Knowing Your Risks and Vulnerabilities and How to Prioritize Budget to Close Gaps

Welcome to the Utility Security Podcast, your command center for all things utility security! From power plant warriors to grid guardians, this podcast is your essential briefing on the latest vulnerabilities, industry best practices, and inspiring stories of resilience from frontline heroes keeping our grids secure. Join us as we interview security chiefs, tech wizards, […]

Green Protection: Two Perspectives on How to Effectively Plan and Implement a Security Strategy for Renewable Energy Sources 

Whether it’s solar, geothermal, wind or hydro, utilities are implementing more renewable energy generation sources than ever before. But with their rapid march toward these green energy sources come some new and distinct security challenges.  To learn about what risks to consider and strategies to implement, I had a conversation with Idaho National Laboratory’s Emma […]

Homeland Security Conference Provides Attendees with New Insights to Threats

As threats increase in size, scope and variety for security professionals, it can feel like the thermostat is turned up for all to feel the increased heat that comes with addressing those threats. So, as attendees arrived in the hot summer Miami Beach sun to attend the Homeland Security Conference this July, the local weather […]

Protecting Water Utilities from Drone Threats: Understanding the Steps of a Drone Security Methodology that Support the J100 framework

The small uncrewed aerial system (sUAS) ecosystem can seem overwhelmingly complex, but it doesn’t have to be that way. The wars in the Middle East, Nagorno Karabakh, Ukraine, and now Gaza have proven that we need to pay attention to the threat that drone technology poses to our critical infrastructure. The use cases of this […]

Know Your Diamonds from Your Pencils: Talking All Things Physical Security with SERC’s Travis Moran

An in-Depth Conversation About Physical Security Strategies, Dealing with Emerging Threats, Robotic Dogs, Preventing Theft, Where Regulations are Heading and More
Curtis Marquardt Jr.: Can you tell our readers more about your background and what you do for SERC Reliability Corporation? Travis Moran: I began my career in law enforcement, first as an analyst with Interpol. After several years, I joined the U.S. State Department as a special agent, where I served for six-and-a-half years. I […]

Substation Security Challenges: The Importance of the Critical Decision Making Process

The most commonly used decision-making process is conjecture-based; we use it countless times daily. We go through life making decisions based on assumptions, speculation and whimsy, with little thought to impact or outcomes. However, when it comes to security, especially substation security, our decisions have consequences. For these decisions, we need a better decision-making method. We need a reliable technique that can produce sound decisions and stand up to intense scrutiny.

Forging a Secure Tomorrow: Duke Energy’s Path to a More Resilient Future

An Interview with Mark Aysta, Duke Energy’s Managing Director of Enterprise Security
There’s a great quote by Confucius that says: “Our greatest glory is not in never falling, but in rising every time we fall.” And it’s truly applicable for security professionals because no matter how much one plans, strategizes and fully commits to preventing an incident, along comes something that challenges those efforts in ways that […]

How ‘Global Weirding’ is Creating New Threats for Utility Security Professionals

An Interview with Idaho National Laboratory’s Andrew Bochman About How Climate Impacts Need to be Planned for and Acted on Today
If you search for “Andrew Bochman” on Amazon’s website, the first listing to appear is a book he co-authored about countering cyber sabotage. If you search his name on YouTube, you’ll find videos of him presenting on topics including managing risk and operational technology cybersecurity. Bochman dedicated much of his career to helping with the […]

The Storm Work Security Conundrum

How A New Zealand-Based Company is Hoping to Revolutionize the Ways Utility Organizations can Quickly Verify Worker Security Credentials, Skills and Training Qualifications
As storm restoration work becomes more frequent, so do the challenges of verifying that the workers that flock to the disaster areas are qualified to do the work as well as meet background checks and security verifications they need. We talked with Dan Stemp, the chief customer officer at JNCTN, a New Zealand-based company that […]

Perimeter Control as the First Line of Defense

Strong perimeter protection can be one of your best investments. But don’t make the mistake of thinking it’s a set-it-and-forget-it endeavor.
For many utilities, physical security begins at the door or the parking lot. However, robust facility protection starts at the perimeter. But we often abandon this defense resource to aesthetics, budget restraints, or misplaced values. This makes a secure perimeter the least considered and most often overlooked element of facility security. However, resilient perimeter protection […]

