PSE Consulting, Design & Engineering



In the last two Technical Bulletins, we recommended addressing the physical security elements by making a tabulation of real property assets, current and possible physical security assets, and existing electronic and possible future assets. This provided a tabulation from which to base the second step, Threat and Vulnerability Analysis, in order to match needs – described in Technical Bulletin 2.

Threat and Vulnerability Analysis took a blend of social data, guided development, and prescribed steps to anticipate meeting protection using critical analysis of risk prevention and likelihood of being a target. Described in Technical Bulletin 2 was the blending of the likelihood of being a target and the susceptibility to become a successful target. The analysis included using computerized crime and insurance and other “big data” sources for historical susceptibility, to engaging critical law enforcement and applying transmission operator analysis of the (R2 instability and) cascade failure risk level.

We discussed the NERC CIP compliance steps. These steps are not application specific because they are universal in crime prevention. Specifically, the steps are the basis of Field Manual No. 3-19.30, issued by the Department of the Army in 2001, nine months before the 9/11 attacks. Appendix B, Section III – Command and Law-Enforcement Countermeasures, Item B‑126 summarizes in crystal clear detail nine steps necessary to actualize an end-to-end countermeasures program. It states in process language the following:

  • Analyzing the overall environment (neighborhood, block, and so forth).
  • Assessing the general vulnerability of the premises.
  • Defining the specific points of vulnerability.
  • Recommending specific security procedures.
  • Including specific remedial hardware recommendations.
  • Urging the implementation of the recommendations.
  • Conducting a follow‑up to ensure that recommendations have been implemented.
  • Keeping crime statistics to evaluate the survey’s effect and the implementation of recommendations.
  • Conducting a second survey of the premise’s statistical analysis to determine the alteration of criminal activity in the areas surveyed.

We discussed how the social aspects of behavior were intractably linked to social environment, personal events, and beliefs. Appendix C – Intelligence, Counterintelligence, and Threat Analysis, Item C‑5 states several factors complicate intelligence and counterintelligence collection and operations. The small size of terrorist groups, coupled with their mobility and cellular organization, make it difficult to identify the members. Unlike other criminals, terrorist cadres often receive training in counterintelligence and security measures from foreign intelligence agencies or other terrorists. Additionally, the traditional orientation of police organizations is toward individual criminals, while MI organizations focus on conventional forces. Terrorist activity, therefore, requires some degree of reorientation for police and MI and counterintelligence collection and operations.

Additionally, this focus on matching system needs to benefits produced provides responsible and sustainable implementation for all stakeholders. We also discussed how security engineering participation by a 3rd party with years of physical security assessment and design is mandatory for smooth accommodation within NERC CIP Guidelines and to meet objectives.

This Technical Bulletin will review our ability to Analyze Features and Benefits regarding technology whether physical or electronic. This will then prepare us for Bulletin 4 on costing and value engineering.

Coffee Anyone?

We can compare the features of security systems to the methods of preparation of a good cup of coffee, from the easiest preparation to the more technical, but perhaps less perfect. Each has its own technical objective, as well as complicated subjective aspect of satisfying one’s needs.

I group the differences in coffee preparation into Ethiopian, French press, Espresso, and K-Cup varieties – each using specific technologies – from legacy to technologically advanced. We will compare coffee preparation with perimeter fence security technology.

Applying the concept of analogies, a simple Ethiopian coffee that is prepared by roasting ground beans and steeping them in a handmade pot is the simplest nature of brewing coffee. It’s a legacy method. The same applies to perimeter “shaker” systems, ones which vibrate and give an alarm for detection and penetration. Tried and true, simple, inexpensive, works for years, using legacy technology.

The French press was the next invention for coffee and provides a method of screening the grounds and providing what’s considered a more nuanced cup of coffee. Likewise in perimeter security, electronic digital signal processing (DSP) provides greater stability and better detection, but is also more expensive and nuanced, especially when dealing with volumetric detection such as microwaves. Not as easy as preparing simple Ethiopian brews. Computers, algorithms, special fiber cabling, and integration may be needed. More technology, more cost, but better sensitivity.

Next is Espresso. It takes technology of between 10 and 15 bar of pressure (10-15x atmospheric pressure) to extract the tastiest Espresso or the thickest ristretto. Likewise in perimeter security, the more esoteric, the higher expense, and more expensive installation methods. This higher detection technology is directly associated with electrostatic line sensing systems and taut wire. It takes much more technical expertise, is more expensive, but provides finesse. Just as coffee comes in many flavors, so do options of electronic perimeter security reflect specific needs and sustainability expected by transmission operators.

