Critical Infrastructure Sector Battles Growing Variety of Security Threats
Enterprise security executives at utilities are geared up for everything from terrorism to copper theft.
The U.S. Department of Homeland Security defines “critical infrastructure” as assets that provide “the essential services that underpin American society and serve as the backbone of our nation’s economy, security and health. We know it as the power we use in our homes, the water we drink, the transportation that moves us, the stores we shop in, and the communication systems we rely on to stay in touch with friends and family.”
Overall, the DHS considers 16 sectors to be critical infrastructure: chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, transportation, water and wastewater, and nuclear reactors, utilities and waste.
These sectors, several of which contain or intersect with public utilities, face an ever-growing list of security threats, ranging from copper theft, to financial crimes, to terrorism, that span both traditional physical security and cybersecurity. Each sector has a sector-specific government agency assigned to it. For most it is DHS, but the financial services sector, for example, is assigned to the Department of Treasury, while the Environmental Protection Agency covers water and wastewater.
These sectors are making significant progress individually in building resilience against cyber-attacks and other hazards; however, cross-sector vulnerabilities haven’t received nearly enough attention, says Paul Stockton, managing director of Sonecon LLC, and a former assistant secretary of defense for homeland defense, whose firm recently submitted a report to Homeland Security Secretary Jeh Johnson on the topic.
For example, Stockton says, if the electricity grid were attacked and was taken out across several states, the communications sector would go down quickly – but the electric power industry needs communications to be able to restore itself. “They need to be able to send out crews and be able to communicate where the power is out,” he says. “These [cross-sector vulnerabilities] are ubiquitous and very poorly understood compared to what’s required to restore power within a sector.”
From his vantage point as CSO at DTE Energy in Detroit, Michael Lynch has observed the same set of strengths and vulnerabilities. “Within the sector, there’s good sharing of information,” says Lynch, who handles physical security for the electricity and natural gas company that serves more than 2 million customers. “If something were to happen today in an electricity or gas site in El Paso, Texas, I would know about it pretty much in real time.” But, he adds, “If something happened locally, at a chemical facility, I wouldn’t know about it at all. Which in my mind is just as important because if you’re a bad guy, you might look at multiple attack scenarios.”
And while information sharing between private companies and the government has greatly improved, Lynch would like to know more from public agencies about what they perceive the top threats to be at any one time. “We can speculate that the threat is the lone offender, highly motivated and acting independently,” he says. “But we’re not really given that guidance, so each company is on its own to figure it out. That may not be the best approach.”
Devon Streed, security department head for PacifiCorp, notes that unlike some other critical infrastructure sectors, utilities must protect a wide variety of environments that range from 20-story office buildings in central cities, to small distribution substations in the middle of the mountains. “Taking into consideration and coming up with security philosophies and strategies that you can implement in all of those environments is an interesting challenge,” he says.
As a diverse industry, utilities face a dizzying array of threats from low-level copper thefts, to an active shooter taking out expensive transformers with a rifle, Streed says. As a result, companies need to adapt to a range of threats and attack vectors, and to prioritize the potential threats and resulting remedies. “I tend to shy away from measures that only address one threat,” he says. “I like to look at overlapping security measures, like intrusion detection [that works] whether for copper theft or terrorism.”
Streed agrees that information sharing and collaboration is key. “It’s amazing how often I go to meetings or have conferences where I meet my colleagues and other utilities, and somebody will bring up a conflict, and everybody else at the table has gone through it,” he says. “You start trading best practices, or [information about] emerging threats.”
Lynch has developed a program at DTE to deal with multiple-site attacks that cascade from one facility to the next in a planned pattern. To counter a bad actor who sabotages one facility and then moves on to the next, or who has a partner in crime waiting to do so, DTE has developed memoranda of understanding (MOUs) with local law enforcement that identify its most critical facilities, so that if a suspicious event occurs at one of them, there is an automatic, preventative response at the others.
Companies must prioritize and identify “just a handful out of thousands of facilities,” Lynch notes. “I see this as very powerful because that would prevent the scenario I described with a serial attack,” he says. “Imagine an emergency management group in a county that identifies a dozen facilities that are critical – a bridge, a tunnel, a communication building, a power plant. You’d have to have some rigor and discipline because you have to keep the number of facilities small. And then get law enforcement to agree to respond to the other ones.”
There’s little additional cost to such a scenario, he says. “It just requires robust communication and a willingness to work together as a team. Right now, we have like 8- to 10-year-old soccer players. The whole team runs toward the ball instead of playing positions.”
The DHS is drafting a cyber-incident response plan that will clarify and update the government’s role in combating potential cross-sector attacks and will also cover how industry and government can work better together, Stockton says. “This is a much needed and long overdue initiative,” he says. “It’s going to be a very important and valuable initiative if it’s done right.”
Individual sectors have been gradually improving their readiness to combat both physical and cyber attacks, Stockton says, but the capabilities of adversaries also continue to become more sophisticated. “We need to accelerate progress first of all for prevention and secondly, to restore service,” he says. “Weapons keep getting more sophisticated, and there’s a greater number of actors, including potentially terrorist threats. … It’s not time to rest on our laurels.”
Physical and cybersecurity threats are increasingly interlinked in a way that companies must account for and defend, says Paul Koebbe, senior systems consultant with Faith Group in St. Louis, which mostly works with airports (about 80 percent) but also has clients in the utility and healthcare sectors. Until about a decade ago, they were completely separate, but now physical security systems are running over the network, which means they have “the same vulnerabilities as data,” he says.
