NERC Physical Security Breakout Session - PowerPoint PPT Presentation

Slides: 58
Provided by: northameri5
1
NERC Physical Security Breakout Session
  • George T. Miserendino

2
Table of Contents: NERC Physical Security
Breakout Sessions
  • Vulnerability Assessment
  • Threat Response
  • Physical Security
  • Countermeasures


3
NERC Vulnerability Assessment

4
Vulnerability And Risk Assessment Guideline
  • Purpose
  • Identify and prioritize critical facilities and
    impacts of loss.
  • Identify countermeasures to mitigate
    vulnerabilities of critical facilities.

5
Applicability
  • All companies should perform 5-step vulnerability
    assessment on Critical Facilities.
  • Focus is on facilities meeting the threshold
    definition for CRITICAL.

6
Implementation Considerations: Best Practices
  • Use team approach: subject matter experts
    knowledgeable of system (brainstorming
    session)
  • Security/Facilities/Safety
  • Operations, Maintenance and Logistics
  • Engineering
  • I.T.

7
Best Practices, cont.
  • Employ risk assessment worksheet process
  • Identify assets (critical facilities) and loss
    impact.
  • Identify and characterize the threat.
  • Identify and analyze vulnerabilities
  • Consider interdependencies.
  • Assess risk (subjectively) and determine
    priorities.
  • Identify countermeasures, costs and trade-offs.

Source: DOE
8
Vulnerability and Risk Assessment Step 1:
Identification of Critical Facilities
  • Based on WEIGHTED criticality criteria
  • Determine if facility meets CRITICALITY
    THRESHOLD
  • Rank assets


9
Facility List -- Chart A
10
Criticality Criteria -- Chart B
Answer Yes/No; Rate the Item
11
Facility List -- Chart C
12
Step 2: Identify and Characterize Threats
  • Intelligence information
  • Defines Threat - Law Enforcement
  • Identifies Potential Adversaries
  • Brainstorming
  • Assess intentions, motivations and capabilities
  • What does a potential adversary look like?
  • What resources does he have?
  • Develop Threat Scenarios
  • Is the threat credible?


13
Threat Analysis -- Chart D
Relative Ranking for Motivation and Capability:
100 = High, 1 = Low
14
Step 3: Identify and Analyze Vulnerabilities
  • Assess susceptibility from scenarios
  • Insider
  • Outsider
  • Identify possible exposure and weaknesses
  • Consider interdependencies
  • Apply RELATIVE RANKING for vulnerability


15
Vulnerability Analysis -- Chart E
Relative Ranking for Vulnerability: 50 = High,
1 = Low
16
Step 4: Assess Risk and Prioritize
  • Subjectively quantify risk value for each
    CRITICAL FACILITY
  • Assigned to Each
  • Threat
  • Consequence
  • Vulnerability
  • Prioritize Risks


17
Risk Values -- Chart F
18
Step 5: Identify Countermeasures, Costs and
Trade-offs
  • Perform physical security survey
  • Specific Weaknesses Identified
  • Identify countermeasures and costs to implement
  • Conduct cost-benefit analysis
  • Prioritize options and recommend to decision
    makers.


19
Critical Facility Risk Value Table

20
Step 5, cont.

Source: DOE VRAP
21
Implementation Process: Examine setting
  • History of security incidents
  • Neighborhood
  • Type of facility (operations, function)
  • Visibility (High profile, Publicized)
  • Identify assets
  • Determine critical assets
  • Prioritize assets


22
Identify threats (Spectrum of Threats)
  • Weather - unintentional, natural, accidental
  • Vandalism - intentional
  • Activism - intentional
  • Criminal - intentional
  • Terrorism - intentional


23
Determine potential risks
  • Prioritize consequences
  • Cost impact
  • Impact on the Company (based on Business Unit
    definition)
  • Psychological impact (shock, fear, panic,
    perceived danger, adverse publicity)


24
Determine effectiveness of existing physical
security measures
  • Access control (keys/locks, electronic card
    access system, ID cards, personnel)
  • Physical barriers (fence, gates, walls, doors,
    windows, vents, vehicular barriers)
  • Intrusion detection (perimeter sensors, interior
    sensors, annunciation)
  • Assessment (guards, cameras)
  • Response (guards, local law enforcement agencies)
  • Deterrents (signs, lighting, environmental
    design, training)


25
Determine mitigating strategies
  • Contingency plans
  • Alternate plans
  • Recovery plans
  • Redundancies
  • Emergency response and recovery
  • Business continuity plans
  • Critical spares


26
Recommend security enhancements
  • Cost projections
  • Cost-benefit analysis
  • Recommendations
  • Prudent baseline security measures (deterrence)
  • Enhanced security measures


27
Key Considerations: It's not just the grid that's
critical.
  • Computer Centers
  • Control Centers
  • Call Centers
  • Treasury Department
  • Mail Processing Facilities
  • Equipment Storage Facilities
  • Transportation Centers
  • Each plays a major role in sustaining and
    restoring operations and should not be
    overlooked.


