Changing the Physical Security Mindset: Perspective from the Power Industry
A dedication to continuous improvement is only one mark of a forward-thinking critical infrastructure security leader.
The state of physical security in the power and utility industry is in an era of realization. Recent events, such as the PG&E Metcalf transmission substation shooting and the Entergy attempted train derailment using a transmission tower in Arkansas, have induced uncertainty and fear, not only in the power industry but also in the general public. Additionally, events such as these are amplified by the media’s drive to exploit, catastrophize and politicize any hint of security deficits. We as an industry must transcend this and hold ourselves accountable to ensure that everyone in the U.S. has reliable power delivered to their meter. Failure to secure the power grid is not an option.
The future of physical security will not be a relentless arms race to see who can acquire the most advanced sensors, cameras or even drones that autonomously detect and neutralize threats. Physical security in the power industry is not just about securing company assets, as it also includes protecting employees and company reputation. The future of power grid security will be reliant on the core values of the next generation. The core values of work ethic, accountability, integrity, teamwork, forward thinking and the spirit to create and constantly improve must be prevalent in all who aspire to participate in this unique industry. To grow stronger, the industry must begin now, as our enemies are constantly preparing. The industry must take steps to establish a broader foundation for unity between business units, companies, and the entire industry. Security managers must lead from the front by setting the example and convincing the rest of the industry to change.
The cornerstone of this foundation for change is ownership. This means to assume responsibility for the success and failure of the assets of people and property. This also means improving these assets by upholding an environment of constant learning and evolution within the business unit. Ownership of physical security entails demonstrating vigilance during times when others are complacent. Thoughtful ownership means learning from mistakes and improving on design. The owner of physical security must set an example for all others to follow.
Physical security practitioners must improve their methods to meet future threats against the power grid, which are sure to evolve, becoming more dynamic than they are today. Improved design must constantly evaluate and measure the operational capabilities of assets, searching out weaknesses to turn them into strengths. Physical security practitioners must invest more heavily in performance improvement programs. Such programs consist of specially trained individuals, both internal and external to an organization, which should objectively review a business unit to identify and resolve areas of weakness. Ideally, physical security should never cease to improve and should constantly explore new horizons.
To facilitate exploration requires an established baseline, a common platform identifying the minimal level of security while maintaining effectiveness. The recent NERC CIP-014 Physical Security Standard has allowed physical security managers to conduct threat and vulnerability assessments and build security plans based off of a baseline of minimum criteria. Industry as a whole must move past the concept of satisfaction with just the bare minimum. The industry must force itself to concur with the standards and strive to exceed them. Understandably, the financial impact of exceeding standards is significant, and therefore, physical security must become more creative and resourceful to affordably meet the challenges of our adversaries. Regulation itself must no longer serve as the crutch for entities lacking imagination and resourcefulness. Regulators must assume the role of champion, more advanced than that of our actual enemies, and persistently challenge the existing status quo. Regulators of the power industry must cultivate an environment of progression, information sharing and innovation. Finally, regulators must emphasize and reiterate the crucial importance of the bonds between federal partners, intelligence agencies and power companies.
Physical security of the power grid may never reach its full potential, due in part to the fragmented nature of the industry. To lead the industry, physical security must become a catalyst for change by enhancing the network of information sharing. Broadening the dialogue between security practitioners at different companies, including those not affiliated with the power industry, can lead to ingenuity. Communication within the industry where companies regularly practice benchmarking creates the path to forging strong relationships and enabling trust. Welcoming fresh eyes during Root Cause Analysis, Quality Assurance Audits, participating in drills and exercises are just a few methods of benchmarking. Fresh eyes allow for new ideas to form and grow into best practices, as well as to harness the power of a strong network.
The utility industry and grid regulators should not be controlled by the actions of its enemies. The responsibility belongs to physical security practitioners to create an environment where the enemy no longer has opportunity. Ultimately, the industry must assume a proactive posture, which means entities across the industry must improve their intelligence collecting capabilities. Intelligence, as it applies to physical security, is performed by creating a level of situational awareness by legally acquiring information. Entities collecting their own information contribute to a clear portrait of the threat landscape. As information is gathered over time, the portrait can identify the repetitive nature of criminal activity and the cyclical approach to planning used by adversaries to develop their unconventional strategies.
The power industry must challenge government agencies (FBI, DHS, State Fusion Centers, local law enforcement, and the Electricity ISAC) to assist the industry in further enhancing the daunting task of information collection. Most utilities lack the experience and tools to implement an effective intelligence collecting mechanism. Such inefficiency is exemplified when employees are unaware of what information they should report to corporate security or regulators. Corporate security managers are often reluctant to report information to DHS or the E-ISAC for fear of penalization for non-compliance. Corporate security often becomes disenfranchised with government agencies overloading email inboxes with non-pertinent information. In turn, security managers who provide agencies with requested information often receive a poor return on their investment, resulting in agencies failing to provide the entity with relevant information. While information-sharing websites such as InfraGard and HISN have tried to push information, they are often found to be untimely, not user friendly, and poorly resourced.
As these agencies increase their involvement in the industry, it is the responsibility of the agency to improve relationships with entities. It’s also the responsibility of federal agencies to enhance their information sharing tools to expedite the flow of relevant information to security managers across all industries. Also, it is important for agencies to become all-inclusive and to consider outreach to all NERC registered and non-registered entities. The power grid is a highly valued target for adversaries, and the timely delivery information is necessary so that security managers can take steps to mitigate and/or neutralize the threat.
Success for our adversaries requires that they exploit weakness, find targets of opportunity, and actively seek “soft” infrastructure targets. They are actively preparing and improving on their design to realize this success, and it is evident that we as nation have only witnessed a small sample of their capabilities with the events in France and San Bernardino. The magazine published by Al Qaeda of the Arabic Peninsula known as Inspire Magazineencourages prospective operatives to undertake studies in power systems and engineering. The goal is to build a network of young men and women employable in the field, to serve as insiders providing information back through the Deep Web. Realizing this, it’s imperative to understand our adversaries are becoming more forward-thinking and have removed many boundaries in terms of ways to strike us.
What does the physical security of the power grid of tomorrow look like? We can rest assured that new and amazing technology is being developed, and it is certain – companies will invest in these tools used to multiply guard forces. Beyond the hardware, the software, and the gadgetry, however, the most important element is the human one. Only this human element, can register the urgency to forge a once fragmented industry into a community, a network so robust and so dynamic that the idea of an infrastructure vulnerable to attack will never cross the minds of the American public.