EXCLUSIVE: Protecting utilities in an evolving threat landscape

New threats to utilities bring new challenges and solutions, says Ron Hawkins, Director of Industry Relations, Security Industry Association (SIA).

On 3 December 2022 in Moore County, NC the lights went out.

As tens of thousands of people suffered through the next few days without power, it quickly became clear what had caused the blackout – vandals/attackers/saboteurs (the perpetrators and their motives remain unknown) used firearms to damage critical equipment at electrical substations.

The incident was reminiscent of a 2013 attack when rounds were fired at a substation near San Jose, California. The North Carolina attackers, though, were either luckier, better informed about vulnerabilities or more skilled with their weapons than their California counterparts: the result in 2013 was $15 million in damage, but minimal impact on the local power supply. The people responsible still have not been identified.

Protecting critical infrastructure from criminals, terrorists and nation-state actors is one of the country’s most essential security priorities. However, while it is one thing to harden a single facility, securing countless (often remote) sites and connective lines makes this effort exponentially more difficult. In the energy sector alone, in the US, there are about 12,000 power plants, 55,000 substations and 240,000 miles of high-voltage transmission lines.

Of course, physical threats are not the only concern. In 2021, a ransomware attack on the computers that operate Colonial Pipeline forced what is the largest oil pipeline system in the US to shut down for five days. This caused short-term fuel shortages and economic disruption, but most significantly, highlighted how second and third-order effects, such as public panic, can exceed an attack’s direct impact. This was seen most clearly in images of people using any container they could find, even plastic bags, to hoard gasoline.

Tackling the threat

To help address these types of threats, both online and off, in early 2022 the SIA launched the Utilities Advisory Board. This panel, which is chaired by Joey St Jacques, director of global business development for ACRE, focuses the expertise of security professionals and utilities security practitioners on the development of guidance and solutions.

“Drones, insider threats, copper theft, sabotage and even terrorism are just a few components of the threat environment that utilities security practitioners must address 24/7,” Jacques said following the North Carolina attack.

“For these practitioners, it is vital to deploy resources that enable real-time detection and response and to utilize tabletop exercises, penetration testing and audits to manage risk exposure. The use of technology plays a critical role, from the outer perimeter to the most sensitive inner workings – as well as at sites that are separate from the main facility and thus, have additional vulnerabilities, such as substations.”

The board, so far, has produced advisory content in the form of a six-session SIAcademy Live! course on “Securing Utilities and the Energy Sector” and a December webinar on “Leveraging Technology to Protect Utilities” (now archived for free on-demand viewing).

The issue of drones

Much of the webinar focused on the threat posed by drones. Although unmanned aerial systems (UAS) have not yet been used in a major attack in the US, the war that resulted from Russia’s invasion of Ukraine has demonstrated how effective weaponized drones can be at destroying targets, including power facilities and other critical infrastructure.

While Ukraine has had some success with air defense systems, this counter-UAS option is, obviously, not available to utility practitioners. In fact, outside of certain federal agencies – the Departments of Defense, Energy, Homeland Security and Justice – all kinetic and electronic countermeasures are prohibited.

Casey Flanagan, a former FBI technician who is now the president of AeroVigilance, explained during the webinar that, under federal law, drones “are afforded the same rights as a commercial aircraft.”

In addition, he said, some mitigation efforts would currently violate federal laws against wiretapping, computer fraud and abuse and even interference with the operation of a satellite, among other statutes. As a result, civilian organizations can do little more than deploy technology to detect drones and if possible, identify the pilot.

“I know it’s frustrating when you have these issues around your facilities and you’re wondering, ‘Why can’t I do anything about this?’” Flanagan said.

Scott Gross, the security manager at Consolidated Edison in New York and a member of the SIA Utilities Advisory Board, is doing what he can. Gross runs a drone detection program in Manhattan that, he said in a November interview, has detected about 8,500 drone flights since February 2021 – this despite the island being a no-fly zone.

These were not all unique systems and operators and the overwhelming majority were likely careless recreational users, but the statistic demonstrates the potential for incursions with nefarious purposes.

“This is a serious thing that’s in its infantile stages as far as the technology is concerned,” Gross said, noting that he has worked with the US Coast Guard in their counter-UAS efforts, as well as with law enforcement and other city authorities to provide counter-UAS support for events such as the New York City Marathon and the Macy’s Thanksgiving Day Parade.

An additional challenge is that bad actors can defeat commonly used radio-frequency detection, for example by setting a drone to autopilot so that there are no RF transmissions between the drone and the operator on the ground. Other detection measures are available, including radar, but no system is perfect. Radar, for instance, needs line of sight and even then, might not be able to distinguish between a drone and a bird. So, a full solution often involves the combination of various technologies.

“If you take away anything from the use of counter systems, it’s that, unless you’re layering them, you’re not going to find any success,” said Master Sergeant Jarrod Kologinsky, flight chief with the US Air Force 87th Security Forces Squadron at Joint Base McGuire-Dix-Lakehurst, during SIA’s 6 December webinar.

Considering cooperation

Jacques, who previously worked for 30 years at Hydro Ottawa, expanded on the layering theme during the webinar, saying that, to have the best chance of defeating threats, risk mitigation must be comprehensive and include programs, standards, frameworks, policies, procedures, people, processes and technology as well as collaboration with other organizations.

“When we look at critical infrastructure, coming from the energy sector, there are a lot of plans in place and we rely on the interdependencies [with other critical infrastructure sectors],” Jacques said.

“It all comes together,” he concluded, “in resilience through partnership.”

This article was originally published in the January edition of Security Journal Americas.
