Sabotage and CIP-001-1
SWEDE 2013
Don Roberts-San Bernard Electric Cooperative
SCADA Controlled
Four 500-watt lights
Siren with red strobe
Armed indicator light
Four cameras connected to
network video recorder
Three passive infrared
detectors
Withlacoochee River Electric Cooperative
The Great Northeast Blackout
November 9, 1965
To the chairman of the Federal Power Commission,
“Today’s failure is a dramatic reminder of the importance of the uninterrupted
flow of power to the health, safety, and well being of our citizens and the defense
of our country.
This failure should be immediately and carefully investigated in order to prevent a
recurrence. You are therefore directed to launch a thorough study of cause of this
failure. I am putting at your disposal full resources of the federal government and
directing to the Federal Bureau of Investigation, the Department of Defense, and
other agencies to support you in any way possible. You are to call upon the top
experts in our nation in conducting the investigation.
A report is expected at the earliest possible moment as to the causes of failure and
the steps you recommend to be taken to prevent a recurrence.
Lyndon B. Johnson”
EUROPEAN WORKSHOP ON INDUSTRIAL
COMPUTER SYSTEMS
TECHNICAL COMMITTEE 7
Reliability, Safety, Security WP: 5086 V1.1
“Towards the end of the 20th century electric
power systems (EPSs) emerged as one of the
most critical infrastructures in the sense that
all other critical and vital infrastructures
depend on reliable electricity supply. At the
same time they are considered as the most
vulnerable to physical and cyber attack.”
Critical Infrastructure Protection
Homeland Security
Official website of the Department of Homeland Security
Food and Agriculture
Banking and Finance
Chemical
Commercial Facilities
Communications
Critical Manufacturing
Dams
Defense Industrial Base
Emergency Services
Energy
Government Facilities
Healthcare and Public Health
Information Technology
National Monuments and
Icons
Nuclear Reactors, Materials
and Waste
Postal and Shipping
Transportation Systems
Water
How many aren’t dependent
on electricity?
Likely Sources of Sabotage
Terrorism and sabotage
Vandalism (Hunters)
Disgruntled employees and ex-employees
Malicious code and viruses
Insiders and associates
Labor conflicts
Customers (ROW, bills)
Economic conditions
Curiosity and ignorance
Fraud and theft
Extremism (environmental, political)
Organizations (separatists, political
radicals, anti-technology and/or antinuclear extremists, cartels)
Blackmail/Extortion
N.I.M.B.Y. (Not In My Back Yard)
Is the Energy Threat Real?
In fiscal year 2012,* the Industrial Control Systems-Cyber Emergency Response Team
(ICS-CERT), received and responded to 198 cyber incidents as reported by asset
owners and industry partners. Attacks against the energy sector represented 41% of
the total number of incidents.
That's 65% more than the 120 attacks reported to ICS-CERT in 2011.
Europe
France has experienced assassinations of energy officials
as well as bombings, arson, rocket attacks on energy
facilities, and grounding of transmission lines.
Germany has suffered similar acts from the Baader-Meinhof
group, Red Army Faction, and other groups. An intensive
campaign to destroy transmission lines by cutting or
bombing towers resulted in about 150 acts of such sabotage
in 1986 alone.
Transmission lines from nuclear reactors have been a major
focus, and the nuclear industry itself has been a target
The saboteurs included anarchic, separatist, and political
terrorists, and anti-nuclear extremists
What does a Terrorist Look Like?
Terrorism in America-Pipe Bombs and Pipe Dreams
Brent L. Smith
Demographic Characteristics of International Terrorists
Average Age at Indictment, 36
Youngest, 23; oldest, 48
Sex, All males
Education, Moderate
Only 8% had a college degree;
Over half (56%) had never attended college.
Occupation, Varied
Most Libyans were posing as students;
Only Omega 7 members held routine, full-time employment.
Ethnicity
50% Irish
34% Arab/Middle Eastern
13% Hispanic
3% Oriental
Includes members from the following groups or nationalities: Provisional Irish Republican Army,
Japanese Red Army, Omega 7, Amal, Libyans, and the Syrian Social Nationalist party.
Michael Fortier
Terry Nichols
Timothy J. McVeigh
Convicted Co-Conspirators
Oklahoma City Bombing
EMETIC
The Evan Mecham Eco-Terrorist
International Conspiracy
On May 30, 1989, three members of the group were
caught cutting through a support tower that
delivered electricity to a local substation. David
Foreman was named with the others in the federal
indictment released the following month. Charged
with conspiracy (among other things), the group
apparently intended to use the May 30 vandalism at
Wenden, Arizona as a practice session before
simultaneously attacking the power transmission
lines at three separate nuclear facilities in California,
Arizona, and Colorado.