Curtis Marquardt Jr.: Can you tell our readers more about your background and what you do for SERC Reliability Corporation? Travis Moran: I began my career in law enforcement, first as an analyst with Interpol. After several years, I joined the U.S. State Department as a special agent, where I served for six-and-a-half years. I then spent 17 years at the Bureau of Alcohol, Tobacco, Firearms and Explosives dealing with violent crime, terrorism, bombs and murders. Following my retirement in 2013, I joined Dominion Energy’s corporate security department. This tenure coincided with the…
Interview with Dan Stemp and Alex Wakeland As storm restoration work becomes more frequent, so do the challenges of verifying that the workers that flock to the disaster areas are qualified to do the work as well as meet …


Knowing Your Risks and Vulnerabilities and How to Prioritize Budget to Close Gaps


Welcome to the Utility Security Podcast, your command center for all things utility security! From power plant warriors to grid guardians, this podcast is your essential briefing on the latest vulnerabilities, industry best practices, and inspiring stories of resilience from frontline heroes keeping our grids secure. Join us as we interview security chiefs, tech wizards, and policy shapers to bring you expert intel and insights.

In this episode, we sat down with Shawn Wallace, the Director of Critical Infrastructure for Unlimited Technology, and Glenn Engel, the Global Business Resilience and Security Manager for the AES Corporation, to get their insightful perspectives on how to best evaluate risk, prioritize assets and align your spend in ways that build a truly effective security posture. 


Green Protection: Two Perspectives on How to Effectively Plan and Implement a Security Strategy for Renewable Energy Sources

Whether it’s solar, geothermal, wind or hydro, utilities are implementing more renewable energy generation sources than ever before. But with their rapid march toward these green energy sources come some new and distinct security challenges.

To learn about what risks to consider and strategies to implement, I had a conversation with Idaho National Laboratory’s Emma Mary Stewart, an expert in renewable energy and security, and Courtney Samp from Avangrid, a security strategy expert who helped coordinate a strategy for the third-largest renewables operator in the nation.

Along the way, they shared why we need to better assess vulnerabilities, why building strong relationships matters, how to address the threats of cyberattacks and much more.

Utility Security Magazine: As the industry continues to move rapidly toward reaching net-zero targets, there are massive investments in renewable energy. What security concerns do you see as this rapid expansion moves on?

Emma Mary Stewart: Rapid expansion is both good and bad. Our supply chain, in particular for digital infrastructure, is really only now starting to see the investment in U.S. manufacturing come to fruition. Without the rapid expansion in renewable energy, we wouldn’t have a demand signal for that investment, so it’s been a chicken-and-egg problem. The burden of securing the infrastructure—or verifying its security—has been on asset owners, but the asset owner model is also shifting to third parties and nontraditional suppliers. We have a Venn diagram of risk here that must be addressed. It’s a global issue, not local. The world does need to shift toward a cleaner energy paradigm, but the localized aspects of cyber protection—which differ from the safety aspects—make the challenge a bit less clear.

Utility Security Magazine: Courtney, Avangrid has been very active in implementing renewable energy generation. Can you talk about some of the biggest security challenges that have come with that initiative?

Courtney Samp: As the third-largest U.S. renewables operator, Avangrid is leading the way for U.S. renewable energy generation, with wind—offshore and onshore—and solar farms in 25 states. The company is also building the first large-scale offshore wind farm in the U.S. Anytime you’re the first to accomplish these ambitious goals, the national attention makes security even more vital. One security challenge with renewable energy is the convergence of physical and cybersecurity, and that includes third-party vendors.

From a physical security perspective, renewable energy faces similar challenges and threats as nonrenewable sources. However, there are also organizations specifically opposed to renewable energy–which, in part, is because of the increase of misinformation and disinformation disseminated on social media about renewable energy. From the cyber side, renewable energy has more IT and OT equipment, especially when it comes to wind farms, which means more access points for threat actors. We assess offshore wind farms to be at higher risk given the additional connection points needed due to their remote nature. We’ve also seen an increase in cyber-threat actors exploiting global conflicts to advance cyberattacks on IT and OT equipment prior to conducting attacks against U.S.-based companies using the same equipment. The water facility cyberattacks late last year are a good example of this.

It’s also getting harder to disentangle physical and cyber as physical attacks could have numerous knock-on cyber implications and vice versa. The convergence of physical security and cybersecurity will not decrease over time but is expected to increase as the country becomes more reliant on renewable energy sources.

Utility Security Magazine: Emma, what considerations must be factored in when building a cybersecurity plan to protect these new technologies?

Emma Mary Stewart: There are many solutions to protect the devices we install, but because of their digital nature, we also need to consider some of the features common in their design. For example, the communications to install updates in these devices are both a blessing and a curse. Without those, devices would likely remain unpatched. With them, we have an increased attack surface. At the most basic level, the guideline of no hardcoded passwords, and improving the access controls, would make a huge difference. We also need to consider how to better assess the vulnerabilities in the existing and future supply chain base as only around 15 percent of the companies on the market have a product security team.

