On the international front, Russia has been attempting to destabilize Ukraine for years, by using cyber-attacks against the power grid. Since the start of the war, the Russian forces are actively attacking the Ukraine power grid using both cyber and physical methods. The news headlines show how many articles there are about Ukraine’s struggles to keep the lights on from Russia’s constant attacks. Domestically, in North Carolina, extremists targeted multiple substations and other power facilities with physical attacks in an attempt to cause major blackouts and potentially create a panic in the area. We have
also seen similar tactics used for physical attacks on electric system facilities in Oregon and Washington. Attacking the electric grid is often seen as one of the easiest ways for an adversary to destabilize a country.
For many, when we think of physical security, we think of locks on doors, fences, sensors, or security cameras, but there are many more facets to a strong physical security program.
Facility design and landscaping can both be key components of physical security. For example, if you build a server room that is critical for your organization and you deploy a Physical Access Control System (PACS), the room seems to be physically secure, but if the walls of the room are made of only sheetrock, the PACS will not provide adequate security. Some physical security experts conduct what is called the kick test, if the expert can kick a hole in the wall, they fail the test. Attackers could simply break through the wall with little effort and access the room without even needing to touch the door. One way to prevent this physical security weakness is by adding additional wall protection, such as steel mesh or ballistic paneling. In many cases, physical security is not considered during the initial design process of a facility and then the utility is forced to make modifications to a critical facility to add new physical security controls. The post construction modification can be very costly and, in many cases, would have been much more economical and efficient if they were considered during the design phase.
When devising a physical security program, the designer should consider the facility location, the law enforcement response time, and the criticality of that facility. A remote critical facility may seem to be at a lower risk for a physical attack, but the law enforcement response time may be much longer than for a facility that is in a city. Physical security experts recommend that you take into consideration the average response time of law enforcement may be roughly 1.5 times greater than anticipated, especially if the facility is in a remote location. For example, if you have a major substation located inside the city limits, the law enforcement response time may within 30 minutes of receiving the notification of an event, but if that substation is located in a rural part of the county the repones time maybe hours and not minutes.
In addition to potentially delayed law enforcement response times, there are other easily identified weak points in most substation physical security controls. The first control that can be a weak point is the substation fence. Most facilities us a standard fence of 2-inch links with 9-gauge wire it which meets the minimum requirements for a safety and security but can easily be cut through in less than a minute. If the substation uses thicker gauge wire and a smaller link, such as a 6-gauge and 5/8-inch link, the delay in cutting through the fence can be increased by 6 minutes. Those 6 minutes could be vital to maintain the integrity of that facility and add more time for law enforcement to respond.
A second physical security control that can be a weak point is the locks that are used on the facility gates. Unfortunately, most standard pad and door locks are not very secure. The standard padlock that is commonly used throughout the United States can be compromised by anyone who has watched a YouTube video and spent 30 minutes learning how to lock pick. Many standard locks can also be broken or cut though. The best option for critical facilities is to use high security locks with pick resistant pins or a digital signature, such as smart locks. The high security locks can slow down an attacker and provide for more time for a law enforcement response.
A third control that can be both an enhancement and a determent to the physical security of a critical facility is landscaping. If utilized properly, landscaping can both add security controls to the facility and make the facility look aesthetically pleasing. For example, hard to walk on boulders or spikes around the facility will slow down a potential attacker and allow more time for the law enforcement response. Strategically planted bushes can be used to hinder line of sight attacks by gunfire. Landscaping can also be a problem for physical security as it can allow attackers to hide and avoid security cameras or even provide an easier way to climb a fence and enter the facility if it is not well maintained. Clearing trees and brush from around a facility removes the possibility of an attacker using the brush as cover or a method of breaching the physical security perimeter.
A key component to a good physical security program is coordination with neighboring utilities to jointly protect and monitor for security events at critical facilities. The neighboring utilities’ security controls also matter to your utility for multiple reasons: 1) electric utilities are part of the interconnected electric grid and damage to a neighbors’ facility may also cause outages for your customers; 2) many utilities have shared facilities and want to ensure that both entities have equally as strong security controls; and 3) strong coordinated physical security controls can help deter attackers from either entities’ critical facilities. The electric utility industry needs to continue to have conversations between entities about security events that have happened, the responses to those events, and security measures that they put into place to deter future events. Having industry wide transparency of threats and events allows for a better picture of what is happening in the broader scope. For example, there could be a pattern of multiple security events that was not noticed until all the information from multiple entities is gathered and analyzed.
A good way to stay knowledgeable about both physical and cyber security threats to the electric industry is through participation in the North American Energy Reliability Corporation (NERC) and Department of Energy (DOE) Electricity Information Sharing and Analysis Center (E-ISAC). The E-ISAC is open to all electric utilities and provides a secured platform form sharing information regarding potential and actual physical and cyber security events. Water and gas utilities have similar Information Sharing and Analysis Centers. The Department of Homeland Security launched the Cyber and Infrastructure Security Agency (CISA) in 2018 to assist critical infrastructure entities in protecting their facilities and systems. All of these industry and government groups provide information on ways to protect your entity from physical and cyber security threats and ways to coordinate with fellow utilities as well as local, state, and federal law enforcement entities.
To summarize, here are some key take aways that will be helpful in deploying an effective physical security program:
Enhanced physical security of your facilities not only protects you and your customers from potentially long outages but also helps take steps to secure the overall North American interconnected electric grid. In many cases the investments that are made for physical security enhancements to protect transmission facilities can be recovered through your Transmission Tariff or your Regional Transmission Organization (RTO) Tariff. Additional security enhancements on the critical facilities on the interconnected electric system are a win for all parties involved.
article, please contact:
Dex Underwood, Analyst
GDS Associates, Inc. - Marietta, GA
770-799-2395
dex.underwood@gdsassociates.com