Curtis Marquardt Jr.: Can you tell our readers more about your background and what you do for SERC Reliability Corporation.? Travis Moran: I began my career in law enforcement, first as an analyst with Interpol. After several years, I joined the U.S. State Department as a special agent, where I served for six-and-a-half years. I then spent 17 years at the Bureau of Alcohol, Tobacco, Firearms and Explosives dealing with violent crime, terrorism, bombs and murders. Following my retirement in 2013, I joined Dominion Energy’s corporate security department. This tenure coincided with the aftermath of the Metcalf substation sniper attacks, which led to significant changes in physical security measures. Subsequently, I worked at NERC before coming to SERC, where I currently provide outreach training and education on security and reliability. SERC covers the southeastern and central U.S., encompassing 17 states and a population of approximately 93 million. Curtis Marquardt Jr.: That’s quite a résumé. So, let’s talk about physical security. You mentioned the Metcalf substation attack and its impacts on the industry. As you are aware, physical attacks on utilities are on the rise, which is really pushing utility security professionals to adapt to that increasing risk. From your viewpoint as a physical security expert, what do utilities need to do to be ready for the increase in physical attacks? Travis Moran: Ballistic attacks continue to be very impactful throughout the nation on our infrastructure, particularly some of our critical assets. So, we need to understand and think more holistically about how to deal with and understand the threat posture. From the recent incidents we have seen, we are seeing that our adversaries are learning and evolving. But that’s always the case, right? The key is to apply risk-based approaches to our critical assets. What happened in Moore County, North Carolina, in 2022 was just the beginning. Our adversaries are not only targeting the large entities but the small ones now as well. It’s important for all utilities, big or small, to understand what their diamonds—or critical facilities—are. Because even if you don’t have a really big critical facility, the loss of a smaller one can impact life-sustaining entities like hospitals, government facilities, fire, EMS dispatch and so on which is a diamond for them. So, in understanding the threat picture, it will help us tier and rank our facilities so we know which ones to protect the most and that are the most impactful. I like to say you have to know your diamonds from your pencils. It’s a simple analogy, but one that works quite well. Curtis Marquardt Jr.: It does feel like the Moore County attack really underlined the fact that every utility is at risk and that no utility should view itself as too small to be attacked. Earlier you mentioned that you do outreach training for SERC, teaching physical security concepts. What are some physical security concepts that utility security professionals are really good at? On the flip side, what are some areas you feel utilities should start focusing on more? Travis Moran: We’re really good at knowing our technologies. Whether it’s access control,  fencing, camera systems or so on, there are really bright people who know how to maximize those solutions. I think there is really good collaboration between the entities, integrators and manufacturers to better equip utilities with what specifically aligns with their needs. And I also know we are getting better about communicating with each other and sharing information. But again, we have to pivot back to the question of, can we do better? And although I might risk sounding like a broken record, the way utilities can get better is to get a better holistic understanding of their diamonds and pencils. It’s the best pathway toward improvement. Curtis Marquardt Jr.: I’ve been asking people in the industry about the best solution to protecting substations, and the answer I get most often is, “It’s complicated.” What do you feel are the best security practices and strategies to make an organization’s substation a less desirable target? Travis Moran: Beyond the risk-based approach to protection, I think electric utilities really need to provide protection in depth. And if it’s a diamond you are protecting, you try to put more resources into protecting those. And when you add depth, what you are really also achieving is adding time to the detect, delay, assess, communicate, respond process. The ideal first goal is to deter by making your facility so undesirable that the adversaries will want to go somewhere else. That’s a win. But again, it takes some understanding of what your adversaries  want to achieve to get to that point. The Electricity Information Sharing Analysis Center (E-ISAC) has a great program that they teach called Vulnerability of Integrated Security Analysis (VISA) that has a really great process for understanding your assets and threats. SERC pivots off of that with what we call SERC University whereby we  train on physical security for utilities  using a building block approach all the way up so you first