IEEE Standards - draft standard template
P1402™/D4
Draft Guide for Physical Security of Electric Power Substations
Sponsor
Substations
of the
IEEE Power & Energy Society
Approved
IEEE-SA Standards Board
Copyright © 2018 by The Institute of Electrical and Electronics Engineers, Inc.
Three Park Avenue
New York, New York 10016-5997, USA
All rights reserved.
This document is an unapproved draft of a proposed IEEE Standard. As such, this document is subject to change. USE AT YOUR OWN RISK! IEEE copyright statements SHALL NOT BE REMOVED from draft or approved IEEE standards, or modified in any way. Because this is an unapproved draft, this document must not be utilized for any conformance/compliance purposes. Permission is hereby granted for officers from each IEEE Standards Working Group or Committee to reproduce the draft document developed by that Working Group for purposes of international standardization consideration. IEEE Standards Department must be informed of the submission for consideration prior to any reproduction for international standardization consideration (stds.ipr@). Prior to adoption of this document, in whole or in part, by another standards development organization, permission must first be obtained from the IEEE Standards Department (stds.ipr@). When requesting permission, IEEE Standards Department will require a copy of the standard development organization's document highlighting the use of IEEE content. Other entities seeking permission to reproduce this document, in whole or in part, must also obtain permission from the IEEE Standards Department.
IEEE Standards Department
445 Hoes Lane
Piscataway, NJ 08854, USA
Abstract: Security issues related to human intrusion upon electric power supply substations are identified and discussed. Various methods and techniques presently being used to mitigate human intrusions are also presented in this guide.
Keywords: substation, sabotage, security, physical security, threat, intrusion, breach, theft, resiliency, reliability, security, wall, fence, camera, detect, detection, deter, deterrence, protect, protection
(
Important Notices and Disclaimers Concerning IEEE Standards Documents
IEEE documents are made available for use subject to important notices and legal disclaimers. These notices and disclaimers, or a reference to this page, appear in all standards and may be found under the heading “Important Notices and Disclaimers Concerning IEEE Standards Documents.” They can also be obtained on request from IEEE or viewed at .
Notice and Disclaimer of Liability Concerning the Use of IEEE Standards Documents
IEEE Standards documents (standards, recommended practices, and guides), both full-use and trial-use, are developed within IEEE Societies and the Standards Coordinating Committees of the IEEE Standards Association (“IEEE-SA”) Standards Board. IEEE (“the Institute”) develops its standards through a consensus development process, approved by the American National Standards Institute (“ANSI”), which brings together volunteers representing varied viewpoints and interests to achieve the final product. IEEE Standards are documents developed through scientific, academic, and industry-based technical working groups. Volunteers in IEEE working groups are not necessarily members of the Institute and participate without compensation from IEEE. While IEEE administers the process and establishes rules to promote fairness in the consensus development process, IEEE does not independently evaluate, test, or verify the accuracy of any of the information or the soundness of any judgments contained in its standards.
IEEE Standards do not guarantee or ensure safety, security, health, or environmental protection, or ensure against interference with or from other devices or networks. Implementers and users of IEEE Standards documents are responsible for determining and complying with all appropriate safety, security, environmental, health, and interference protection practices and all applicable laws and regulations.
IEEE does not warrant or represent the accuracy or content of the material contained in its standards, and expressly disclaims all warranties (express, implied and statutory) not included in this or any other document relating to the standard, including, but not limited to, the warranties of: merchantability; fitness for a particular purpose; non-infringement; and quality, accuracy, effectiveness, currency, or completeness of material. In addition, IEEE disclaims any and all conditions relating to: results; and workmanlike effort. IEEE standards documents are supplied “AS IS” and “WITH ALL FAULTS.”
Use of an IEEE standard is wholly voluntary. The existence of an IEEE standard does not imply that there are no other ways to produce, test, measure, purchase, market, or provide other goods and services related to the scope of the IEEE standard. Furthermore, the viewpoint expressed at the time a standard is approved and issued is subject to change brought about through developments in the state of the art and comments received from users of the standard.
In publishing and making its standards available, IEEE is not suggesting or rendering professional or other services for, or on behalf of, any person or entity nor is IEEE undertaking to perform any duty owed by any other person or entity to another. Any person utilizing any IEEE Standards document, should rely upon his or her own independent judgment in the exercise of reasonable care in any given circumstances or, as appropriate, seek the advice of a competent professional in determining the appropriateness of a given IEEE standard.
IN NO EVENT SHALL IEEE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO: PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE PUBLICATION, USE OF, OR RELIANCE UPON ANY STANDARD, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE AND REGARDLESS OF WHETHER SUCH DAMAGE WAS FORESEEABLE.
Translations
The IEEE consensus development process involves the review of documents in English only. In the event that an IEEE standard is translated, only the English version published by IEEE should be considered the approved IEEE standard.
Official statements
A statement, written or oral, that is not processed in accordance with the IEEE-SA Standards Board Operations Manual shall not be considered or inferred to be the official position of IEEE or any of its committees and shall not be considered to be, or be relied upon as, a formal position of IEEE. At lectures, symposia, seminars, or educational courses, an individual presenting information on IEEE standards shall make it clear that his or her views should be considered the personal views of that individual rather than the formal position of IEEE.
Comments on standards
Comments for revision of IEEE Standards documents are welcome from any interested party, regardless of membership affiliation with IEEE. However, IEEE does not provide consulting information or advice pertaining to IEEE Standards documents. Suggestions for changes in documents should be in the form of a proposed change of text, together with appropriate supporting comments. Since IEEE standards represent a consensus of concerned interests, it is important that any responses to comments and questions also receive the concurrence of a balance of interests. For this reason, IEEE and the members of its societies and Standards Coordinating Committees are not able to provide an instant response to comments or questions except in those cases where the matter has previously been addressed. For the same reason, IEEE does not respond to interpretation requests. Any person who would like to participate in revisions to an IEEE standard is welcome to join the relevant IEEE working group.
Comments on standards should be submitted to the following address:
Secretary, IEEE-SA Standards Board
445 Hoes Lane
Piscataway, NJ 08854 USA
Laws and regulations
Users of IEEE Standards documents should consult all applicable laws and regulations. Compliance with the provisions of any IEEE Standards document does not imply compliance to any applicable regulatory requirements. Implementers of the standard are responsible for observing or referring to the applicable regulatory requirements. IEEE does not, by the publication of its standards, intend to urge action that is not in compliance with applicable laws, and these documents may not be construed as doing so.
Copyrights
IEEE draft and approved standards are copyrighted by IEEE under U.S. and international copyright laws. They are made available by IEEE and are adopted for a wide variety of both public and private uses. These include both use, by reference, in laws and regulations, and use in private self-regulation, standardization, and the promotion of engineering practices and methods. By making these documents available for use and adoption by public authorities and private users, IEEE does not waive any rights in copyright to the documents.
Photocopies
Subject to payment of the appropriate fee, IEEE will grant users a limited, non-exclusive license to photocopy portions of any individual standard for company or organizational internal use or individual, non-commercial use only. To arrange for payment of licensing fees, please contact Copyright Clearance Center, Customer Service, 222 Rosewood Drive, Danvers, MA 01923 USA; +1 978 750 8400. Permission to photocopy portions of any individual standard for educational classroom use can also be obtained through the Copyright Clearance Center.
Updating of IEEE Standards documents
Users of IEEE Standards documents should be aware that these documents may be superseded at any time by the issuance of new editions or may be amended from time to time through the issuance of amendments, corrigenda, or errata. An official IEEE document at any point in time consists of the current edition of the document together with any amendments, corrigenda, or errata then in effect.
Every IEEE standard is subjected to review at least every ten years. When a document is more than ten years old and has not undergone a revision process, it is reasonable to conclude that its contents, although still of some value, do not wholly reflect the present state of the art. Users are cautioned to check to determine that they have the latest edition of any IEEE standard.
In order to determine whether a given document is the current edition and whether it has been amended through the issuance of amendments, corrigenda, or errata, visit the IEEE Xplore at or contact IEEE at the address listed previously. For more information about the IEEE-SA or IEEE’s standards development process, visit the IEEE-SA Website at .
Errata
Errata, if any, for all IEEE standards can be accessed on the IEEE-SA Website at the following URL: . Users are encouraged to check this URL for errata periodically.
Patents
Attention is called to the possibility that implementation of this standard may require use of subject matter covered by patent rights. By publication of this standard, no position is taken by the IEEE with respect to the existence or validity of any patent rights in connection therewith. If a patent holder or patent applicant has filed a statement of assurance via an Accepted Letter of Assurance, then the statement is listed on the IEEE-SA Website at . Letters of Assurance may indicate whether the Submitter is willing or unwilling to grant licenses under patent rights without compensation or under reasonable rates, with reasonable terms and conditions that are demonstrably free of any unfair discrimination to applicants desiring to obtain such licenses.