Power Line Raid Clouds Security : Sabotage
Believed Aimed at Troubled Reactor Site
WINTERSBURG, Ariz. — It was a death-defying act
of sabotage.
In what a Nuclear Regulatory Commission
inspector calls a "well-coordinated assault," at least
three people climbed more than 100 feet up on widely
separated, high-voltage power transmission
stanchions--towers literally tingling with electricity--and in 25 minutes knocked out three of the four
transmission lines supplying power to the Palo Verde
nuclear plant here.
Reward offered in sabotage of Mason
County power lines
By Noelene Clark
Seattle Times staff reporter
A utility company is asking the public to help identify the person who shot
down a major power line, causing a fire near Hoodsport, Mason County.
Firefighters were able to extinguish the blaze before it threatened local
homes, said Doug Johnson, spokesman for Bonneville Power Administration.
Another line was also damaged by firearms. The utility estimates repairs will
cost more than $50,000.
"Obviously it was done intentionally," Johnson said, calling the shooting an
act of sabotage. It takes multiple shots to bring down a 230-kilovolt line, he said.
Bonneville Power Administration is offering a reward of up to $25,000 for
information leading to an arrest and conviction.
The utility is working with the Mason County Sheriff's Office as well as
federal law enforcement, said Pete Jeter, the utility's director of security, in a news
release. He said deliberately shooting the power lines is a federal offense because
the lines are considered Homeland Security infrastructure.
USA Today - Two transmission towers
intentionally knocked over
As federal agents scoured the area where two 80-foot
transmission towers toppled over the weekend, the
company that owns them offered a $10,000 reward
Monday for information about the person who
tampered with them. Oak Creek Police Chief Thomas
Bauer said bolts had been removed from the base of at
least one of the towers before they fell over Saturday
evening, cutting power to 17,000 customers, including
Milwaukee's airport.
Labor Disputes
In July 1989, a tower on a 765-kV line owned by the Kentucky
Power Co. was bombed, temporarily disabling the line; in
1987-88, power line poles and substations were bombed or
shot in the Wyoming-Montana border area. Later in 1988,
similar attacks were experienced in West Virginia (all during a
Coal Mine Strike).
In January 1999, members of the International Brotherhood
of Electrical Workers union toppled two transmission line
towers at Thompson Pass, Alaska, depriving 400,000 Alaskans
of power in the dead of winter.
N.I.M.B.Y.
The CU Powerline Project
Cooperative Power Association and United Power Association
“Bolt Weevils”
• August 1978, a group that called themselves the "Bolt Weevils"
began to sabotage power line towers and shoot out electrical
insulators.
• The General Assembly to Stop the Powerline (GASP) put out a
regular newsletter called “Hold That Line”.
• The electrical co-ops hired outside security officers that used
helicopters and vehicles to patrol the line.
• UPA and CPA launched a public relations campaign to communicate
to customers that vandalism would lead to electric bill increases.
• In the end, Bolt Weevils tore down 14 power line towers and shot
out nearly 10,000 electrical insulators
February 20, 2013 | DGR News Service
Time is Short: The Bolt Weevils and the Simplicity of Sabotage
By Alex Budd / Deep Green Resistance Redwood Coast
Resistance against exploitation is nothing new. History is full of examples of people—
perfectly ordinary people—fighting back against injustice, exploitation, and the
destruction of their lands and communities. They move through whatever channels for
action are open to them, but often, left with no legal or political power, they turn to
militant means to defend themselves.
It is hardly a simple decision, and rarely the first or preferred option, but when all other
paths have been explored and found to lead nowhere, militant action becomes the only
realistic route left. Movements and communities come to that truth in many different
ways, but almost without fail, they come to it borne by a collective culture of resistance.
One inspiring example is the Bolt Weevils.
• What if some forms of limited resistance were undertaken? What if there was a serious
aboveground resistance movement combined with a small group of underground networks
working in tandem?
• The abovegrounders would …… use both direct and indirect action to try to curb the worst
excesses of those in power, to reduce the burning of fossil fuels, to struggle for social and
ecological justice.
• The undergrounders would engage in limited attacks on infrastructure (often in tandem with
aboveground struggles), especially energy infrastructure
• These attacks would not be symbolic attacks. They would be serious attacks designed to be
effective but timed and targeted to minimize the amount of “collateral damage” on humans.
