Power plants are still at risk and better security can help
Source: Eifeh Strom, Freelancer
Power plants are attractive targets for those looking to cause chaos and disrupt national power grids. Adding a robust physical security system has made these facilities less vulnerable, but they remain at risk.
For a power plant security program to be truly effective, Luke Bencie, Director, and Paige Morrison, Junior Associate, at Security Management International (SMI), said it must adhere to the principles of deter, detect, delay, respond and mitigate.
SMI recommends power companies utilize the CARVER Target Analysis and Vulnerability Assessment Methodology to determine the probability of attack against each critical asset within the system. SMI explained CARVER was originally created by the CIA in the 1970s as a predictive tool to identify where terrorists may strike next; it was revived after 9/11, this time by the private security sector. “Only until you have conducted an assessment can you truly set a baseline for how secure your facility is. CARVER does this for you,” they added.
One growing concern at the forefront of the threat landscape relates to the detection and deterrence of drones, or unmanned aerial systems (UAS), according to Darin Dillon, Energy Principal at Convergint Technologies.
In July 2018, the environmental group Greenpeace crashed a Superman-shaped drone into the side of a nuclear power plant near Lyon, France. The stunt, which caused no damage, was meant to show how vulnerable these facilities are to drone attacks. Currently, technologies related to the detection of UAS are still evolving, as are the written policies and countermeasures for UAS deterrence.
Ernie Hayden, Founder and Principal of 443 Consulting, also pointed to the threat against Safety Instrumented Systems (SIS), the system that would shut systems down if all personnel were unable to respond to plant calamities. In 2017, an attack using the Triton malware (also known as Trisis or HatMan) targeted a Saudi petrochemical plant. Hayden explained that this attack disables the SIS of a plant. “By taking the SIS away, this results in the plant operating without automated shutdown capabilities — which could be very dangerous to the plant and to the general population,” he said. The malware was discovered again earlier this year.
The precise ways to prevent such modifications to SIS, and therefore prevent future attacks, are still vague. Hayden recommends physical barriers to prevent casual access to the SIS, as well as placing the SIS under “lock and key” and/or posting guards in order to ensure more positive control. Training onsite staff, including vendors and contractors, to ensure they are aware of the threat and aware of the necessity to be more diligent about the threat should also be considered.
Michael Rothschild, Senior Director of Product Marketing at Indegy, highlighted how utilities are modernizing power plants and grids to enhance reliability, lower costs and ensure regulatory compliance. “Operational technology (OT) networks are increasingly connected to their IT networks, which together with increased automation increases their attack surface for vulnerability to cyberattacks. Securing automated SCADA generation, transmission and distribution networks from cyberthreats is paramount for improving grid performance and resiliency,” he said.
While countries around the world have, as a whole, continued to step up power plant security, there is still a lot of disagreement as to who is responsible for the overall security of power plants, according to Rothschild.
“Power plants point to the government, yet not all power plants are government run or owned. As a result, the government points back to the plant operators,” Rothschild explained. “Due to the interconnected nature of the grid system, its resilience to cyberthreats will only be as strong as its weakest link.”
As a result, power, along with other industries considered part of the critical infrastructure sphere, must band together in order to address security vulnerabilities in the system before they are exploited.