Essential Patent Claims may exist for which a Letter of Assurance has not been received. The IEEE is not responsible for identifying Essential Patent Claims for which a license may be required, for conducting inquiries into the legal validity or scope of Patents Claims, or determining whether any licensing terms or conditions provided in connection with submission of a Letter of Assurance, if any, or in any licensing agreements are reasonable or non-discriminatory. Users of this standard are expressly advised that determination of the validity of any patent rights, and the risk of infringement of such rights, is entirely their own responsibility. Further information may be obtained from the IEEE Standards Association.
Participants
At the time this draft guide was completed, the E7 Working Group had the following membership:
Hamid Sharifnia, Chair
Arthur Graves, Vice Chair
Participant1
Participant2
Participant3
Participant4
Participant5
Participant6
Participant7
Participant8
Participant9
The following members of the balloting committee voted on this guide. Balloters may have voted for approval, disapproval, or abstention.
[To be supplied by IEEE]
Balloter1
Balloter2
Balloter3
Balloter4
Balloter5
Balloter6
Balloter7
Balloter8
Balloter9
When the IEEE-SA Standards Board approved this guide on , it had the following membership:
[To be supplied by IEEE]
, Chair
, Vice Chair
, Past Chair
Shelly Thompson, Secretary
SBMember1
SBMember2
SBMember3
SBMember4
SBMember5
SBMember6
SBMember7
SBMember8
SBMember9
*Member Emeritus
Introduction
This introduction is not part of P1402/D4, Draft Guide for Physical Security of Electric Power Substations.
This guide was revised by members of Working Group E7/Physical Security of Electric Power Substations and is under sponsorship of the Substations Environmental Subcommittee of the IEEE Power Engineering Society Substations Committee. This revision accounts for the segregation of physical and cyber security.
Contents
Add (Table of) Contents>
Draft Guide for Physical Security of Electric Power Substations
Overview
1. Scope
This guide establishes minimum requirementsdescribes recommended and practices for the physical security of electric power substations. It is designed to address a number of threats, including unauthorized access to substation facilities, theft of material, and vandalism. It describes the requirements recommendations for positive access control, monitoring of facilities, and delay/deter features which could be employed to mitigate these threats. This guide also establishes requirements recommendations for different levels of physical security for electric power substations. The guide does not establish requirements recommendations based on voltage levels, size or any depiction of criticality of the substation. The user will make these decisions based on threat assessment and criticality assignment by the substation owner.
Overt attacks against the substation for the purpose of destroying its capability to operate, such as explosives, projectiles, vehicles, etc. are beyond the scope of this guide.
2. Purpose
The purpose of this document is to define note sound suggested engineering practices for substation physical protection that could be applied to mitigate the risks associated with the fact that substations are typically unmanned, and thus susceptible to unauthorized access, theft and vandalism.
Normative references
The following referenced documents are indispensable for the application of this document (i.e., they must be understood and used, so each referenced document is cited in text and its relationship to this document is explained). For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments or corrigenda) applies.
IEEE C37.240 - Cyber Security Requirements for Substation P&C Systems
Definitions
For the purposes of this document, the following terms and definitions apply. The IEEE Standards Dictionary Online should be consulted for terms not defined in this clause. [1]
Threat aassessment
Threats can arise in many different forms. They can come from both outside and inside an organization, driven by location, be intentional (planned) or opportunistic; disruptive to operations, or simply for vandalism or theft. In order to provide the most effective site security, all potential threats can should be acknowledged and evaluated. This clause discusses the more probable causes and types of threats.
1. Social, ppolitical, and eeconomic bbackground of tthreats
All threats to assets are associated with some form of motivation that drives individuals to attempt to compromise a facility or its operations. The following discuss some of the more likely factors which can lead to threats.
1. Recession
Higher unemployment typically occurs during a recession. and aAnti-government, anti-business emotions can run high as these institutions, right or wrong, can be viewed as the part of the cause. Utilities, in turn, may be seen as an extension of either the government or as ‘big business’. In addition, utility rates and charges may contribute to people’s economic burden. Because of the high visibility of the utility infrastructure, including substations, substations can become a target for individuals or groups to vent their frustration or to draw media attention to their cause by inflicting various types of damage to a substation, from minor to major.
2. NeighborhoodSubstation location
The locationsite of a substation can also be an inherent risk for threat, particularly vandalism and theft (primarily of copper and aluminum). Lower socio-economic areas tend to have more unemployed and individuals with substantial idle time. Utilities may choose to review the history and level of illegal activity in the area and plan accordingly, especially during construction activities when tools and materials are used or stored on site.
3. Political or llabor uunrest
Political unrest can be very unpredictable in its occurrence and focus. SBut substations can be either the target of or collateral damage from acts of terrorism, warsabbotagesabotage, vandalism,, riots, civil disobedience and protests. Similarly, labor unrest within the utility by workers or contractors provides the basis for possible retribution by damaging assets or disrupting normal operations at substations.
4. Company downsizingDisgruntled employees
A growing concern of many companies, utilities included, is possible acts of sabotage or vandalism as retaliation by disgruntled employees or contractors affected by layoffs and downsizing. Individuals may feel unjustly singled out or otherwise not recognized for their work and dedication, and hence may seek ‘pay back’. This is of particular concern as such employees or contractors could take action while they still have access to the facilities.
2. Characteristics of the pperpetrator
Threats considered within this guide are those instigated by people. Understanding the human aspects of threats supports better security designs. Threats to assets and operations due to natural forces, poor asset management, human error, etc. are beyond this guide.
← Means of access - Perpetrators can attempt to gain access by scaling walls or fences, crossing moats, breaking down physical barriers, etc.
← Intentional, not accidental - Most threats that would significantly impact the assets or operations of a substation are deliberate in nature. Vandalism may be more spontaneous (e.g. crime of opportunity), but nonetheless also deliberate.
← Not authorized – The majority of threats and actions are caused by non-employees or contractors, and thus are individuals who are not authorized to be within the substation, . These individuals would need to breach physical security to gain access or generate damage from outside the perimeter security.
← Disgruntled former/current former employee – A disgruntled employee may or may not be one who is in the process of being released from employment. It may be someone who still has regular employment but feels they have been wronged in some manner.
← Terrorist – A terrorist is someone who has planned deliberate destruction of assets, services or even to take human life in order to further their cause. Their target (substation or the grid) may only be indirectly related to the cause.
3. Tools and methods used for destruction
There are various means that can be used to attempt to carry out a threat. These can include more traditional tools and explosives as well as cyber methods.
← Vehicular – Many types of vehicles can be used to attempt to breach perimeter security means. Frequently trucks (pickups, flatbeds and other large delivery trucks) can be used to knock down, pull down or otherwise open gates or sections of walls and fencing. Other vehicles can include construction equipment (e.g. back hoes) and defense (army) vehicles.
← Explosives – Explosives can be used to both gain access and to destroy equipment or control systems within the substation. This approach is considered not common. Vans or delivery trucks could easily conceal explosives. Unsuspected vehicles may even be allowed in during the course of regular business.
← Bolt cutters – Bolt cutters have been one of the more traditional means of gaining access through a chain link fence or gate. Bolt cutters can also be used to cut wire and cable for theft or interruption of operations.
← Portable power equipment – The prevalence and availability of portable power tools such as saws, grinders, etc. has led to them often being the tools of choice for much of the low level threats, such as for theft of copper and aluminum. These tools allow obtaining access at more secluded sections of the perimeter, rather than through the front gate.
← Ropes – Though not commonly used, ropes could be used to pull down fences or structures/bus work within the substation.
← Hacking – An increasing threat to utility operations is from breaking into and manipulating (hacking) computer based systems. In additional to concerns about grid operations (cyber security), hacking can also be used to control or override physical security systems (access systems, gates, cameras, etc.). Hacking can occur either at the physical site or remotely via the internet or other communications system.
← External ballistic attack – Somone outside the substation, shooting at electrical equipment or components inside the substation with firearms.
← Unmanned aerial vehicles – Many types of unmanned aerial vehicles (drones) can be used to attempt to breach perimeter security means. These vehicles can be used in them selves to cause damage or used to transport explosives.
← Unauthorized Access to a Substation – Most threats involve unauthorized access to a substation. But threats certainly can occur by either employees with authorized access or from persons remaining outside the substation and using guns or propelling objects or explosive devices to inside the substation.
4. Characteristics of an intrusion
A threat can take many forms or occur at various times. Below are some of the more common characteristics of threats.
← Time of day – Intrusions can occur at any time of day, depending of the nature of the event. However, most tend to occur in the late evening or nighttime when darkness affords more concealment, lessening the probability of early notice.
← Duration of the event – Most events are relatively short in nature. Gunshots or explosives can occur within a few minutes, thieves can be in and out in an hour or less. Quick response rates are imperative.