• They would mostly constitute forms of sabotage. They would be intended to cut fossil fuel
consumption by some 30 percent within the first few years, and more after that.
• There would be similar attacks on energy infrastructure like power transmission lines.
Because these attacks would cause a significant but incomplete reduction in the availability of
energy in many places, a massive investment in local renewable energy (and other measures
like passive solar heating or better insulation in some areas) would be provoked.
Ecodefense: A Field Guide to Monkeywrenching
Powerlines
However, there have been successful and justifiable ecotage actions against major
powerlines. The most successful was in western Minnesota in the mid- to late 1970s, when a group of farmers, the “Bolt Weevils,” continually monkeywrenched a
500 KV powerline under construction. Although that powerline was ultimately built,
a dozen other projected powerlines were never built. The following guidelines on
monkeywrenching powerlines come from anonymous Bolt Weevil veterans.
Powerlines are highly vulnerable to monkeywrenching from individuals or small
groups. The best techniques are:
1) Removing bolts from steel towers;
2) …….if tower bolts are welded to the nuts, cutting steel towers with hacksaws,
torches (be careful not to breathe the vapors of galvanized metal — see the
“Cutting Torch” section in the Vehicles and Heavy Equipment chapter), or cutting
wheels; and
3) …….shooting out insulators (with a shotgun), and shooting the electrical
conductor itself (a high-powered rifle is best) which frays it and reduces its
ability to transmit electricity.
Standard CIP-001-2a
Sabotage Reporting
Purpose: Disturbances or unusual occurrences, suspected
or determined to be caused by sabotage, shall be reported
to the appropriate systems, governmental agencies, and
regulatory bodies.
Applicability
4.1. Reliability Coordinators.
4.2. Balancing Authorities.
4.3. Transmission Operators.
4.4. Generator Operators.
4.5. Load Serving Entities.
4.6. Transmission Owners (only in ERCOT Region).
4.7. Generator Owners (only in ERCOT Region).
As presently written, the CIP-001-1 standard does not
apply to TO and GO entities
• Requirements
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the recognition of and for
making their operating personnel aware of sabotage events on its facilities and multi-site
sabotage affecting larger portions of the Interconnection.
R2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the communication of
information concerning sabotage events to appropriate parties in the Interconnection.
R3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall provide its operating personnel with sabotage
response guidelines, including personnel to contact, for reporting disturbances due to
sabotage events.
R4. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall establish communications contacts, as applicable,
with local Federal Bureau of Investigation (FBI) or Royal Canadian Mounted Police (RCMP)
officials and develop reporting procedures as appropriate to their circumstances.
ERCOT Interconnection-wide Regional Variance
• Requirements
EA.1. Each Reliability Coordinator, Balancing Authority, Transmission Owner, Transmission
Operator, Generator Owner, Generator Operator, and Load Serving Entity shall have
procedures for the recognition of and for making their operating personnel aware of
sabotage events on its facilities and multi-site sabotage affecting larger portions of the
Interconnection.
EA.2. Each Reliability Coordinator, Balancing Authority, Transmission Owner, Transmission
Operator, Generator Owner, Generator Operator, and Load Serving Entity shall have
procedures for the communication of information concerning sabotage events to
appropriate parties in the Interconnection.
EA.3. Each Reliability Coordinator, Balancing Authority, Transmission Owner, Transmission
Operator, Generator Owner, Generator Operator, and Load Serving Entity shall provide its
operating personnel with sabotage response guidelines, including personnel to contact, for
reporting disturbances due to sabotage events.
EA.4. Each Reliability Coordinator, Balancing Authority, Transmission Owner, Transmission
Operator, Generator Owner, Generator Operator, and Load Serving Entity shall establish
communications contacts with local Federal Bureau of Investigation (FBI) officials and
develop reporting procedures as appropriate to their circumstances.
Note also that the references to the Royal Canadian Mounted Police are removed
in the regional variance, because the variance only applies in Texas.
SBEC
Sabotage Evaluation and Response Procedure
Rev 6 (1/21/2013)
1. Evaluation of the Threat or Sabotage
1.1 Sabotage threats may be received by telephone, written notes, through a
third party such as the media or the police department, or by actual discovery of a
suspicious package or a suspected explosive device at an SBEC facility or
substation (including customer and/or mutually owned substations).
While few Sabotage threats are in written form, those that are should be handled
by as few persons as possible once they have been identified as a threat. To
minimize handling, the note should be placed in a clean, clear plastic bag and
given to local law enforcement authorities.
