By Rich Heidorn Jr.
ATLANTA — Peter Scalici, manager of security outreach programs for Northeast Power Coordinating Council, still speaks with the blunt, no-nonsense demeanor of the New York City police detective he once was.
“I was never a fan of academia telling us how to handle real-world situations. I felt that many times we reached paralysis through analysis, where we were analyzing things so much that we never took action, we never solved the problem,” he said.
But when he learned about NERC’s Design Basis Threat (DBT) assessment, he was very impressed, he told NERC’s GridSecCon 2019 last week. “I said, ‘Now here’s something that really has value.’”
Based on a concept that originated in the nuclear power industry, NERC’s DBT was created in 2016 by the Physical Security Advisory Group. It is a tool for identifying the intentions and capabilities of potential adversaries and determining appropriate, cost-effective defensive measures.
Sam Chanoski, director of intelligence for the Electricity Information Sharing and Analysis Center, noted that hackers’ motives can vary depending on who they are: nation states seeking to affect geopolitics; extortionists seeking financial gain; or nihilists that “might want to break something or set it on fire.”
“It really gets down to imagination bounded by the laws of physics,” he said.
David Godfrey, critical infrastructure protection manager for Garland Power & Light, summed up the DBT this way: “What does winning look like for them? What does losing look like for us?
“It doesn’t always cost a lot to protect something, but it does take the knowledge of a good group of experienced folks,” Godfrey explained. “And that’s not just security folks. That is your substation people. That is engineers; your cyber folks; operations. Get them all in the room, and put their heads together.”
Scalici agreed, saying NPCC will integrate the DBT into the voluntary physical security assessments it offers its members. “This opens up everybody’s eyes to how everything is connected,” he said.
David Jarrett, Southern California Edison’s senior adviser for physical security, said the tool can be used by anybody within a utility’s security organization with some training.
The E-ISAC offers workshops to utilities to help them implement the program, which focuses on the functions of “detection, delay and response” to baseline a physical protection system and determine cost-effective upgrades.
One key step is comparing the amount of time adversaries require in their attacks (task time) with the time the response force requires to engage or neutralize the attack (response time).
Ross Johnson, president of Bridgehead Security Consulting, talked about the need to update the DBT in the face of new technologies, such as the battery-powered Metabo 36-V angle grinder, which he said can cut through a chain link fence in about 30 seconds.
Johnson noted that the ASTM International standards for fence penetrations for low- and moderate-threat facilities do not identify battery-operated tools as concerns because they were written when batteries were extremely heavy and not very powerful.
“They didn’t work very well so it wasn’t really an issue,” he said. “Today it’s different. Tools like this are affordable: That’s $450 at Home Depot. And it will go through anything very, very quickly.”
The ASTM standards are being updated accordingly, he said. “Which is really good news for us because what we don’t want to use is fencing that we think is good enough but doesn’t actually protect us against this particular tool.”
The other good news: New fencing can withstand such tools. “Sometimes, depending on the quality of the steel used in the fence, it’s so hard to cut that it wears the grinding wheel out or wears the battery out before it can get through,” Johnson said. “So that kind of fencing is your friend.”
Godfrey said the best fences can provide up to an hour of deterrence. “We have substations that take law enforcement an hour to get to,” he said.
War Games
Johnson said E-ISAC’s DBT implementation workshop is the best security training he’s ever had. “The first time I took it, by the end of the five days, I was embarrassed at the amount that I learned,” he said.
Johnson said the DBT implementation “teaches you how to … take all of the various pieces of the physical protection system … and use them together in order to defeat an adversary.”
“In the old days, which weren’t that long ago, we would design these security facilities … put a fence up here, put cameras here … but we didn’t ever really war game it out against an adversary. We just hoped it worked. And it almost always does, because you actually rarely get attacked by determined adversaries. So, we’re never faced with our own failure.”
One thing to avoid, the speakers said, is having too many participants in a DBT workshop or participants who will dominate the discussions.
“If you get the right five or six people in the room you can solve a lot of scenarios,” Godfrey said.
“The best number is about 20,” said Michael Bowen, associate director of physical security for the E-ISAC.