Rethinking Grid Security
Protecting critical substations is an expensive and difficult proposition given locations and topography, and the answer may lie in a Design Basis Threat approach.
Recent history has given rise to an almost feverish obsession with “grid security” and large-scale national or regional cascading events. Ever since the Metcalf Substation attack of 2013, regulators, utilities and Congress have been almost single-mindedly focused on just such an event — a large-scale, multi-jurisdictional, simultaneously coordinated attack against numerous substations critical to interconnections. In these scenarios, an adversary would need to damage and disrupt the substations in question, in particular the extra high voltage (EHV) transformers, in order to trigger a regional-to-national cascading outage. Under this premise, the theory holds that the affected region, and by extrapolation the nation, would be operating without power, or with reduced power, for months or possibly even years. The premise of such an attack is complicated, and not without strategic and logistical constraints — not the least of which is the adversary being able to accurately predict the correct timing (weather conditions), load, and correct substations to attack to accomplish a cascading event. Identifying and defining such a list is a difficulty that has not been lost on either the Government or utilities, as true modeling for such an event is complicated and relies on numerous assumptions. Further complicating this effort has been the lack of trust between utilities and the Government after the ill-fated “critical substation” list was allegedly leaked by government regulators.
Even more troubling is the fact that some private actors have created and compiled their own “critical substations list” utilizing different methodologies to analyze open source information. For those that have seen the subscription service’s report, it is a point-by-point analysis of how to attack the identified substations — right down to asset owner, photos, and longitude and latitude identification. The accuracy and feasibility of the report is open for debate amongst transmission engineers but the point remains — information is out there.
In response to the Metcalf Attack, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability Corporation (NERC) to develop and implement a standard to protect the EHV substations from physical attack. The subsequent Standard, known as CIP-014, has since been implemented and will now be in both the FERC and NERC audit phase. A common criticism of CIP-014 is it is vague and non-specific, other than the identification of the voltage levels and combinations that place a substation within the requirement. The Standard requires utilities to conduct their own identification and subsequent modeling of which substations they feel are covered under the standard. The problem is, identifying which substations are “technically” covered under the Standard is relatively simple. However, identifying why those covered substations could lead to a cascading event outside of their individual system is not. Ask any transmission engineer for a precise identification of which substations could lead to such an event and you will almost invariably get the answer “under what conditions, and which interconnection?”
Under the Standard, utilities are conducting cascading modeling of their systems. They, for market and anti-trust reasons, do not have the ability to see within an adjacent operator’s system. They do their best and study loads and flows from their various sources but in the end, they are making assumptions as well because energy is consumed in real time. So, getting a firm grasp on this problem is pretty complicated, and these (transmission engineers) are some very smart people.
What does this have to do with rethinking grid security? Well, this short discussion about Grid modeling is not intended to downplay the significance of CIP-014 or its implementation. Rather, it is to highlight the true complexity of such an attack when our adversaries have been hinting to us for the last several years about their tactics and possibilities for success. Make no mistake, the Metcalf Attack and subsequent fallout and lessons learned served as an important wake up call for us all and is not to be understated with regard to the threat to Grid operations from a physical attack. However, utilities, security professionals, and the Government need to not lose sight of the more likely Grid attack. Which once again brings us back to Metcalf.
Rethinking Grid Security — One Substation at a Time
In rethinking the concept of Grid security, it is evident that some utilities, Government, and some security professionals may be missing the smaller, yet broader implications of Metcalf — that it was more than just an attack on the Grid — it was a relatively successful small-scale coordinated attack. The fact that Silicon Valley was not plunged into darkness for a prolonged period of time is a confluence of luck and technology that allowed Pacific Gas & Electric and the regional system to respond quickly and seamlessly. Although it is also often identified as a model of how the “Grid” or an individual utility’s system is supposed to respond via redundancy, it is also a perfect harbinger of an attack vector yet to come — the use of a substation attack as part of a targeted coordinated attack — not just taking the Grid down. Let me provide an example to highlight my point.
Imagine a hot September weekend somewhere in the United States where nearly a hundred thousand fans are gathered for a college or pro football event. During this event small-scale improvised explosive devices (IEDs) begin to be detonated within the stadium, followed by the sound of gunfire. Now imagine that this is indeed a coordinated attack and the adversary has done their research — which they do — and has identified the distribution-level substation(s) that feed the stadium area and taken them offline. Communications fail, up to and including cell towers, which, although some may have backup generation, simply cannot handle the volume. Traffic lights are also down as a result, leading to a disastrous inability for first responders to get to the location, let alone communicate with each other regarding the burgeoning chaos. Now imagine this has occurred at night.
If anything has prepared us for this looming reality it should be, at a minimum, the Paris attacks of November 13, 2015. A stadium, a concert hall, and restaurants. The only difference is that they did not attack the local power system. Again, imagine if they had. Fast forward to Brussels, March 2016. The airport and a rail station. London, Boston, Paris, Ankara, San Bernardino, Mumbai, and now Nice. Smaller scale, coordinated. This unfortunate methodology, attacking areas of concentrated populations for mass casualties, is nothing new; in fact it is the tactic of preference at this moment in history. Attempts at large-scale massive events have been replaced by a rapacious desire of terrorists to repeatedly show their relevance via small coordinated attacks aimed to kill and maim as many people as possible. It is in their DNA. And it is why we need to think about Grid security more holistically.
Mitigation Moving Forward
Protecting critical substations alone is an expensive and difficult proposition given locations and topography, so how can owners and operators be expected to worry about distribution level stations as well? The answer is both complicated — and easy. In fact many have already thought about the potential mitigation, just not in a Grid specific way.
Many owners and operators are already aware of much of their reliant critical infrastructure (such as hospitals, nursing homes, key government facilities) and have modeled restoration and redundancy plans for them. The problem is, this modeling is done mostly with a view (and rightfully so) toward natural disasters. As such, resultant damage is mostly considered at the distribution and transmission level and is primarily focused on line, pole, and tower restoration — not transformer vulnerability. A 115 kV transformer does not get a lot of security love until you start thinking of what it feeds. Take for example Google Maps and a popular outdoor concert venue in the Southeast that seats in excess of 20,000. A quick review of Google Maps reveals the primary distribution substation, but also reveals the pad-mounted transformers, as well as highlighting that there is only one road in or out. Moreover, the larger distribution-level substation is identified and is less than a mile away. Lastly, another substation, also about a mile away, can also be seen and is co-located with a cellular tower, as is often the case. All three of the substations are highly visible and are minimally protected with nothing more than a standard chain link perimeter fence. This situation is at least unique in that there are two additional substations nearby. In many cases there are not. Although one cannot see if there is fence sensing or other perimeter detection technology, the odds are that there is not, as they are distribution substations. And quite frankly, there is nothing wrong with that. Which is precisely the point. Enhancing substation security is expensive — at all levels. For many municipals and cooperatives enhanced security expenditures are a luxury item.
Mitigation Strategies: Design Basis Threat — DBT
It all starts with a Design Basis Threat (DBT). You cannot protect your assets properly unless you know what you are protecting against. A DBT is the “threat against which an asset must be protected and upon which the protective system’s design is based. It is the baseline type and size of threat that buildings or other structures are designed to withstand. The DBT includes the tactics aggressors will use against the asset and the tools, weapons, and explosives employed in these tactics.” Luckily, this first step has already been done. The Electricity Information Sharing and Analysis Center’s (E-ISAC) Physical Security Advisory Group (PSAG) published an electricity subsector specific DBT in December of 2015. The PSAG DBT is a reference document that can be used by operators at all levels, from investor owned to cooperatives. Moreover it is a “living” document that will be reviewed and updated every year by the PSAG members to reevaluate and respond to emerging threats and trends. Lest anyone think the PSAG is self-serving, its membership is made up of approximately 20 industry security professionals from investor owned, municipals, DoE intelligence representatives, and private sector specialists. All told, the PSAG has more than 600 years of combined physical security experience in industry, the electricity subsector, law enforcement, military and intelligence. The DBT is available to any registered member of the E-ISAC.
Threat and Vulnerability Assessment — TVA
Perhaps no single tool can help you to mitigate the potential attack vector I have described above more than an adequately performed threat and vulnerability assessment (TVA). However, a word of caution: I am not advocating that you must conduct a TVA on every one of your distribution-level substations. What I am advocating is that you identify those substations that feed critical assembly points like malls, sports and concert venues, regularly occurring seasonal events, etc. that draw large assemblies of people. Yes, you will have to rank them, as some venues have outdoor festivals every week, but that is part of the risk management process.
Once you have identified these sites, a TVA can then help you understand your ultimate vulnerability, which is whether or not the feed to the particular venue is resilient and whether or not you have quickly transferable redundant pathways. If so, you are way ahead of the game. If not, then you now know that at the very least, some interim physical security measures may be needed. At the very minimum, the addition of some type of intrusion detection, alarming and video surveillance may be warranted. In addition, engagement of your local law enforcement partners to help them understand the criticality of the facility is a must, coupled with table-top exercises (TTXs) that further help you and first responders understand the gravity of a potential coordinated attack on the venue and the responsible substation.
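The two steps above (identify the substations that feed large assembly venues, then use the TVA to ask whether each feed is resilient and what interim measures follow) can be turned into a simple, repeatable triage. The following is an added example, not code from the article or from the E-ISAC; the venues, substations, occupancy figures and the quarter weighting given to venues that already have a redundant feed are all constructed assumptions, chosen only to show how a ranked work list falls out of the questions the text poses.

```python
"""Triage of distribution-level substations by the assembly venues they feed.

Added example, not from the article: constructed data and a simple scoring
rule that turns the TVA questions in the text (who does the substation feed,
is the feed resilient, is there a transferable redundant path, what interim
measures apply) into a ranked work list for a physical security manager.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Venue:
    name: str
    peak_occupancy: int          # people present at a sold-out event
    events_per_year: int         # how often that crowd gathers
    feeds: tuple                 # substations able to energize the venue


@dataclass(frozen=True)
class Substation:
    name: str
    kv: float
    has_detection: bool          # intrusion detection / alarming / video present
    colocated_telecom: bool      # cell site on the same parcel, as is often the case


@dataclass
class Finding:
    substation: str
    score: float
    sole_feed_for: list
    shared_feed_for: list
    measures: list


# Assumed weighting (not from the article): a venue that already has a
# transferable redundant path still counts, but at a quarter of its exposure.
SHARED_WEIGHT = 0.25


def exposure(venue: Venue) -> int:
    """Person-events per year: crowd size times how often it gathers."""
    return venue.peak_occupancy * venue.events_per_year


def single_points_of_failure(venues):
    """Map each substation to the venues for which it is the only feed."""
    spof = {}
    for v in venues:
        if len(v.feeds) == 1:
            spof.setdefault(v.feeds[0], []).append(v.name)
    return spof


def interim_measures(sub: Substation, is_spof: bool) -> list:
    """Interim measures the article suggests when a feed is not resilient."""
    if not is_spof:
        return ["feed is redundant: confirm transfer procedure, no interim measures"]
    measures = ["brief local law enforcement on the facility's criticality",
                "run a table-top exercise with first responders"]
    if not sub.has_detection:
        measures.insert(0, "add intrusion detection, alarming and video surveillance")
    if sub.colocated_telecom:
        measures.append("note co-located cell site: loss also degrades communications")
    return measures


def prioritize(venues, substations):
    """Rank substations by the exposure of the crowds that depend on them."""
    spof = single_points_of_failure(venues)
    findings = []
    for sub in substations:
        sole = [v for v in venues if v.feeds == (sub.name,)]
        shared = [v for v in venues if sub.name in v.feeds and len(v.feeds) > 1]
        score = (sum(exposure(v) for v in sole)
                 + SHARED_WEIGHT * sum(exposure(v) for v in shared))
        findings.append(Finding(sub.name, score,
                                [v.name for v in sole], [v.name for v in shared],
                                interim_measures(sub, sub.name in spof)))
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample data (hypothetical sites, not real ones).
VENUES = [
    Venue("Outdoor amphitheater", 20_000, 30, ("Sub-A",)),
    Venue("Football stadium", 90_000, 8, ("Sub-B", "Sub-C")),
    Venue("Regional mall", 15_000, 300, ("Sub-A", "Sub-D")),
]
SUBSTATIONS = [
    Substation("Sub-A", 115.0, has_detection=False, colocated_telecom=True),
    Substation("Sub-B", 115.0, has_detection=True, colocated_telecom=False),
    Substation("Sub-C", 69.0, has_detection=False, colocated_telecom=False),
    Substation("Sub-D", 115.0, has_detection=False, colocated_telecom=True),
]

if __name__ == "__main__":
    for f in prioritize(VENUES, SUBSTATIONS):
        print(f"{f.substation}: score={f.score:,.0f} sole={f.sole_feed_for} "
              f"shared={f.shared_feed_for}")
        for m in f.measures:
            print("   -", m)
```

In the sample data only the amphitheater has a single feed, so Sub-A is the one true single point of failure and lands at the top of the list with the full set of interim measures; the mall's heavy event count still lifts Sub-D above the stadium feeds even though the mall is redundantly fed, which is the kind of ranking judgement the text says you will have to make. The weighting, the occupancy figures and the feed topology are inputs a utility would replace with its own TVA results.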
Perhaps the most often repeated phrase from physical security managers is “how do I sell more costs like this to management?” Repeat after me. Foreseeable reputational risk. Chaos is bad for business, especially if someone can make the argument that it was foreseeable. It ultimately leads to investigations, finger pointing, and state, local, and even federal inquiry — never a good thing. Additionally, ask for a show of hands from CFOs that want to renegotiate their insurance coverage after such an incident. This is an area where engagement with your risk management and legal team is crucial, for they truly understand it. No one is more risk averse than a lawyer.
The End Game
The days of wondering about terrorist what-ifs are over. There is no attack vector that we can imagine that they have not already thought of, or are continuing to think of. It is simply not enough to focus solely on the known. We must continue to strive to at least be thinking at the same pace. Identifying, evaluating, and implementing mitigation strategies for critical distribution-level substations is not just an exercise reserved for investor-owned utilities that have greater security resources; it must become a core physical security value throughout the electricity subsector.