← Visible vs. surreptitious – As with almost all illegal activity, intrusion could most likely occur either at night or when no one else is around. Even acts of intentional terrorism or sabotage are generally not publicized ahead of time (though certain individuals or groups may claim responsibility afterward).
← Noisy vs. quiet – Since most individuals prefer not to draw attention to themselves or be seen, they could tend to be as quiet as possible.
5. Objectives of substation intrusion
The physical security features of a substation are intended to deter acts that affect the operation of the substation or compromise the integrity of the assets by damage or theft. The following are typical objectives of the intruder.
1. Unauthorized physical access of critical cyber assets
Modern microprocessor relays are typically an integral part of system operations and communications systems. Individuals intending to disrupt system operations as an act of terrorism or sabotage could target gaining access to these devices and the operations communication systems. Interfering with these systems can have significant impact on system operations causing grid instability or local to wide-area blackouts. Unauthorized physical access to cyber assests provides a way to compromise the sytem. See IEEE C37.240 for more information on cyber security.
In addition, enterprise records may be at risk. Enterprise business systems are typically separated from the operations and SCADA systems that are found in substations. Nonetheless, access into the business system may compromise asset records, financial records or customer data. Intrusion may include stealing, changing, deleting, or otherwise interfering with data and programs in the computer systems. This can compromise customer trust and put the utility at high risk of investigation and fines by its regulatory body. Enterprise business systems are thus just as critical to business operations as the grid operations systems.
2. Theft of material
An increasingly common objective of substation break-ins is for theft. Materials (particularly copper ground cable and cable on reels stored at the site), tools and equipment can be readily used, sold or ‘scrapped’ for cash. Any substation asset that is thought to be of hashave monetary value including landscaping or architectural enhancements, may be stolen for financial gain.
3. Vandalism and loitering
Some objectives are not particularly to incapacitate facilities, but may be intended to send a message or for personal reasons.
← Vandalism – May be done to cause economic loss to the owner, i.e. intentional destruction of property to inflict financial harm, or to take out frustration, not necessarily directed at the owner/operator.
← Sabotage - For personal satisfaction, retribution or to draw public attention to a cause.
← Personal comfort - e.g. seeking shelter or a warm place to sleep.
← Commercial or personal convenience – May include (illegal dumping, or a shortcut to the other side of the property.
← Thrill seekers & suicide – Those who like the thrill of taking a risk (e.g. target practice with guns, creating a fault within the substation, or other activities seen as challenges). Less likely, but possible, is an individual intending to perform acommit suicide.
← Sightseeing - Typically no malice is intended, but simply a desire to satisfy one’s curiosity.
4. Unauthorized use of substation facilities
Business convenience - Though not common, an individual (employee, contactor or unrelated person) may attempt to access a substation to utilize some of the facilities (e.g. phone, internet, tools, restroom, etc.), even though they are not authorized to do so.
Design Considerations for Threat Mitigation
Each utility planning to establish a physical security program may choose to perform a risk assessment and implement an appropriate mitigation program at each substation (or switchyard), recognized as being critical to the resiliency strategy of the utility’s and the region’s electric transmission system. Typical criteria for implementing substation physical security programs are based on probability and impact assessments of threats and vulnerabilities to:
• individual substations,
• neighboring substations or generation stations, the
• electric transmission system,
• customers served,
• equipment present inside the substation,
• criticality of load,
• ability to restore equipment and the electric transmission system to normal operation following an event,
• the response time for law enforcement personnel for criminal threats,
• and the response time for utility personnel as it relates to operational recovery and the mitigation of electrical hazards
.
For many years, utilities have centered their substation physical security programs on theft prevention. Recently utilities have had to also consider intentional sabotage, where a criminal element is organizing to target substations by damaging electrical substation equipment (or electrical components). Such an event could render the transmission system inoperable and possibly cause large scale power outages and/or public panic.
As utilities consider various threats and perform a risk assessment for each of their substations, the cost-to-benefit ratio of threat mitigation measures can be difficult to establish but should be considered because it is an important part of the decision making process. It is likely that each utility would assess threats differently and employ threat mitigation measures that may be unique and tailored to their own substation physical security program and the collective strategy for each substation.
Utilities may choose to consider any or all of the the following examples of threats to electric supply stations found in Section 4 of this guide.:
Unauthorized forced entry: someone forcibly entering the site with malicious intent to vandalize, sabotage or steal assets within the enclosed substation.
• Insider threat: someone who has legitimate access to the facility and uses that access to enter the site with malicious intent to vandalize, sabotage or steal assets within the enclosed substation.
• External ballistic attack: someone outside the substation, shooting at electrical equipment or components inside the substation with 5.56mm (.223 caliber) or 7.62mm (.308 caliber) semi-automatic rifles.
• Improvised Explosive Device: a person deploying explosive devices to damage substation components.
1. Principal Threat Mitigation Measures
In general, there are many security solutions that can address any one threat or vulnerability to electrical equipment, electrical components and the operational capabilities of an electric supply station. These threats are usually identified during threat assessments and evaluations. For a facility at risk, principal solutions can be viewed as an approach to deter, detect or delay the impact of certain types of events.
1. Perimeter security fences (steel)
Fences of various materials serve as the principal barrier that limits access to electric supply stations, where basic requirements are documented in current versions of various local codes such as the National Electric Code (NEC) and the National Electric Safety Code (NESC). Galvanized steel chain-link fences continue to serve as the most basic perimeter security fence for electric supply stations. In general, fences at electric supply stations have been six (6)-to-seven (7) feet tall and they often utilize top guard, such as strands of barbed wire. A common barrier/surface used has been 2 inch, chain-linked fabric. Traditionally, these fences provide a basic security barrier and a line of demarcation that identifies the enclosed electric supply station. By incorporating universal safety signs and building to physically comply with the requirements noted in local and national codes , such as the NESC, these fences serve to identify the borders of a facility that is generally considered hazardous to unauthorized personnel.
The benefits for standardizing on steel chain-link fence are low cost, resource availability, and ease of installation/modification/repair. In addition, the industry’s best practices for grounding chain-link fences at electric supply stations are well known and documented throughout industry references.
As owners of electric supply stations experience unauthorized forced entry events, other perimeter fence options have been employed to stop or mitigate activity at affected facilities. Owners of electric supply stations have realized that the materials traditionally used for perimeter fences (2” chain-link mesh) may not be considered a proper security barrier for perimeters that require heightened physical security features. The material used for the primary barrier would likely be commensurate with the evaluated threats and security risk assessment for that electric supply station. Chain-link fence is easily cut, easily climbed and provides very little screening for assets in the interior of the enclosed area.
For facilities that require heightened security features, the perimeter fence would serve as the principal component of the substation physical security system. The perimeter fence can serve as the platform for various levels of intruder detection, intruder identification, alarm and monitoring. The goal of the physical perimeter security system is to partially screen critical assets and to deter unauthorized forced entry. The fence system would be expected to facilitate the detection and confirmation of a criminal threat to the electric supply station and to delay the breach of the substation perimeter barrier. By helping to defend the property and critical assets within the facility against a criminal act, the high security fence system would could allow time for a coordinated response by law officials.
Electric supply stations that require heightened security features may implement perimeter fence requirements that include the following features:
• Climb resistant fabric: the openings are generally small enough to resist finger holds and foot holds.
• Cut resistant fabric: steel fabric can be comprised of steel wire or sections that are thick enough and strong enough to resist common cutting tools.
•
• Burn resistant fabric: fabric selection can include materials that are inherently resistant to flames.
• Asset screening: line-of-sight evaluations can help select the appropriate height for the fence of the electric supply station being considered in order to protect critical assets. Generally, security fence could be tall enough to screen critical assets in Extra-High Voltage substations. In other substations, security fence may need to be twelve-to-fifteen feet tall to screen other critical assets.
• Ballistic properties: fabrics selected can be tested to understand their performance under fire. It is important to remember what the owner is defending at the perimeter. The substation perimeter is generally defending steel assets (or equipment that is hardened as a part of its normal function in a substation) within the site at various distances from the barrier. Since substations are normally unoccupied, utilities are not considering the defense of people from a ballistic event. Therefore, military and government recognized ballistic testing criteria may not directly apply. A bullet may not be able to penetrate (contact) a steel fabric without being impacted. Different steel fabrics may perform differently, regardless of their screening abilities. The owners of electric supply stations may consider this aspect during their security fabric selection process.
• Forced entry resistance: fence systems can be tested in accordance with American Standards Testing Methods, like ASTM F2781, Standard Practice for Testing Forced Entry, Ballistic and Low Impact Resistance of Security Systems, to understand how their security fencesmaterials would perform during low, medium and aggressive attempts for unauthorized forced entry through the fence with hand tool and/or power tools. See American Standards Testing Methods, ASTM F2781, Standard Practice for Testing Forced Entry, Ballistic and Low Impact Resistance of Security Systems for more information. The owners of electric supply stations may choose to consider this aspect during their security fabric selection process.