Utility Security Magazine: Courtney, what best practices has your team at Avangrid discovered when planning security for renewable energy?

Courtney Samp: Partnerships are key. Internally and at the local, state and federal level, partnerships are incredibly important. Security doesn’t work in a vacuum, so building not just partnerships but relationships remains vital to anticipating and mitigating risks.

Maintaining internal relationships is essential to effectively and immediately communicating and mitigating emerging risks. The physical-threat landscape is never static, and the cyber-threat landscape changes rapidly, so having that constant open communication with physical security and cybersecurity ensures we’re all moving in the same direction.

We also have strong external relationships at the local, state and federal levels. Avangrid operates in 25 states, and the threat landscape is in constant flux and changes state to state. So, having those strong relationships with the Federal Bureau of Investigation, the U.S. Coast Guard, the Department of Homeland Security, and the Cybersecurity and Infrastructure Security Agency—as well as state intelligence centers—means we have specific names and numbers to call to ensure we are anticipating the right risks at the right time and implementing the right mitigation strategies.

Having these relationships also means we are communicating back what’s important to us. Critical infrastructure has the same threats and adversaries. If we’re seeing it, someone else is too—but they might have the resources to know it—which puts us all at risk.

Utility Security Magazine: To follow up on that, what sort of aspects in your renewable energy security planning process do you feel have been the most surprising?

Courtney Samp: This process has shown me that the transition to renewable energy sources in the U.S. is happening at an interesting time. There’s a significant amount of money being directed toward advancements and improvements for the renewable energy transition, from how solar panels and wind turbines are manufactured to making parts last longer, disposing of old parts, and even how renewable energy is connected to the existing grid. This equates to more technology, which opens the door to more vulnerabilities, making cybersecurity more important than ever. Additionally, the ways artificial intelligence is and will be used for renewable energy in the future are exciting and scary. For example, AI has the power to streamline business processes to ensure more accurate data and predictions for grid planning. However, I cannot emphasize enough the importance of having strong cybersecurity policies and training for any employee using AI. It’s also vital to have a full understanding of how all contracted third-party vendors are employing AI as that could affect your business too.

Utility Security Magazine: One layer of complexity is that electric customers are buying their own renewable energy equipment and installing it in ways that connect to the grid. What security challenges come with that, and what strategies should security professionals be considering in relation to this?

Emma Mary Stewart: Reliance on people to perform cybersecurity assessments of their home generation solutions is a challenge. In the end, the devices themselves need to be designed in a cyber-informed manner for this shift to be successful, or have a degree of automated and secure configuration by default. I don’t believe we are there yet, but it is a shift the country will need to make as we shouldn’t rely on average customers or employees to be the first line of defense against sophisticated actors.

Courtney Samp: All distributed energy resources (DERs) have an impact on security strategy. As we continue to move forward in the renewable energy transition, I think the bigger focus is that DER policies pave the way for accessibility and connectivity to ensure continued sustainability.

Utility Security Magazine: One concern I often hear about is that the renewable energy technology and equipment being installed in homes and utilities is, for the most part, sourced from adversarial nations. How does sourcing components from overseas impact your security approach?

Courtney Samp: This question is one of my favorite topics. Creating and delivering more clean, reliable power is our mission, which makes third-party sourcing vital. The energy sector relies on third-party vendors the same as every other critical infrastructure sector, and this affects our security approach from business to cyber risks. Working in security, everything can seem doom and gloom all the time, but at the end of the day, we need to enable the business to make the best decisions possible to mitigate risks, which means providing timely, actionable business intelligence and risk mitigation recommendations to decision makers.

Ensuring infrastructure is safe from nation-state cyber threat actors, cyber criminals and hacktivists remains a top priority. We already know these threat actor groups are using ongoing global conflicts and kinetic regions to refine tactics, techniques and procedures to conduct attacks on third-party vendors in the United States. Simultaneously, we know adversarial nations, such as China, are conducting cyber-espionage campaigns against U.S. critical infrastructure via third-party suppliers. China has also been implementing legal frameworks around national security designed to ensure their continued dominance of manufacturing, knowledge of cyber vulnerabilities and control of critical minerals required for the renewable energy transition. This is where those internal and external relationships become key as they help us anticipate risks and implement mitigation strategies to ensure we continue to meet our mission.

As the U.S. continues its transition to renewable energy, this topic is going to continue to dominate security spaces. The easy answer from security is always no, but where security and intelligence can lead and provide business value is by digging deeper to provide realistic alternatives that ensure business continuity while protecting the business and infrastructure long term.

