I can remember our first utility project in 1990. It included the assessment and physical survey of approximately 175 sites of a 250-site project throughout Pennsylvania and Delaware. One site of particular interest was on Snake Mountain. The only accessible route was by way of Ford Bronco navigating 18 degree vertical terrain that only the knowledge of the local utility representative would have. Its security level was minimal, validated through vulnerability assessment due to its geographic position and context in relation to possible outage through breach of security. Certainly, Snake Mountain is no distribution or switching point as critical as one outside of say, Wilmington, Delaware.
Conversely, our work in the Washington/Baltimore area was not minimized for risk mitigation through physical security and access control improvement for what were felt to be mandatory upgrades necessary to provide critical infrastructure protection in mid-2000s post 9/11.
It is important to clearly Define the Assets, with in-depth analysis of real estate properties and their assets, the physical security elements that exist or need improvement, and the electronic security assets and improvements which exist or may be needed. These three (3) elements real property, physical security, and electronic security represent critical inventory spreadsheets that have been created by our significant experience, when assets need to be ascertained, evaluated, and analyzed for possible vulnerabilities. Referencing the published standards (available through links below), we need to understand the meaning of the elements of compliance. Importantly, it must be recognized by each user and owner that the identification of assets through R1 as the initial risk assessment to transmission analyses, does not automatically render an R4 to strongly link a threat and vulnerability element to each R1 asset. In fact, R2, R3, and R4 are simply co‑linked for identification of cascading failures or other incidents which may promote a physical security threat to the system.
Thus, it is important to take an approach to prepare clear and concise matrices to identify: first, the real estate property and physical attributes including the asset location and their applicability to the voltage requirements associated with CIP; second, a detailed matrix that should be established which identifies all physical security features including environmental features that offset the need for increased security such as natural barriers, inclines or berms, accessibility, and other physical attributes; and third, a detailed matrix which identifies the existing electronic security assets, as well as the possible increases that may be required due to the R4 threat and vulnerability systematized attack and outage scenarios.
These matrices would then drive the Reliability Standard Audit Worksheet from a physical security standpoint, documenting and summarizing areas of concern, recommendations, and positive observations. The recommendations by NERC for the critical infrastructure protection are clear that the third party affiliation and verification need not be conducted after the transmission owners or distributors are finished their R4 assessment but may be employed during the entire span of effort. Thus, third party verification of facilities with R2.2 or after R5, completion of the threat analysis and security plan, should not be finished “in the dark.” Doing so may only lead to more questions, critical findings of analysis or planning, or outright misuse of shareholder funds through extraordinary means extraneous to the true intent of critical infrastructure protection by excessive or inappropriate counter-measures.
In addition, nothing in the NERC Physical Security Planning requirements addresses the true life cycle costs and potential for return‑on‑investment with improvement to physical security assets and the reduction of likely scenarios if there was no likely scenario to begin with. Having true third party teaming from the beginning of the R4 assessment to bring evaluation, vulnerability testing, threat exposure analysis, and results will impact the bottom line investment costs, capital improvements, operational costs, and life cycle contingencies to drive down costs across all levels.
Doing so will meet what for many distributors will be an aggressive schedule while maintaining security at the properly addressed level extinguishing the possibility of a Violation Severity Level (VSL) under all circumstances.
PSE’s CIP Security Technical Assistance Reliability Team approach provides a launch pad for analysis and corrective measures to drive down the tight completion schedule, increase the level of compliance in accordance with NERC Standards, maximize the asset protection while efficiently decreasing the cost of installation and equipment; all while purposely and proficiently minimizing life cycle cost truly providing return-on-investment to shareholders through electrical reliability.No utility has an open pocketbook. It is important to realize the return-on-investment and its most critical function in the reduction of initial cost. While many sites are generalized with security improvements over $100,000, many can be studied and reduced significantly through third party evaluation. This cost savings is directly proportional to the knowledge of the third party and working directly with users and representatives to assess the true vulnerability and comply with necessary mitigation steps that offset the likelihood of both perceived and actual vulnerability. Private/public partnerships with local law enforcement on tactical response may represent a critcal component beyond throwing money at technology for technologies sake.
This CIP START Technical Bulletin was issued by Professional Systems Engineering, LLC and prepared by Jerry ‘Dutch’ Forstater, PE. Mr. Forstater is a Professional Electrical, Electronics, and Communications Engineer licensed in 12 states. The firm has provided independent consulting and security strategy, design, specification, and construction expertise for almost 30 years. He is a graduate of the ASIS International Security Management Program through University of Pennsylvania’s Wharton School of Business, a graduate of Worcester Polytechnic Institute, and has been providing significant corporate, utility, industrial, commercial, and related security and public safety programs since 1986. He is Co-chair of ASIS International Philadelphia/Delaware Valley Chapter and Board Member of the International Association of Professional Security Consultants (IAPSC). PSE has provided significant physical security, electronic security, security lighting, and public safety 9-1-1/agency monitoring for law enforcement and corporate clients/agencies throughout the United States on installations that are critical to Homeland Security, infrastructure protection, and the public at large.