• Anti-graffiti coatings: protective coatings (hot dipped galvanizing, zinc plating and/or powder coatings) on steel fences may be guarded from the harmful chemicals that could damage the structure or aesthetic appeal. Clear coat products, applied before and after an event provide a good option for creating and maintaining a barrier against graffiti. In some cases, when caught in time, paint can be removed by soft brushing with soap and water or other basic cleaning products, even a power washer.
In conclusion, Ffences that incorporate security features could help prevent externally inflicted vandalismsecure for the equipment inside an electric supply station, such as gunshot damage. The height of the fence, types of fabrics/panels selected, surrounding terrain and elevation of equipment are key decision points for owners of electric supply stations. Putting Installing security this type of screeningfences on the perimeter could defend protect the majority of eequipment inside the substation, with proper consideration of design parameters.
2. Perimeter security walls (masonry, steel and other materials)
Solid walls are generally more difficult to breach, than chain-link fence and perhaps most types of security fences. With their ability to reduce direct line-of-sight assessments of the equipment inside the substation, solid walls are excellent barriers for ballistic events. Perimeter walls are often requested by community officials during local permitting meetings to enhance community appeal and/or reduce the industrial appearance of an electric supply station.
There are many types of materials that can be used to assemble a perimeter wall with security features. In general, concrete (block walls, cast-in-place, or precast panels) are the most common. Steel and other materials (like structurally reinforced fiberglass panels) are common where the owner needs a perimeter barrier that performs a certain function, like serving as asuch as serving as an acoustical noise barrier with sound absorptive capabilities.
Owners of electric supply stations may have the most experience with concrete walls, for the following reasons:
• Low maintenance requirements
• The understanding of costs to engineer, procure and construct the wall is familiar to utility engineers. Common availability of fabricators and installers allows owners of electric supply stations to search for ready solutions and to establish an evaluation process that can einsure value for rate payers and shareholders
• Ability to incorporate a variety of decorative features, to best blend with a community
• Integrates into the substation environment relative easily, as a non-conductive surface where steel components are generally easy to bond to the substation’s ground grid.
Solid perimeter walls can help prevent externally inflicted vandalism for the equipment inside an electric supply station, such as gunshot damage. The height of the wall, wall material make-up, surrounding terrain and elevation of equipment are key decision points for owners of electric supply stations. Putting this type of screening on the perimeter could protect the majority of equipment inside the substation, with proper consideration of design parameters. Perimeter barriers can limit the requirement for secondary, internal ballistic barriers for key assets thereby giving better access to equipment for operation and maintenance activities.
3. Passive anti-ram barriers
Owners of electric supply stations may choose to consider the vulnerability of the perimeter barrier to a vehicle impact. The following site conditions can be reviewed:
1. Design basis for the speed of a vehicle.
i) Consider alignment of crash points with county and state roads
ii) Consider the shape and length of the substation access road and the surface condition, in relation to gates and any other crash point along the perimeter
iii) Consider speed limiting barriers (existing or to be installed), some may be installedsuch as (drainage ditches, speed bumps, cattle gates, jersey barriers, guard rails, or) or environmental barriers like water or vegetation.
2. Design basis for vehicle size or payload.
3. Design basis for vehicle payload penetration.
4. Maintenance activities need be considered in the design of passive barriers
The most common crash point, and the part of a perimeter barrier that is traditionally the most vulnerable to unauthorized forced entry, is a drive gate. All entrances to substations can be locked or monitored. All equipment located outdoors, within the substation perimeter, may have provisions for locking cabinets and operating handles where an intruder could cause an operational problem. Padlocks could be of a type that can utilize a key that cannot be reproduced outside of owner control or approval. Similar locking devices may be used at all gates and/or entrances to buildings or enclosures within the electric supply station.
Passive anti-ram barriers are specifically engineered to manage a threat, at an established design basis. Many fabricators have engineered solutions that have been tested and/or certified. A proven system would be certified byAn example of a testing criteria is listed in ASTM F2656, Standard Test Method for Vehicle Crash Testing of Perimeter Barriers.
1. Active entry point barriers
Active entry point barriers are commonly considered to be any type of moving barrier, such as a swinging, sliding, raising, lowering, rolling element that is a stand-alone passage barrier, or is any portion of a perimeter wall or fence system that physically controls entrance and/or egress by persons or vehicles, and when closed completes the perimeter of an electric supply station.
Tthe utility may choose to enhance their level of responsibility for the design by requiring compliance with industry and national recognized standards, such as UL325 Standard: Door, Drapery, Gate, Louver and Window Operators and Systems; and ASTM F2200: Standard Specification for Automated Vehicular Construction. The UL325 standard primarily addresses the design, manufacturing, and installation of the active entry point barriers. The ASTM F2200 Standard provides additional recommendations on barrier construction and design of different types of automated barriers.
2. Supplemental Mitigation Measures
In general, there are many security solutions that can address any one threat or vulnerability to electrical equipment, electrical components and the operational capabilities of an electric supply station. These threats are usually identified during threat assessments and evaluations. For a facility at risk, supplemental solutions can be viewed as an approach to monitor and detect the occurrence of certain types of events.
1. Electronic access control (card readers)
Electronic access control systems are used to restrict access to electric supply stations. These systems are typically designed to control access to the electric supply station perimeter, control houses and other critical assets. These systems provide the ability to effectively manage and document access. Personnel screening would likely be a prerequisite to the issuance of access credentials.
There are various types of access controls readers, which are classified by their technology and the functions they perform.
• Barcode: is a series of alternating dark and light stripes that are read by an optical scanner. Barcode technology is inexpensive and easy to generate the credential. The simplicity of this technology makes it more susceptible to fraud.
• Magnetic Stripe: usually called mag-stripe, is so named because of the stripe of magnetic oxide tape that is laminated on a card. There are three tracks of data on the magnetic stripe. Typically the data on each of the tracks follows a specific encoding standard, but it is possible to encode any format on any track. A mag-stripe card is inexpensive compared to other card technologies and is easy to program. The magnetic stripe holds more data than a barcode can in the same space. While a mag-stripe is more difficult to generate than a bar code, the technology for reading and encoding data on a mag-stripe is widespread and easy to acquire. Magnetic stripe technology is also susceptible to misreads, card wear, and data corruption. These cards are also susceptible to some forms of skimming where external devices are placed over the reader to intercept the data read.
• Wiegand: is a patented technology using embedded ferromagnetic wires strategically positioned to create a unique pattern that generates the identification number. Like magnetic stripe or barcode technology, this card would be swiped through a reader. Unlike the other technologies, the identification media is embedded in the card and not susceptible to wear. This technology once gained popularity because it is difficult to duplicate, creating a high perception of security. This technology It is being replaced by proximity cards, however, because of the limited source of supply, the relatively better tamper resistance of proximity readers, and the convenience of the touch-less functionality in proximity readers. Wiegand technology is available in a common 26 bit format and larger bit formats with added security features. The 26 bit format uses a common site code and is susceptible to card number duplication across unknown entities. The 35 and larger bit format provides a more secure proprietary site code to protect against card duplication.
• Proximity Card: uses Wiegand upstream data so that the new readers are compatible with older existing systems. The proximity reader radiates a 1" to 20" electrical field that interacts with the card technology to read the card and allow access to authorized users. Most of the industry has moved to the use of proximity readers.
• Biometric Readers: could include numerous forms of biometric identification, some include fingerprinting, hand geometry, iris and facial recognition. The systems work by comparing the biometric template stored in the user record with the biometric data presented to the reader. These systems can be used to protect against unauthorized access from lost, stolen or loaned card/pins. Biometric systems can be designed in one-to-one or one-to- many configurations. The one-to-many mode allows access based solely on the biometric data which is stored in the user record template. This approach is preferred by some users as it eliminates the need to for access cards or pins. However, access authentication is slower, as the system would have to perform thousands of comparison operations to find a match. The one-to one mode requires the use of an access card or pin with the biometric scan. The biometric data is stored in the user record template with the card or pin number. This mode provides and added layer of security as it requires dual authentication. It operates faster because the card/pin number allows a one-to-one comparison of the biometric scan with data stored in the user record template.
2. Perimeter intrusion detections systems (PIDS)
Perimeter intrusion detection systems (PIDS) are designed to detect unauthorized activity and provide situational awareness at the perimeter of electric supply stations. Detection and situational awareness are a key component to effective emergency response plans. The PID package would likely include some level of redundancy and likely be designed to work well with site perimeter barriers and known normal activity at the facility.
There are a vast number of PIDS including the following technologies:
• Fiber-Optic Intrusion Detection Systems (FOIDS): are installed on perimeter fencing to detect unauthorized activity. These systems use light pulses that are transmitted through fiber optic cable that can be programmed to distinguish between environmental noise and intrusions. This capability minimizes inadvertent alarms which is a critical component of intrusion detection.