understand your threats, understand your assets, implement the technologies and test those technologies and mitigation techniques using the VISA process. The building block approach is key as we first want to level set with regard to skills, understand their true threat, mitigation tools that they can use against the threat, then test the mitigations they employed for effectiveness – all within the confines of the Critical Infrastructure Protection (CIP) Standards. We like to highlight in our course that although the CIP Standards may not apply to every entity, they do provide an excellent framework to help increase the security of your facilities and system. Curtis Marquardt Jr.: Attacks that are making the recent national news involve adversary nations that are hacking into utilities via information technology components. As convergence grows, where do you see the changes happening in the physical space to prevent remotely triggered physical attacks via IT/OT connections? Travis Moran: The world is heading toward convergence. On the physical side, outside of some simple padlocks, it is more and more likely that most every device comes with some Internet of Things or IoT component. I like to say to people we teach at our physical security workshop class that every cyber incident has a physical manifestation. I have people looking back at me cockeyed when I say that But the truth is somewhere The malware had to be written. The malware had to be injected somehow, whether somebody put a drive in or somebody hit send on a keyboard. So, it’s imperative that physical security and cybersecurity are brought together and understand each other in ways that, if something happens, there are protocols and procedures that impact both. Some  smaller utilities don’t have cybersecurity. Some don’t have a dedicated physical security staff either. They may just have an IT department for cyber and one person wearing four or five different hats that is in charge of emergency response. Even in those instances, they have to find ways to work together. One of the best ways to accomplish that is doing tabletop exercises to help both areas understand where those gaps are. Curtis Marquardt Jr.: On that topic, what changes are needed in laws and regulations to better empower critical infrastructure to guard against attacks? Travis Moran: After the Moore County attack, FERC directed NERC to do a reevaluation of its specific physical security standards, the CIP-14 standard. That process is still going on. Overall, the risk assessment process requirement within the standard is appropriate, but they wanted to look at how the initial assessment of applicable facilities might need to be refined. However, the risk-based approach—which is part of that particular standard—is still appropriate because every facility and the environment they operate in is different. It may sound like a cop-out to say this, but it’s not: utilities need to have some flexibility in designing their physical security protection plans  because it’s not a one-size-fits-all solution for everybody. You can’t say everybody has to have fiber-optic networked cameras at every substation throughout the system because that would just be unreasonable for several reasons. So, that flexibility to know their system and design appropriate protection measures for those facilities is built into the standard. I have seen state commissions, utility commissions and county commissioners take a greater interest since the Moore County attack to see what more they can do from the distribution-level assets piece of it. Overall, it’s a complicated system, but a brilliant one as well. Curtis Marquardt Jr.: So I want to stay on this topic, but drill down to a specific threat which is drones. Where do you see the changes in laws or regulations heading there? Travis Moran: So let me go back a bit to answer this question. Back in 2016, the FAA Extension Safety & Security Act was passed into law and within that was a provision called section 2209 which specifically enumerated the FAA was going to develop a process for certain covered facilities of which energy was a part of. The plan was to have a process for those entities to be able to apply for and get flight restrictions around their identified facilities. For a lack of a better term, the can has been kicked down the road and now it’s 2024. Recently, in May 2024,  the FAA Reauthorization Act of 2024 was passed and signed into law. In that is section 929, which reinvigorated , section 2209 from the 2016 Act. So, they’re going to put out a notice of proposed rulemaking (NOPR) soon and, in that, it’s probably going to entail the process for applying and it’s going to define unmanned aircraft flying restrictions around certain levels of transmission and generation facilities. By levels, I mean there will probably be a total megawatt threshold for generation facilities to be applicable, and probably a kilovolt threshold for transmission facilities. However, it will not provide any sort of mitigation ability whatsoever. A new bill was just introduced in Congress in May 2024 regarding mitigation authorities  but that’s