28
Critical Facilities Change
  • A process of evaluating critical facilities on an
    ongoing basis should be in place.
  • Recommend an annual re-evaluation.


29
NERC Threat Response Guideline

30
Homeland Security Advisory System
  • SEVERE: Severe Risk of Terrorist Attacks
  • HIGH: High Risk of Terrorist Attacks
  • ELEVATED: Significant Risk of Terrorist Attacks
  • GUARDED: General Risk of Terrorist Attacks
  • LOW: Low Risk of Terrorist Attacks

Source: Office of Homeland Security
31
DHS Advisory System: Low Condition - Green
  • Definition
  • No known threat exists of terrorist activity
  • General concern about criminal activity
  • Security measures maintainable indefinitely
  • Response
  • Normal security operations procedures
  • Occasional workforce messages
  • Annually review all security, threat and disaster
    recovery plans
  • Focus: deterrence


32
DHS Advisory System, cont.: Guarded Condition -
Blue
  • Definition
  • General threat exists for terrorist or criminal
    activity
  • Additional security measures recommended
  • Maintainable for an indefinite period of time
  • Response
  • Workforce awareness messages: Observe and
    Report
  • Review all security plans
  • Focus: deterrence


33
DHS Advisory System, cont.: Elevated Condition -
Yellow
  • Definition
  • General threat exists for terrorist or criminal
    activity directed against the electric industry
  • Response
  • Implementation of additional security measures is
    expected
  • Measures to last for an indefinite period of time
  • Increase surveillance
  • Coordinate emergency plans with Law Enforcement
  • Notify key responders and on-call personnel
  • Focus: deterrence and response


34
DHS Advisory System, cont.: High Condition - Orange
  • Definition
  • Credible threat exists of terrorist or criminal
    activity directed against the electric industry
  • Response
  • Ensure all gates and doors are locked and
    monitored
  • Enhance security screening for all personnel,
    deliveries and packages
  • Conduct table-top exercises
  • Review all plans: response, recovery, and
    business continuity
  • Focus: Prevention


35
DHS Advisory System, cont.: Severe Condition - Red
  • Definition
  • Incident occurs or credible intelligence
    information is received targeting electric
    industry
  • Attack is imminent or has occurred
  • Response
  • Send non-essential personnel home
  • Stop all non-alert tours and visits
  • Stop all mail and package deliveries directly to
    the site
  • Inspect all vehicles entering sites
  • Brief and review all emergency plans with all key
    personnel on their responsibilities
  • Focus: Prevention


36
Threat Condition Factors
  • Is the threat credible?
  • Is the threat corroborated?
  • Is the threat specific or imminent?
  • How grave is the threat?


37
DHS Threat Conditions
  • May apply
  • Regionally
  • By Sector
  • Potential Target
  • Response actions are cumulative as threats
    increase in severity
  • Actions are intended to
  • Reduce Vulnerability
  • Deter or Prevent Incidents
  • Improve Recovery


38
Implementation Considerations
  • Integrate NERC threat levels in all security and
    emergency response plans
  • Notify local law enforcement (County Sheriff) of
    threat level changes.
  • Company security awareness briefings should
    address
  • The NERC Threat Response procedures and their
    responsibilities
  • Vigilance
  • Observe and report


39
Recommendations
  • Subscribe to the Critical Infrastructure Open
    Source Daily Report through NERC
  • Register to be a participant in the ESISAC's
    Critical Infrastructure Protection Information
    System (CIPIS)


