Summary: A recent report by the Department of Homeland Security has shed light on an often unnoticed danger – the threat coming from domestic threat actors. The vastness of the electric grid creates many vulnerabilities, which are amplified by the connection of traditional physical security devices to the internet and by the commercialization of drones with advanced capabilities. Critical infrastructure entities must take a holistic, defense-in-depth approach to their security, integrating their physical and cyber security plans.

When we mention the threats to US critical infrastructure, such as the electric grid, we usually refer to external threats, originating either from malicious individuals or from state-sponsored actors. However, there is another source of risk that often goes unnoticed: the risk from domestic threat actors.

The domestic threat is credible

This is a credible threat according to the Department of Homeland Security (DHS). In fact, in January 2022, DHS issued a security bulletin in which the agency stated that domestic extremists “have developed credible, specific plans to attack electricity infrastructure since at least 2020, identifying the electric grid as a particularly attractive target given its interdependency with other infrastructure sectors.”

Although the memo highlights that these extremist groups do not (yet) have the sophistication or the technical expertise to launch a large-scale attack against the electric grid, such an attack could still cause physical damage, putting people and operations at risk.

It is worth noting, though, that this kind of threat is not a new one. Back in 2013, a sniper attack on the Pacific Gas & Electric Company’s Metcalf Transmission Substation in an isolated area southeast of San Jose, California, damaged 17 transformers. DHS noted the Metcalf incident in the report along with more recent incidents, including a suspected plot by white supremacist extremists to attack power stations in the southeastern U.S. as part of an effort to cause havoc if they disagreed with the outcome of the November 2020 election.

The same DHS report also mentioned four suspected extremists who were accused in October 2020 of a plot to damage transformers in Idaho and nearby states and the arrest in May 2020 of three alleged militia extremists, tied to the antigovernment Boogaloo movement, who were charged in a conspiracy to attack an electrical substation in Las Vegas.

After the Metcalf attack, FERC pressed utilities to harden defenses at their most critical substations, erecting walls and installing sensors to prevent similar attacks; there is now a wall around Metcalf. But many substations remain vulnerable targets. Dr. Granger Morgan, a Carnegie Mellon University professor of engineering who chaired three National Academy of Sciences reports on the power grid for the U.S. government, said in a recent episode of the CBS News program “60 Minutes” that “Anybody who knows about power systems knows that the grid is physically spread all over the countryside. There are a lot of vulnerable places.”

What is the profile of the domestic threat actors?

Some organizations may ignore domestic and insider threats, but operations personnel often hold the proverbial keys to the castle and access to its crown jewels. Disgruntled employees definitely pose risks. However, numerous other domestic threat actors exist on American soil. These individuals may favor a particular political party, cause, religion, or other affiliation.

The DHS report warns that extremists “adhering to a range of ideologies will likely continue to plot and encourage physical attacks against electrical infrastructure.” They believe that disrupting the electrical supply will disrupt the government’s ability to operate.

Cyber-physical attacks can bypass security controls

Adversaries may also mount multi-pronged attacks from anywhere in the world, targeting surveillance systems, badge readers, and similar devices. Like OT/ICS systems, the technology used for physical security controls is often older, less robust, and less secure. These physical security devices were previously isolated from the internet, but now domestic threat actors may exploit their inherent vulnerabilities to connect remotely to a utility’s physical access control system (PACS) or cameras and manipulate data or video feeds. Electronic visitor logging systems could also be compromised. The bottom line is that anything connected to the internet poses a risk, and electric grid companies should apply the same rigorous cybersecurity standards to their physical security devices that they apply elsewhere.
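As an added illustration of holding physical security devices to the same baseline as any other networked asset (example code written for this article, not from DHS or from any utility), the following Python script audits a constructed inventory of a badge reader, a camera and a visitor kiosk against a handful of assumed controls: no management interface reachable from outside the RFC 1918 private ranges, no vendor default credentials, firmware newer than an assumed one-year threshold, placement in a dedicated physical-security network zone, and event forwarding to central logging. The device names, addresses, zone names and thresholds are all constructed assumptions.

```python
"""Baseline audit of internet-connected physical security devices.

Added example: the inventory, zone names and thresholds below are
constructed assumptions, not data from any utility or from DHS.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed policy: management interfaces must sit in RFC 1918 space, on the
# dedicated physical-security zone, with firmware no older than a year.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_SEGMENTS = {"physsec-zone"}
MAX_FIRMWARE_AGE_DAYS = 365
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}

Finding = Tuple[str, str]   # (description, severity)


@dataclass
class Device:
    name: str
    kind: str                        # "pacs", "camera" or "visitor_log"
    mgmt_ip: str                     # address of the management interface
    exposed_ports: Tuple[int, ...]   # ports reachable from outside its zone
    default_creds: bool              # vendor default credentials still in place
    firmware_date: date              # build date of the running firmware
    segment: str                     # network zone the device is connected to
    logs_forwarded: bool             # events shipped to central logging / SIEM


def is_rfc1918(ip: str) -> bool:
    """True if the address is in a private (RFC 1918) range. The audit
    treats anything else as reachable from the internet, a simplification."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def audit_device(dev: Device, today: date) -> List[Finding]:
    """Evaluate one device against the baseline and return its findings."""
    findings: List[Finding] = []
    if not is_rfc1918(dev.mgmt_ip) and dev.exposed_ports:
        findings.append(("management interface reachable from the internet", "critical"))
    if dev.default_creds:
        findings.append(("vendor default credentials in use", "critical"))
    if (today - dev.firmware_date).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append(("firmware older than patch-currency threshold", "high"))
    if dev.segment not in ALLOWED_SEGMENTS:
        findings.append(("device outside the physical-security network zone", "high"))
    if not dev.logs_forwarded:
        findings.append(("events not forwarded to central logging", "medium"))
    return findings


def audit_inventory(devices: List[Device], today: date) -> Dict[str, List[Finding]]:
    """Run the baseline over the whole inventory, keyed by device name."""
    return {d.name: audit_device(d, today) for d in devices}


def worst_severity(findings: List[Finding]) -> Optional[str]:
    """Highest severity present, or None for a clean device."""
    if not findings:
        return None
    return max((sev for _, sev in findings), key=SEVERITY_RANK.__getitem__)


# Constructed inventory for a fictitious substation and headquarters.
AUDIT_DATE = date(2022, 3, 1)
SAMPLE_INVENTORY = [
    Device("sub-12-badge-reader", "pacs", "203.0.113.10", (80, 23),
           True, date(2019, 6, 1), "corporate-lan", False),
    Device("sub-12-cam-north", "camera", "10.20.30.5", (443,),
           False, date(2021, 9, 15), "physsec-zone", True),
    Device("hq-visitor-kiosk", "visitor_log", "10.20.31.8", (),
           False, date(2020, 1, 10), "physsec-zone", True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(f"{name}: worst={worst_severity(findings)}")
        for desc, sev in findings:
            print(f"  [{sev}] {desc}")
```

In practice the inventory would come from the asset register or a discovery scan rather than being hard-coded, and the thresholds would follow the utility’s own standard; the point is that a badge reader or camera is scored against exactly the same questions an IT server would be.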

Drones pose an increasing threat

The military has been using drones for decades, gathering intel, capturing video and photos, and entering secure areas thanks to their low observability. As barriers to entry fall and costs decrease, drones with advanced capabilities are now available to the public worldwide, increasing risks to critical infrastructure everywhere.

Reports have highlighted the risk of drones penetrating highly secure critical infrastructure, such as nuclear facilities. According to DHS, commercial drone flights “produce challenges for law enforcement as they try to identify and interdict illicit activity.” The scale of this “illicit activity” became clear after the chaos at Gatwick airport just before Christmas 2018, when the airport shut down because of unidentified drone flights.

Drones built from advanced off-the-shelf components available to the public can fly over fences and enter smaller, less visible areas, threatening utilities and other critical infrastructure. Critical infrastructure entities can counter the drone threat by focusing primarily on protecting the airspace above their sites. High-frequency radars, thermal cameras, RF scanners, acoustic sensors, and sophisticated machine learning and AI algorithms are used for this purpose. However, drones’ small size and low speed make them difficult to detect in a highly cluttered environment.

Critical infrastructure companies must integrate physical security plans with cybersecurity

Cyber warfare is everywhere. Advanced information sharing, cloud services, and similar technologies have expanded the threat landscape, opening new threat vectors and amplifying existing ones, both foreign and domestic. A holistic defense-in-depth approach includes both physical and cybersecurity components. IT-to-OT convergence has been under way for more than a decade, and with the growth of IoT, BYOD, and other initiatives to increase internet connectivity, physical devices are acquiring advanced network capabilities.

Therefore, utilities and grid companies must take a more proactive stance, moving from detection to prevention of these attacks. Software vendors see the opportunity and are beginning to incorporate physical security capabilities into their offerings. The convergence of physical and electronic security capabilities is becoming more commonplace, and critical infrastructure companies must evolve to keep pace.