going to be complicated and who knows how long it’ll take. But this new section 929 will at least be a tool in the toolbox of an electric utility. So, if they have a facility that meets the required thresholds, it would be designated as a facility that unmanned aircraft are not allowed to fly around if applied for and accepted under the program . That would then most likely appear in the FAA’s “B4UFLY” application and the drone operator would be notified electronically that they are not allowed to fly around that facility. There’s lots of issues with it including questions about whether or not it could be enforced. But it’s the beginning of a tool and a process. When it comes out, our industry really needs to read through it and comment on it because our infrastructure and needs are obviously very complicated. The FAA is all about the safety of the air space and DHS is  about security of infrastructure, but neither are specifically understanding of all of the nuances of electricity security. So, I urge all those in the industry to make sure we ingest this NOPR and comment on it, because they will read it. They will pay attention to what we say. Curtis Marquardt Jr.: So let’s shift to the topic of renewables. Many organizations are moving full steam ahead on solar, wind and so on. What new or different physical security challenges come with that shift to inverter-based resources? Travis Moran: These resources are coming online fast and furious. Being able to manage the security on them comes in a wave of different modalities. Protecting them is interesting. Say for example you’re an an entity that is getting ready to put in a 5,000 acre solar farm. How do you protect that?  What’s your fence cost going to look like? And it’s a lot of generation. It’s a lot of megawatts. So, if it is a diamond for that organization, they’re going to need a lot of security by design – which simply means having security’s input at the very beginning.. Even if you put up a fence around 5,000 Acres, you need to think about it’s not just a one-time capital expenditure. There are ongoing maintenance costs. Are you going to have cameras? Do you have fiber that is out there to bring the data back from the cameras? ARe you just going to put some goats in there to handle the grass maintenance and leave it. It’s divergent and it really comes down again to a risk-based approach and each company’s individual philosophy. I caution those to make sure that they look forward and see what sort of levels of generation or transmission they will be creating because you don’t want to be behind the curve on CIP Standards if you start hitting levels that require greater security considerations. Curtis Marquardt Jr.: I just attended ISC West a couple months ago. The amount of technology choices that a utility physical security professional can use is overwhelming. And it’s growing. What technologies do you see as most impactful in physical security efforts and what are some new and emerging technologies are you most excited about? Travis Moran: For me, it’s ground-based robotics. I know there’s some utilities piloting these things and I cannot wait to see the results. These ground-based robots are going to be impactful. They never sleep. As long as the sensors and the technologies are working, they can respond. Your personnel are safe because the robots can go right up and confront and do things like video-based talk downs. As long as they get the bugs worked out on the geospatial stuff (go/no go areas), they will be very reliable solutions. Curtis Marquardt Jr.: Let’s talk about theft. More than a billion dollars of copper is stolen every year alone, and that does not factor in the costs of replacement. What are some best practices or strategies you’d recommend to utilities to better deter theft attempts? Travis Moran: I know I’ve kind of beat it into the ground, but it goes back to the risk-based approach. You have got to know your facilities and their value. If you have the facility that is in a high crime, high transient area and you’re having repeated thefts of copper and break-ins, you have to make that decision about whether or not you want to upgrade your fencing. Now, everything can be defeated, but upgraded fencing may add enough delay to allow for effective law enforcement or security response. But you can also do simple things like take criminal draws away from your spaces. For example, don’t put a porta potty outside your fence line or even inside your fence line because potential thieves will see it as a place to use the restroom, but then, while there, will look at your facility a little closer than they might would have if not drawn in to use that porta potty. Don’t make it a crime of opportunity. Another tip is to keep your facilities clean. Don’t have stuff laying around. Don’t have vehicles that look like they are sitting there unattended to. Don’t leave spools of copper or other construction materials laying out in the open. Vegetation management is also very important because it gets rid of places to hide or easier access in. Sometimes, we  see pallets stacked outside of a substation fence which