Emma Mary Stewart: Resilience and reliability are layered, and we have many security solutions that will assist us in operating through such a challenge. One key challenge, though, is how we address and detect vulnerabilities in design as there is no reporting of common vulnerabilities and exposures (CVEs) on any of the Chinese-manufactured power electronic components, and our structure for integration doesn’t allow for the analysis to take place. That needs to change. The manufacturing base will evolve, but that will take time.

Utility Security Magazine: We have seen cyber attacks on renewable energy around the globe. Can you talk about the lessons learned from those events?

Emma Mary Stewart: While there have been cyberattacks, most of these were primarily ransomware-style events. Of the events that had any impact on operations, loss of visibility was the only real effect, and much of that was caused by external events such as the wind sites in northern Europe experiencing a satellite communications loss during the initial Ukraine invasion.

That is a consequence, but it’s not loss of generation or load, and that’s good. There are lots of lessons learned that can be derived from other industries also, but having a response plan that accounts for millions of end points potentially needing a manual reset is something that I think the renewable energy sector and, in particular, aggregators will need to consider.

Courtney Samp: I cannot overstate the importance of relationships, both public and private. Avangrid’s Corporate Security & Resilience Department encompasses physical security, cybersecurity, resilience, policy, insider risk, incident response, third party, travel security and intelligence. Basically, it’s a one-stop shop for risk management.

Possessing a strong and comprehensive security posture remains vital to Avangrid’s mission. Having these groups under one organizational roof, communicating daily, helps accomplish that mission. Avangrid’s intelligence program monitors domestic and international events to anticipate risks and provides recommendations and best practices to inform business decisions and offer mitigation recommendations.

Homeland Security Conference Provides Attendees with New Insights to Threats

As threats increase in size, scope and variety for security professionals, it can feel like the thermostat is turned up for all to feel the increased heat that comes with addressing those threats. So, as attendees arrived in the hot summer Miami Beach sun to attend the Homeland Security Conference this July, the local weather perhaps gave them a glimpse into the challenges that lay ahead. The annual conference is hosted by the National Homeland Security Association and it welcomes Homeland Security and emergency management professionals from across the United States. Utility Security Mag…
The small uncrewed aerial system (sUAS) ecosystem can seem overwhelmingly complex, but it doesn’t have to be that way. The wars in the Middle East, Nagorno Karabakh, Ukraine, and now Gaza have proven that we need to pay attention to the threat that drone technology poses to our critical infrastructure. The use cases of this evolution are abound on social media and events in the United States continue to show that it’s not a matter of “if” but “when” an event occurs.  Ukraine is the most prominent example of this evolution as we continue to see that drone technology is moving from battlefield application to critical infrastructure targets. This should concern the security professionals responsible for securing all of our key life systems to include our water supply. For example, the event last September where a drone operator modified a commercial off-the-shelf platform to drop chemicals into swimming pools, turning the water yellow and green highlighted the simplicity of the event but also the implications it brings.  Although this may seem harmless it does exhibit capability and did terrorize the residents of that township. Just think if this was a critical water supply and the act was not a harmless dye. Additionally, in Pennsylvania in July of 2020, a drone was used to disrupt an electrical substation. These two examples and many others in the United States indicate a trend and an awareness by nefarious actors that they have a new tool to use, but it also shows how far behind we are in developing our “ground game” to best address the coming “air domain” event.  All too often the easy button for a security problem is to add technology. This is an extremely shortsighted approach and often a costly mistake. We, as consumers, are being inundated with a myriad of technological solutions that claim to detect, monitor, track, locate, and even mitigate the sUAS platform in real time with precision and accuracy. 
This may be the case in ideal environmental conditions but trying to do all these operations simultaneously with an aerial platform that is relatively small and flies very fast is hard to do.  Additionally, security, safety, and emergency preparedness professionals are struggling with the concept of changing or updating their security programs. This is due to a stagnant playbook of physical security solutions and emergency response plans that haven’t evolved with the evolution of drone technology’s rapid maturity. Essentially, we are collectively trying to play catch up with a potential threat that has proven to be very capable, dangerous, and readily available. So, what is missing?   As General Eisenhower once said, “Plans are worthless, but planning is everything.” This statement has lasted the test of time and resonates well and directly with the gap we are seeing with this new security challenge. It would seem intuitive at this point to take a step back and make a sound attempt to understand what is happening and how your facility and ERP development will benefit from making a concerted effort to educate, assess and train.  The first goal is to gain a higher level of situational awareness before jumping into a capital investment regarding a technical solution that may not meet the requirements of current law. The second is to build your level of education around the ecosystem so that informed decisions can be made. So what does that look like?   There has been considerable thought put into a drone preparedness and training methodology that is easily adaptable to all environments, but is particularly relevant and a sound addition to the J100 framework and Safe Drinking Water Act (SDWA) Section 1433 compliance requirements. This methodology is made up of five key steps/frameworks and is inclusive of the three main tenets of the thought process presented here —educate, assess, and train.  

