Physical security at power plants has received renewed concern of late, owing to a spate of gunfire vandalism events in the U.S. However, power plants have long-fielded several other physical security risks, including from terrorism, sabotage, natural disasters, insider threats, and physical breaches. Power plants have typically employed a set of physical security tools, such as perimeter fencing, access control, surveillance systems, and security personnel. And guided by federal reliability standards, all power plants also implement reliability standards for physical security.
But according to Chris Hurst, vice president of Value Engineering at Alpharetta, Georgia-headquartered OnSolve, the value of acting proactively to mitigate physical threats has a critical function, and emerging digital tools can make this easier, he said. As part of this interview, POWER also asked Hurst about the current state of the physical security threat profile, emerging physical security risks, and measures the power industry can take to protect itself against physical security risks.
POWER: What is OnSolve, and how is it involved in the power generation industry?
Businesses and governments across the world are seeing spikes in natural disasters and various physical threats, like power outages and train derailments. OnSolve automatically detects these risks, enabling companies to proactively mitigate them and immediately communicate with their people and protect operations. By helping organizations anticipate and proactively mitigate physical threats, we save lives, protect communities and safeguard the critical infrastructure that power our economy.
One example of this work is our involvement with FPL Group, one of the largest national electricity-related service providers. With a presence stretching across 27 states, the group’s main facilities are located in the hurricane belt of Florida. The potential for a storm is always present for hurricane season and FPL Group must remain prepared at all times in these scenarios. If there is a grid failure or facility issues, OnSolve powers robust communications to keep employees, facilities and communities safe and feeling secure.
POWER: The U.S. power industry suffered a spate of grid-related physical security incidents in recent months. How do these compare to previous years, and why is this now beginning to become a concern? Why do you think they will continue?
The grid powers nearly every aspect of our day-to-day lives, which unfortunately makes it a prime target for both hackers and physical attackers. Based on recent data from the U.S. Energy Department, physical attacks on the grid rose 77% in 2022. This should be a top concern for every utility provider and lawmakers as these events such as in North Carolina have occurred and left communities out of power for days on end.
Additional security and response measures such as physical deterrents and crisis communications should be set in place to mitigate attacks from causing prolonged harm. For example, with proper risk intelligence and emergency communications technology in place, a utility company could know when a grid in one area is under threat and add additional precautions to nearby ones to ensure the issue remains contained.
POWER: Cyber risks and vulnerabilities remain topmost when we consider power-related risks, and vulnerabilities have been underscored by the participation of nation-state entities. How and why are physical vulnerabilities different in their impact on the BPS?
Physical threats can be severe due to their rippling after-effects, like loss of power, physical harm and property damage. There are cascading dependencies and contingencies that play into this concept of a ‘butterfly effect’ of risk, particularly as physical and cyber threats continue to intersect.
We call this trend, “dynamic risk”—and it appears to be on the rise, across our customer base, and across industries.
Both physical and cyber threats have their own after-effects, but one thing in common is a degrading reputation. Threats can diminish public trust in companies and providers despite not being solely at fault. Threats will always be present, so it’s imperative to have as many preparedness measures in place as possible: emergency response, a crisis playbook, and a firm understanding of present threats.
POWER: What kind of physical security safeguards are in place so far? Do they generally align with the North American Electric Reliability Corp.’s (NERC’s) standards? From OnSolve’s perspective, are current standards effective?
NERC reliability standards rightly call for a risk-based approach in the implementation of physical security safeguards. We recommend updating risk models and mitigations to account for recent threats – including threats from shooting critical infrastructure. Since [the fourth quarter of] 2022, at least nine substations in North Carolina, Washington, and Oregon have been attacked. While the NERC reliability standards obviously call for Access Control (key cards, alarms, roving security, etc), these standards are frequently framed in relation to improving cyber security—which remains a key priority. New threats suggest additional protections may be needed, such as additional perimeter setbacks (where possible), removing sight lines, additional roving security and monitoring, and hardening protective barriers.
POWER: Do rapid changes to our energy infrastructure pose new physical security risks?
According to Black and Veatch, 60% of U.S. distribution lines have long lived past their 50-year life expectancy. According to OnSolve’s upcoming Global Risk Impact report, infrastructure failures (including power outages), were up significantly from 2020 to 2022 in the U.S.
The Brattle Group estimates that $1.5 to 2 trillion will be spent by 2030 to modernize the grid, just to maintain reliability. With this rate of change, we must consider if infrastructure such as our grid systems will be able to withstand our shifting climate and rising physical threats. Beyond updating for reliability, energy providers need to ensure that modern security measures, both physical and cyber, are in place.
POWER: Could legislation help mitigate physical security risks? What else can the industry do to mitigate physical security risks?
As of now, there is no federal legislation on the matter, but state lawmakers are beginning to see that change needs to occur with instances such as the North Carolina grid attack. Energy grid crises must be managed and mitigated differently than they are now. Industry standards are not fully concrete for how and when to manage a physical attack on the grid. In implementing federal or state-level changes, daily lives are less likely to be massively interrupted by attackers. It’s time for critical communications and risk intelligence to have a seat at the table.
There may be enough incentive within the industry to self-regulate, rather than guide and enforce with legislation. However, legislation has the advantage of leveling the playing field, to the extent that competition matters, whereby those who make extensive investments are not penalized over peers who do not.
Best practices include the following:
- Data. Using data in real-time to understand changing risks proactively and in the moment – from extreme weather to substation attacks.
- Information sharing. The sharp rise in successful substation attacks suggests that the industry may not be learning and responding fast enough, vicariously.
- Automating emergency response communications. Manually operated response paths (calls, texts, and emails) can add unnecessary delays to recovery.