• Passive InfraredR (PIR) Motion Sensors: incorporate detectors that sense changes in the amount of infrared (IR) radiation passing between the sensor and the background. There are a variety of IR sensors that can be deployed to detect intrusion along a straight line over 100 feet, or cover a wider area at less distance.
• IR Photo Beams: or active infrared technology uses a transmitter and receiver installed opposite each other to provide perimeter protection. These devices are activated when the beam is broken. IR Photo beams have a lower false alarm rate and are less sensitive to weather than PIRs. Therefore, they can be installed in a variety of configurations to effectively manage intrusion detection.
• Ground Based Seismic Detection: can be designed to protect secured perimeters and unfenced assets. These systems use algorithms to decode ground vibrations to detect, locate and classify threats. These systems can detect pedestrian traffic, vehicle traffic, digging and numerous other activities. They do not require line of sight to the intruder and are not obscured by weather, darkness, topography and physical structures.
Caution: False or nuisance alarms need to be considered as a part of the design and decision process. Valid detections may be disregarded if monitoring technicians are overwhelmed with invalid alarms.
3. Video mMonitoring sSystem
Video Monitoring Systems may include a combination of high definition and thermal cameras to provide high quality images to effectively monitor site activity and assess alarms at electric supply stations. Cameras can be selected and applied to assess the substation perimeter, critical components and unauthorized and/or criminal activity outside of the perimeter, preferably covering the entire substation. This assessment provides quality information to assist first responders in the event of attacks on the electric supply station. It further provides owners/operators situational awareness to support safe and reliable operation of the electric supply station.
There are numerous types of video monitoring systems including:
• Analog Camera: An analog surveillance camera has a Charge-Coupled Device sensor and digitizes the image for processing. Before it transmits the video, it converts it to analog and transmits it over coaxial cable so it can be received by an analog device, such as a video monitor or recorder. Unlike Internet Protocol (IP)IP cameras, analog cameras have no built-in web servers or encoders. A standard resolution analog camera has no more than 345,600 pixels of resolution. The maximum resolution a conventional analog camera can provide is 720x480 pixels.
• Internet Protocol (IP) Camera: IP cameras are equipped with an embedded web server and is accessed and controlled over IP networks such as a WAN and LAN. An IP camera is a “network appliance”. It has its own IP address, connects to a wired or wireless network and by utilizing, client software users can view an IP camera’s video output from a local or remote location. All HD (high-definition) IP cameras have at least 1,000,000 pixels. An IP camera can produce resolution of 1280x1024 pixels. This is more than 3 times the resolution that can be provided by analog Closed-Circuit Television (CCTV) cameras. T, therefore, providing enhanced assessment and forensic capability. Cyber security should be considered with these cameras.
• Thermal Camera: A thermal imaging camera is a device that forms an image using infrared radiation. Thermal security cameras make images from the heat energy that is around us all the time, not from reflected visible light, giving you true 24/7 imaging capability without lights or illuminators. Thermal energy penetrates atmospheric obscurants better and farther than visible light, allowing you to see through haze, smoke, dust, some vegetation, and light fog.
4. Video Analytics
Video analytics perform a number of functions that enable users to effectively and efficiently manage alarms and assess activity at electric supply stations. They enhance numerous functions of video management including system supervision, monitoring, forensic analysis, system and incident management. These systems recognize changes and patterns in the environment and can be programmed and/or tuned to increase situational awareness, minimize inadvertent alarms and alert on identified anomalies such as; abnormal pedestrian/vehicle traffic, items missing or left behind and system tampering.
5. Video Management Systems
Video management software provides remote video monitoring, recording and event (alarm) management functionality. Its API (application-programming interface (API)) allows the integration with other systems such as access control, detection and monitoring to enhance the incident assessment and response process at electric supply stations. It allows the user to efficiently manage requirements for bandwidth consumption and access to video retrieval.
6. Gunshot detection
Gunshot detection may be another key detection tool at electric supply stations, as it alerts owners of activity that may pose a serious threat to station equipment and operations. Integration of gunshot detection with other detection and monitoring systems enhances the assessment process and supports rapid emergency response to attacks on electric supply stations. This component provides key data to operators and first responders to mitigate threats and consequences in the event of an attack. Owners of electric supply stations, considering this technology, may should choose to evaluate and test the various types of gunshot detection to determine which system(s) works best with their security technology plan.
7. Security lighting
Security lighting is used to increase visibility to aid in the detection of intrusion ders, and to deter intruderssion, and to increase visibility in electric supply stations. A commonly recognized security lighting level for perimeter lighting at restricted areas is 0.5 foot-candles measured horizontally, as noted in industry references, like the Guide for Security Lighting for People, Property and Critical Infrastructure Infrastructure that is published by the Illuminating Engineering Society (IES G-1-16). This level of evenly dispersed lighting is not always practical in a substation and it could conflict with local permitting requirements and/or ordinances. The owners of substations may choose to design station lighting to meet operational and permitting requirements; and, install additional security lighting to deter and detect unauthorized activity. To accomplish these objectives, the security lighting may be integrated with security systems and be designed to account for the individual characteristics of each substation. Any lighting can be designed to work to the best advantage of the cameras that are selected by owners of substations.
The following types of lighting are available:
1. Incandescent Lamps: for CCTV purposes, bulb life is limited and they are very inefficient. They are generally expensive to run (typically 500 watts) and expensive to maintain (up to 3 bulb changes per year).
2. Fluorescent Lamps: for CCTV purposes, is limited because they produce a flicker imperceptible to the human eye but visible to cameras as a “beat” effect making fluorescent illumination unsuitable for video surveillance. Light output is also affected during cold weather which may make this type of light unsuitable for security purposes.
3. Hight-Intensity Discharge (HID) Lamps: can be used in CCTV. They are efficient, provide good color rendition and they provide a relatively long life – up to 12,000 hours. However, they suffer from a slow start (2-3mins) and cannot be turned on immediately after being turned off. HID includes low pressure sodium (unsuitable for CCTV due to its yellow tinge), high pressure sodium (which is more acceptable but produces worse color rendition than Metal Halide) and Metal Halide. Metal Halide HID bulbs provide a very natural, cool clear White-Light with excellent colour rendition.
4. InfraredR Illuminator: emits an invisible infrared light that can be used to enhance video monitoring in low light environments.
5. Light-Emitting Diodes (LED): type lighting (as a relatively new option) generally works better than some of the traditional lighting solutions, for a number of reasons, including:
1. Lower energy consumption
2. Superior quality illumination (even spread of light, no dark or bright spots, better targeting, especially with higher-end LED lighting products)
3. Longer product life and reliability, (up to 100,000 hours. - in comparison fluorescent bulbs typically last 10,000 hours and incandescent bulbs 1,000; the best LED products available today deliver 10 years life, with warranty)
4.
5. No Low maintenance (no bulb failure, no down-timedrivers are typically the part that fails most often)
6.
7. Instant start (no warm up time for full light output)
8.
9. Suitable for challenging environments (higher-end products are weather-hardened, hot and cold climate tolerant, vandal resistant)
10.
11. These are available as a “Smart Light” that allow flexibility in color-temperature selection and lumen levels, among other features.
12.
2. Power and cCommunications
Owners of substations may choose to design power and communication systems that support the requirements of the technology incorporated in the security system. The engineered solution would need to provide adequate power and bandwidth to manage security systems. The design may want to also consider redundant paths for power and network communications to mitigate single points of failure.
The components used by owners of substations, as supplemental mitigation measures in the perimeter security system, may require consideration of primary, secondary and emergency back-up power sources. Generally, the components that make up the technology package for a facility are fed from power supplies that convert 48 or 120VACAC voltages to 12, 24 or 48VDCDC voltages. For owners of electric supply stations, these AC-DC converters may present a new challenge for the auxiliary AC systems (generally supplying the basic low-voltage power support systems for substation building power, battery chargers, yard equipment heaters, and maintenance load) in the form of a large demand or significant increase in continuous load. See IEEE standard 1818 for guidance on design of AC and DC auxiliary systems.
Owners of substations need to consider load management at each facility, by balancing the existing infrastructure that is used (requirement to support basic operational requirements) and the new security power infrastructure. For example, some technology packages may increase auxiliary AC system load requirements by 60kVA-to-116kVA at facilities with enhanced supplemental mitigation. In some instances this load increase can be substantial and require In most cases , at this level of supplemental system monitoring, a new source may be required to manage the additional load of a security system.
8. Internal barriers (masonry or other materials)
Owners of electric supply stations could choose to consider additional barriers where critical power equipment or electrical components in substations are not screened from a ballistics attack, or from direct line-of-site from outside the facility. In general, substation equipment with excessive lead times, items that could be critical to system resiliency if rendered inoperable, or equipment that directly supplies critical customers may need to be screened by using barriers internal to the electric supply station. Owners of electric supply stations may choose to establish performance criteria for the placement of tall barriers inside a substation.