Step 1: Drone Vulnerability and Risk Assessment (DVRA)

The DVRA framework is designed to impart fundamental knowledge in carrying out a drone study that provides essential information to make future informed decisions. Skipping this step is not an option within the security program’s structure. The DVRA provides a foundational approach to drone assessment and introduces basic concepts to kickstart your ability to include it in your security program. The DVRA is beneficial for private sector and government operators responsible for detection and counter-uncrewed system understanding and any business looking to incorporate the “air domain” into their security protocols. The DVRA is designed to lay a solid foundation upon which you can further build risk and resilience into the program. It will serve as the bedrock for your comprehensive drone risk mitigation strategy and seamlessly integrate with your existing business security program. The framework consists of 11 steps that are tailored to technology operating in any environment.

Step 2: Support DVRA Findings with Short-Term Technology Deployment

With DVRA findings in hand, the next step is to implement detection technology for a set period to get a better understanding of the real-time drone events over the business. Ideally, a 14- to 30-day deployment of a non-permanent asset will give the business additional data to support an informed decision about capital investment.

This effort, combined with the DVRA, is the foundation of the next three major considerations for the air domain program. It is also a way to demonstrate the potential for geo-location of a drone operator that allows for a proactive response while staying within the boundaries of current mitigation laws. The DVRA and technical airspace reconnaissance combine as the bedrock for understanding the drone threat. This is a comprehensive step that affords informed decision-making.

Step 3: Develop a Drone Emergency Response Plan (DERP)

With the DVRA and short-term technology data defined, the next step is to develop a DERP. It will serve as the anchor for your comprehensive drone risk mitigation strategy, seamlessly integrate with your existing business security program and ERP components, and strengthen SDWA 1433 compliance.

Water facilities thinking about this threat and technology will be far ahead of their peers as the J100 matures and technology continues to evolve. Additionally, the DERP will establish a framework for “response” and “action” during a drone event. The DERP is the beginning of operationalizing against drone-related risks; it will provide you with the essential tools to enhance your security protocols in the evolving “air domain.”

Step 4: Left of Drone Launch (LoDL) Concept

The LoDL is the natural follow-on concept after the formalization of the DERP, as it builds on the DVRA and DERP and operationalizes the analysis to support a proactive security posture as it pertains to the “air domain.” It also provides additional framework components that support an active documented standard operating procedure (SOP) concerning a drone event at any facility.

At this point in the process, staff will work to define the environmental and technical analysis of the operating environment. By bringing together internal and external stakeholders, staff can put the focus on facilities as well as determine the best proactive actions toward their overall security program development. The LoDL step will assist with preparing, detecting, locating, and identifying potential left-of-launch locations as well as determine the proactive actions that need to be taken during or for any scenario.

The goal is to create an executable plan that puts security in action and creates this proactive posture for the security team.
The LoDL removes the potential for being purely reactive and gives security operations a mechanism in a restrictive mitigation environment to act if an event is identified through the air domain. In essence, the LoDL is the action arm of the security program as it pertains to sUAS events.

Step 5: Develop an Exercise Program

The fifth step in the process is the development of an exercise program that includes training, rehearsals, and programmed exercise events that follow a crawl, walk, and run format. As you are aware, exercises keep a security posture strong even if staff turnover occurs, and they keep the security program and your ERP up to date as threats evolve, stakeholders change and technology matures.

This step cannot be overemphasized. A staff that goes through a thoughtful, repetitive training process based on analysis, assessment results, environmental conditions and SOP training will make for a ready and resilient facility.

Lastly, there is also a sub-task associated with this methodology: the fundamental knowledge needed to understand Counter Uncrewed Aerial Systems (CUAS), including current United States law and legislation. This technological ecosystem consists of detection and mitigation options that, while not overly complicated, require a deeper knowledge base. The sub-task is peppered throughout each of the major frameworks, but experience has shown that understanding this provides a great start for drone inclusion as a component of the ERP.

Taking the time to gain a better understanding of the fast-paced evolution of commercial drones and how to begin implementation of the “air domain” in your security approach and program should be considered in every environment, especially those life systems that are critical to the daily needs of the people they serve.

In the end, educate, assess, and train as you build your ERP and meet the SDWA 1433 compliance requirements.
Simply purchasing technology to solve a problem that isn’t understood is a poor course of action.

