edward dickson - aegislink :: aegis insurance … camera video & data thermal fence / trip line...
7/22/2015
2015 PHC
Physical Asset Security
Edward Dickson, President
MSA Investigations
Experience
• Director, New Jersey Office of Homeland Security and Preparedness
• Director of Investigations, Depository Trust & Clearing Corporation, New York
• Federal Bureau of Investigation – 25 year career
  – Assistant Special Agent in Charge of the Newark Division’s National Security Branch
  – Senior Executive over the FBI’s
    • National Joint Terrorism Task Force
    • Domestic Terrorism Program
    • Counterterrorism Division’s Operational Support Services
Metcalf, CA: What happened?
• Remote substation near San Jose, CA
• Does not directly serve customers, but acts as major source of power to distribution area
PG&E Metcalf transmission substation
Source: Google Earth
Shots in the Dark
A look at the April 16 attack on PG&E’s Metcalf transmission substation
1. 12:58 am, 1:07 am: Attackers cut telephone cables
2. 1:31 am: Attackers open fire on substation
3. 1:41 am: First 911 call from power plant operator
4. 1:45 am: Transformers all over the substation start crashing
5. 1:50 am: Attack ends and gunmen leave
6. 1:51 am: Police arrive but can’t enter the locked substation
7. 3:15 am: Utility electrician arrives
*Sources: Wall Street Journal; PG&E; Santa Clara County Sheriff’s Dept; California Independent System Operator; California Public Utilities Commission; Google (image)
Damage Assessment
• Two fiber communications cables severed, disrupting landline 911 service
• Attackers had sophisticated knowledge of communications system
What Went Wrong?
• Overall defense
• Alarm system
• Response capability
The Four G’s of Physical Security
Guards
Gates
Guns
Gadgets
Scalable
Sustainable
Economical
Effective
Pole-mounted CCTV camera
Video & data
Thermal fence / trip line
Thermal security cameras
Efficient Loss Prevention Solutions
• Using natural barriers to impact line of sight
  – Trees, berms, etc.
• Where necessary, ballistics protection
• Surveillance analytics
• Acoustic shot detection
• Remote alarm monitoring
Additional Security Suggestions
• Physical security assessments
• Research & intelligence services
• Social media monitoring
• Cyber security
• Hostile surveillance specialist response
MSA Security: CIP 14 Initial Findings
• Important substations with poor lighting
• Access gates unlocked
• Desirable materials stored near site perimeters
• Large transformers with fire break protection only
• Unsecured control rooms
Bolstered Physical Security
Deters
Detects
Delays
Assesses
Communicates
Responds
9 Murray Street, 2nd Floor
New York, NY 10007
212.509.1336
http://www.msasecurity.net/
Ed Dickson (Pres, MSAI)
William Flynn (MSA Strategic Advisor)
Hugh O’Rourke (CAO)
Matt Dimmick (Dir, CI/KR)
7/23/2015
Physical Asset Security
Joe Meaney, Vice President – Global Insurance and Risk Engineering
The AES Corporation
Values-Driven Company and Always Will Be
Put safety first
Act with integrity
Honor commitments
Strive for excellence
Have fun through work
Holistic Security Methodology
Infrastructure security
Physical security
Training, compliance & internal audit
Cyber-security
“Defense in Depth” Security Model
Layer of defense
• Physical perimeters
• Logical separation for industrial controls
• Resilient central monitoring 24/7/365
Single failure does not mitigate security controls
Industrial Control System (ICS) Security
ICS are separate from business systems
• Sandboxing – access to one system does not provide access to other systems
• AAA – Authentication, authorization and accounting logs are restricted and monitored
• ICS environments are separate from USB or other media
• Incident response & BCP activities
Physical Security
Perimeter security
• Fencing and barbed wire at all locations
• Gate access and key management systems
Electronic surveillance
• Fixed, dome and PTZ camera systems
• Motion and heat detection systems
• Alarm systems monitored 24/7/365
Access and monitoring
• Strict access control procedures
• Unauthorized access and breach investigations performed by guard staff and law enforcement
How Integrate Security
Training
• Security is everyone’s responsibility
• Training for all employees, contractors and security contractors
Compliance
• Reputational due diligence on security providers
• Engagement of local police or military
• Counterparties increasingly require representations
Internal Audit
• Independent review
• Third party – vulnerability assessment
Low Hanging Fruit