essentially is gifting a would-be thief and makeshift staircase up and over the fence. Look, I get it. Operations professionals are taxed with a lot of work these days and a lot of the work might be done by contractors. But these little things do matter and it really falls on the organization to have a culture of clean, maintained and secure facilities. Curtis Marquardt Jr.: I end every interview with a “crystal ball” question as it is vital for utility security professionals to work to be ahead of the next threat. So, I’ll ask you to look into the future 5 or 10 years from now and tell me what you think or hope you’ll see in the world of physical security at utilities. What changes do you see? What new threats? Travis Moran: On the threat side, the  IED drone improvised explosive device threat, especially the first person view (PFVs) that we’re seeing overseas, is something that is really concerning. Those things can fly 100 to 150 miles an hour right up to a facility, which is way too fast for any detection measures to be effective. The ballistic ground-based threats will always be persistent just because of the way that our infrastructure is set up and where it’s located. So, on a more optimistic note, the emergence of artificial intelligence and its ability to predict and use AI and machine learning to be able to better respond is very exciting. And, as I mentioned prior, I’m excited about the future of robotics and where it is heading in terms of the response. Curtis Marquardt Jr.: Thanks so much for your time today, Travis! Can you let our readers know how they might participate in the training that you all offer at SERC? Travis Moran: Certainly! It’s called SERC University and you can learn more about it at sercuniversity.org. If you’re looking to learn about what the individual CIP standards are or other operations and planning pieces, there are a lot of options for you. We also offer an on-site in-person physical security workshop where we come to your organization and teach a building-block approach to physical security including methodologies, technologies, techniques, the standards that apply to them and how all of that is interwoven into a physical security program. We also teach design-basis threat and the VISA process—as well as tour the facility to show learners what a true threat vulnerability assessment should look like.

The most commonly used decision-making process is conjecture-based; we use it countless times daily. We go through life making decisions based on assumptions, speculation and whimsy, with little thought to impact or outcomes. However, when it comes to security, especially substation security, our decisions have consequences. For these decisions, we need a better decision-making method. We need a reliable technique that can produce sound decisions and stand up to intense scrutiny.

General Colin Powell once said: “You can’t make good decisions unless you have good information and can separate facts from opinion and speculation. Facts are verified information, which is then presented as objective reality. The rub here is the verified. How do you verify verified?” In my previous article, I discussed how dangerous unverified assumptions can be when it comes to substation security issues. Now, we will consider the impact of our decision-making process on substation security. Critical decision-making has nothing to do with “criticizing”. In critical decision-making, we’re using the third definition of “critical” in the Merriam-Webster Dictionary: “exercising or involving careful judgment or judicious evaluation”. At first glance, critical decision-making appears to be a complicated, overly sophisticated, technical process. In reality, it’s a learnable skill that anyone can employ. However, the methodical application of a rigorous problem-solving approach does require focus and discipline, so it isn’t effortless. But, if you want easy, don’t pursue a career as a utility security practitioner; it’s not easy or glamorous. It’s underappreciated hard work that can be extraordinarily satisfying. Okay, back to critical decision-making. So, why is critical decision-making important? Its importance lies in its impact. Whether you are a member of a large security team with dozens of substations or the team is you and a cup of coffee with a couple of substations to deal with, you’re responsible for protecting the most critical infrastructure assets your organization possesses. (Generation protection is another story). If a security breach shuts down a substation, it shuts down a system. Shut down enough substations; you shut society down. Now add the axiom I’m continually repeating: when it comes to utility security, you have to get it right every time; a threat actor only has to get it right once. With this level of impact and responsibility, your decisions are important, so they need to be fact-based, reasoned, and defendable. Critical decision-making is involved in every aspect of substation security. It is crucial in conducting security assessments, planning, and resource allocation. It’s an essential skill for investigations and forensic analysis and provides