About Bill Edwards: Bill Edwards is the Executive Vice President of Security Services at PMY Group. He leads the National Institute of Drone Security Standards and Training (NIDSST) and is a retired U.S. Army Colonel and Veteran of the Iraq War.

Know Your Diamonds from Your Pencils
An In-Depth Conversation About Physical Security Strategies, Dealing with Emerging Threats, Robotic Dogs, Preventing Theft, Where Regulations Are Heading and More

Curtis Marquardt Jr.: Can you tell our readers more about your background and what you do for SERC Reliability Corporation?

Travis Moran: I began my career in law enforcement, first as an analyst with Interpol. After several years, I joined the U.S. State Department as a special agent, where I served for six-and-a-half years. I then spent 17 years at the Bureau of Alcohol, Tobacco, Firearms and Explosives dealing with violent crime, terrorism, bombs and murders. Following my retirement in 2013, I joined Dominion Energy’s corporate security department. This tenure coincided with the aftermath of the Metcalf substation sniper attacks, which led to significant changes in physical security measures. Subsequently, I worked at NERC before coming to SERC, where I currently provide outreach training and education on security and reliability. SERC covers the southeastern and central U.S., encompassing 17 states and a population of approximately 93 million.

Curtis Marquardt Jr.: That’s quite a résumé. So, let’s talk about physical security. You mentioned the Metcalf substation attack and its impacts on the industry. As you are aware, physical attacks on utilities are on the rise, which is really pushing utility security professionals to adapt to that increasing risk. From your viewpoint as a physical security expert, what do utilities need to do to be ready for the increase in physical attacks?

Travis Moran: Ballistic attacks continue to be very impactful throughout the nation on our infrastructure, particularly some of our critical assets. So, we need to understand and think more holistically about how to deal with and understand the threat posture. From the recent incidents we have seen, we are seeing that our adversaries are learning and evolving. But that’s always the case, right? The key is to apply risk-based approaches to our critical assets. What happened in Moore County, North Carolina, in 2022 was just the beginning.
Our adversaries are not only targeting the large entities but the small ones now as well. It’s important for all utilities, big or small, to understand what their diamonds—or critical facilities—are. Because even if you don’t have a really big critical facility, the loss of a smaller one can impact life-sustaining entities like hospitals, government facilities, fire, EMS dispatch and so on, which is a diamond for them. So, in understanding the threat picture, it will help us tier and rank our facilities so we know which ones to protect the most and that are the most impactful. I like to say you have to know your diamonds from your pencils. It’s a simple analogy, but one that works quite well.

Curtis Marquardt Jr.: It does feel like the Moore County attack really underlined the fact that every utility is at risk and that no utility should view itself as too small to be attacked. Earlier you mentioned that you do outreach training for SERC, teaching physical security concepts. What are some physical security concepts that utility security professionals are really good at? On the flip side, what are some areas you feel utilities should start focusing on more?

Travis Moran: We’re really good at knowing our technologies. Whether it’s access control, fencing, camera systems or so on, there are really bright people who know how to maximize those solutions. I think there is really good collaboration between the entities, integrators and manufacturers to better equip utilities with what specifically aligns with their needs. And I also know we are getting better about communicating with each other and sharing information. But again, we have to pivot back to the question of, can we do better? And although I might risk sounding like a broken record, the way utilities can get better is to get a better holistic understanding of their diamonds and pencils. It’s the best pathway toward improvement.

Curtis Marquardt Jr.: I’ve been asking people in the industry about the best solution to protecting substations, and the answer I get most often is, “It’s complicated.” What do you feel are the best security practices and strategies to make an organization’s substation a less desirable target?

Travis Moran: Beyond the risk-based approach to protection, I think electric utilities really need to provide protection in depth. And if it’s a diamond you are protecting, you try to put more resources into protecting those. And when you add depth, what you are really also achieving is adding time to the detect, delay, assess, communicate, respond process. The ideal first goal is to deter by making your facility so undesirable that the adversaries will want to go somewhere else. That’s a win. But again, it takes some understanding of what your adversaries want to achieve to get to that point. The Electricity Information Sharing Analysis Center (E-ISAC) has a great program that they teach called Vulnerability of Integrated Security Analysis (VISA) that has a really great process for understanding your assets and threats. SERC pivots off of that with what we call SERC University whereby we train on physical security for utilities using a building block approach all the way up so you first understand your threats, understand your assets, implement the technologies and test those technologies and mitigation techniques using the VISA process. The building block approach is key as we first want to level set with regard to skills, understand their true threat, mitigation tools that they can use against the threat, then test the mitigations they employed for effectiveness – all within the confines of the Critical Infrastructure Protection (CIP) Standards. We like to highlight in our course that although the CIP Standards may not apply to every entity, they do provide an excellent framework to help increase the security of your facilities and system.