Incorporating the concept of instant coffee, we come to the more technical but commoditized “K-Cup.” The K‑Cup is practically instant but provides a more technical and nuanced preparation that balances technology. But its being simplified compromises flavor and brew quality when compared with more expensive preparations. Several manufacturers have now commoditized what is perhaps instant fence detection. Easy to set up, very little remarkability, but technically advanced enough to reflect great security with self-setting DSP adjustment at a low price and high sustainability. It provides no frills. But again, like the K‑Cup, it has tremendous tradeoffs when it comes to accuracy, and perhaps greater protection.

Threat Levels

Before we get into features and benefits, and to finish the Threat and Vulnerability Analysis, it’s best to take a key element of Army Manual 3-19.30 from Table C‑1. Threat levels are defined as follows:

Threat Level



Existence, capability, and targeting are present. Intentions and history may be present.


Existence, capability, intentions, and history are present.


Existence, capability, and history are present.


Existence and capability are present. History may be present.


Existence and capability may be present.

The explanation of threat level factors are as follows:

Factor 1: Existence – A terrorist group is present, assessed to be present, or able to gain access to a given locale.

Factor 2: Capability – The acquired, assessed, or demonstrated level of capability to conduct terrorist attacks.

Factor 3: Intentions – Recent demonstrated terrorist activity or stated and/or assessed intent to conduct such activity.

Factor 4: History – Demonstrated terrorist activity over time.

Factor 5: Targeting – Current credible information or activity indicative of preparations for specific terrorist operations and/or specific intelligence that shows an attack is imminent.

Features ≠ Benefits

So here’s the most important part of this coffee analogy. Having features does not equate to having direct benefit. Features do not equal benefits.

As much as we like to listen to manufacturers of technical gadgets, very often the features themselves do not translate into direct benefits that provide transmission operators and those in charge of security the direct and associated fundamental need to provide identifiable benefits. And remember, expense does not mean better security. Better security equals appropriation of technology multiplied by direct benefits to the security of the transmission operators.

Better Security = Appropriate Technology x Benefits to Security

This simple equation states that a technology that does not apply is “zero” and provides no better security. If there are “zero” benefits, again no security improvement. Applying more appropriate technology with benefits improves security. How can an example and foundational research balancing features and benefits both help our progress in meeting NERC CIP goals?

Security Zoning

For technical purposes, we’re going to break down a standard substation into four (4) distinct elements. First is the far field. That is the site surrounding the substation to within 3,000’; about the average accurate range of a high-powered telescopic sharpshooter weapon aimed at a critical asset. This ring defines the far field of the site. The next ring is the near field of the site. This near field perimeter varies depending on access and boundary between public and private property. It may extend into the public property or associated commercial, private or even local government-tended space. Depending on the transmission operator, this ring can either be extremely important or less important than the next ring, the perimeter enclosure itself. After determining the Threat and Vulnerability Analysis, the transmission operator security personnel with the third party reviewer will determine if the near field site is as significant as the perimeter enclosure or if they both bear the burden of early warning. If near field sites need to be protected, technology considerations make it the most difficult to protect due to distractions from my nuisance alarm rates.

Finally, the asset enclosure – the transformer’s jacket as an example – is the last ingredient of the security feature. The asset enclosure may provide absolutely no level of protection against a threat; however, the enclosure can be upgraded with a number of methods discussed in Technical Bulletin 2 such as armor plate or applied anti‑ballistic materials. However, ricochet effects may be as jeopardizing as doing nothing.


For each technology, system, feature, design aspect, or promoted convenience, each direct benefit to the transmission operator can be associated on either a direct basis or a weighted basis as a measure of its performance. Each physical security attribute, electronic security attribute, or social attribute (as in deterrence or other social modes) can be directly listed as benefits that are associated with gaining a rung up the ladder of security with its associated investment. In no particular order are listed benefits of good security systems; their ability to monitor, reduce risk, or provide/communicate threatening activities in real time:

• Detection

• Environmental

• Delay

• Infrastructure

• Energy Consumption

• Sustainability

• Deterrence

• Integration Capability

• Protection from Attack

• Communications (two-way)

By example, its detection benefit needs to be based on the type of activity being detected, what kind of detection can be compromised versus what kind of protection can increase the probability of detection. Energy, on the other hand, identifies the amount of energy that would be required to monitor the system or the capacity required to provide energy at all times, even during power outage. So, for instance, an electrified fence with a stun capability may not be the appropriate course of action for a substation that has very little threat.

We’ve provided Table 1 to address the estimate of probability of detection for various systems. It has been updated to provide better information for 2015.