40
NERC Physical Security

41
Elements of Physical Security
  • Deter: Signs, Patrols, Lighting, Fencing
  • Delay / Respond: Barriers, Security Officers, Police
  • Detect: Sensors, Patrols, Door Alarms
  • Assess / Communicate: Cameras, Central Alarm Station Monitoring
42
Implementation Strategy: Physical Security Site
Survey
  • Document Status: critical facilities
  • NERC Guidelines
  • Security plans
  • Assists in I.D. priorities for security projects
  • Checklist format
  • Sample Topics for Survey Checklist
  • Access Controls (entry/exit)
  • Key control, signage
  • Visitor policies
  • Badging
  • Signage
  • Escort policies

43
Physical Security Site Survey, cont.
  • Barriers
  • Walls, fences, gates, locks, etc.
  • Yard areas and vehicle parking
  • Lighting
  • Perimeter and gates
  • Facility entrances
  • Policies and Procedures
  • Pre-employment
  • Evacuation
  • Bomb threats
  • Mail room
  • Deliveries
  • Property control

44
Physical Security Site Survey, cont.
  • Closed Circuit Television (CCTV) and Recording
  • Alarms and Surveillance Systems
  • Testing
  • Maintenance
  • Communications
  • Liaison with Police Agencies
  • Incident Reporting
  • I.T./Cyber Security
  • Control Rooms

45
Physical Security Site Survey, cont.
  • Security Operations and Procedures
  • Guard force: supervision, policies, training,
    etc.
  • Policies and procedures
  • Security Awareness Programs
  • Vulnerability Assessment and Risk Mitigation
  • Threat definitions
  • I.D. of critical assets
  • Emergency planning
  • Recovery plans
  • Critical spares
  • Countermeasures

46
Implementation Strategy: Critical Substation
  • Company-developed standard addresses:
  • Perimeter Security
  • Masonry walls
  • Micro-mesh fencing
  • Razor ribbon
  • Heavy gates
  • Access Control
  • Proximity badges for site access
  • Access cards integrated with:
  • Perimeter alarm
  • Intrusion alarm on control house
  • CCTV
  • Keys only for Emergency Access
  • Very limited distribution
  • High security cores
  • Controlled key blanks

47
Critical Substation, cont.
  • Perimeter Alarm System
  • Microwave IDS
  • Integrated with card access and CCTV
  • Control building entrances
  • Door contact switches
  • CCTV System
  • Monitors
  • Vehicle entrances
  • Building entrances
  • Substation yards
  • Communication and Recording: Security operations
    center
  • Digital recording
  • Video streaming on computer monitors
  • 24X7 security operations center
  • Proprietary
  • Subcontract

48
Critical Substation, cont.
  • System Monitoring: Card access, alarms and CCTV
  • Provides Assessment
  • Assures notification
  • Implements response
  • Site Security Staffing
  • Employees trained to observe and report
  • Roving patrols
  • Police
  • Subcontract service

49
NERC Considerations for Countermeasures

50
Mitigation and Countermeasures for
Vulnerabilities
  • Security Countermeasures
  • Badging System
  • Visitor Escorting
  • Electronic Card Keys
  • Locking Procedures
  • CCTV (Recorded)
  • Vehicle Control and Accountability
  • Alarms


51
Law Enforcement
  • System Orientation
  • Patrol Support
  • Response Plan Inclusion
  • Key Telephone Numbers (7x24)
  • Facility Orientation


52
Annual Plan Review and Orientation
  • Business Continuity
  • Emergency Response
  • Security Plan (Physical and Cyber)
  • Control Room Procedures


53
Security Awareness Program
  • Observe and Report Suspicious Activity
  • Vigilance at Critical Facilities
  • Protection of Company Assets
  • Security Procedures
  • Threat Response (Bomb, Letter, Package, Etc.)
  • Security Threat Response Levels


54
Proper First Response Training
  • HAZMAT
  • Explosion
  • Security / Law Enforcement Coordination
  • Routine and Scheduled Maintenance of Security
    Equipment
  • Lighting
  • Fencing
  • Alarms
  • CCTV
  • Access Equipment


55
  • Assessing Spare Parts
  • Identify Critical Components
  • Properly Secured in Storage
  • Periodically inventoried
  • Key Personnel and Responders
  • Orientation on Notification Procedures
  • Wallet Card
  • Knowledgeable of All Emergency Plans, Assessments
    and Surveys.


56
Recovery and Restoration
  • Mutual Assistance Agreements
  • Business Continuity Plans
  • Annual Review and Testing of Response Plans
  • Documenting Lessons Learned after an incident
  • Critical Spares Inventory


57
Pre-Employment Screening
  • Mitigates Insider Threat
  • Serves as a Deterrent