Curtis Marquardt Jr.: Attacks that are making the recent national news involve adversary nations that are hacking into utilities via information technology components. As convergence grows, where do you see the changes happening in the physical space to prevent remotely triggered physical attacks via IT/OT connections?

Travis Moran: The world is heading toward convergence. On the physical side, outside of some simple padlocks, it is more and more likely that most every device comes with some Internet of Things or IoT component. I like to say to people we teach at our physical security workshop class that every cyber incident has a physical manifestation. I have people looking back at me cockeyed when I say that. But the truth is, somewhere, the malware had to be written. The malware had to be injected somehow, whether somebody put a drive in or somebody hit send on a keyboard. So, it’s imperative that physical security and cybersecurity are brought together and understand each other in ways that, if something happens, there are protocols and procedures that impact both. Some smaller utilities don’t have cybersecurity. Some don’t have a dedicated physical security staff either. They may just have an IT department for cyber and one person wearing four or five different hats that is in charge of emergency response. Even in those instances, they have to find ways to work together. One of the best ways to accomplish that is doing tabletop exercises to help both areas understand where those gaps are.

Curtis Marquardt Jr.: On that topic, what changes are needed in laws and regulations to better empower critical infrastructure to guard against attacks?

Travis Moran: After the Moore County attack, FERC directed NERC to do a reevaluation of its specific physical security standards, the CIP-14 standard. That process is still going on.
Overall, the risk assessment process requirement within the standard is appropriate, but they wanted to look at how the initial assessment of applicable facilities might need to be refined. However, the risk-based approach—which is part of that particular standard—is still appropriate because every facility and the environment they operate in is different. It may sound like a cop-out to say this, but it’s not: utilities need to have some flexibility in designing their physical security protection plans because it’s not a one-size-fits-all solution for everybody. You can’t say everybody has to have fiber-optic networked cameras at every substation throughout the system because that would just be unreasonable for several reasons. So, that flexibility to know their system and design appropriate protection measures for those facilities is built into the standard. I have seen state commissions, utility commissions and county commissioners take a greater interest since the Moore County attack to see what more they can do from the distribution-level assets piece of it. Overall, it’s a complicated system, but a brilliant one as well.

Curtis Marquardt Jr.: So I want to stay on this topic, but drill down to a specific threat which is drones. Where do you see the changes in laws or regulations heading there?

Travis Moran: So let me go back a bit to answer this question. Back in 2016, the FAA Extension Safety & Security Act was passed into law and within that was a provision called section 2209 which specifically enumerated the FAA was going to develop a process for certain covered facilities of which energy was a part of. The plan was to have a process for those entities to be able to apply for and get flight restrictions around their identified facilities. For a lack of a better term, the can has been kicked down the road and now it’s 2024. Recently, in May 2024, the FAA Reauthorization Act of 2024 was passed and signed into law.
In that is section 929, which reinvigorated section 2209 from the 2016 Act. So, they’re going to put out a notice of proposed rulemaking (NOPR) soon and, in that, it’s probably going to entail the process for applying and it’s going to define unmanned aircraft flying restrictions around certain levels of transmission and generation facilities. By levels, I mean there will probably be a total megawatt threshold for generation facilities to be applicable, and probably a kilovolt threshold for transmission facilities. However, it will not provide any sort of mitigation ability whatsoever. A new bill was just introduced in Congress in May 2024 regarding mitigation authorities but that’s going to be complicated and who knows how long it’ll take. But this new section 929 will at least be a tool in the toolbox of an electric utility. So, if they have a facility that meets the required thresholds, it would be designated as a facility that unmanned aircraft are not allowed to fly around if applied for and accepted under the program. That would then most likely appear in the FAA’s “B4UFLY” application and the drone operator would be notified electronically that they are not allowed to fly around that facility. There’s lots of issues with it including questions about whether or not it could be enforced. But it’s the beginning of a tool and a process. When it comes out, our industry really needs to read through it and comment on it because our infrastructure and needs are obviously very complicated. The FAA is all about the safety of the air space and DHS is about security of infrastructure, but neither are specifically understanding of all of the nuances of electricity security. So, I urge all those in the industry to make sure we ingest this NOPR and comment on it, because they will read it. They will pay attention to what we say.

Curtis Marquardt Jr.: So let’s shift to the topic of renewables. Many organizations are moving full steam ahead on solar, wind and so on.
What new or different physical security challenges come with that shift to inverter-based resources?

