Electricity Sector
Protecting the North American Grid and helping our international partners
Background and Experience
S3 has worked within the Department of Energy’s safeguards and security community and has been a valued and trusted partner with North American Electric Reliability Corporation (NERC) and the Electricity Information and Analysis Center (E-ISAC) since 2017. Our deep background and experience are focused on physical security and vulnerability assessment and analysis using a proven systematic and methodical process. We have seats on the NERC, E-ISAC Physical Security Advisory Group (PSAG), and the Western Electricity Coordinating Council’s physical security forum.
Working with our valued E-ISAC partner and within the PSAG, S3 has helped deliver over twenty-five week-long Vulnerability to Integrated Security Analysis (VISA) workshops to small, medium, and large asset owners and operators throughout the North American grid. This ultimately allows risk managers to make informed risk-based decisions on security upgrades or know where they must accept risk.
We can partner with you to provide threat and vulnerability assessment (TVA) of your critical assets, build your organization’s capacity by training you how to do it in-house, or find a hybrid solution to meet your needs.
Fortress Your Future: Cybersecurity Reimagined
As electric utilities become more interconnected, the risk of cyber threats targeting operational technologies (OT), such as Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICS), increases significantly. Threat actors aim to disrupt power supply, manipulate grid operations, and exploit vulnerabilities in both IT and OT environments, making cybersecurity an essential element of resilience.
Our offerings begin with in-depth assessments to identify vulnerabilities across the utility’s infrastructure. We focus on both IT networks and OT assets, evaluating the security posture of critical systems, from smart grids to SCADA networks. By understanding these risks, we help electric utilities prioritize key areas to enable comprehensive cybersecurity measures.
Our services also include vulnerability management and regular scanning to identify emerging threats and weaknesses before they can be exploited. We help utilities build layered defenses through our advisory services, identity and access management, and the implementation of industry best practices.
In addition to technical safeguards, we align our services with regulatory compliance requirements such as the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards and NIST’s cybersecurity framework. This ensures that utilities meet the necessary cybersecurity protocols while enhancing the resilience of grid operations.
Design Basis Threat (DBT) - The foundation of security by design
- Bottom line: Know what you’re protecting against.
- By gathering relevant threat assessment information from trusted sources, a clear picture of the adversary’s attributes and capabilities can be documented.
- The DBT is the threat against which an asset must be protected and upon which the protective system’s design is based. It is the baseline threat that facilities and other high-consequence assets are designed to withstand. The DBT includes the characteristics, attributes, and tactics of outsiders and insiders that could be used against the asset. Furthermore, a DBT is derived from credible intelligence information and other relevant threat data and is updated annually.
Threat and Vulnerability Analysis
- NERC and the E-ISAC adopted the DBT methodology and VISA process to help their members provide reliable and secure power to the bulk electric system and other generation, transmission, and distribution assets.
- S3 will work with your stakeholders and team using the VISA tool and methodology to thoroughly document the threat and vulnerability analysis process. This enables your organization to make informed, risk-based decisions and develop your roadmap.
- The VISA tool and methodology have been used within the Department of Energy for decades, along with other tools, to protect and safeguard critical and strategic nuclear assets. While not new, it is effective. S3 has applied VISA to the electricity sector and other critical infrastructure.
VISA Workshop - Train your professional security team
- For organizations with a dedicated professional security team in-house, we can train your team in the DBT and VISA methodology and tool to augment your current capabilities.
- There are many tools and methodologies an organization can use to assess its physical protection systems and the associated response. S3 offers a formal, customizable training program via hands-on workshops and mentoring to build risk management capacity within an organization. The VISA workshop provides the user with extensive training on a proven systematic and methodical vulnerability analysis process. The asset owner / operator will be able to apply the VISA process on its own.
Third-party review of CIP-014 infrastructure
- S3 meets the requirements under CIP-014-3 to provide R6 reviews.
- Excerpt: Each Transmission Owner that identified a Transmission station, Transmission substation, or primary control center in Requirement R1 and verified according to Requirement R2, and each Transmission Operator notified by a Transmission Owner according to Requirement R3, shall have an unaffiliated third party review the evaluation performed under Requirement R4 and the security plan(s) developed under Requirement R5.
The danger from within: cyber + physical
An insider is any person who has or had authorized access to or knowledge of an organization’s resources and operations, including personnel, facilities, information, equipment, networks, and systems. This includes employees, contractors, and vendors, and it covers both physical access (e.g., facilities and substations) and cybersecurity domains (IT or OT access). Your insider threat is the potential for an insider to use their authorized access or understanding of your organization to cause harm or collude with outsiders.
S3 can help you develop an Insider Threat Mitigation Program to:
- Define the threats
- Identify and detect insider threats
- Assess insider threats
- Manage the threats