The following items can be considered when designing internal barriers:
1. Equipment access: should be considered for maintenance and replacement.
2. Height above grade: can be selected to protect parts of equipment that is critical to maintaining the health of the transformers. The placement of the barrier, in relation to the component it is protecting, is critical to selecting the proper height.
3.
4. Placement: around critical equipment such as (power transformers or circuit breakers) is important when attempting to maintain equipment access and the ability for the equipment to self-cool. The movement of ambient air may be considered. In addition, the barrier may not be installed in electrical clearance zones, but maintaining minimum approach distances when working/installing the barrier could be difficult around existing equipment.
5.
6. Structural requirements: for any barrier would likely be required by the owner to be consistent with industry best practices for substation structures. The American Society of Civil Engineer’s guide, ASCE 113 Substation Structure Design Guide, is a good reference for ensuring the load cases for these structures meet the utilities expectations for structures around critical equipment and components.
7. Ballistic performance: can be selected by owners of electric supply stations based on their own evaluation and testing of the materials they plan to use as an internal barrier. Generally, a threat assessment of the facility can help determine the appropriate design basis based upon credible threat identification. UL 752 may be used as a guide in selecting levels of ballistic protection.
8. Material: types used for internal ballistic barriers could be made of steel, structurally reinforced steel, concretes, fiber-glass structural reinforced fiberglass panels, and other materials. Owners of substations may choose to consider material life, maintenance requirement and material integration in substation environments.
9.
10.
11.
Analysis Process
This section describes how design features may be applied when reviewing threats to a substation.
1. General features of a substation design analysis
The methods used to analyze the design of a security system are assessment of advantages and dis-advantages of each feature and combination of features and determination of the probability of success or failure. An assessment of technologies for physical security may include various components and methods such as varying degrees of access control; and equipment and substation yard monitoring via cameras, sensors and other technologies which can be incorporated into the design criteria considerations.
The design advantages and disadvantages are measured against the design criteria.
For example, a design feature of video cameras would have advantages and disadvantages when measured against the criterion of theft of security system equipment. The disadvantage is the greater expected economic loss than the theft of other design features. When measured against the criterion of reliability, the advantage of a video camera is positive detection of intrusion.
The advantage of a motion detection scheme when measured against criterion of theft of security system equipment may be lower economic loss, but the disadvantage is spurious indication and lower reliability.
Some criteria can be set to determine the probability of success. Criteria of “no injury to the intruder” or “electrical service outage” would lead towards the determination of the probability of design feature(s) meeting the criteria.
Statistical data on performance of design features is sometimes not available a quantitative probability assessment may not be possible. A judgment made by knowledgeable persons is a reasonable and practical alternative.
For a quantitative assessment of probability of success of design feature(s) will have a numerical probability. For a qualitative assessment, the comparison with the criteria may be a “yes” or “no” judgment of the effectiveness of the design feature(s).
An evaluation matrix could be used to capture the advantages, disadvantages, and success probability of security system design features. An example is given in Annex ?
The dynamic of an intrusion event can be used as an aid in determining the advantages and disadvantages of the features of a security system design.
As an example, an objective may be copper conductor, and one link of the nature of the intruder may be a high school student with a pickup truck. Another link of the nature of the intruder may be a skilled IT professional with hacking code of corporate financial records.
A physical security system that deters the high school student is acceptable for that link to copper conductor. The physical security system design may not deter the IT professional from copper theft, but it’s unlikely that the IT professional will steal the copper and the consequences are acceptable.
There are obvious analysis short cuts that can be made by making only the more likely links, e.g. teenager and copper, but not IT professional and copper. Or IT professional and communication paths to enterprise records, and not teenager and communication paths to corporate records.
In addition to advantages and disadvantages of particular security solutions, it is also important to consider Owner and Operator concerns when determining the most applicable security solution. Depending on an Owner’s or Operator’s specific needs, not all security solutions necessarily make sense from the perspective of cost or installation logistics. These types of considerations might include the following:
• Is damage to a facility’s equipment or security measure an acceptable outcome to thwart an intrusion?
• Does the cost of damage or theft of substation equipment and material outweigh the cost of the security measure? This could be interpreted as either monetary cost or resource cost.
• Is an interruption of service or reduction in service reliability acceptable?
• Is the probability of a customer outage or effect an acceptable risk? For example, are there areas within a substation that can be considered an acceptable risk if it is lost?
• Are there concerns about the damage or theft of the physical security equipment itself?
• Does the security assessment require a redundancy of protection? For example, multiple power sources to equipment, multiple detection devices to help mitigate false alarms, etc.
• Are operation or maintenance tasks affected by the installation of security system?
2. Design criteria considerations for physical security
This section describes some environmental and geographical considerations that may impact physical security features.
1. Site location and environmental considerations
Consideration can be given to substation site selection. Higher levels of crime, vandalism, and graffiti may be common behaviors in certain neighborhoods. School properties or other public areas adjacent to or near a substation or substations located in remote areas may also present additional opportunities for intrusions.
Uses of adjacent property may lead to intrusions onto substation property. Commercial activities, construction, storage, equipment and material locations, and building structures can facilitate intrusions onto substation property.
Driveway barriers (gates, guardrails, ditches, etc.) at the property line for long driveways can help limit vehicular access to the substation property.
Substation geographical location accessibility, i.e., flood zones, mountain locations, etc., and facility visibility can be considered. Local climate and weather including ambient temperature, wind, ice, rain, snow, and/or lightning may influence the physical security design considerations. Substations located on slopes can be subject to erosion and wash out, which can create openings under the fence or inhibit drainage flow due to debris buildup and compromise security.
2. Substation construction and operation
Substation construction whether indoor or outdoor facility, substation area/footprint, and/or transmission line construction considerations (overhead or underground) will affect physical security considerations. Various components of these criteria may also be considered for the overall design. For instance, an indoor substation may include vulnerable outdoor GIS potheads or GIL which require additional or different considerations than the indoor substation equipment.
Consideration may also be given to whether the substation is normally attended or not attended.
3. Fence and wall barriers
This section discusses fence and wall criteria that can be used to mitigate threats to a substation.
1. Fences
Fences of various materials, most common being chain link construction, provide primary security to limit access to substation property; refer to the National Electrical Safety Code® (NESC®) (IEEE Standard C2) for electrical substation fence requirements in the United States. In addition, reference can be made to ASTM International Standard F2611, Standard Guide for Design and Construction of Chain Link Security Fencing for recommended specific design and construction details. Addition of top, intermediate and/or bottom rails on fence sections: closed track roller systems to sliding gates: methods such as welding to prevent hinge pins and bolts from being easily removed; and use of smaller chain link mesh sizes may improve the overall integrity of the fencing system. Based on the height of the fence, deleting the installation of the top rail may be considered as it may provide a handhold for the intruder. For added security for fences using a top rail, the top rail can be installed one foot below the top of the mesh. Also, the extension of materials above and below grade, such as concrete curbing, has been used to reduce the possibility of erosion and dig-ins under the fence.
Double fencing (enclaving), increased fence height, use of fence barbed wire doubled in a “v” pattern, and smaller-dimension mesh fabric that impedes climbing may also be considered to avoid access over the fence. For installations requiring higher security, expanded metal higher security style of fencing material may be considered. Areas that experience large snow accumulations can consider use of higher fences or walls.
Opaque fencing may also be considered to shield view of equipment within the fence enclosure from the outside for the entire fenced facility or for areas of higher concern. However, once an intruder is inside, an opaque fence may work to limit view of an intruder from outside the fence which may be a concern to security personnel. An opaque fence may be a chain link fence with slats woven in the chain link, or fencing utilizing other material.
The material utilized for the fence can be commensurate with the evaluated security risk of the area. A standard chain-link fence is easily cut and most purposeful intruders use this method to gain access. Chain-link fences are therefore of limited value against this type of intruder. A detection system integrated within the chain link fence mesh may be added to detect if the fence has been cut. Expanded metal fencing is more difficult to cut, climb, or breach.
Consideration can be given to the fence location to provide a sufficient distance from the fence to minimize the potential use of these items to scale the fence.
Consideration can be given during the design of the fence to ensure that it will properly support the application of added intrusion detection devices if they will be included as part of a security design.. An integrated system using lighting with video surveillance requires a specific fence layout, for example, the fence can be located to avoid blocking the view and reduce shadows.
A method to enhance security, signs could be installed on the perimeter fence to warn the public that:
5. Alarm systems are providing security for the substation.
6. Camera systems are in use.
7. Entry is not permitted.
2. Walls
Solid masonry or metal walls can provide an additional degree of security over standard substation chain link fence. Solid walls are generally more difficult to breach and also limit direct line-of-sight view to equipment inside the substation. Solid walls may deter vandalism, such as gunshot damage, depending on the height of the wall, surrounding terrain, and elevation of equipment inside the substation.
