Security Measure Vulnerabilities and Weaknesses: How Do We Know Which to Fix First?

Once you have identified all the weaknesses and vulnerabilities in a site’s physical protection system, how do you know which ones should be fixed first, and second, and third, etc.?

I’ve been experimenting with four-quadrant matrices, and I came up with this concept. We’ll start with definitions, then show the matrix, then some additional guidance. (Underlined words are listed in the definitions.)

Definitions

AOO – asset owner/operator.  The organization or its representative who makes operational and budgetary decisions related to the site, or asset.

Exploitable - refers to the potential for the W/V to be used to increase the chances of success of an attack that could achieve one or more of the unacceptable consequences as expressed by the AOO.  For example, a W/V that allows an intruder to access a critical asset is more exploitable than a W/V that allows access to something of lesser importance.  In short, it’s on the attack path to achieving an unacceptable consequence.  (See Non-Exploitable.)

Insider - someone who has direct knowledge of a site, of the kind that a person who has visited the site would have.  This includes employees (including ex-employees), contractors, and visitors.

Non-Exploitable - refers to the potential for the W/V to be used in an attack that does not include unacceptable consequences amongst the potential outcomes.  An example of this would be using copper grounding straps on a chain-link fence: it is a weakness that is easily exploitable, but the consequences of the loss of the straps are low and are likely unrelated to the unacceptable consequences for the site.  Its priority would therefore be less than a measure directly protecting a critical asset (an attack on which would likely be considered an unacceptable consequence). (See Exploitable.)

Observable - refers to a weakness or vulnerability (W/V) that is visible from outside the perimeter or documented on the internet.

Outsider - someone whose knowledge of the site extends only to what they can see through direct observation from outside the secure perimeter or what they can learn from the internet, and who does not have authorized access to the site.

Physical Protection System (PPS) – the collection of technology, personnel, policies, and procedures that work together to prevent the site from suffering one or more unacceptable consequences of an attack.  This definition should be interpreted as widely as possible and can include everything from secure fencing to human resource policies to liaison activities with local law enforcement.  The PPS does not include resources that the organization does not control.  For example, a neighbouring facility might use a mobile patrol that uses a shared access road, but as you do not control or communicate with the patrol you cannot count it as part of your PPS.

Security Measure – an activity, technology, policy, or procedure that contributes to the management of risk and ensuring a secure environment.  (See Physical Protection System (PPS).)

Site – the asset protected by the PPS.  An attack on the site could have the potential of achieving one or more of the unacceptable consequences.

Unacceptable Consequence - an attack outcome that is considered so grave that an AOO is willing to expend money to avoid.  Preventing these consequences is the purpose of the PPS.

Upgrade – in the context of a PPS, it refers to the mitigation of a W/V through the addition of a new security measure or the improvement of an existing one.

Video Surveillance System (VSS) – a network of cameras, monitors, recording devices, and other supporting sensors and software that provide an operator with a visual image of the area that the system covers.  A VSS can be monitored in real time to provide detection and assessment capability to the PPS, or it can simply record all activity for use later in an investigation of the attack. 

Vulnerability (V) - a gap in the PPS that could be exploited by an adversary in an attack. 

Weakness (W) - an inadequate security measure in the PPS that could be exploited by an adversary in an attack.

W/V – weakness and/or vulnerability

How to use this matrix:

List all vulnerabilities and weaknesses in their appropriate quadrants.

Re-order within quadrants by potential severity of consequence: those W/V that would directly support an attack that achieves one or more unacceptable consequences would have a higher priority.

Treat W/V in the order of Q1, Q2, Q3, Q4.  Again, exercise judgment.

Additional Guidance

Consider treating vulnerabilities before weaknesses because they represent a gap in the PPS.  Weaknesses represent an inadequate security measure (such as a fence in poor condition), but there is at least something in place – it’s just not as good as it should be.  This is not a hard and fast rule: as with all things, exercise judgment.  There may be vulnerabilities of lesser consequence than a weakness.
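As an added worked example (not the post’s own worksheet), the three steps above, listing W/V by quadrant, re-ordering within a quadrant by severity of consequence, and treating Q1 before Q2, Q3 and Q4, expressed as a small Python sort, with the vulnerability-before-weakness guidance used as the tie-break between items of equal severity. Q1 (observable and exploitable) and Q2 (exploitable but not observable) follow the post; putting observable non-exploitable items in Q3 ahead of non-observable ones in Q4, the 1–5 severity scale, and the sample findings are my assumptions.

```python
"""Prioritising W/V findings with the observable x exploitable quadrant matrix.

Added illustration, not the post's own worksheet. The findings and the 1-5
severity scale below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    kind: str          # "V" = gap in the PPS, "W" = inadequate security measure
    observable: bool   # visible from outside the perimeter or documented online
    exploitable: bool  # on an attack path to an unacceptable consequence
    severity: int      # 1 (low) .. 5 (directly enables an unacceptable consequence); constructed scale


def quadrant(f: Finding) -> int:
    """Q1 = observable and exploitable, Q2 = exploitable but not observable (as in
    the post). Q3 = observable but non-exploitable and Q4 = neither is an
    assumption; the post does not state which non-exploitable quadrant comes first."""
    if f.exploitable:
        return 1 if f.observable else 2
    return 3 if f.observable else 4


def priority_key(f: Finding):
    """Sort key: quadrant first (Q1 before Q4), then severity of consequence
    (high before low), then vulnerabilities before weaknesses as the tie-break."""
    kind_rank = 0 if f.kind == "V" else 1
    return (quadrant(f), -f.severity, kind_rank)


def prioritize(findings):
    """Return the findings as an ordered list of upgrades to treat."""
    return sorted(findings, key=priority_key)


def insider_referrals(findings):
    """Q2 findings are reachable only by insiders; the post suggests referring
    them to the insider threat risk mitigation team."""
    return [f.name for f in findings if quadrant(f) == 2]


# Constructed sample register for a substation-style site.
SAMPLE_FINDINGS = [
    Finding("Outdated safety signage inside the control house", "W", False, False, 1),
    Finding("Copper grounding straps exposed on chain-link fence", "W", True, False, 1),
    Finding("Visitor log never reviewed", "W", False, True, 3),
    Finding("No two-person rule for after-hours critical access", "V", True, True, 5),
    Finding("Spare-parts cage left unlocked inside the yard", "V", False, True, 3),
    Finding("Perimeter fence in poor condition on the north side", "W", True, True, 4),
]


if __name__ == "__main__":
    for rank, f in enumerate(prioritize(SAMPLE_FINDINGS), start=1):
        print(f"{rank}. Q{quadrant(f)} [{f.kind}] sev {f.severity}: {f.name}")
    print("Refer to insider threat team:", insider_referrals(SAMPLE_FINDINGS))
```

Running the script prints the prioritized upgrade list; severity sits ahead of the V/W distinction in the key because, as the post says, a vulnerability can be of lesser consequence than a weakness, and the final ordering is still subject to judgment.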

Q2 security measures are exploitable but not observable from outside the site or organization.  If it is exploited, it will likely be by an Insider.  If possible, Insider security measure upgrades should be referred to the company insider threat risk mitigation team for mitigation.

Why would #3 be in the first quadrant? How would an outsider know that there was no 2-person rule for critical site access after hours? Because this is the kind of information they are looking for when doing pre-attack surveillance of the site.

You’ll notice that if you can figure out the Word formatting of the numbered items, you will end up with a prioritized list of upgrades.

This is experimental. The most important thing to remember is to use it as a guide: not as a rule. Always exercise your judgment in security matters: that’s why they call it a profession.

Please let me know what you think.

A cool way of prioritizing your tasks

I came across an interesting tool a while ago. Called the ‘Eisenhower Matrix,’ it builds upon the comment that the 34th President of the USA made in a speech in 1954: “I have two kinds of problems, the urgent and the important.  The urgent are not important, and the important are not urgent.”

I suspect that a lot of readers (ok, the reader) will understand immediately what this means. (Thanks for sticking by me!)

How do we use the Eisenhower Matrix?

1. Make a list of all your tasks, and then place each task in its appropriate quadrant.

2. Within each quadrant, arrange the tasks in order of priority.

3. Spend as much time working on Quadrant 2 tasks as possible.  This is where good work gets done.  A Quadrant 2 task with the additional pressure of time becomes a Quadrant 1 task, so try to complete it before that happens.

4. Quadrant 3 and 4 tasks are not important, so delegate or delete as many of them as you can.  Keep in mind that if they aren’t urgent or important to you, they are unlikely to be urgent or important to anyone else.  You don’t want to make your Q4 task someone else’s Q1 task, so be careful not to artificially inflate a task’s urgency through delegation.  Wasted time is wasted time, whether it’s yours or your subordinate’s.  Be ruthless with your time and the time of the people who work for you, as no one wants to spend their days doing unimportant things.

If you’d like to learn more, please go to: https://asana.com/resources/eisenhower-matrix

Inequality and public safety

I spent this past week in Quebec City. I was there for GridSecCon 2023, the electricity sector’s annual security conference, where I met a lot of old friends and made a few new ones.

One of the keynote addresses really resonated with me. Francis Bradley, the President and CEO of Electricity Canada (and a good friend for nearly 20 years) spoke about challenges we face today and in the future. He identified three. The first was identity politics, and the second was climate change.

The third issue really stood out for me. He said, “The scarcity of affordable options for basic needs, the challenges of urbanization and supply chain crises will set the economic agenda.” That first phrase, “The scarcity of affordable options for basic needs” is the most elegant description of modern poverty I’ve ever seen.

I used to work in an offshore drilling company in Houston called Atwood Oceanics. My boss was Jim Gillenwater, an ex-Vietnam War medic who spent the rest of his career on or around offshore drilling rigs. Every time someone did something that got them fired, (or in the language of the industry, ‘run off’ or ‘sent to the house’) he would say “some people just don’t like prosperity.”

So, I had to put together opening remarks for a panel I was facilitating on threats to the future grid, and I (clumsily) tried to weave these themes together. The North American electric grid is how we distribute and deliver prosperity today, through safe drinking water and food, entertainment, communication, transportation, etc. (In other words, critical infrastructure) A lot of people can’t participate in this prosperity, though, but they can see others enjoying it. It must be a terrible thing to tell your children that they must do without those things that their friends, and the rest of the world they see in social media, treat so casually. Prosperity must be shared, for all the good reasons: it’s the right thing to do, it’s the human thing to do, it reduces political conflicts that threaten us all, and it increases public safety. We need to find ways to increase prosperity for all. Fortunately, tech billionaires have found a way.

If you want to test your blood pressure medication, read ‘How Billionaire Philanthropy has turned selfish’ in Axios. The link is here: https://www.axios.com/2023/10/21/philanthropy-selfish-billionaires The argument is that some tech billionaires think they are philanthropists simply by doing the work that they do to make themselves billionaires, making them sort of like a self-licking ice cream cone for public good. The more we support tax and regulatory structures that created and support them, the better off we, and the future, will be. It’s a great read, and it got me out of bed this morning. I also recommend you click on the link in the article that refers to ‘the trolley problem.’ (Oh hell, here it is anyway: https://www.currentaffairs.org/2017/11/the-trolley-problem-will-tell-you-nothing-useful-about-morality)

Thank you for reading this.

Security Management Programs for Utilities

This is the first of what I hope is many joint blog posts with my friend and colleague, John McClean, Director, Util-Assist Inc. John and I have worked together for many years now, and one of the things I really admire about him is that he not only understands security, but he has a deep background in utility operations. Whereas my understanding of electricity is limited to ‘it’s invisible, and it wants to kill me,’ he really understands how it works. I’ve spent many hours going through substations with him, and I always learn a lot.

I learned a lot about security management at Atwood Oceanics, an offshore oil company in Houston, where I worked in the safety department. I had never heard of a security management program, but they had a detailed safety management program that I soon convinced myself would work very well as the guts of a security management program. Both disciplines are really the same thing: the prevention of unwanted incidents.

And now on to the blog post.

From a societal perspective, electricity can be considered a cornerstone component of what is known as the “Iron Triangle”. The other two components are telecommunications and the banking system. Loss of any one of these three makes it difficult to sustain a functioning economy and society. Electricity services are provided by organizations called utilities. In the distribution of electricity to communities, towns and cities, electricity utilities are granted licenses to act as monopolies because of the substantial investment in infrastructure that is required to serve customers. Duplication of that expensive infrastructure is wasteful and difficult due to the limited rights-of-way available. The public's financial interests are protected through regulators in each state (and province). Regulators can also be called “Public Utility Boards,” “Public Utility Commissions” and “Public Service Commissions.” Their role is to protect customers and regulate the price of the service, ensuring that a utility cannot take advantage of its monopoly status and overcharge the customers.

Because this structure is not like a competitive market that offers alternatives, regulators set specific measures within the following four key areas of performance: customer focus, operational effectiveness, public policy and responsiveness, and financial performance among many other requirements.

These requirements placed on utilities ensure that the public's needs are met to the greatest extent possible.  Utilities meet these obligations through:

• Adopting active redundancy in asset design.  For example, several transmission lines may connect a power plant to a distribution network, and communities are served by several substations.  The loss of any single substation or transmission line would have minimal impact on customer service.

• Plant maintenance, rehabilitation, and replacement programs. These efforts help ensure a well-running network from the substation to the customer entrance.

• Promoting resiliency, hardening, and response measures that enable them to continue to provide power to customers during and after a disruption, respond quickly to outages, and restore service as soon as possible.

• Securing electricity assets to ensure that adversaries have fewer opportunities to interfere with or stop the supply of power to the public, even if that is not their primary goal.  For example, preventing unwanted access to substations serves to stop both copper thieves and saboteurs.  Good asset security also reduces the risk to the public by preventing access to hazards and keeps electricity costs down by discouraging theft and vandalism.

Asset security is managed through a security management program.  Security practitioners are facilitators in this process, ensuring that all points of view are addressed, and that all risks are accounted for. 

• The Executive approves the security management program, provides guidance on risk appetite and security priorities, supports the security program through the budget process, and helps to focus the organization's resources.

• Operations provides information on asset and component criticality and advises on resilience and redundancy strategies to ensure that the public's needs are met.  This helps to ensure that security can concentrate on those assets and components that are truly critical to the utility.  For example, a critical component that is expensive, has few spares, and takes a long lead time to obtain will likely be assigned a higher protection priority than an inexpensive component for which there are many spares and alternative sources of supply.

• Human Resources provides information on employees, including training, and participates in insider threat risk management activities.

• Law enforcement provides information on local criminal activity and cooperates in the task of security incident response.

• Information Sharing and Analysis Centers, security intelligence organizations, trade associations, and fusion centres provide information on criminal and national security threats related to the sector or its component utilities.

• The public provides information on incidents and unusual activity in the vicinity of unmanned utility assets.

Similar to a safety management program, the security management program seeks to reduce the number and impact of unwanted incidents.

A security management program should address the following areas:

1. Mission and vision of the security program, and how it aligns with the mission and vision of the utility

2. Governance of the program, accountability, competence, and external relationships

3. Security risk management (usually based on ISO 31000 or something similar) including asset classification, threat assessment, vulnerability assessment, risk mitigation, communications, and the security budget planning process

4. Protection of information related to proprietary processes and technologies, personnel, security, and customers

5. Security of automated information and operational technology systems

6. Protection of employees, contractors, and visitors

7. Audit, management of changes to the program, and corrective action

Antiterrorism Planning today

From my book, Antiterrorism and Threat Response, Planning and Implementation, there are five fundamentals to antiterrorism planning:

1. Threat vulnerability assessment. This is a realistic assessment based on the actual threat to your organization or installation, and your organization’s ability to defend against that threat.

2. Security measures. This is a mixture of procedural and physical barriers designed to reduce the vulnerability of the organization or installation to an attack identified in the threat assessment phase—in other words, fences, alarms, locks, guards, access control, etc. These measures will increase or decrease with the prevailing terrorism threat.

3. Observation plan. Your personnel should be trained to recognize the threat when they see it. Most terrorist attacks are preceded by an extensive period of surveillance, and this surveillance can be detected by trained observers. This information is used to modify security measures and alert counterterrorism forces.

4. Random antiterrorism measures. A terrorist organization conducting surveillance against your organization or installation will try to develop a picture of your security plans and procedures. It will seek to learn your layout and routine. In antiterrorism planning, routine is weakness. Random antiterrorism measures deter attack by sowing doubt in the minds of the attackers. By constantly changing details of your defensive posture, terrorists will not be able to form a clear picture of the target’s defences, and therefore cannot ensure a high probability of success. This in itself is often enough reason for a terrorist group to move on to another, less prepared target.

5. Response planning. What will you do if surveillance is detected? What will you do if your organization is attacked? Response planning is crisis response planning. If your personnel are well-trained and rehearsed, the effects of a terrorist attack can often be swiftly contained.

Design Basis Threat / Vulnerability of Integrated Security Analysis

The first two activities in antiterrorism planning, the TVA and security measures, are best conducted through the use of a design basis threat (DBT) and the Vulnerability of Integrated Security Analysis (VISA) process. The DBT describes the capabilities and resources available to potential insider and outsider adversaries, and is used to develop the physical protection system (PPS). To a large extent, your DBT is the threat assessment.

The VISA process uses the DBT to create reasonable and credible scenarios that achieve one or more of the unacceptable consequences of an attack while staying within the resources and capabilities described in the DBT. VISA is the vulnerability assessment and security measures part of antiterrorism planning.

Here is a four-minute YouTube video that describes the use of the DBT/VISA process in the electric sector.

For more information on the DBT/VISA process, please go to this page in my website.

Insider Risk

An "insider" refers to a current or former employee, contractor, or business partner who has or had authorized access to an organization's network, system, data, or facilities. They may misuse this access to negatively impact the confidentiality, integrity, or availability of the organization's information, information systems, business processes, employee safety, or asset security. Insiders often possess unique information and knowledge that would be challenging for an external attacker to obtain, such as specific security implementations, personnel procedures, patterns of life, equipment malfunctions, or uncorrected vulnerabilities.

There are three main categories of insider:

  • The passive insider might pass information to an outsider to assist in accomplishing the outsider’s goal. This assistance might be intentional or unintentional. (A good example of an unintentional passive insider is someone who clicks a link in an email which unleashes a malware attack.)

  • The second category is the active nonviolent insider. This person can act alone, or in concert with an outsider. They are willing to steal, disrupt, and commit fraud and espionage, but stop short of violence.

  • Finally, the active violent insider seeks to cause significant physical damage to an organization's security, systems, and critical assets. They are prepared to take extreme risks, including risking their life and using deadly force or weapons, to achieve their mission. The worst form of this is the workplace active shooter.

Every organization should consider their insider risks, and may elect to set up an insider risk mitigation program. There is a lot of good material available from the federal governments in Canada and the US.

If you have any questions or comments about insider risk mitigation planning, please let me know.

How to win

If you want to stop criminals from damaging your assets, there is only one formula for success. You have to detect the intruders as early as possible, assess their activity as a threat as early as possible, and then delay them until law enforcement arrives with enough people and equipment to stop them.

Because the law enforcement response time is usually a significant factor, you need to get them started as early as possible: hence the early detection and assessment of the threat. You can’t do this unless you have a video surveillance system with live, trained operators.
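The detect, assess, delay-until-response sequence above can be checked numerically with the standard PPS timeline model: only the delay still ahead of the intruder at the moment of detection counts, and detection is useful only if that delay covers assessment plus the responders’ arrival. The Python below is an added example, not from the post; the substation path, the delay and detection figures, and the response time are constructed, and the recorded-only variant models the network-video-recorder situation described later in the post (nothing is detected while the intrusion is in progress).

```python
"""Timely-detection check for a physical protection system (PPS).

Added illustration of the detect / assess / delay-until-response principle in
the post, using the standard PPS timeline model. The path, delay times,
detection probabilities and response time below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    delay_s: float    # seconds this layer holds up an intruder who has reached it
    p_detect: float   # probability the layer's sensors/operators detect the intruder (0..1)


def delay_after_detection(path, index):
    """Delay the intruder still faces if detected on reaching layer `index`
    (detection is assumed to occur as the layer is reached, so its delay counts)."""
    return sum(layer.delay_s for layer in path[index:])


def critical_detection_point(path, assess_s, response_s):
    """Index of the deepest layer at which detection still leaves enough delay
    for assessment plus law-enforcement response, or None if no layer does."""
    needed = assess_s + response_s
    cdp = None
    for i in range(len(path)):
        if delay_after_detection(path, i) >= needed:
            cdp = i
    return cdp


def probability_of_interruption(path, assess_s, response_s):
    """Probability the intruder is detected at or before the critical detection
    point, i.e. that responders can arrive in time. Later detections come too late."""
    cdp = critical_detection_point(path, assess_s, response_s)
    if cdp is None:
        return 0.0
    p_miss = 1.0
    for layer in path[:cdp + 1]:
        p_miss *= 1.0 - layer.p_detect
    return 1.0 - p_miss


def recorded_only(path):
    """Same path with no live monitoring: video is only reviewed after the fact,
    so nothing is detected while the intrusion is in progress."""
    return [Layer(layer.name, layer.delay_s, 0.0) for layer in path]


# Constructed substation path, outermost layer first.
SUBSTATION_PATH = [
    Layer("perimeter fence (VSS with live operator)", 60.0, 0.9),
    Layer("yard crossing (VSS)", 90.0, 0.5),
    Layer("control-house door (alarmed)", 180.0, 0.8),
    Layer("equipment cabinet", 120.0, 0.3),
]

ASSESS_S = 60.0      # operator looks at the live feed and decides it is a threat
RESPONSE_S = 300.0   # police arrival after the call; constructed figure


if __name__ == "__main__":
    cdp = critical_detection_point(SUBSTATION_PATH, ASSESS_S, RESPONSE_S)
    print("critical detection point:", SUBSTATION_PATH[cdp].name if cdp is not None else "none")
    print("P(interruption), live monitoring  :", probability_of_interruption(SUBSTATION_PATH, ASSESS_S, RESPONSE_S))
    print("P(interruption), recorded only    :", probability_of_interruption(recorded_only(SUBSTATION_PATH), ASSESS_S, RESPONSE_S))
    print("P(interruption), 15-minute response:", probability_of_interruption(SUBSTATION_PATH, ASSESS_S, 900.0))
```

With these figures the critical detection point is the yard crossing: detection at the control-house door leaves only 300 s of delay against the 360 s needed, so the outer layers are where live monitoring pays off. Stretching the response to fifteen minutes leaves no layer with enough delay, which is the case the post describes where detection alone cannot win and more delay or a faster response is required.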

Previously, network connection often made live CCTV monitoring prohibitively expensive, so many asset owner/operators would record the intrusion on a network video recorder, and then provide the video to law enforcement later, swelling their collection of ‘unidentifiable masked intruders wearing hoodies’ videos.

AI-powered object identification allows potential threats to be identified on the site, saving network costs. If an intruder is seen approaching the site, the object ID function will open a live feed to the monitoring centre, which will then assess the threat and take the actions required by the asset owner/operator. This would likely include calling the police, and then the asset owner/operator.

Live video monitoring can be as simple as installing a video surveillance system and having a third-party service monitor the feeds when there is an incident occurring. The cost of this service is usually pretty small.

Part of the live video monitoring service includes ‘talk down.’ This enables the operator to talk directly to the intruders using a loudhailer. Some configurations include a strobe light. This combination of voice and a strobe light tells the intruder that the police are on the way, which is usually enough to stop the attack.

If anyone would like more information on live video monitoring, or just wants to see video of intruders caught in the act of cutting a substation fence and then fleeing when the operator turns on the strobe light, please contact me.

How terrorism has evolved

In the late 1990s I took (and later helped to teach) a course in Fort Huachuca, Arizona, called “Intelligence in Combating Terrorism.” The instructor was Bill Jordan, and to him I owe a lot. He put me on the path that led to my writing a book called Antiterrorism and Threat Response: Planning and Implementation. That book has helped my career.

From Bill, I learned that “terrorism is an act of violence where the victim is not the intended target.” That remains the simplest and truest definition of terrorism that I’ve ever seen.

Things have changed. Terrorism is primarily about communication, and because the Internet revolutionized communications, terrorism has changed too. The change is best summed up in a simple statement by Lawrence M. Krause in a January 2016 article in The New Yorker titled "Thinking Rationally About Terror", where he states "…terrorism is designed (to) drive a wedge between segments of a community which otherwise might have coexisted peacefully, both politically and socially."

Communication is a continuum. At one end is neutral language. At the other end is extreme radicalization. How does a society which reveres free speech protect its members from radical, extremist propaganda? Many people would argue that it can’t. Especially in a world where words show up on a smartphone, tablet, or desktop computer from anywhere in the world, and it takes specialized skills to figure out what country it came from.

People can seek to “drive a wedge between segments of a community which otherwise might have coexisted peacefully, both politically and socially” and be rewarded for it. Are they terrorists? Probably not until they break the law and someone gets hurt or something gets damaged.

Then there is ‘stochastic terrorism.’ The Max Planck Institute for the Study of Crime, Security, and Law defines it as: “the use of mass media to provoke random acts of ideologically motivated violence that are statistically predictable but individually unpredictable”. What is the responsibility of the writer of words that ultimately lead to bloodshed? Especially since, when cornered, they usually claim that they decry violence in all its forms, and argue that they are not responsible for the actions of someone they’ve never met and don’t know.

I don’t have any answers here but one: if the aim of terrorists is to drive a wedge between segments of a community, then we should do everything in our power to promote peaceful coexistence across society. Reach out to people who look or think differently than you. Don’t listen to or propagate language that demonizes or marginalizes anyone. Treat all people with the same respect and kindness that you would like them to show to you. Life is hard. Treating people well is not.