Travis Moran: These resources are coming online fast and furious. Being able to manage the security on them comes in a wave of different modalities. Protecting them is interesting. Say for example you’re an entity that is getting ready to put in a 5,000-acre solar farm. How do you protect that? What’s your fence cost going to look like? And it’s a lot of generation. It’s a lot of megawatts. So, if it is a diamond for that organization, they’re going to need a lot of security by design – which simply means having security’s input at the very beginning. Even if you put up a fence around 5,000 acres, you need to think about it’s not just a one-time capital expenditure. There are ongoing maintenance costs. Are you going to have cameras? Do you have fiber that is out there to bring the data back from the cameras? Are you just going to put some goats in there to handle the grass maintenance and leave it? It’s divergent and it really comes down again to a risk-based approach and each company’s individual philosophy. I caution those to make sure that they look forward and see what sort of levels of generation or transmission they will be creating because you don’t want to be behind the curve on CIP Standards if you start hitting levels that require greater security considerations.

Curtis Marquardt Jr.: I just attended ISC West a couple months ago. The amount of technology choices that a utility physical security professional can use is overwhelming. And it’s growing. What technologies do you see as most impactful in physical security efforts and what are some new and emerging technologies you are most excited about?

Travis Moran: For me, it’s ground-based robotics. I know there’s some utilities piloting these things and I cannot wait to see the results. These ground-based robots are going to be impactful. They never sleep.
As long as the sensors and the technologies are working, they can respond. Your personnel are safe because the robots can go right up and confront and do things like video-based talk downs. As long as they get the bugs worked out on the geospatial stuff (go/no go areas), they will be very reliable solutions.

Curtis Marquardt Jr.: Let’s talk about theft. More than a billion dollars of copper is stolen every year alone, and that does not factor in the costs of replacement. What are some best practices or strategies you’d recommend to utilities to better deter theft attempts?

Travis Moran: I know I’ve kind of beat it into the ground, but it goes back to the risk-based approach. You have got to know your facilities and their value. If you have the facility that is in a high crime, high transient area and you’re having repeated thefts of copper and break-ins, you have to make that decision about whether or not you want to upgrade your fencing. Now, everything can be defeated, but upgraded fencing may add enough delay to allow for effective law enforcement or security response. But you can also do simple things like take criminal draws away from your spaces. For example, don’t put a porta potty outside your fence line or even inside your fence line because potential thieves will see it as a place to use the restroom, but then, while there, will look at your facility a little closer than they might have if not drawn in to use that porta potty. Don’t make it a crime of opportunity. Another tip is to keep your facilities clean. Don’t have stuff laying around. Don’t have vehicles that look like they are sitting there unattended to. Don’t leave spools of copper or other construction materials laying out in the open. Vegetation management is also very important because it gets rid of places to hide or easier access in.
Sometimes, we see pallets stacked outside of a substation fence which essentially is gifting a would-be thief a makeshift staircase up and over the fence. Look, I get it. Operations professionals are taxed with a lot of work these days and a lot of the work might be done by contractors. But these little things do matter and it really falls on the organization to have a culture of clean, maintained and secure facilities.

Curtis Marquardt Jr.: I end every interview with a “crystal ball” question as it is vital for utility security professionals to work to be ahead of the next threat. So, I’ll ask you to look into the future 5 or 10 years from now and tell me what you think or hope you’ll see in the world of physical security at utilities. What changes do you see? What new threats?

Travis Moran: On the threat side, the drone improvised explosive device (IED) threat, especially the first-person view (FPVs) that we’re seeing overseas, is something that is really concerning. Those things can fly 100 to 150 miles an hour right up to a facility, which is way too fast for any detection measures to be effective. The ballistic ground-based threats will always be persistent just because of the way that our infrastructure is set up and where it’s located. So, on a more optimistic note, the emergence of artificial intelligence and its ability to predict and use AI and machine learning to be able to better respond is very exciting. And, as I mentioned prior, I’m excited about the future of robotics and where it is heading in terms of the response.

Curtis Marquardt Jr.: Thanks so much for your time today, Travis! Can you let our readers know how they might participate in the training that you all offer at SERC?

Travis Moran: Certainly! It’s called SERC University and you can learn more about it at sercuniversity.org. If you’re looking to learn about what the individual CIP standards are or other operations and planning pieces, there are a lot of options for you.
We also offer an on-site in-person physical security workshop where we come to your organization and teach a building-block approach to physical security including methodologies, technologies, techniques, the standards that apply to them and how all of that is interwoven into a physical security program. We also teach design-basis threat and the VISA process—as well as tour the facility to show learners what a true threat vulnerability assessment should look like.