Consideration can be given to the wall location to provide a sufficient distance from the wall to minimize the potential use of these items to scale the wall. The wall design could be such that the wall is not going to be used as a climbing aid.
Solid walls can offer some of the most effective protection against the highest impact and most likely physical threats to substations:
8. Storms
9. Fire
10. Physical Attacks
For example, a properly engineered wall with a minimum four-hour fire rating per IEEE Std. 979, and a minimum UL 752 Level 5 ballistics rating can contain, shield, and limit damage to critical substation components. This type of best practice contributes significantly to the substation’s resiliency by making it possible to recover quickly after a fire and/or shooting event.
Some substation owners add razor wire or metal spikes to the top of station wall to further enhance security.
3. Entrance/Equipment locks
All entrances to substations can be locked. All equipment located outdoors within the substation fence can have a provision for locking cabinets and operating handles where unauthorized access could cause a problem. Padlocks can be of a type that can utilize a non-reproducible key. Similar locking devices can be used on gates and doors to any buildings within the substation fence. Maintenance of equipment alignment is important to ensure proper installation of locks. In places where it is difficult to keep equipment in alignment, the use of chain and lock is a practical method to secure the gate. However, avoid the substitution of chains where possible, since they may compromise the security of a locking system.
Consider enhanced access authorization via multiple mechanical locks; magnetic card keys and/or smart cards; or biometric access devices for facilities requiring increased access security.
4. Other barriers
Driveway barriers (gates, guard rails, ditches, etc.) at the property line for long driveways can help limit vehicular access to the substation property.
4. Landscaping and aesthetics
Any landscaping treatment around substations can be carefully designed so as not to create potential security problems. Walls, plantings, or screening treatments may make substations an attractive and secluded meeting spot for various recreational or illicit activities. Perimeter bushes can provide cover for unauthorized entry.
5. Buildings
Most substations include buildings which house the substation control and communications equipment. These buildings can be located inside the substation fence perimeter and not constructed as part of the perimeter fence enclosure reducing enclosure security where the fence abuts the building. Normally a building is not constructed as part of the perimeter fence. It would not be ideal to have outside doors to the public side of the substation.
Construction of a building to enclose the entire substation (indoor substations) or exposed equipment and materials can provide an additional layer of protection against intruders. Buildings (or trailers) in outdoor substations used to enclose material stored at construction sites may deter theft.
In general, most building materials provide adequate security protection. Selection of the type of building construction can be suitable for the level of security risk. Typically, features that can be included are steel doors with tamper-proof hinges and roof-mounted heating/air conditioning units. Any wall openings (i.e wall air conditioners) may have security bars over and around the unit.
6. Building alarm systems
One of the more common methods utilized is an intrusion alarm on control buildings. These systems include, at a minimum, magnetic contacts on all the doors, and have the provisions to communicate through the existing telephone network or SCADA systems. A local siren and strobe light may be located on the outside of the building to indicate the alarm condition. The system could be capable of being activated or deactivated using an alphanumeric keypad, key switch, or a card reader system located inside the building. All siren boxes and telephone connections can have contacts to initiate an alarm if they are tampered with.
7. Building interior equipment considerations
Building design and construction can consider protection of equipment, including information and software contained therein, from theft, vandalism, natural and manmade disasters, and accidental damage. Consideration can be given to building construction for IT concerns, room assignments, emergency action procedures, regulations that govern equipment placement and use, energy and water supplies, product handling – and relationships with employees, outside contractors, other courts, and state and federal agencies. Solutions may require installation of interior locks, fire extinguishers, surge protectors, window bars, automatic fire equipment, and alarm systems.
Table 1 and Table 2 document examples of minimum security and optimum security features for substation buildings.
Minimum security features could include:
11. Physical security of all computer equipment could be maintained in a locked and low visibility location.
12. Personnel could be trained to challenge unfamiliar individuals in the area housing computer hardware.
13. Provide “surge protectors” for all computer equipment to prevent electricity spikes or drops from causing system downtime.
14. Rack mounted equipment can be used where practical (computing equipment and racks can be bolted down) to prevent accidental damage and prevent equipment from theft.
15. Rack mounted equipment enclosures can be used where separate rooms are not practical (they can be locked)
16. Computer chassis and cases can be secured from access using case locks.
17. Unused floppy drives, USB ports, and access ports could be disabled or secured to prevent access.
—Minimum security option
|Description |Benefits |Disadvantages |
|Place computing equipment in a locked |Low cost (requires only some employee |Does not provide effective physical |
|physical location with low visibility. |education and a discrete and locked |security or environmental protection of |
|Train employees to challenge unfamiliar |hardware location). |the computing equipment. |
|individuals. Use surge protectors for | | |
|electricity spikes and drops. | | |
Optimum security features could include:
For those locations that have a network, all critical networks computing equipment can be located in a physically controlled environment, with access limited to personnel responsible for equipment administration and maintenance only. The room would likely need to be equipped with heat, air conditioning, and smoke/heat/water alarms to assure proper environmental protection of computer network hardware.
Secured rooms may have the following features:
18. Full-height walls and fireproof walls and ceilings.
19. No more than two doors. Doors can be solid, fireproof, lockable, and observable by computing or other staffers.
20. Effective key control is an effective security strategy when appropriate authorities properly maintain keys (card-keys or hard keys or a combination of both types).
Also, good practice includes:
21. Fire extinguishers may be kept near equipment and employees can be trained in their proper use. The placement and recharge of fire extinguishers can be checked on an annual basis.
22. An uninterruptible power supply (UPS) can be used to protect critical computing equipment in the event of power outage. Line filters can be installed to control voltage spikes.
23. If personnel use laptop computers, then mechanisms such as laptop locks and alarms can be used to reduce the risk of theft. Employees can be instructed not to leave laptop computers unattended or unsecured while in the office or while traveling to other locations.
24. Equipment can be labeled in an obvious, permanent, and easily identifiable way. Up-to-date logs of all equipment, with serial numbers, would need to be maintained in a secure location.
25. When personnel terminate employment, all keys would need to be collected, access cards would need to be returned and deactivated, and access codes will be changed. All employee access codes can also be changed on a regular periodic basis (at least annually).
— Optimum security option
|Description |Benefits |Disadvantages |
|Computing equipment can be placed in a |Provides increased physical and |More costly than minimum-security option |
|physically controlled environment with |environmental computer protections. |but improves computer physical access and |
|access limited to personnel who are | |environmental controls significantly. |
|responsible for administering the | | |
|equipment. The room may need to have | | |
|proper environmental controls. | | |
In addition to the Optimum Security Option standards, the following features can be configured for Maximum Security of physical hardware:
26. Video surveillance cameras could be placed throughout the premises, especially at computer room doors and within the computer room.
27. Access to the computer room can be restricted with a cipher-lock or a magnetic-card locking mechanism or an advanced system, such as biometrics, and all accesses to the room can be captured and reviewed.
8. Yard equipment location and arrangement
Designs can consider as a minimum electrical clearance of equipment and exposed live parts from substation enclosures as identified in the National Electric Safety Code® (NESC®) (IEEE Standard C2). An increased buffer area between the fence and equipment is desirable in most instances. This alleviates items from close proximity to the substation enclosure tempting vandalism.
Consideration may be given to locating transformers or other high value equipment away from the substation perimeter and view. Sensitive items such as transformer radiators can be aligned away from the view if possible. Additional protection for high value equipment such as transformers may include the installation of protective barriers around the equipment. Barriers may integrate acoustic or fire protection considerations, however, equipment cooling requirements may likely be considered. Expanded metal fencing may be considered for an equipment barrier. Transformers and other oil filled equipment containing flammable liquid can be located separated from structures, buildings, etc. in accordance with IEEE Standard 979, Guide for Substation Fire Protection.
The use of polymer bushings, surge arresters and insulators may be considered versus porcelain styles.
For distribution voltage substations, metal clad switchgear will provide increased security over outdoor bus distribution feeder rack design.
Access to energized equipment and bus may be of concern if the perimeter security measures are breached. Polycarbonate or other barriers on ladders and structure legs can be considered in order to prevent inadvertent access. Refer to the NESC and Occupational Safety and Health Administration (OSHA) requirements.
For locations in flood zones, hurricane zones, etc., the design could consider elevating buildings, structures and equipment above the flood zone where possible.
If cameras are used, it is recommended that they be placed at each corner of the substation perimeter to provide line of site down the fence line. The mounting height of the camera can be designed to provide the required range of sight. With this increased height, attention could be given to any clearance concerns for nearby equipment or overhead lines.
9. Ballistic Hardening of Equipment
These requirements cover materials, devices, equipment and location used to protect against small arms attack. When specifying bullet resistant systems, one could determine the bullet resistant protection level rating for their design. The UL 752 Standard for Bullet Resistant materials is the most common standard used for specifying bullet resistant materials.
