Risk Management Process at an Energy Facility

Energy infrastructure is one of the most critical asset classes for a modern society. Its effective operation is a pre-condition for securing energy supply to a wide range of economic and social activities and thus enables social welfare and stability. Due to the overarching need to tackle climate change and the necessary transition to a low-carbon economy, as well as rapidly increasing digitalization, the energy sector is undergoing a very rapid transformation in terms of infrastructure and market functioning. An additional factor that stimulates changes in the sector is the active participation of citizens in the energy market as consumers and decentralized producers of energy.

Threats to electricity supply fall into three categories:

Weather (e.g., drought, earthquake, flood and storm surge, hurricane, ice storm, tornado, tsunami).

Anthropogenic (e.g., cyberattack, physical attack, intentional electromagnetic pulses (EMPs), major operation error).

Other events (e.g., volcanic event, space-based electromagnetic event, natural fuel supply disruption).

The most pervasive forms of renewable energy generation, wind turbines and solar photovoltaic (PV) panels, have fundamental characteristics that make them uniquely capable of withstanding many of these threats.

Not all assets and activities warrant the same level of protection. The cost of reducing risk to an asset must be reasonable in relation to its overall value. The value, however, does not need to be expressed in dollars. A potential loss can be stated in terms of human lives or the impact on the local or state economy.

Identify Critical Assets and the Impacts of Their Loss

Energy organizations need to identify the critical functions of the facility and determine which physical and cyber assets perform or support the critical functions.

Possible critical assets include people, equipment, material, information, installations, and activities that have a positive value to an organization or facility.

A set of questions is designed to guide the process of identifying the critical functions of the energy facility and the assets that perform or support them, and of evaluating the potential consequences of disruption or loss of these critical assets.

Identify What Protects and Supports the Critical Assets

Physical Security Systems.

Infrastructure Interdependencies: Energy facilities depend on many different infrastructures to support their critical functions and assets. These infrastructure interdependencies must be identified, and the adequacy of the security measures in place to protect and back up these infrastructures must be evaluated.

Sensitive Information: Protecting operating procedures and other sensitive information.

A set of questions is designed to guide the process of identifying the existing components of the physical security system that protect the critical assets.

Identify and Characterize the Threat

A set of questions is used to identify and evaluate the threat environment to which an energy facility may be exposed.

Identify and Analyze Vulnerabilities

In addition to identifying the critical assets of the energy facility, the impact of their disruption, the present protection provided, and the potential threats against them, the vulnerability of those assets to the potential threats must be quantified, at least to some extent, to determine the overall risk to the assets.

A set of questions is to be used to evaluate the vulnerability of the critical energy infrastructure assets to the potential threats and to establish qualitative or quantitative vulnerability ratings for each asset.

Assess Risk and Determine Priorities for Asset Protection

Using the individual rating values assigned to each combination of asset criticality, threat, and vulnerability, a relative degree of risk or a risk rating can be established for each asset for one or more postulated adverse events or consequences that could result from an attack by the identified adversary.

Risk Rating = (Impact Rating) × (Threat Rating) × (Vulnerability Rating).

Identify Mitigation Options, Costs, and Trade-offs

The ultimate goal of a risk management process is to select and implement security improvements to achieve an acceptable overall risk at an acceptable cost.

Measures to prevent damage

Measures to limit consequences

Measures to speed recovery

Mitigation measures to reduce vulnerability
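The risk rating formula and the mitigation trade-off described above can be worked through on a small register. The following is an added example, not part of the original article: the 1-5 rating scale, the assets, the mitigation options, and the cost figures are all constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    impact: int          # all ratings use an assumed 1-5 scale
    threat_rating: int
    vulnerability: int

    @property
    def risk(self) -> int:
        # Risk Rating = Impact Rating x Threat Rating x Vulnerability Rating
        return self.impact * self.threat_rating * self.vulnerability

@dataclass(frozen=True)
class Mitigation:
    name: str
    asset: str
    threat: str
    lowers: str          # "vulnerability" (prevent damage) or "impact" (limit consequences, speed recovery)
    new_rating: int      # rating expected once the measure is in place
    cost: float          # any consistent cost unit

# Constructed sample data, not taken from the article.
REGISTER = [
    Scenario("Substation control system", "cyberattack", 5, 4, 4),
    Scenario("Step-up transformer", "physical attack", 5, 2, 3),
    Scenario("PV inverter fleet", "cyberattack", 3, 3, 4),
    Scenario("Operating procedures", "insider", 2, 3, 2),
]
OPTIONS = [
    Mitigation("Control network segmentation", "Substation control system", "cyberattack", "vulnerability", 2, 40),
    Mitigation("On-site spare transformer", "Step-up transformer", "physical attack", "impact", 3, 100),
    Mitigation("Perimeter fence and CCTV", "Step-up transformer", "physical attack", "vulnerability", 2, 30),
    Mitigation("Inverter firmware signing", "PV inverter fleet", "cyberattack", "vulnerability", 2, 10),
]

def rank_by_risk(register):
    """Highest risk rating first: the priority list for asset protection."""
    return sorted(register, key=lambda s: s.risk, reverse=True)

def compare_mitigations(register, options):
    """Return (name, risk_reduction, reduction_per_cost) rows, best trade-off first."""
    by_key = {(s.asset, s.threat): s for s in register}
    rows = []
    for m in options:
        before = by_key[(m.asset, m.threat)]
        if m.lowers not in ("impact", "vulnerability") or not 1 <= m.new_rating <= getattr(before, m.lowers):
            raise ValueError(f"invalid mitigation: {m.name}")
        reduction = before.risk - replace(before, **{m.lowers: m.new_rating}).risk
        rows.append((m.name, reduction, round(reduction / m.cost, 2)))
    return sorted(rows, key=lambda r: r[2], reverse=True)
```

Ranking by reduction per unit cost can differ from ranking by raw risk: here the cheapest option on the second-highest risk comes out ahead of the larger reduction on the highest one.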

Key Definitions

Adversary: An individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities, detrimental to the assets. Adversaries include intelligence services of host nations, political or terrorist groups, criminals, and private interests.

Asset: Any person, equipment, material, information, installation, or activity that has a positive value to an organization or facility. The asset also may have value to an adversary.

Cost-Benefit Analysis: Part of the management decision-making process in which the costs and benefits of each alternative are compared, and the most appropriate alternative is selected.

Mitigation or Protective Measure: An action taken, or a physical entity used, to reduce or eliminate one or more vulnerabilities.

Impact: The amount of loss or damage that can be expected. The impact may be influenced by time or other factors.

Risk: The potential for damage or loss of an asset. The level of risk is a condition of two factors:

• the value placed on the asset by its owner and the consequence, impact, or adverse effect of loss or change to the asset; and

• the likelihood that a specific vulnerability will be exploited by a particular threat.

Risk Assessment: The process of evaluating threats to the vulnerabilities of an asset to give an expert opinion on the probability of loss or damage and its impact, as a guide to acting.

Risk Management: The process of selecting and implementing security protective measures to achieve an acceptable level of risk at an acceptable cost.

Threat: Any indication, circumstance, or incident with the potential to cause the loss of or damage to an asset. Threat categories include insider, terrorist, intelligence service, environmental, criminal, and military.

Undesirable Event: Any incident with the potential to cause the loss of or damage to an asset. Undesirable events can be due to actions such as theft, compromise, destruction, sabotage, assault, assassination, and kidnapping or due to occurrences such as non-availability or impaired operation of an asset.

Vulnerability: Any weakness that can be exploited by an adversary to gain access to an asset. Vulnerabilities can result from the following:

• building characteristics;

• equipment properties;

• personal behavior;

• locations of people, equipment, and buildings; and

• operational and personnel practices.

Summary

A short article, which I have summarized from a number of information sources, that gives a glimpse into the world of security and renewable energy. The above policies and methods are just some of the basic guidelines we use to build successful security programs. There are many more that CSOs will develop as their organization matures and the security program expands.

We can provide the best tailor-made security solutions to make your facility safer and more secure.

References:

https://www.energy.gov/ceser/office-cybersecurity-energy-security-and-emergency-response

https://www.cisa.gov/national-infrastructure-protection-plan

https://www.worldenergy.org/assets/images/imported/2016/10/World-Energy-Resources-Full-report-2016.10.03.pdf