Environmental benefits are very important. For instance, in Florida along the coast, microwave heads have a severe challenge due to the cool evenings and the hot sun radiating direct sun energy with conduction of heat directly to the enclosure. This creates tremendous moisture and condensation of fog or mist that is intrusive to microwave enclosures. This fine mist then converts to water which condenses on sensitive electronics and can destroy the internal workings of microwave systems and is conducive to corrosion effects, which infrastructure specialists statistically identify as responsible for over 30% of all failures. Likewise, heat, cold, rain, snow, ice, and even tumbleweeds play into the environmental effects of certain systems with certain and substantial benefits being able to counter these environmental obstacles – providing needed sustainability with lower maintenance and life cycle costs.

The next step in determining applicable systems that would be required is to identify appropriate systems that are necessary in the far field such as video systems and whether analytics or historical video records are required. Perhaps even Lidar, a combination of laser and radar, to monitor changes in the far distance. Because nuisance alarms are distractors to effective security monitoring, we’ve provided Table 2, updated to include a number of external effects detrimental to systems from various sources.

Near field perimeter needs include the application of video systems, shock detection technologies, and volumetric detection technologies.

Threat and Vulnerability AnalysisThe physical perimeter of the substation could also benefit from a number of technologies such as physical fences, access control systems, fence detection, volumetric protection, anti‑ballistics, and anti‑ram inertial barriers (which were discussed in Technical Bulletin 2). The same type of table can be formulated with good results.

The assets physical enclosure can be addressed with anti‑ballistic or anti‑ram associated deterrents. And, of course, the transmission operator cannot forget more simple attacks to the lines themselves. This is a more complicated and nuanced need of security and can be addressed individually and independently, as needed.

Once a tabular formulation matching Threat and Vulnerability with the needed Benefits, including possible future technology of systems, cost and value engineering must both be applied to the possible solutions. Cost of installation, testing, and ability to efficiently maintain are clear and sustainable benefits. Cost has several elements and will be reviewed in Technical Bulletin 4. Costs include upfront capital costs, the cost of borrowing or investing money itself, operational cost, its installation cost, and sustainability costs such as monitoring costs, communication transmission cost, daily testing, licensing fees, and maintenance and overhaul life cycle cost (the cost to remove).

As any security executive well knows, asking for millions can be a considerable corporate endeavor. Showing return‑on‑investment (ROI) is especially important. The security team needs to have confidence, perhaps supported by third-party efforts, to substantiate the performance benefits and lowest cost per security dollar spent over the life of the system. We’ll address ROI in Technical Bulletin 4.

Likewise, in Technical Bulletin 4, value engineering will be reviewed to associate less expensive or less esoteric technologies, but ones which are sustainable and provide long‑term remedies to protection of assets for transmission operators.

This CIP START Technical Bulletin was issued by Professional Systems Engineering, LLC and prepared by Jerry ‘Dutch’ Forstater, PE. Mr. Forstater is a Professional Electrical, Electronics, and Communications Engineer licensed in 12 states. The firm has provided independent consulting and security strategy, design, specification, and construction expertise for almost 30 years. He is a graduate of the ASIS International Security Management Program through University of Pennsylvania’s Wharton School of Business; he is a graduate of Worcester Polytechnic Institute, and has been providing significant corporate, utility, industrial, commercial, and related security and public safety programs since 1986. He is co-chair of ASIS International Philadelphia/Delaware Valley Chapter and Board Member of the International Association of Professional Security Consultants. PSE has provided significant physical security, electronic security, security lighting, and public safety 9-1-1/agency monitoring for law enforcement and corporate clients/agencies throughout the United States on installations that are critical to Homeland Security, infrastructure protection, and the public at large.


Physical Security Assessment and Design
Threat and Vulnerability Analysis
Home - Security Systems EngineeringInfo - Security Systems Designemail - Communications EngineeringPSE LinkedinPSE Facebook - Security Systems Engineering
Reproduction in whole or in part in any form or medium without express written permission of
Professional Systems Engineering, LLC is prohibited.
Copyright © 2000-2016 Professional Systems Engineering, LLC. All rights reserved.

Technical Bulletins

Technical Bulletin #1 - "Define the Assets"

Technical Bulletin #2 -"Identify Threats and Vulnerabilities"

Technical Bulletin #3 - Analyze Features and Benefits"

Technical Bulletin #4 -"Justify Costs and Value Engineering"

Technical Bulletin #5 -"Specify"

Technical Bulletin #6 -"Implement"\

Technical Bulletin #7 -"Test and Confirm"

Technical Bulletin #8 -"Monitor (and Maintain)"

Technical Bulletin #9 -"CIP START Technical Bulletins Compendium"

Security & Communications Engineering