Travis Moran’s pathway into electric reliability was somewhat unusual, SERC Reliability’s senior reliability and security adviser recalled at the regional entity’s Fall Reliability and Security Seminar on Wednesday.
Unlike many people in the room, Moran began his career not as an engineer but in law enforcement, with stints at Interpol, the U.S. State Department, and the Bureau of Alcohol, Tobacco and Firearms.
His jump into electricity came after the attack on Pacific Gas & Electric’s Metcalf substation in California in 2013, when several gunmen opened fire on the facility, severely damaging 17 transformers. (See Substation Saboteurs ‘No Amateurs’.) Hired as an investigator by Dominion resources in 2014, he and his colleagues rapidly realized how little their years of experience had prepared them for the world they were entering.
“They hired [me], a former homicide detective from a big city, and an assistant chief of police,” Moran said. “We knew a lot about … evidence and security, but we didn’t know anything about electricity. So we found out the hard way: we stumbled into retention ponds; we had substation engineers slap our hands; we touched stuff we shouldn’t touch. … We learned the old-fashioned way, and quite frankly there is no other way to learn this industry.”
But Moran’s previous life in law enforcement proved an asset when the Electricity Information Sharing and Analysis Center tapped him to join the Physical Security Advisory Group, which created the Design Basis Threat (DBT) assessment in 2016. The DBT concept, which originated in the nuclear industry, is a tool to identify the intentions and capabilities of potential adversaries and determine appropriate, cost-effective defensive measures.
In his presentation Wednesday, Moran emphasized the advantages of conducting formalized, documented DBT assessments over the more ad-hoc way that many utilities responded after the Metcalf attacks. While these investments were, for the most part, based on legitimate assessments of security needs, in many cases the entities have not made use of them to the extent they might have hoped.
“Billions of dollars were spent on physical protection systems, and when we go out now, a lot of that stuff hasn’t been maintained, a lot of that stuff was unreasonable, some of that stuff may not have been needed,” Moran said. “Obviously some of it was, but … the reason you go through the DBT process is because … it helps you become knowledgeable about how you’re going to protect [yourself]. Number two, it helps save you money about what you do need to protect, what you don’t need to protect, and how to go about it.”
Threats Continue to Mount
The physical threat to the North American power grid has by no means slackened since the Metcalf attacks. As Moran noted, just this year a group of white supremacists pleaded guilty to plotting to destroy transmission substations in hopes of sparking a race war in the U.S. (See FBI: Conspirators Planned Grid Attack to Start Race War.) In such an environment, utility staff developing awareness of the threat landscape can achieve better results the closer their ties to law enforcement at multiple levels.
“I used to always teach my trainees … the only people that know what’s going on in the community really well are your state and local officers. They know the community, they know the informants, they know who the players are; they’re the people that you need to get in touch with,” Moran said. “So if you’re not talking to your local police department … you need to be talking to them because they can inform you.”
Moran noted that for utilities with facilities subject to NERC’s CIP-014-3 reliability standard, which governs physical security, DBT assessments are already a regular part of doing business because requirement R1 of the standard mandates that transmission owners “identify the transmission stations and … substations that if rendered inoperable or damaged could result in instability, uncontrolled separation or cascading.”
He strongly urged that those not covered by the standard make the practice a regular part of their operations anyway. Following a standard procedure will ensure both that utilities are aware of current and emerging threats, and that they have a strong documentation trail to inform all relevant parties in the case of emergency.
“Document, document, document what you did and how you got there,” Moran said. “Don’t be in the position of saying, ‘Well, we checked it, and we didn’t see any threats, or we didn’t see anything that mattered to us.’ Really? Well, when did you do it? What databases did you check? … Process that intelligence, and then you’ve got to produce it and disseminate it.”