Protecting the Power Grid

Dec. 15, 2017
A look at NERC CIP-014 using video surveillance

The Department of Homeland Security said it well: “Everything is dependent on electricity. Without electricity, we’re basically back in the 1850s.” It’s often hard to imagine the chaos that could ensue if the power grid were to experience a major issue. Most of us would find it extremely difficult to live without electricity, internet, television, refrigeration or telephone for a few hours, let alone days or weeks. Unfortunately, it is not a remote scenario, as the power grid faces many vulnerabilities and threats. To address this concern, intelligent video surveillance solutions, deployed using guidelines from industry oversight such as NERC CIP-014, have proven an effective approach to mitigating these power grid vulnerabilities.

Threats on the power grid

When the security of the power grid is considered, the risk of terrorism typically rises as a major concern, with good justification. Should a terrorist desire, there are many ways to target the grid. A well-known vulnerability is the fact that less than three percent of all transformers in the U.S. are high-voltage, but 60 percent to 70 percent of the nation’s electricity passes through them. An attack on one of these transformers would be significant, let alone a coordinated attack on several. The problem is the difficulty in predicting any type of terrorist attack; however, actions can be taken to reduce the likelihood and the resulting impact.

Another vulnerability is the threat of copper theft. The annual monetary loss from this activity, nearly $1 billion in the U.S. each year, is itself a strong case for action, but there are many other compelling reasons to address this type of theft, such as:

  • the potential loss of life of repair people,
  • loss of power to customers and
  • the risk introduced to facilities and operations that provide critical services, such as hospitals, transportation, and financial institutions.

Unfortunately, the grid was never designed to withstand these types of attacks.  However, today’s reality is that actions must be taken to correct these deficiencies.

When we look at the distribution architecture, points of vulnerability exist within each segment of the distribution chain.   Typically, when we think about vulnerabilities, we look to the 57,000-plus substations and power generating facilities, but there are many other targets including transmission poles, switchyards, maintenance sites and even control centers.  The key is identifying the areas with the greatest risk and putting plans in place to remove those vulnerabilities.

Regulations to help mitigate risk

In the United States, that’s the main objective of the NERC physical security standard. If terrorism, theft and property damage weren’t enough to incentivize action, then there is the mandate for compliance with CIP-014. The current standard is in place and will likely grow over time. It is, therefore, best to determine not only how to meet the standard, but also how to address vulnerabilities throughout the infrastructure and ensure a growth path to address these items over time.

The NERC guidelines are just that: guidelines of what should be addressed. There is still the question of how to actually meet the guidelines, taking into account effectiveness, operations and budget. There are several approaches to protect critical assets and meet NERC guidelines, and you should consider them in terms of their effectiveness and cost. After all, the end game here is protecting the power grid and ensuring that the lights will turn on when we all get home this evening. Here, however, let’s focus specifically on intelligent video surveillance, and how to use it to address the five areas of concern outlined in NERC CIP-014:

1. Detection of Attacks
2. Response to Attacks
3. Communication
4. Deterrence and Delay
5. Assessment of Attacks

NERC #1 – Detection of Attacks

The key to robust detection is making the perimeter smart. One means to achieve this is through the use of video analytics. Video analytics has several advantages:

  • It is reliable and affordable.
  • It can use existing equipment, including cameras, lighting and recording devices.
  • It helps achieve both detection and “verification” (other sensors may detect well, but may still require some type of visual confirmation).
  • It is intelligent and continues to become more intelligent.

Today’s technology also provides an additional level of intelligence when utilizing video analytics, mainly the ability to add geospatial capability.  “Geospatial” means each video pixel has associated location data – latitude, longitude and elevation.  This location data can be extremely beneficial for detection, situational awareness and reaction to an event.

The addition of “location information” to video isn’t that well known, but it has actually been around for quite some time and has consequently become extremely effective in the detection of attacks. The alignment of pixels and physical location data, also referred to as geo-referencing or geo-intelligence, provides information as to “where” each pixel resides in the terrain or map space. This allows the software to understand an object’s real size, regardless of how many pixels it claims in the image. The result is a set of detection capabilities that are aligned with the types of vulnerabilities that occur along the power distribution architecture and other critical facilities. These include:

  • Software-Based Video Stabilization
  • Detection by Various Camera Types (Thermal, Visible, Wide Angle, Mobile, Fixed, PTZ)
  • Object Left Behind Detection
  • Target Classification – Human, Car, Truck, Boat
  • Loitering
  • Tailgating
  • Camera Auto Follow

Another benefit of video analytics is that it is retrofittable into your current surveillance system.  This type of intelligence can be added to an existing surveillance system through the use of a small edge device which can typically handle all the cameras at a substation.  For a bigger facility, an add-on server can be used to accommodate dozens of cameras.  In other cases, it can be achieved through a software upgrade to your existing video management system.  This software then works in conjunction with your existing NVR and cameras, coordinating control and sharing alarm information.

NERC #2 – Response to Attacks

The second NERC guideline is having a means to “Respond to an Attack.” We don’t often think of a video management system (VMS) as having the capability to “respond,” but in fact, a system based on intelligent video surveillance can address this guideline. The key to a video surveillance system’s capability to actually “respond” lies in its ability to share data between sensors. We’ve discussed how the use of location-based video analytics provides insights such as target position, real size, and object movement, but there are other types of sensors within a typical surveillance system that are geospatial, meaning they can share and receive location data. When these sensors collaborate on target type and location, they can effectively react to various types of intrusions. To demonstrate this capability, let’s look at a typical detect-and-respond scenario.

The scenario shown involves the use of two sensors and a map-based VMS.  The first sensor is a detection camera, enabled with video analytics.  The second camera is a PTZ camera, enabled with a camera auto follow video analytic.  

Action 1: The scenario starts with an intrusion at the fence monitored by a fixed perimeter camera. Enabled with intelligent video software, this camera has the ability to not only detect an intrusion, but classify it as a human, and provide the intruder’s location to the VMS.

Action 2:  The system can immediately display the object, what it is (e.g. human) and its exact location. It can also dynamically update its position on the map-based display using a class-specific icon.

Action 3: Simultaneously, a detection alarm is issued which includes the alarm description, alarm image, looping video, live camera view, and a map location based on the detection sent by the fixed camera. 

Action 4: An intelligent system has the ability to share this alarm data with other geospatially aware sensors, in this case, a PTZ camera. Sharing the location data of the target allows the system to control the pan and tilt of a PTZ camera to swing to the exact location of the intruder and use the distance between the camera location and the intruder to automatically calculate the proper zoom level for best viewing.

Action 5: With the intruder now centered in the view of the PTZ camera, the system may invoke a camera auto follow algorithm which will keep the intruder centered within the camera’s view for the duration of the event.

In real time, this entire scenario takes just over 5 seconds and involves no operator interaction.
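The geometry behind Action 4, as an added example that is not part of the original article or any vendor's code: given the target location reported by the fixed camera, it derives the pan, tilt and field of view for the PTZ. The dictionary keys, the `pan_zero_bearing_deg` mount offset, the 1.8 m target height and the lens limits are assumptions made for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius

def ground_offset_m(cam, tgt):
    """East/north offset in metres from camera to target. Uses a local
    flat-earth approximation, adequate over substation-scale distances."""
    north = math.radians(tgt["lat"] - cam["lat"]) * EARTH_RADIUS_M
    east = (math.radians(tgt["lon"] - cam["lon"]) * EARTH_RADIUS_M
            * math.cos(math.radians(cam["lat"])))
    return east, north

def slew_to_cue(cam, tgt, target_height_m=1.8, fill_fraction=0.5,
                vfov_limits_deg=(2.0, 60.0)):
    """Return pan, tilt and vertical field of view (all degrees) that centre
    the target and make it fill `fill_fraction` of the frame height."""
    east, north = ground_offset_m(cam, tgt)
    ground_range = math.hypot(east, north)
    if ground_range < 1.0:
        raise ValueError("target coincides with camera; bearing undefined")
    bearing = math.degrees(math.atan2(east, north)) % 360.0   # 0 = north
    pan = (bearing - cam["pan_zero_bearing_deg"]) % 360.0     # mount offset
    # Aim at the target's mid-height, not its feet.
    d_elev = tgt["elev_m"] + target_height_m / 2 - cam["elev_m"]
    tilt = math.degrees(math.atan2(d_elev, ground_range))
    slant = math.hypot(ground_range, d_elev)
    # Frame height needed at the target, converted to an angular field of view.
    frame_h = target_height_m / fill_fraction
    vfov = math.degrees(2 * math.atan(frame_h / (2 * slant)))
    lo, hi = vfov_limits_deg                                   # lens limits
    return {"pan_deg": pan, "tilt_deg": tilt,
            "vfov_deg": min(max(vfov, lo), hi), "range_m": slant}

# Constructed sample: PTZ on a 10 m mast, detection reported by the fixed camera.
PTZ = {"lat": 33.0, "lon": -112.0, "elev_m": 10.0, "pan_zero_bearing_deg": 0.0}
DETECTION = {"lat": 33.0005, "lon": -112.0005, "elev_m": 0.0, "cls": "human"}

if __name__ == "__main__":
    print(slew_to_cue(PTZ, DETECTION))
```

An error in the surveyed camera position or mount bearing translates directly into a pointing error, so both should be verified against a known landmark after installation.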

NERC #3 – Communication and Notification

The key to the successful communication of an intrusion is the ability to provide a large amount of data in a form that is quickly understood: what happened, where did it happen, and what’s happening now? A map-based surveillance system has the advantage of providing a wealth of alarm information in a single, easy-to-understand interface. In this case, the intruder is detected in the live video and is also dynamically shown on the map with an icon indicating that it is a human. “Breadcrumbs” denote his track and direction of movement.

Additionally, an alarm window instantly provides a textual description of the event, an image capture of the detection, a looping video of the alarm, the live camera of the event and quick access to any PTZ cameras which have been assigned to follow the intruder.  Within a few seconds of the alarm, the operator has all the important alarm information automatically displayed.

If desired, this information can then be sent to assets in the field, providing them with live information on their mobile devices at the point of intervention.  Likewise, information obtained at the scene can be captured by the first responder and instantly shared at the central control station and any other remote monitoring locations.

NERC #4 – Deterrence and Delay

Typically, when we think of deterrence and delay we don’t envision those actions being taken by the video surveillance system.  But in fact, intelligent video combined with audio and other devices provides a very effective method for deterrence and delay.  One of the primary means of deterrence using video surveillance is referred to as intelligent audio talk down.  This is the capability to effectively follow an intruder with video and issue intelligent audio commands to deter their progress.

Much like the scenarios already described, audio talk down starts with target detection, automatically steering a PTZ to the target location, locking onto the target and beginning camera auto-follow.   Then, utilizing a loud hailer or other audio devices along with knowledge of the intruder’s actions, recorded commands are intelligently issued to deter their actions.

In some cases, the audio device may be directional, being steered at the target using the same PTZ follow algorithm. In other cases, non-moveable speakers can provide the commands.

The key to successful audio talk down is the video intelligence, which allows accurate detection, tracking and selection of automated or live audio response. Knowing they have been detected and are actively being monitored is often enough to deter most intruders.  However, critical facilities can further enhance the solution with loud hailers and dazzlers, which are designed to physically incapacitate the intruder with deafening alarm tones and/or blinding dazzler lights.

NERC #5 – Assessment of Attacks

The final area of concern is the assessment of an event, in both real-time and post-mortem, to aid in investigations, pursue prosecution and analyze potential improvements. Video comprises a very large matrix of data, updated 15 to 30 times every second. Intelligent video analyzes this video data, continuously converting it into metadata, which is then assigned to specific frames of video, making it easily searchable and protected for purposes of evidence submittal.

Forensic video searches are another key capability that supports the ability to assess events.  Most investigations need to understand where the intruder came from, or perhaps obtain different views of the intrusion to fully understand the details of the intrusion.  A forensic video search allows a user to select any camera or just a portion of a camera’s view, and quickly search that video over a defined time period for specific types of activity.   It also has the ability to ignore specific sections of the video image, to speed up the search by avoiding regions of high motion.  This results in huge time savings and a higher accuracy search over the traditional method of fast forwarding through the recorded video.  Video clips that meet the search criteria are quickly displayed as thumbnails, which can then be reviewed for relevance and then exported as evidence to support the incident.
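A sketch of the forensic search described above, run over per-frame metadata (an added example, not part of the original article or any product's API). The record layout, the normalised image coordinates and the `max_gap_s` threshold used to group hits into clips are assumptions; the metadata is constructed sample data.

```python
def in_rect(pt, rect):
    """True if normalised image point (x, y) lies in rect (x0, y0, x1, y1)."""
    (x, y), (x0, y0, x1, y1) = pt, rect
    return x0 <= x <= x1 and y0 <= y <= y1

def forensic_search(metadata, camera, t_start, t_end, classes,
                    roi=(0.0, 0.0, 1.0, 1.0), ignore=(), max_gap_s=2.0):
    """Return clips (start, end, frame count) on one camera where an object of
    the requested classes appears inside `roi` and outside every `ignore` mask."""
    hits = sorted(
        (m for m in metadata
         if m["camera"] == camera and t_start <= m["t"] <= t_end
         and m["cls"] in classes and in_rect(m["center"], roi)
         and not any(in_rect(m["center"], mask) for mask in ignore)),
        key=lambda m: m["t"])
    clips = []
    for m in hits:
        # Extend the current clip while detections stay close together in time.
        if clips and m["t"] - clips[-1]["end"] <= max_gap_s:
            clips[-1]["end"] = m["t"]
            clips[-1]["frames"] += 1
        else:
            clips.append({"start": m["t"], "end": m["t"], "frames": 1})
    return clips

# Constructed metadata: t is seconds from the start of the recording.
METADATA = [
    {"camera": "fence-east", "t": 100.0, "cls": "human", "center": (0.30, 0.60)},
    {"camera": "fence-east", "t": 101.0, "cls": "human", "center": (0.31, 0.60)},
    {"camera": "fence-east", "t": 101.0, "cls": "vehicle", "center": (0.80, 0.20)},
    {"camera": "fence-east", "t": 102.0, "cls": "human", "center": (0.32, 0.61)},
    {"camera": "fence-east", "t": 150.0, "cls": "human", "center": (0.90, 0.10)},
    {"camera": "fence-east", "t": 300.0, "cls": "human", "center": (0.35, 0.60)},
    {"camera": "fence-east", "t": 301.0, "cls": "human", "center": (0.36, 0.60)},
    {"camera": "gate-north", "t": 100.0, "cls": "human", "center": (0.30, 0.60)},
]
ROAD_MASK = (0.6, 0.0, 1.0, 0.4)  # high-motion public road, excluded from search

if __name__ == "__main__":
    print(forensic_search(METADATA, "fence-east", 0, 400, {"human"},
                          ignore=[ROAD_MASK]))
```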

There are many solutions that can be used to comply with the tenets of NERC CIP-014. One approach is the use of intelligent video surveillance and complementary sensors, as presented in this article and summarized in the figure above. Not all of these capabilities need to be implemented to meet NERC CIP-014, but it’s worth taking the time to consider each and the benefits it can provide in protecting critical portions of the power grid.

About the Author: Eric Olson is vice president of marketing and product management for PureTech Systems, a leader in video analytics and geospatial video management systems. He can be reached at [email protected] or followed on Twitter at @PureTechSystems.