One of the most effective methods of providing protection against ballistics is the concealment of assets in question. This can be accomplished by providing screening in the form of a wall, fence, landscaping or choosing a location that uses the surrounding terrain for concealment. This could be accomplished by selecting an elevated area rather than an area that is over looked by higher terrain.
Site location can be chosen to help eliminate or minimize line of sight to equipment from outside of the substation fence. Fencing can be installed to screen the view of equipment or can be installed with a thickness that only allows visual line of sight to equipment from limited locations.
Some materials that maybe readily available to assist in the ballistic hardening of a substation are Ballistic fiberglass laminate panels, steel walls or heavier duty equipment housings designed to mitigate damage caused by small arms fire as well as helping to provide an effective deterrent to forced entry. Panels can be added to equipment or buildings to meet the level of resistance required. This protection can be added to equipment specifications to insure the additional protection does not cause unintended consequences such as equipment heating issues.
10. Lighting
Some utilities prefer either continuous facility area lighting or maintenance task only lighting. Maintenance only lighting does not draw attention to the substation, however, conversely it results in lack of sight for intruders or vandalism. In addition, dedicated security lighting (active lighting), or detection control, may be installed to turn on substation lights automatically upon detection.
The entire interior of the substation may be provided with duskt-to-dawn lighting to provide a minimum light level of 21.52 Lux (2 foot-candles). Placement of lighting posts could should be designed to not assistprevent an intruder from who may climbing the posts to enter the substation. All wiring to the lighting posts could should be in conduit or concealed to minimize tampering by an intruder. In addition, areas outside the substation, but within the facility property, could should also be considered for lighting to deter loitering near the substation.
Zoning and other local regulations may restrict or prohibit lighting.
11. Copper Theft
Copper theft has become a serious problem for electrical substations. In addition to a loss of required asset of the substation, it can provide a dangerous condition for operation of the substation, as well as for the copper thief. Several methods can be considered to deter copper theft within the substation.
28. Use tinned copper for fence and/or equipment grounding. Tinned copper reduces the appearance of the copper wire as copper.
29. Use steel clad copper which makes the theft value of the copper wire less.
30. Paint the copper wire to identify it as specific from local installation.
31. Use identifiable copper wire with identification codes etched or with sprayed identifier only visible to ultraviolet light in strands from a manufacturer.
32. Minimize the exposure and accessibility of copper such as perimeter fence copper ground wires can be located inside the fence and can be placed within fence pole concrete footings.
33. Incorporate SCADA alarm wires with copper cables.
34. Substation control and power cable systems can be located in a protective system that deters easy accessibility to the cables.
12. Joint Use Facilities
Establishment of a substation on or adjacent to a facility that is shared, owned, or used by others could provide additional opportunity for intrusions as the potential for legitimate access by unqualified personnel increases. Additional means of identification could be considered for identifying the individual or individuals accessing a joint use facility.
13. Storm Drain Systems
All sewer and storm drains that are located inside the substation perimeter, with access from the outside could be spiked or fitted with vertical grillwork to prevent entry. Manhole covers or openings can be located on the inside of the substation perimeter fence.
14. Remote Monitoring
Including remote monitoring of substation access points, equipment, systems and control circuitry in the design will provide the substation operator with information that indicates problems within the substation that may include access by unauthorized persons or an intruder action. These may include:
35. Video or other detection means with alarming.
36. Monitoring of gates or doors.
37. Cut fence (if monitored).
38. Transformer temperature or oil level of cooling systems.
39. Control power circuits to equipment such as transformers and power circuit breakers.
40. Monitoring of power circuit breaker interrupting gas pressure.
41. Battery voltage and charger operation.
42. Monitoring of substation current, voltage and power values.
In addition to consideration what to monitor, consideration also needs to be made for securing of support facilities such as the communications company infrastructure. Communications from the substation to the monitoring and operations center could be redundant and diversely routed to avoid loss of monitoring information due to attack upon support facilities.
Physical security plan
Utilities and other operators of electrical substations can plan the implementation of substation physical security. A plan not only provides an action guide but it provides a means of evaluating the implementation of substation physical security.
1. Identify personnel
Identify the persons responsible for developing and implementing the physical security plan.
Identification of the persons responsible for security implementation and administration is critical to the effectiveness of the plan. Defined levels of responsibility and specific tasks are required for each level. Each company may have someone assigned responsibility for facilities security. This responsibility could include implementation of Security Plan. The plan could be regularly reviewed, at a defined interval, and updated as needs change. Regular inspection of facilities to assure that security measures are in effect may be part of the security plan, along with initial and ongoing employee training at a defined interval. Methods for employees to report irregularities or breaches of security can be defined and included in the training.
2. Define the objectives and requirements
Define the Objectives and Requirements of the substation physical security plan. These oObjectives will should include methods to deter, detect, and delay theft, vandalism, and intentional damage. Requirements will address prosecution and conviction of perpetrators. Additionally the objectives could address reliability of service to critical customers and other nationally critical infrastructure. The plan will should address security and stability of the overall bulk electric system, as well as security measures and requirements for operations and maintenance that may be required by regulatory agencies (such as NERC in the United States).
Security requirements will likely vary at individual substations based on criteria such as historical incidents, industry threats, distribution or transmission voltage, and the facilities’ role in the bulk electric and power distribution system.
3. Identify the substation vulnerabilities
An initial vulnerability assessment of substations and the overall system could be conducted to identify threats such as theft, vandalism, and terrorismsabotage. The assessment could also identify specific vulnerabilities of individual substations, both distribution and transmission, and the bulk electric system as a whole. The survey of vulnerabilities will should include a review of the historical incidents such as theft, vandalism etc. at each substation and as well as industry substations. An example of a vulnerability assessment checklist is included as Appendix TBD.
4. Prioritize improvements
Improvements can be pPrioritized improvements based on available funding and most important assets and available funding.
Security upgrades can involve large expenditures of capital, which can impact implementation of security projects. Security improvements can involve large expenditures of capital, which is often in limited supply. Some security improvements are accounted as operations and maintenance rather than capital, which could further constrain efforts. Priorities are tomay be based on such things as number of customers served, customer criticality, and the role of a particular substation in the energy transmission and distribution system. For example, high voltage transmission substations can be ranked by the number of lines coming into the substation. Another way of ranking transmission substations is to do load flow studies to evaluate the effect upon the system of the loss of various substations.
Security upgrades at existing substations are relatively expensive compared to building security into the construction of new substations. Security requirements could be developed for new substation construction and existing substation site expansion projects. These requirements can follow criteria similar to improvements at existing sites as previously described.
5. Incident response plan
Depending upon the particular substation and type of incident, different response plans are appropriate. For example, the theft of copper ground tails from substation equipment is a safety issue. While the theft may be documented, the main priority would likely be repair. Other incidents, such as an attack aimed at destroying or shutting down a substation, may require law enforcement investigation before any changes are made to the crime scene in order to preserve evidence. Having incident response planned in advance helps insure that each incident is responded to consistently and appropriately. Incident response stakeholders who need to be involved in developing a response plan include transmission and distribution operations, substation maintenance, and local and state law enforcement.
6. Plan review
Periodically review the Plan at a defined interval and make modifications circumstances change.
Personnel, threats, vulnerabilities and attack methods, as well as available technology, change over time. Regular review is required to insure that appropriate resources are devoted to securing energy transmission and distribution in an ever changing environment.
(informative)
Bibliography
Bibliographical references are resources that provide additional or helpful material but do not need to be understood or used to implement this standard. Reference to these resources is made for informational use only.
(informative)
Physical Security Checklist (Example)
This checklist has not been transferred yet. Please refer to Excel file. I suspect this checklist will be reviewed by working group prior to transferring it into document.
Bibliography
Bibliographical references are resources that provide additional or helpful material but do not need to be understood or used to implement this standard. Reference to these resources is made for informational use only.
-----------------------
The Institute of Electrical and Electronics Engineers, Inc.
3 Park Avenue, New York, NY 10016-5997, USA
Copyright © 2018 by The Institute of Electrical and Electronics Engineers, Inc.
All rights reserved. Published . Printed in the United States of America.
IEEE is a registered trademark in the U.S. Patent & Trademark Office, owned by The Institute of Electrical and Electronics
Engineers, Incorporated.
PDF: ISBN 978-0-XXXX-XXXX-X STDXXXXX
Print: ISBN 978-0-XXXX-XXXX-X STDPDXXXXX
IEEE prohibits discrimination, harassment, and bullying.
For more information, visit .
No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without the prior written permission of the publisher.
[1]IEEE Standards Dictionary Online is available at:
.
................
................
In order to avoid copyright disputes, this page is only a partial summary.
To fulfill the demand for quickly locating and searching documents.
It is intelligent file search solution for home and business.