Defense at a Distance
Would you be upset if I said that substations are like the tires of your car?
By Paul Hull
Products and attitudes are important for substation security
Would you be upset if I said that substations are like the tires of your car? They have been providing good service for so long that it is easy to forget them, to forget that they are vulnerable to interference or attack? Just as your tires need care and attention of a specific type, so do your substations. You may not have suffered any terrorist attacks in the last seven or so years, when people were trying to sell you all kinds of solutions and remedies for those events. You may not have had anybody so annoyed at your utility that he tried to destroy installations, nor any employee so disgruntled that he hacked and abused the data relevant to your substations.
When attacks don’t happen, when events that were heralded as sure to happen tomorrow don’t happen, we can become lethargic in our attempts to protect ourselves. The person parading down the street on Monday with a placard that says The End of The World is Coming Tomorrow is proven wrong when tomorrow (Tuesday) comes, but the original premise is not wrong. The end of the world will come. Your substations will be subject to events that cause their deterioration or failure.
There are some procedures and policies related to substations that must be observed. If you don’t know them, your most helpful source of information may be your insurance company. Most of the rules are obvious but (like your car’s tires?) easy to forget or forget to update. Does everybody in your utility know what is required at a particular substation? Who has access to the facility, and to its hidden data? Who is responsible for specific procedures? Does he or she know that? Are all the procedures and responsibilities defined clearly in your utility’s policy? In the apparently simple matter of physical access to a substation, are the permitted access points identified and recorded? What happens if something or somebody unimagined finds access unlawfully? (This may sound silly to many of you, but some locations are far from human dwellings and the only neighbors tend to have four legs or two wings. Are there opportunities for non-human visitors to get into your substation?)
How do you monitor access to a substation? Will you know if somebody or something has entered illegally? Control may be electronic and reliable, but it is recommended that a personal visit be made at sensible, regular intervals throughout the year. Again, your insurance company may be your best source for advice and information about this. You can be sure that the product you require for protection is available; it is more often a question of knowing which product your particular situation requires.
Some people who are not your employees may require legitimate access to the substations, people like contractors and their crews, and anybody associated with servicing the equipment there. Did you ever read the story by G.K. Chesterton in which nobody entered a building but there were clear footprints in the snow? The “nobody” was the mailman... but, to most people, he didn’t count. Anybody who has access to your substation, legitimate or not, counts. Those people, of course, should be allowed access but (of course!) you should know who they are, whom they represent, and any details, written and visual, that you would demand of a visitor to your head office. It’s not being too fussy to know ALL the people who will be visiting the substation for a particular job; don’t have them recorded as “You know, Ted Birzer and his electrical service crew”. It may be required by your insurance company that all such people who will be given access to a substation should have passed a background screening test and be issued with identity badges (ones that you can monitor from your office miles away).
There will always be accidents at remote substations, just as there are at home offices. There are incidents that can be determined to be the results of typical electromechanical failures, but there are others that can be described as malicious, incidents caused by a person or persons intent on doing harm to your property and services. Most utilities will keep a log of all incidents and classify them as accidental or malicious.
Your response to an event may depend on its designation as normal malfunction or malicious attack. If you are certain that the problem monitored was a simple failure of some component of the system at the substation, you can send the right technicians to do the corrective work. If malice is suspected, it is good sense to involve law enforcement agencies. They will ask you for your reasons for suspecting dirty work at the substation, so that’s another aspect of everyday procedures that should be available. What happened? How did it happen?
All this protection of your substations benefits not only you, the utility, but the communities involved, too. Any impediment at your substation is a menace to the community. In the fall of 2008, Xcel Energy announced the beginning of their Smart Substation project in St. Paul, Minnesota. At Xcel Energy’s Merriam Park substation the utility will deploy a Serveron Transformer Monitoring Solution (from BPL Global) to provide continuous information on the health of the power transformer, the key energy asset in most substations. The Serveron Transformer Monitoring System is expected to bring improved reliability to the substation, lower maintenance costs, extended transformer life, and better safety for employees. “An intelligent electric grid is vital to meet the growing energy needs of people reliably and cost effectively,” comments Keith Schaefer, BPL Global’s CEO. Included in the system are the testing and demonstration of newly developed security technology. Xcel Energy’s project will enable operators to perform almost all functions remotely and will eliminate much of the need for hands-on monitoring and control.
Can Outside Sources Help Your Own Efforts?
You can hire a company expert in security to evaluate your substations. Before they inspect your installations, inspect theirs! What kind of reputation do they have? Have they experience in situations similar to your own? When there is a general malaise about matters such as security we always expect some “experts” to appear suddenly, people who can sell you just what you need etc., etc. (It has been the same with investments in recent years. What happened there?)
What will a security consultant look at? What protection and history are you expected to have? How many events have you had that reflect broken security at a substation? Were they unusually dangerous to your service and customers? How much did they cost you? How severe was the damage at the substation? What kind of equipment was damaged? Was there anything in the location of the substation that made it easier for intruders? Can you correct that? How likely is it that there will be another disruption at the same place? How critical to your service was the event? The security consultants will ask questions like that and you may have the answers for most of them; the consultants will earn their fee when they suggest successful remedies for you.
When Industrial Defender, Inc. acquired Teltone Corporation recently, it increased the breadth of its offering for what is known as cyber security. It has added the Gauntlet secure communications solution so that power utilities can secure both legacy and future communications infrastructure, and comply fully with the mandatory NERC CIP critical infrastructure cyber security requirements. In the 1980s and 1990s, when industrial expansion was strong, security was apparently not foremost in the minds of the designers of legacy installations. With the advent of recent developments, impelled by such desires as interoperability and real-time business intelligence, the preservation of the high availability and reliability of these mission-critical system installations is essential. Industrial Defender addresses this problem with expertise from its 17 years in real-time process control and SCADA industries. It could be worthwhile contacting the company about a complete Risk Prevention Lifecycle solution for your substation challenges today, and tomorrow.
As for so many of our security problems, the tools to correct them are available. It becomes a matter of doing some homework (among advertisers in helpful magazines, on the Internet, or with your established vendors, for example) and deciding what level of security you are seeking for a particular substation. Ask people at other utilities. One of your best opportunities for good information will be at the Utility Products Conference & Expo, in San Diego early next month. Talk with both exhibitors and other attendees. There should be a wealth of useful advice available about approaches to substation security and products or services to be in excellent condition for the coming year.