Proposed guidelines submitted to the Federal Energy Regulatory Commission by the North American Electric Reliability Corporation (NERC) will result in increased efforts to protect the nation’s electrical grid from physical attacks, according to The Anfield Group, an Austin-based consultancy specializing in cyber security for the electric, oil and gas industries.
The need for additional physical security for the grid was dramatically demonstrated on April 16, 2013 when a sniper attack on a Pacific Gas and Electric substation near San Jose, California, knocked out power temporarily for thousands of customers. As reported by KPIX-TV in San Francisco, the attack was originally thought to be vandalism, but an FBI investigation determined that the incident was a well-coordinated act of sabotage conducted by several persons working in unison. On February 5 of this year,The Wall Street Journal provided an in-depth look at the incident and revealed it took nearly a month and $15 million to repair the substation and that even though Pacific Gas & Electric offered a $250,000 award for information about the assailants, no arrests had been made. In addition, the Journal article suggested that a small number of similar attacks could cause widespread power blackouts throughout much of the United States.
Although the proposed standards have no yet been approved by FERC, their content leaves no doubt that some utilities will soon have to address additional physical security concerns,” said Stacy Bresler, Managing Partner of The Anfield Group. Basically, the new standards will require the industry to come up with plans to protect critical substations from a wide range of possible physical attacks.
Bresler explained that at their most basic level, the new standards will require electric transmission owners and operators to perform risk assessments to identify critical transmission stations and substations, as well as the control centers for each. Next, they will have to prepare a detailed plan for their protection. This plan must then be reviewed by “an unaffiliated” third party.
“This ‘unaffiliated third party’ is definitely a concern for us,” said Bresler. “With regard to security, we have seen instances in which the firm hired to review or audit a utility company lacks the experience and expertise needed to provide a comprehensive look at the security situation. As a result, the utility not only has to eventually pay hefty fines for violations discovered by federal auditors, they can go for months without addressing unknown security vulnerabilities.” He furthered noted that the proposed standards allow for other utility companies to perform this review. “The ‘you look at mine and I’ll look at yours’ approach is not often the best for getting an in-depth review,” he said.
Bresler suggested the industry should concentrate on getting the best and most experienced firms to conduct these important physical security reviews. For example, The Anfield Group specializes in both cyber and physical security and has staff with experience as division managers, policy authors and mission leaders for Critical Infrastructure Protection efforts by the Department of Defense and the Department of Homeland Security. Combined with their experience within the electric utility industry, The Anfield Group can easily create defense-in-depth strategies that are logical, sustainable and economical.
Required implementation of the soon-to-be approved standard for physical security could still be as much as one-year in the future. The key to successfully addressing these new requirements, however, is to start as soon as possible to assure time to address the potential budgetary and implementation challenges.
NOTE: The Anfield Group’s Patrick Miller was recently selected by Forbes magazine as one of the world’s 20 best cybersecurity experts to follow on Twitter. Follow Patrick at @PatrickCMiller and @TheAnfieldGroup