Substation Security: Thinking Outside the Fence

Nick Weber, CPP
Compliance Auditor, Cyber Security
Salt Lake City, UT

Speaker Intro: Nick Weber, CPP

• 17 years first responder, military, and security experience
  o US Army Reserve Information Operations (Cyber): Network Defense Team Leader; Dynamic Defense Deputy Team Leader
  o US Department of Homeland Security: Energy Sector Specialist; Site Assistance Visit Team Leader
  o US Army Cavalry Officer: OIF veteran; Bronze Star Medal; National Training Center (NTC) Opposing Force (OPFOR)
  o Account Manager at a security guard provider
  o Wildland firefighter

Applicability

• CIP-014-1 (Draft) R4 Threat and Vulnerability Assessment
• CIP-014-1 (Draft) R5 Physical Security Measures

Purpose

• Zero tolerance society
  o It used to be that the power going out was an adventure
  o Now it’s a national event
• Provide an alternative to the 3G approach (gates, guns, guards)
• Spur discussion to address Beltway concerns
• Spur discussion to shape future physical security standards

Predominant Substation Threats

• Metal theft
• Vandalism
• Cyber
• Ballistic attack
• Coordinated physical attack
• Coordinated cyber-physical attack
• Trampolines

Trampolines?

Average Current Substation Defense

• Security by obscurity
• Single high-speed avenue of approach
• Chain link fence with barbed wire topper
• Control house
• Cameras
• Intrusion detection
• System redundancy
• Defense in depth for cyber assets

The Way Ahead

• Situational Awareness
• Vulnerability Assessments
  o Terrain Analysis
  o Methodology
  o Surveillance Detection
• Solutions
  o Deterrents
  o Delay
  o CPTED
  o Emerging Technologies
  o Information Sharing

Situational Awareness

• Know your environment
• Know what’s normal for your environment
• Key in on deviations from that norm
• Listen to your “spidey sense”

Assessment Objectives

• Understand what components or assets are critical to your mission
• Understand the vulnerabilities that could interrupt your mission
• Understand your adversaries
  o Who they are
  o What motivates them
  o How they prefer to attack

Assessments

• Resources
  o Physical Security Personnel
  o Local Law Enforcement
  o Federal Agencies
  o State Emergency Management
• Methodologies
  o ECIP/SAV
  o CARVER

ECIP/SAV

• Enhanced Critical Infrastructure Protection
  o Conducted by a DHS Protective Security Advisor
  o Somewhat checklist-driven
  o Finished product is a dashboard
    - Compares posture to like facilities
    - Allows for temporary adjustments to show the security posture impact of proposed changes
• Site Assistance Visit*
  o Facilitated by a DHS Protective Security Advisor
  o Conducted by a team of physical security experts
  o Finished products:
    - Dashboard
    - Written report

*Likely discontinued in September 2014

CARVER

• Approach combines metrics and subjective judgment
• Scalable
• Evaluates:
  o Criticality – importance of the target
  o Accessibility – ease of access to the target
  o Recuperability – ability to recover
  o Vulnerability – ease of successful attack
  o Effect – direct loss from attack
  o Recognizability – ease of target recognition

CARVER Values

Each factor is scored 1-10 using the bands below. On every factor a higher value means a more attractive target from the attacker’s point of view, so a higher six-factor total means higher priority for the defender.

9-10
  Criticality: Loss would stop operations
  Accessibility: Easily accessible, not secured
  Recuperability: Replacement lead time 1 year or more
  Vulnerability: Attack vector requires no training or special tools
  Effect: Extreme socioeconomic impact
  Recognizability: Easily recognized with no training and no confusion

7-8
  Criticality: Loss would significantly reduce operations
  Accessibility: Easily accessible, limited security
  Recuperability: Replacement lead time 6-12 months
  Vulnerability: Attack vector requires little training or special tools
  Effect: Significant socioeconomic impact
  Recognizability: Easily recognized by most with minimal confusion

5-6
  Criticality: Loss would reduce operations
  Accessibility: Accessible, but secured
  Recuperability: Replacement lead time 2-6 months
  Vulnerability: Attack vector requires training and special tools
  Effect: Noticeable socioeconomic impact
  Recognizability: Recognized with some training

3-4
  Criticality: Loss may reduce operations
  Accessibility: Difficult to access
  Recuperability: Replacement lead time 2-8 weeks
  Vulnerability: Attack vector requires intensive training and special tools
  Effect: Minimal socioeconomic impact
  Recognizability: Difficult to recognize without extensive training

1-2
  Criticality: Loss would not affect operations
  Accessibility: Very difficult to access
  Recuperability: Replacement lead time less than 2 weeks
  Vulnerability: Attack vector requires a well-trained team with numerous special tools
  Effect: No noticeable impact
  Recognizability: Extremely difficult to recognize without training and surveillance

CARVER Example

Asset               C   A   R   V   E   R  Total
Transformer         8   8  10   8   9   5     48
Control House       6   5   5   5   6   7     34
Transmission Tower  5  10   1   9   1   9     35

CARVER Possible Threat Values

9-10 – Attack has recently been successfully carried out in close proximity, or intelligence warnings specifically mention the asset
7-8 – Attack has recently been successfully carried out in a distant location, or intelligence warnings mention the asset type
5-6 – Attack has been unsuccessfully attempted in close proximity, or an attack was attempted some time ago, or intelligence warnings mention similar facilities
3-4 – Attack has been unsuccessfully attempted in a distant location, or an attack was successful some time ago, or intelligence warnings mention the sector/industry
1-2 – Attack has not been attempted on a like facility

CARVER

• Repeat for all applicable attack vectors
• Nick’s suggested attack vectors:
  o Direct Fire Ballistic
  o Indirect Fire
  o Explosive
  o Forced Entry
  o Surreptitious Entry
  o Vehicular Attack
  o Incendiary/Arson
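The following Python is an added worked example of the CARVER procedure described on the preceding slides (the 1-10 rubric, the asset example, the threat values, and the instruction to repeat per attack vector); it is not code from the presentation or from WECC. The Direct Fire Ballistic scores reuse the slide’s own example figures (totals 48, 34 and 35); the Forced Entry and Vehicular Attack scores and the three threat values are constructed for illustration. Multiplying the six-factor CARVER total by the vector’s threat value to get a priority is an assumed combination rule: the slides list threat values but do not state how they are applied.

```python
"""CARVER scoring worked example (added illustration, not from the presentation).

Each asset is scored 1-10 on Criticality, Accessibility, Recuperability,
Vulnerability, Effect and Recognizability; the six scores are summed
(higher = more attractive target); the exercise is repeated per attack
vector; and a 1-10 threat value per vector is folded in to prioritize.
"""
from dataclasses import dataclass, fields
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CarverScore:
    criticality: int       # importance of the target
    accessibility: int     # ease of access to the target
    recuperability: int    # ability to recover (higher = longer lead time)
    vulnerability: int     # ease of successful attack
    effect: int            # direct loss from attack
    recognizability: int   # ease of target recognition

    def __post_init__(self) -> None:
        # Every factor uses the slide's 1-10 scale; reject anything else so a
        # typo (0, 11, a float) cannot silently skew the ranking.
        for f in fields(self):
            v = getattr(self, f.name)
            if not isinstance(v, int) or not 1 <= v <= 10:
                raise ValueError(f"{f.name}={v!r} is outside the 1-10 CARVER scale")

    def total(self) -> int:
        return sum(getattr(self, f.name) for f in fields(self))


# Threat value per attack vector (the "Possible Threat Values" rubric).
# These figures are constructed for illustration, not from the presentation.
THREAT_VALUES: Dict[str, int] = {
    "Direct Fire Ballistic": 9,  # hypothetical: recent successful attack nearby
    "Forced Entry": 6,           # hypothetical: attempted nearby, unsuccessful
    "Vehicular Attack": 3,       # hypothetical: warnings mention the sector only
}

# One CarverScore per (asset, attack vector). The Direct Fire Ballistic
# column reuses the slide's worked figures (totals 48 / 34 / 35); the other
# two columns are constructed for illustration.
MATRIX: Dict[str, Dict[str, CarverScore]] = {
    "Transformer": {
        "Direct Fire Ballistic": CarverScore(8, 8, 10, 8, 9, 5),
        "Forced Entry":          CarverScore(8, 5, 10, 5, 9, 5),
        "Vehicular Attack":      CarverScore(8, 4, 10, 3, 9, 5),
    },
    "Control House": {
        "Direct Fire Ballistic": CarverScore(6, 5, 5, 5, 6, 7),
        "Forced Entry":          CarverScore(6, 5, 5, 7, 6, 7),
        "Vehicular Attack":      CarverScore(6, 6, 5, 6, 6, 7),
    },
    "Transmission Tower": {
        "Direct Fire Ballistic": CarverScore(5, 10, 1, 9, 1, 9),
        "Forced Entry":          CarverScore(5, 10, 1, 8, 1, 9),
        "Vehicular Attack":      CarverScore(5, 9, 1, 7, 1, 9),
    },
}

Row = Tuple[str, str, int, int]  # (asset, attack vector, CARVER total, priority)


def validate_matrix(matrix: Dict[str, Dict[str, CarverScore]],
                    threat_values: Dict[str, int]) -> None:
    """Require every asset to be scored against exactly the vectors that have
    a threat value, so an unscored pair is an error rather than a quietly
    missing row in the ranking."""
    for vector, tv in threat_values.items():
        if not isinstance(tv, int) or not 1 <= tv <= 10:
            raise ValueError(f"threat value for {vector!r} must be 1-10, got {tv!r}")
    for asset, by_vector in matrix.items():
        missing = set(threat_values) - set(by_vector)
        if missing:
            raise ValueError(f"{asset!r} is not scored against {sorted(missing)}")
        extra = set(by_vector) - set(threat_values)
        if extra:
            raise ValueError(f"{asset!r} scored against vectors with no threat value: {sorted(extra)}")


def rank(matrix: Dict[str, Dict[str, CarverScore]],
         threat_values: Dict[str, int]) -> List[Row]:
    """Return one row per (asset, vector), highest priority first.
    priority = CARVER total * threat value (assumed combination rule)."""
    validate_matrix(matrix, threat_values)
    rows: List[Row] = []
    for asset, by_vector in matrix.items():
        for vector, tv in threat_values.items():
            total = by_vector[vector].total()
            rows.append((asset, vector, total, total * tv))
    # Deterministic order: priority, then raw CARVER total, then names.
    rows.sort(key=lambda r: (-r[3], -r[2], r[0], r[1]))
    return rows


if __name__ == "__main__":
    print(f"{'Asset':<20}{'Attack vector':<24}{'CARVER':>7}{'Priority':>10}")
    for asset, vector, total, priority in rank(MATRIX, THREAT_VALUES):
        print(f"{asset:<20}{vector:<24}{total:>7}{priority:>10}")
```

Run stand-alone it prints the nine (asset, vector) rows in priority order. The point of the per-vector repeat shows up in the output: the transformer leads on every vector because of its recuperability and effect scores, but the transmission tower outranks the control house for direct fire because it is trivially accessible and recognizable even though its loss is quickly recoverable, which is exactly the kind of distinction a single summed score per asset would hide.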

Terrain Analysis

• Observation
• Avenues of Approach
• Key Terrain
• Obstacles
• Cover and Concealment

Observation

• Where can adversaries observe me?
• What can I see?
• More importantly, what can’t I see?

[Diagram: site sketch with two hills]

Avenues of Approach

• How can adversaries get to me?
  o Vehicle
  o Foot

[Diagram: site sketch with two hills]

Key Terrain

• What do I really need to keep adversaries away from?
• Where can adversaries conduct surveillance?
• Where can adversaries launch an attack?

[Diagram: site sketch with two hills]

Obstacles

• What do I have available to block adversaries from getting to or seeing me?
  o Natural: cliffs, ravines, trees, large rocks
  o Man-made: fences, gates, bollards

[Diagram: site sketch with two hills]

Cover and Concealment

• What is keeping me from seeing adversaries watching me or approaching me?
  o Vegetation
  o Structures
  o Terrain

[Diagram: site sketch with two hills]

Terrain Analysis

• Identifies a lot to think about
• Let’s start to pare that down

Self Assessment

• What is critical?
  o Low redundancy
  o Long lead times
  o Stops operation within a short time
  o Going to make your life miserable
• What is vulnerable?
  o Ballistics paths
  o Susceptible to blast
  o Susceptible to sabotage
• How could I be attacked?
  o Beware a “failure of imagination”
  o Do not think about the likelihood of an attack vector at this point

[Diagram: site sketch with two hills]

Surveillance Detection

• The following few slides are a very small slice of a free three-day course that DHS provides*
• If interested in the full course, contact your DHS Protective Security Advisor

*The presenter is not responsible for curriculum changes over the past four years or the effects of time on memory.

Attack Planning Cycle

When can the attacker best be defeated?

• Target identification
• Surveillance
• Target selection
• Pre-attack surveillance and planning
• Rehearsal
• Attack
• Escape

Surveillance Detection

Types of surveillance:
• Fixed
• Mobile
• Technical
• Photographic
• Combination

Hostile Surveillance Points

Where can an adversary effectively conduct surveillance on your facility?

[Diagram: site sketch with two hills]

Where can an adversary see something vulnerable or exploitable?

[Diagram: site sketch with two hills]

Q: Ok, we’re down to six big areas, that’s still a lot of ground to cover…

A: Where will someone look out of place and be easily noticed if they’re conducting surveillance?

[Diagram: site sketch with two hills]

Now What?

Q: We’ve identified three areas where adversaries could recon the facility and exploit vulnerabilities. This substation is still remote and I can’t reasonably post a guard there 24/7.

A: Great point! Let’s mitigate those without breaking the bank.

Addressing Hostile Surveillance Points

[Diagram: site sketch with two hills]

Now What?

Q: We’ve mitigated all the hostile surveillance points, but what about those ewoks and that storm trooper?

A: It depends
• Delay
• Detect
• Deter
• Defend

Avenues of Approach

[Diagram: site sketch with two hills, annotated with Delay, Detect and Delay controls]

Now What?

Q: Why didn’t your last ewok picture have any deter or defend mitigations?

A: There are a number of deterrents available at little or no cost
• Random security measures
• Every visible security control*
• Police patrols

*Double-edged sword: showing all controls makes your controls easy to recon.

Deterrents

Q: What do you mean by random security measures?

A: Random security measures allow you to implement security controls that wouldn’t be fiscally possible if they were implemented across your facilities 24/7. The key to successful random security measures is to avoid any discernible pattern and to ensure the measures are enough of a departure from your standard security posture that they throw off an adversary. Random security measures are the bane of a recon scout’s existence!

Deterrents

Q: What are some examples of random security measures?

A:
• Flexing security guard postings
• Vehicle searches
• Random security patrols
• Additional personnel/vehicle searches
• Temporary vehicle barriers

Deterrents

Q: Do random security measures make any difference?

A: When I was in Iraq, my platoon was responsible for operating and defending an entrance control point (ECP)* to the III Corps HQ and was co-located with the entrance to Baghdad International Airport. All 365 days we held that mission we were identified as a high-value target by various insurgent groups. We were successful in our mission largely because of random measures.

*Fancy Army term for a gate

Deterrents

Q: How do I get the police to patrol my remote sites?

A: Information sharing!
• Teach your first responders what’s critical
• Invite first responders out for tours/site familiarity
• Where possible, offer some desk space and/or a pot of coffee

Delay

Q: How can I defend my site without hiring a small army?

A: Do you have armed drones available? If not, you’re likely limited to your response plan.

Some questions to address in your response plan:
• Will controls allow for attack intervention or merely forensics?
• Who will respond?
  o Guard force
  o LLE
  o Operations personnel
• How long can you delay vs. how long will your response take to get on site?
  o 15-minute delay + 30-minute response = problem (the attacker has 15 unopposed minutes on the asset)

CPTED Concepts

• Define your space
• Shape your environment
• Improve lighting
• Observation
• Direct foot and vehicle traffic

Defined Space

• Use clear boundaries to define your property.

Shape Your Environment

• Put yourself in the attacker’s position: which location would you prefer to attack?

Lighting

• Put yourself in the attacker’s position: which location would you prefer to attack?

Observation

• Remove areas of concealment and visual barriers.

Control Traffic

• Use barriers and controls to redirect all approaches through highly visible areas.

Available Technologies

• Acoustic sensors
• Anomaly detection software
• Unmanned Aerial Vehicles (UAVs)

Other Good Ideas

• Get to know your neighbors
  o Ask them to keep an eye out for things out of the ordinary
  o Share your knowledge, experience, and resources when feasible
• Take the full Surveillance Detection class
• Get involved in local and/or industry-based security groups
• Participate in GridEx
• Attend GridSecCon
• Get to know your first responders, state emergency management personnel, and Protective Security Advisor
• Tap into available threat information sources

At Your Service

• Interest in a CIP-014-1 Roadshow?
  o Contact Brent or Laura
• PSWG: get plugged in! http://www.wecc.biz/committees/StandingCommittees/OC/CIIMS/PSWG/default.aspx
• A phone call away. We want to help.
• Always willing to provide our audit approach

Questions?

Nick Weber, CPP
Compliance Auditor, Cyber Security
Western Electricity Coordinating Council
155 North 400 West, Suite 200
Salt Lake City, UT 84103
(801) 386-6288
[email protected]