesn’t happen)
  • How will you achieve the unacceptable consequence?  
  • Which weakness or vulnerability are you going to exploit?  
  • What is the pathway in to the objective, what will your adversaries do at the objective and how will they leave the site?

Here are the issues that need to be discussed before the scenario is written:

  • The team decides that the unacceptable consequence that they wish to achieve is to stop the site from supplying power for more than seven days. Through a discussion led by the operations representative, they determine that the best way to achieve this is by destroying Critical Component A. (I’m reluctant to discuss actual critical equipment in this public forum, so we will use a generic name instead. In reality, you would identify exactly what you had to damage or destroy to achieve the unacceptable consequence.)
  • The site tour revealed that there was an area where the foliage had overgrown the perimeter fence, creating a spot where an adversary could hide while they cut through the fence fabric, and that there is a video surveillance system (VSS) with live video monitoring on the perimeter and inside the yard. There is an electronic card access system, and lighting in the operational area. They also determined that the response time for law enforcement (from the live video monitoring (LVM) Operator call to police until they arrive on site) was ten minutes (600 seconds).
  • They decide on the pathway to the critical component to be attacked (a direct route that will take them 60 seconds to traverse), and how they will disable or destroy it (a small explosive charge, placed underneath it.)
  • Referring to the design basis threat (DBT), what is the minimum size of adversary force required to complete this attack? (In this case, one Outsider.)

Example Scenario

It is 11 p.m. on the Fourth of July. The adversary drives to a spot 50 yards from the site and parks near some trees. Carrying a backpack with a five-pound explosive charge and a pair of bolt cutters, he walks to the point on the northwest corner of the perimeter where the foliage grows close to the fence. Using the foliage to cover him from casual observation, he cuts a hole in the fence and crawls through it.

The adversary quickly walks the 30 yards to Critical Component A. He takes off his backpack, removes the explosive charge and sets the timer to 15 minutes. He places it on the ground underneath Critical Component A.

The adversary walks back to the hole in the fence. He crawls through the hole, then returns to his vehicle and drives away. Fourteen minutes later the charge explodes, destroying Critical Component A.”

At this point the team validates the scenario by answering three questions:

  1. Is the scenario reasonable and credible?
  2. Does it accomplish one or more of the unacceptable consequences?
  3. Does it only use resources available in the DBT?

If the answer is ‘yes’ to all three, then we have a valid scenario to work with. 

In the next issue, we will show you how to run the scenario against the PPS and analyze the results.

About Ross Johnson:
Ross Johnson has over four decades of experience in all aspects of security management, including tenures as a professional security manager where he oversaw regulatory requirements, budgets, personnel shortages and an endlessly expanding threat portfolio. Having spent much of his career in the high-impact/low-frequency quadrant, he now assists organizations by developing programs that help them define the appropriate level of attention and resourcing that their risks need. Johnson has worked in the electric sector since 2006 and held executive committee positions on NERC and Electricity Canada’s security and infrastructure protection committees, including representing Canada on the CIP-014 Standards Drafting Team. He is currently the chair of E-ISAC’s Physical Security Advisory Group and co-facilitates the DBT/VISA workshop for NERC’s E-ISAC. Reach him at ross@bridgeheadsecurity.com.