“The people running and maintaining those systems have to be aware of those vulnerabilities,” he adds. “If [bad actors] have the desire to penetrate into a facility, they can use a data-network vulnerability to penetrate into the security system. Whereas if they want intellectual property, they can use the security system as a front door into that. It depends on the threat vector.”
Among other angles, that means security personnel cannot simply leave in place the generic username and password for their security devices, Koebbe says. “You can go out and Google the user’s manual for any camera, any security device out there, and get the default username and password,” he says. “If I want to bust into your system, I’m going to start there and try that.”
Grant Christians, CIP-physical security specialist for Georgia System Operations, which is owned by 38 electric distribution cooperatives in Georgia, works in a collaborative environment where information and best practices regarding critical assets are shared and implemented among its affiliated companies and member-owners.
The new federal CIP rules that went into effect on July 1 mean that companies need to tighten their security procedures to stay ahead of fines that can be as high as $1 million per day per occurrence, Christians says. “There’s obviously a tremendous incentive to comply,” he says. “The last thing we want to do is explain to our board of directors why we were hit with a large fine due to noncompliance on our part.”
Employees also sometimes let their guard down when offline, Koebbe says. Phishing sometimes takes the form of phone calls. “It would not be at all unusual to expect somebody would call a command center and say, ‘This is Jimmy Bob in IT, we need administrator rights to your security system,’ and somebody would give it to them,” he says. “Or you meet somebody at a bar, and you’re tipping a few with them, and they say, ‘Oh, yeah, I’m a network engineer, too. How do you guys do this?’ And all of a sudden, the cat’s out of the bag.”
On the physical security side, to help ensure the proper safeguards are in place, Georgia System Operations has 65 manuals that cover the policies, procedures and plans for physical and cybersecurity attacks, and Christians speculates that large public utilities likely have hundreds of such documents.
“Georgia System Operations has a rigorous training program in place designed to familiarize employees with the latest in safety and security standards,” Christians says. “Employees who fail to go through training in the required amount of time may find their access privileges revoked.”
In addition, Georgia System Operations has been putting in place cybersecurity and physical security analytics tools that will better help the company see the big picture. The company has upgraded its access control platforms through Honeywell and has multiple products with multiple video platforms. “Our efforts depend on the site we’re supporting and what we’re trying to accomplish there,” says Christians. “Some platforms use video analytics to detect personnel on the move, for instance.”
PacifiCorp works to ensure that its employees are well trained and on high alert at all times, Streed says. The company developed an active shooter awareness and response course last year that has been offered as a “brown bag lunch” session that more than 2,000 employees have attended.
“Having people thinking about what they would do in the event of an incident gives you that edge, not just security people but the entire company,” he says. “What you can’t do is say, ‘I’m going to work in an unsafe manner, and it’s OK because there’s a safety department that’s going to protect me.’ … It’s about getting people to realize they have a stake in this.”
In terms of equipment, Streed says the company has rolled out biometric badges from Zwipe at certain locations and access points, which have worked with PacifiCorp’s existing servers. “That was a pretty big selling point for us,” he says of the system’s adaptability. PacifiCorp uses ground-based radar and is investigating newly developing thermal video intrusion detection functionality, he says.
But the diversity of environments requires a range of solutions, Streed says. “Technologies that we’ve used to great effect that work well in a rural environment, where we can look outside the fence for hundreds of yards and see somebody approaching, don’t work so well in an urban environment with joggers on the sidewalk, and cars, and people,” he says. “It’s not a one-size-fits-all. And then you have to get it to all integrate and come back to a monitoring center, so security personnel can respond if there’s an incident.”
DTE undertakes regular employee trainings, as well as tests and exercises that consider not just preventative security but also resiliency when an attack does occur, Lynch says. For example, a company could protect a critical facility that houses expensive, hard-to-acquire pumps with guns, guards, gates and other access controls – and then ensure resiliency by placing such pumps strategically so they can be moved from one location to another, or potentially shared between facilities, in the event of a successful attack.
Whatever equipment a company deploys, security personnel need to accept the fact that there will always be false alarms, but they also need to ensure that the nuisance rate is kept under control, Koebbe says. “You can stack systems in such a way that you minimize the nuisance,” he says. “But it would be poorly advised for the owner to think that they’re going to get away from all nuisance alarms.”
To keep them under control, Koebbe advises making sure that fence areas are unencumbered by vegetation that might set off alarms. This is more important for the utility sector than, say, airports because of the widely dispersed facilities and resulting reliance on local law enforcement, he says. “Aviation is going to have a security force relatively available within five to 10 miles, as opposed to a utility environment with hundreds of square miles,” he says. “Local law enforcement is not going to be happy to be responding to false alarms on a regular basis.”
Cameras and other equipment are necessary to track these incursions until a human can arrive on the scene, Koebbe says. “To have to roll an officer on an immediate need basis to some place that’s four miles away – there is no such thing as ‘immediate’ unless the officer happens to be on his rounds and in the vicinity of the event,” he says.
Fifteen years ago, utility and other critical infrastructure companies mostly concerned themselves with nuisance issues like vandalism or trespassing, or occasionally workplace violence, Lynch says. Terrorism might not even have appeared on the list. That’s all changed. “I don’t think any of us can afford to think we have a check mark when it pertains to security,” he says. “We’ve made great strides, but there’s much more work to do.”
Christians believes utility and other critical infrastructure companies are becoming increasingly aware of the array of threats, and they’re becoming more open to exploring new solutions. “The topic most recently discussed at our board meeting and at the board meetings of our sister companies concerns the protection of cyber infrastructure,” he says. “You can never get too confident about what you’re doing, but we think we’re in a pretty good place. At the same time, we remain vigilant. Someone is always trying to figure out how to get around what we’ve done. We just have to try to stay ahead of them.”