
3 Ways to Build an Early-warning System

Utility substations are ideal targets for attack.
They're often in open and unmanned locations, and many aren't equipped to relay signals. These key shortcomings were exposed in 2013 when snipers cut telephone wires and opened fire on PG&E Corp.'s Metcalf substation, taking down 17 transformers funneling power to Silicon Valley and costing Metcalf $15 million in damage.
To avoid another Metcalf incident, the North American Reliability Corp. is developing new security standards for bulk transmission owners and operations -- most notably, a set of regulations called CIP-014, requiring substations to deter, detect, delay, assess, communicate and respond to physical security threats. Penalties could range from $10,000 to $1 million per day of violation, and compliance will be strictly enforced by 2017.
To prepare for this aggressive reform, substations must have a sustainable early-warning system that can reduce risk and meet CIP-014's demands. This involves mastering a three-pronged approach of perimeter intrusion detection, video management and access control, highly integrated into a single, central management system.
Perimeter intrusion
The earliest detection of danger happens at the perimeter, and should have capabilities that go far beyond chainlink fences and padlocks. To prepare for response, utilities should establish a network of advanced sensors that not only keeps unauthorized persons off property, but also -- coupled with video analytics -- can notify authorities up to two minutes in advance of an approaching threat. NERC often requires detection capabilities beyond the perimeter line, so a highly defined buffer zone of at least 30 yards is recommended.
Today's radar equipment offers many additional capabilities: it can be ruggedized to withstand the perimeter's often harsh and unstable environments -- such as corrosion, high heat or extreme cold -- and offers enhanced false alarm filtering, saving significant money and resources in the long run. Look for open communication architecture over a wide variety of media, such as wire, fiber, Ethernet and wireless. This will ensure a sustainable system that can adapt to evolving regulations and communications platforms, avoiding costly reinstallations.
Video surveillance
Video is another key component of any security system. While camera quality is important, embedded video analytics coupled with a central management system will provide valuable intelligence to help substations comply with CIP-014, allowing an operator to locate views and navigate within any site, as well as verify events. Real-time assessment capabilities reduce false alarms and allow operators to select the next course of action, arming or locking areas as needed.
Recording devices should be self-redundant with duplicate power, hard-drive and network connections so they can operate independently of the central management system in case of communications failure. While the devices should record via incident-only and real-time frame rates, they don't need to be expensive. In fact, overly sophisticated firmware may just prove more difficult to manage and program, not to mention pose a greater risk if damaged.
Access control
The goal of an access-control system is to control which individuals can enter specific areas and at what times, along with related functions such as logging entry and exit and key control. Most utilities have assets secured at the corporate level, the NERC/FERC level and perhaps even the nuclear level, and each branch will have separate requirements on how this is managed. The ideal access-control solution should integrate with HR and IT systems, ensuring, for example, that employees who leave the company have their access privileges revoked immediately. Security information and event management (SIEM) or other aggregation software can facilitate this. Always establish backup sites and edge-level logging systems for data recovery, should data centers fail.
In fact, the management of data is as valuable as the physical security of facilities; the top source of regulatory fines comes from inadequate reporting under audit. Some security companies have additional services that offer testing, consulting and more sophisticated reporting capabilities to reduce human error, such as the ability to retrieve deleted or modified data.
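The HR integration described under access control can be verified by reconciling an HR termination feed against badge records and door events, which also yields the kind of evidence an audit asks for. The Python below is an added example, not part of the original article or any vendor's product; the data layout, badge IDs, door names and the 15-minute grace window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real HR or access-control system).
HR_FEED = {  # employee_id -> termination time (None = still employed)
    "E100": None,
    "E200": datetime(2016, 3, 1, 17, 0),
    "E300": datetime(2016, 3, 2, 9, 0),
}
CREDENTIALS = [  # badge records as exported from the access-control system
    {"badge": "B-0100", "employee": "E100", "revoked_at": None},
    {"badge": "B-0200", "employee": "E200", "revoked_at": datetime(2016, 3, 1, 17, 5)},
    {"badge": "B-0300", "employee": "E300", "revoked_at": None},
]
BADGE_LOG = """\
2016-03-01T08:02:11 B-0200 SUBSTATION-GATE GRANTED
2016-03-02T07:55:40 B-0100 CONTROL-HOUSE GRANTED
2016-03-02T22:14:03 B-0300 SUBSTATION-GATE GRANTED
2016-03-03T01:30:00 B-0200 SUBSTATION-GATE DENIED
"""

def parse_events(log_text):
    """Parse 'timestamp badge door result' lines into dicts."""
    events = []
    for line in log_text.splitlines():
        ts, badge, door, result = line.split()
        events.append({"time": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "result": result})
    return events

def late_or_missing_revocations(hr, creds, now, grace=timedelta(minutes=15)):
    """Badges of terminated staff not revoked within the (assumed) grace window."""
    findings = []
    for c in creds:
        left = hr.get(c["employee"])
        if left is None or left > now:
            continue  # still employed, or termination is in the future
        if c["revoked_at"] is None or c["revoked_at"] - left > grace:
            findings.append(c["badge"])
    return findings

def post_termination_events(hr, creds, events):
    """Door events (granted or denied) where a badge was presented after its owner left."""
    owner = {c["badge"]: c["employee"] for c in creds}
    hits = []
    for e in events:
        left = hr.get(owner.get(e["badge"]))
        if left is not None and e["time"] > left:
            hits.append((e["badge"], e["door"], e["result"]))
    return hits
```

A GRANTED hit means revocation failed; a DENIED hit means revocation worked but the badge is still in circulation and worth following up.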
Arguably the most critical element of designing an effective solution is the ability to combine these features via a central management system, bringing each security subsystem together into one platform. Having a common user interface helps keep track of all substation activity, minimizing IT and training expenses. The central management system provides comprehensive 24/7 visibility and reporting tools to ensure regulatory compliance. Look for an "open" central management system that can integrate with third-party systems and different manufacturers, allowing substations to leverage existing hardware as the system grows.
NERC's standards are evolving to require more than just a single fence and alarm. A high level of integration between multiple systems gives utilities the best defense against malicious attacks and regulatory fines, ultimately helping to secure the national grid.
Angela Oberman Sr. is a customer marketing manager in the critical infrastructure unit at Honeywell Security.