From an interview with Larry Mallory, senior director of physical security and crisis management, New York Power Authority
Awareness of a problem, especially one as complex as grid security, can be both good and bad. From the utility perspective, what affects one system can impart lessons to others across the industry. From the public perspective, putting attention on attacks to infrastructure can lead to undue panic or encourage copycat incidents.
While recent attention on attacks against electrical infrastructure isn’t necessarily indicative of a surge in terms of incidents themselves, utilities can benefit from increased awareness that such attacks happen. This awareness also helps utilities to constantly readdress and understand their risks as things change. By nature, grid security is a little bit reactive. This is in part helpful, as the nature of attacks is constantly changing, so our responses need to be nimble as well.
Just as with other facets of our sector, grid security is not just about what happens to NYPA or any other entity, regardless of size. While our set of assets might differ, remaining aware of what’s going on across the industry helps utility leaders to learn from others’ experiences.
Utility to utility, risk analysis should focus on what’s important to you, and what risks your organization is willing to take. However, it’s important for public power leaders to recognize that public power isn’t immune to threats seen by the rest of the industry. There’s not a separate threat landscape, and the landscape evolves quickly. Utilities need to make sure their toolsets are appropriately tuned accordingly. For example, utilities have focused on measures that keep people from being able to climb fences around critical facilities. But access to technology such as drones has made it so that other mitigation tools might be needed.
Awareness is more than just understanding threats, it involves assessing where you are and how well your controls work. The American Public Power Association’s primer on physical security, Physical Security Essentials, can help with this assessment. Utilities should have a good handle on how to define the threat (e.g., by using the design-basis threat, or DBT, approach), and clear metrics to evaluate. This includes metrics related to threat detection, to ensure vulnerability plans work, and being realistic about what’s a success and what’s a near miss. The most successful organizations evaluate near-misses.
Tracking successes and failures is also helpful for benchmarking, to see what has and hasn’t worked for others, and why. I’m a big believer in awareness and information sharing. Public power is a perfect venue for sharing lessons learned and gaining knowledge from others.
Reducing risks isn’t always a major endeavor. In fact, if you address the small things, then threats are less likely to become big things. And oftentimes, simple measures can have double benefits, such as good, robust lighting, which can help safety as well as security.
For a long time, there was a line between physical security and cybersecurity, but the line has gotten so small. They are separate disciplines, but they support one another. Keeping your cyber hygiene up to date in turn protects your physical assets, and vice versa. An incident could also easily be both a cyber and physical threat, so most successful organizations work together across everyone who deals with any aspect of security. Some utilities have consolidated both lines of effort under a Chief Security Officer or related executive function.
For small utilities, which are less likely to have an internal team dedicated just to security, maintaining a level of awareness means leveraging the suite of resources available. That includes signing up to get information and updates from industry partners such as the Electricity Information Sharing and Analysis Center, or E-ISAC, and being comfortable in reaching out to organizations with more resources for help. This is a community – it’s not just the grid that is interconnected, but the people who work within it. Just like the mutual aid we provide for storm response, we are willing to help each other and to share what we have learned. In that spirit, APPA members can share insights on the security community group on APPA Engage, or in discussions at various public power events.
APPA and other utility organizations are also hosting a free physical security workshop in conjunction with the E-ISAC September 25 in Illinois, which will include a rundown of the current threat landscape, review of mitigation strategies and practices, and discussion of available resources to reduce risk. Sign up to participate.
