The primary objective of this report is to evaluate the various security risk reduction techniques and produce a best practices guide. The guide addresses security risk evaluation, the mitigation techniques commonly used by utilities to reduce these risks, the effectiveness of these techniques, and common performance measures, covering four areas: Risk Evaluation, Mitigation Techniques, Effectiveness Monitoring, and Performance Measures.
Many technical standards for physical security measures exist for the electric utility industry, providing guidance for reducing security risks at dam sites, generating stations, substations, switchyards, and, to a limited extent, linear assets such as transmission and distribution lines. For decades, utilities have been applying these standards to their assets and have, through various means, measured their effectiveness. In recent years, physical security has attained a high level of visibility in the industry because of various major facility breaches.
This paper was developed through research of available industry documentation, as well as surveys of various types of utilities, and it identifies some of the key findings and guidance regarding physical security practices. It discusses the use and consideration of various Risk Assessment Methodologies and tools, and suggests that some type of quantifiable risk assessment methodology is needed to fully develop a physical security action plan, which would most likely be coupled with a cybersecurity plan as part of an overall “bigger picture” perspective.
From the information gathered and industry findings, a set of conclusions and recommendations is developed that can provide guidelines to assist the utility in implementing a physical security solution, roadmap, and risk assessment program.
Keywords: Physical security, NERC, NIST, risk assessment methodology, cost/benefit, physical access control, risk mitigation, industry practices