7/22/2015

2015 PHC

Physical Asset Security

Edward Dickson, President

MSA Investigations

Experience

• Director, New Jersey Office of Homeland Security and Preparedness

• Director of Investigations, Depository Trust & Clearing Corporation, New York

• Federal Bureau of Investigation – 25 year career

– Assistant Special Agent in Charge of the Newark Division’s National Security Branch

– Senior Executive over the FBI’s

• National Joint Terrorism Task Force

• Domestic Terrorism Program

• Counterterrorism Division’s Operational Support Services

Metcalf, CA: What happened?

• Remote substation near San Jose, CA

• Does not directly serve customers, but acts as major source of power to distribution area

[Image: PG&E Metcalf transmission substation. Source: Google Earth]

Shots in the Dark

A look at the April 16 attack on PG&E’s Metcalf transmission substation

1. 12:58 am, 1:07 am: Attackers cut telephone cables

2. 1:31 am: Attackers open fire on substation

3. 1:41 am: First 911 call from power plant operator

4. 1:45 am: Transformers all over the substation start crashing

5. 1:50 am: Attack ends and gunmen leave

6. 1:51 am: Police arrive but can’t enter the locked substation

7. 3:15 am: Utility electrician arrives

*Sources: Wall Street Journal; PG&E; Santa Clara County Sheriff’s Dept; California Independent System Operator; California Public Utilities Commission; Google (image)

Damage Assessment

• Two fiber communications cables severed, disrupting landline 911 service

• Attackers had sophisticated knowledge of communications system

What Went Wrong?

• Overall defense

• Alarm system

• Response capability

The Four G’s of Physical Security

Guards

Gates

Guns

Gadgets

Scalable

Sustainable

Economical

Effective

Pole-mounted CCTV camera

Video & data

Thermal fence / trip line

Thermal security cameras

Efficient Loss Prevention Solutions

• Using natural barriers to impact line of sight

– Trees, berms, etc.

• Where necessary, ballistics protection

• Surveillance analytics

• Acoustic shot detection

• Remote alarm monitoring

Additional Security Suggestions

• Physical security assessments

• Research & intelligence services

• Social media monitoring

• Cyber security

• Hostile surveillance specialist response

MSA Security: CIP 14 Initial Findings

• Important substations with poor lighting

• Access gates unlocked

• Desirable materials stored near site perimeters

• Large transformers with fire break protection only

• Unsecured control rooms

Bolstered Physical Security

Deters

Detects

Delays

Assesses

Communicates

Responds

9 Murray Street, 2nd Floor

New York, NY 10007

212.509.1336

http://www.msasecurity.net/

Ed Dickson (Pres, MSAI)

William Flynn (MSA Strategic Advisor)

Hugh O’Rourke (CAO)

Matt Dimmick (Dir, CI/KR)

7/23/2015

Physical Asset Security

Joe Meaney, Vice President – Global Insurance and Risk Engineering

The AES Corporation

Values-Driven Company and Always Will Be

Put safety first

Act with integrity

Honor commitments

Strive for excellence

Have fun through work

Holistic Security Methodology

Infrastructure security

Physical security

Training, compliance & internal audit

Cyber-security

“Defense in Depth” Security Model

Layer of defense

• Physical perimeters

• Logical separation for industrial controls

• Resilient central monitoring 24/7/365

Single failure does not mitigate security controls

Industrial Control System (ICS) Security

ICS are separate from business systems

• Sandboxing – access to one system does not provide access to other systems

• AAA – Authentication, authorization and accounting logs are restricted and monitored

• ICS environments are separate from USB or other media

• Incident response & BCP activities

Physical Security

Perimeter security

• Fencing and barbed wire at all locations

• Gate access and key management systems

Electronic surveillance

• Fixed, dome and PTZ camera systems

• Motion and heat detection systems

• Alarm systems monitored 24/7/365

Access and monitoring

• Strict access control procedures

• Unauthorized access and breach investigations performed by guard staff and law enforcement

How Integrate Security

Training

• Security is everyone’s responsibility

• Training for all employees, contractors and security contractors

Compliance

• Reputational due diligence on security providers

• Engagement of local police or military

• Counterparties increasingly require representations

Internal Audit

• Independent review

• Third party – vulnerability assessment

Low Hanging Fruit

Why We All Need Physical Security!
