
Experienced in:

  • Threat Vulnerability Assessments:

    • Energy Sector facilities

    • Office and Administrative Centres

    • Personnel

    • Travel

  • Electricity sector security

    • distribution, especially substations

    • generation

    • transmission

    • control centres

  • Insider Threat Risk Management programs

  • NERC CIP-014-2 R4, R5, and R6 (I represented Canada on the team that developed the Standard, and have completed 49 R6 assessments since it came into effect.)

  • Exercise design and facilitation

  • Critical infrastructure protection

  • Anti-terrorism planning

  • Security management program design and implementation

  • Security audits and assessments

  • Design Basis Threat development and implementation

  • Physical protection system effectiveness analysis

  • Contingency planning

  • Personal security

  • Security training

  • Photographic services

 

I have over four decades of experience in all aspects of security management. Most importantly, I have worked as a professional security manager for many years and know the pressures of regulatory requirements, budgets, personnel shortages, and an endlessly-expanding threat portfolio.

Having spent much of my career in the High Impact / Low Frequency quadrant, I can help you to develop programs that will ensure that your risks are given the appropriate level of attention and resourcing that they need.

I have worked in the electric sector since 2006, and have held executive committee positions on NERC and Electricity Canada’s security and infrastructure protection committees. I am currently the co-chair of the E-ISAC’s Physical Security Advisory Group, and I co-facilitate the DBT/VISA workshop for NERC’s E-ISAC.

Please contact me if you have any questions about how Bridgehead Security Consulting, Inc. can help you to achieve your goals.


Over four decades in security & intelligence

Photo by cam fischer

My name is Ross Johnson, BMASc, CPP. I have over 45 years of experience in security and intelligence.  

I served for 24 years as an infantry and intelligence officer in the Canadian Armed Forces, serving in Canada, Egypt, Israel, Rwanda, and the United States.  I left the service in 2001 at the rank of Major.  Since then, I have worked in travel security, safety and security in the offshore oil drilling industry, and in the electricity sector.

I have done security work or conducted security training in Canada, the United States, Guam, Ukraine, Israel, Egypt, Malaysia, Myanmar, Singapore, United Arab Emirates, Angola, and Equatorial Guinea.

In 2009 I joined Capital Power as their Senior Manager, Security & Contingency Planning.  I was active with the North American Electric Reliability Corporation's Critical Infrastructure Protection Committee and sat on their Executive Committee for over seven years.  In 2014 I represented Canada on the Standards Drafting Team that produced NERC CIP-014-2 Physical Security.  

I was active with Electricity Canada's Security and Infrastructure Protection Committee for over ten years and I am currently Electricity Canada’s security advisor.

I am a strategic advisor for critical infrastructure with Awz Ventures, in Toronto, Canada.

In January of 2019 I was appointed to the position of the Co-Chair of the Physical Security Analysis Group (PSAG). The PSAG assists the Electricity Information and Analysis Center (E-ISAC) in providing critical subject matter expertise on threat mitigation strategies, incident prevention and response, training, emerging sector technologies, and other topics to electricity owners and operators across North America. Additional responsibilities include correspondence with the Physical Security Team at the E-ISAC to provide guidance and input on security projects and products. I am a co-facilitator of the E-ISAC’s scenario-based risk analysis workshop, which we have conducted in Canada, the US, Guam, and Ukraine.

I am currently the Critical Infrastructure Community Vice Chair with ASIS International.  I have a Baccalaureate in Military Arts and Sciences from the Royal Military College of Canada and am Board-Certified in Security Management.  I am the author of Antiterrorism and Threat Response: Planning and Implementation, published by CRC Press. 

I am an avid photographer, and my work can be seen at my website: rossjohnsonphotography.ca

 

Phone

+1 (780) 405-5542

EMAIL

ross@bridgeheadsecurity.com

 

A big lesson learned

Design Basis Threat / Vulnerability of Integrated Security Analysis methodology

The VISA process begins with the creation of a Design Basis Threat (DBT) document, detailing potential security risks, adversaries, attack methods, and motivations. This helps tailor effective security measures.

The DBT serves as a foundation for creating scenarios to test the physical protection system. If your organization lacks a DBT, we can develop one to identify and protect against threats.

The VISA process involves a diverse team from various parts of your company, such as Operations, Engineering, Security, Human Resources, etc.  If possible, we try to get a representative from local law enforcement to participate.  They tour the facility to gather information on its functions, critical components, and vulnerabilities. The team then creates and analyzes three scenarios: an outsider-only attack, an insider-only attack, and a combined attack.

Scenarios must be reasonable, credible, and align with the DBT. The analysis evaluates the physical protection system’s effectiveness, often revealing weaknesses. Recommendations for upgrades are usually low-cost or procedural changes.

This VISA process emphasizes looking at security from an adversary’s perspective to find and fix vulnerabilities.  The outcome includes an assessment of the physical protection system and necessary upgrades to meet acceptable risk levels, providing a business case for improvements.

The product of the workshop will be a core group of employees within your organization who can organize VISA assessments of your facilities when and where you choose.  Additional benefits include improved communication between operations and security, better understanding with local law enforcement, and heightened awareness of security measures and insider threats. 

The DBT/VISA methodology is effective for any critical infrastructure sector.

If you have any questions about this workshop and how it might help your organization, please contact me at +1 (780) 405-5542 or ross@bridgeheadsecurity.com.

 Security Management Programs

When I was hired by Atwood Oceanics in 2003, I was told that they didn’t have a security department, so I would be placed in the Safety, Health, and Environment department. I had no prior experience in any of these areas, but I learned quickly and found that industrial safety had a lot in common with security: they are both about the prevention of unwanted incidents.

I also learned about safety management programs. Never having seen a security management program before, I learned to adapt safety management to security management, and it has worked for me ever since.

A security management program is a systematic and strategic approach to identify, assess, and mitigate risks to protect people, assets, and information. It involves creating and implementing policies, procedures, and measures to safeguard against various threats, such as cyberattacks, physical intrusion, or insider threats. The program aims to ensure a safe and secure environment, maintain business continuity, and comply with relevant regulations. Regular monitoring, updates, and training are essential components to adapt to evolving risks and maintain an appropriate and effective security posture. The program involves collaboration amongst stakeholders, emphasizing prevention, detection, and response to potential security incidents.

The security management programs I have developed include:

  • Mission and vision

  • Security management program

    • governance

    • accountability

    • competence

  • Security risk management

    • asset classification

    • threat & vulnerability assessment

    • risk mitigation

    • security information collection and management

  • Information security management

  • Information technology and operational technology security management

  • Personnel security

  • Security incident management

  • Monitoring and review

  • Management of change and corrective action


This table shows the relationship between the impact of an event, its frequency, and how organizations treat them. I have found that the changing climate and a polarizing security environment are increasing the frequency and impact of events that were once far less common. Many of our critical infrastructure assets were designed for a world that no longer exists. This will require changes in funding and organization by many critical infrastructure owners and operators.


 Clients

Alberta Electric System Operator

Alectra Utilities

AltaLink

Awz Ventures

BC Hydro

Electricity Canada

Electricity Information Sharing and Analysis Center

EPCOR

Haley & Aldrich

Pacific Northwest National Laboratory

Guam Power Authority

Ukrenergo

Util-Assist

 