a strong foundation for litigation defense. It is also our mental best defense in a crisis. If you have a solid grasp of critical decision-making, you can make sound, quick, and decisive decisions even under duress. What is Critical Decision-Making? It’s the process of objectively analyzing and evaluating information to form a qualified and defendable judgment. It involves gathering relevant information, interpreting it, assessing its value, and formulating ideas, theories, and solutions. Critical decision-making is crucial to making informed judgments and reaching rational conclusions. The process that leads the critical decision-making process is known as Critical Thinking. Critical decision-making is based on a technique known as critical thinking. Trust me, we’re not going in circles. Critical thinking is essential for verifying information and making informed decisions. It helps identify mistakes, flawed conclusions, and misrepresentations. It allows you to sort through the fog of information overload to spot errors arising from unverified assumptions, unsubstantiated conclusions, and less rigorous decision-making processes. It also provides proven and defensible problem-solving methods, incident investigation approaches, and data analysis methods. However, in the critical decision-making process, critical thinking is not a stand-alone technique; it is best used in concert with analytical thinking and reasoning techniques. Effective decision-making skills require understanding three information-processing techniques: analytical thinking, critical thinking, and reasoning; each is a specific information-gathering and deciphering method. The good news is that it doesn’t take a PhD to use these techniques, and you don’t need to master them in their entirety; you just need to understand the concepts, how they relate to each other, and how to put them into practice. Is it possible to give you a complete lesson in the art of critical decision-making in one introductory article? Sadly, no; it’ll take a little more effort than that. However, I can introduce the key terms and concepts you need and point you in a direction for acquiring these skills to make informed decisions based on solid criteria, not conjecture. Analytical Thinking – Fact Based Analytical thinking involves data harvesting and breaking down complex information into smaller parts. Analytical thinking is the logical and systematic breakdown of information. While the critical thinking process considers external criteria and knowledge, including institutional history, personal experience, and perspective, analytical thinking focuses on linear information processing. It’s the task of dispassionately collecting and sorting data to arrive at a conclusion. For those who have watched the television series, Star Trek, think of Mr. Spock. Analytical Thinking:

• Breaks down complex information into smaller parts
• Is the systematic, linear, and logical sequencing of information
• Uses facts within the information gathered to support conclusions

The need to employ analytical thinking techniques should be your first consideration in the critical decision-making process. When you have a complex problem to solve or overwhelming amounts of information to process, you should put your analytical skills to work first. The goal will be to ensure that all relevant data or information is collected and evaluated without consideration of the information’s impact on the final analysis. Then, with all relevant data collected, compiled, and sorted, it’s time to shift gears and employ critical thinking skills. Critical Thinking – Judgment Based Unlike analytical thinking, critical thinking involves making opinion-based judgments, which are arrived at by evaluating various sources of information, including expertise, knowledge, and experience. Where analytical thinking is data harvesting, critical thinking is an investigative technique that involves assessing, questioning, verifying, inferring, interpreting, and formulation tasks. It also involves breaking down information into smaller parts and analyzing each part logically and systematically, but not in the dispassionate manner of analytical thinking. In critical thinking, even “gut feelings” count. In the critical thinking process, every form of information, including open-sourced data, subject-matter-expertise, and personal experience, is used to arrive at a well-considered decision or to produce an innovative solution. Think Sherlock Holmes. Critical Thinking:

• Considers outside knowledge, including your own, when evaluating information
• Assesses, questions, verifies, infers, interprets, and formulates to be more holistic
• Uses other information to make judgments or find solutions
• Evaluates a myriad of sources to form an informed opinion

The critical thinking process verifies evidence, whether it supports or contradicts your initial assumptions and conclusions, before making a final judgment. It includes the consideration and unbiased evaluation of alternative possibilities to form a clear line of reasoning that leads to reasoned conclusions. To give you an idea of the complexity of the critical thinking discipline, there are 14 commonly used tools or techniques in the critical thinking process. There are many more, but these fourteen will suffice. Personally, there are four I use regularly, and there are several that I’ve never used. 14 Critical Thinking tools:

1. Problem Restatement;
2. Pros, Cons, and Fixes;
3. Divergent/Convergent Thinking;
4. Sorting, Timelines, and Chronologies;
5. Causal Flow Diagramming;
6. Matrixes;
7. Scenarios;
8. Weighted Ranking;
9. Hypothesis Testing;
10. Devil’s Advocacy;
11. Probability Trees;
12. Utility Trees;
13. Utility Matrixes;
14. and Advanced Utility Analysis

In investigative analysis situations, I usually start with hypothesis testing. In contrast, I often begin with weighted ranking for criteria-based decisions. One of the basic principles of Hypothesis Testing is a great example of how a proven critical thinking technique can help guide your decision-making process. In proving a hypothesis to be true, the number of consistencies isn’t as significant as the number of inconsistencies. In almost every case, when you apply hypothesis testing, you will find several potential outcomes that will have many of the same consistencies. The evidence will point to them. However, it’s the outcome or conclusion with the fewest inconsistencies that will prove to be the correct one. By the way, this is why an innocent person is often accused and sometimes convicted of a crime they didn’t commit. Once the investigators found evidence pointing to a person as the culprit, they stopped looking. They either failed to consider or discounted any evidence that didn’t support their decision (i.e., inconsistent evidence). As a security professional, it is your responsibility to expend the energy and time resources needed to evaluate all the evidence or data provided until it is absolutely clear that you have reached the correct, defendable conclusion. Critical thinking provides the tools needed to do just that. Reasoning Reasoning is the technique used to pull everything together. It takes the data-based results of analytical thinking and the opinion-based results derived from critical thinking, verifies tests, and critiques them to ensure a sound conclusion has been reached. By consciously applying reasoning to your decision-making process, you’ll minimize adverse consequences, ensure the accuracy of your outcomes, and achieve better results. The reasoning process involves eight essential elements:

1. purpose,
2. problem/question clarification,
3. information,
4. interpretation,
5. concepts,
6. assumptions,
7. point of view,
8. and implications

Applying these elements as a reasoning checklist can be a valuable tool for breaking down complex problems, identifying causes, and finding solutions. The Role of Intellectual Standards As a utility security professional, you are responsible for collecting, analyzing, and evaluating security-related data, investigating incidents, and creating reliable reports to aid your leadership’s decision-making. This includes security-related decisions regarding substations and other key infrastructure assets. You are the expert; it’s your responsibility to provide the best information and recommendations possible. To achieve this, you must apply critical thinking processes and intellectual standards to analyze and report information. Professional rigor demands a systematic approach and comprehensive research from all available sources, identification of trends and patterns, accurate summaries of issues, and qualified recommendations for courses of action. The role of critical decision-making in substation security cannot be overstated. Whether you’re evaluating security-related expenditures, investigating an incident, judging surveillance evidence, or conducting a threat assessment, your ability to gather, organize, and assess information and produce concrete and actionable decisions and recommendations is an essential but often overlooked skill. In a crisis, your ability to make quick, decisive, and defensible choices and institute effective damaging-mitigating countermeasures will be tied directly to your critical decision-making skills. By utilizing critical thinking and analytical thinking techniques and adhering to intellectual standards, you can generate informative and accurate reports that keep your team informed of incidents, offer sound advice to leadership, and provide expert support to your utility on potential threats. So, make sure you have a firm grasp of critical decision-making techniques and expend the time and effort needed to apply them. As a utility security practitioner, the only decisions you may come to regret are those you didn’t critique through the critical decision-making process. About the Author: Jim Willis is president of InDev Tactical, a security training and consulting firm. He is an electrical engineer, an experienced utility professional, and a credentialed homeland security specialist and anti-terrorism expert. If you want to discuss utility-focused security training or consulting assistance, you can reach Jim at 703-623-6819 or jim.willis@indevtactical.net.