All sabotage threats will be treated as serious. However, as a guideline, most
prank calls contain very general information which makes it difficult to develop an
appropriate response. When the threat contains specific information and has
positively identified a target within the facility, the threat will be treated as very
serious and immediate action taken to remove workers from the threatened area.
2. If a call is received from any source indicating that a bomb or
other explosive device has been placed or hidden within the facility,
the individual receiving the call should assume that the threat is real.
2.1 In the event of a sabotage call or threat:
If so equipped, hit the “Record” feature on your phone, otherwise,
write down their exact words
Keep the caller on the line as long as possible
Ask the caller to repeat the threat
Stay calm, do not make the caller angry
2.2 Any of the information collected may provide clues as to whether
or not the caller is familiar with the facility. Make every effort to get
the caller to indicate:
The type and location of the device;
Appearance, including size, shape, color, etc.;
The time of detonation;
Why is the threat being made, and who is responsible; and
The caller’s name and where they are calling from.
2.3 Pay particular attention to any strange or peculiar background noises
such as music (type), voices, motors running, machinery, laughing or any
noise that might provide clues as to the place from which the call is being
made.
2.4 Listen closely to the voice (male or female), voice quality (nervous,
confident, pitch, etc.), accents, speech impediments, approximate age
(young or old), etc.
2.5 When a sabotage threat is received or a worker finds a suspected
explosive device or any package that looks suspicious:
Never attempt to touch or shift the position of the object;
Notify 911 and give all pertinent information;
Notify your immediate supervisor;
The supervisor will notify the Facility Manager, the Safety/Loss Control
Specialist, and any available Staff Member;
The Safety/Loss Control Specialist will also notify the target area
supervisor so that all affected workers may evacuate the building/area.
DANGER: NEVER MOVE OR ATTEMPT TO MOVE A PACKAGE SUSPECTED OF CONTAINING AN
EXPLOSIVE DEVICE. BOMBS MAY BE DESIGNED TO EXPLODE WHEN THE PACKAGE IS TAMPERED
WITH. IN THE EVENT THAT A BOMB OR EXPLOSIVE DEVICE IS LOCATED, NO ATTEMPT WILL BE
MADE TO DISARM OR NEUTRALIZE THE DEVICE.
2.6 When a “Positive Target Identification” has been made, the following
additional actions shall be taken:
Evacuate workers to the following locations or at least one-thousand
(1000) feet from the targeted area;
Bellville Office- Follow standard evacuation procedures but meet on the opposite side of the Fire Department
Building (use building for protection from flying debris)
Field Store- Follow standard evacuation procedures but meet on the opposite side of the Fire Department
Building (use building for protection from flying debris)
Columbus – Drive toward Columbus to Robert and Charlene Little’s residence at 4230 Hwy 71. If possible, park
cars so as to observe the SBEC facility as well as watching for responding law enforcement.
Hallettsville - Drive west ¼ mile to the beige Ehler’s Mini Storage building on the right. If possible, park cars so
as to observe the SBEC facility as well as watching for responding law enforcement.
If possible, establish a security perimeter at a distance compatible with the
evacuation distance to prevent unauthorized entry. If this proves unfeasible,
follow directions of local law enforcement. At a minimum, place cones at the
entrances to prevent members/visitors from coming onto premises.
Suspicious Field Activity
Note: While wire theft is much more likely an occurrence than sabotage, in either
event the perpetrator is likely to be armed. DO NOT confront anyone found in the act
and consider them to be armed and dangerous.
3.1 During the course of routine line and/or substation inspections, employees
should look for any suspicious activities such as:
Broken or open locks on gates and/or substation doors
Damage to security fences
Obvious damage to equipment
Switches inexplicably left open or in the wrong setting
Any other evidence of entry or missing items
3.2 If an SBEC employee suspects possible attempts at sabotage, the employee
should immediately:
Treat the area like a crime scene and make every attempt to minimize disturbing any
possible evidence
Contact the SBEC Dispatcher and report the activity
Contact his/her immediate supervisor
Contact local law enforcement if directed to do so by SCADA Dispatcher
4.0 Dispatcher responsibilities
Upon receiving any field report of suspicious activity, the SCADA Dispatcher
shall
Notify his/her immediate supervisor. The Dispatch Supervisor will immediately
confer with both the reporting employee and that employee’s supervisor to
determine the severity of the suspicion
Upon agreement that the event should be reported, the Dispatch Supervisor shall
either contact local Law Enforcement, or direct the reporting employee to do so.
Local Sheriff Departments are:
Waller County – 979 826 8282
Austin County – 979 865 3111
City of Bellville Police – 979 865 3122
Colorado County – 979 732 2388
Lavaca County – 361 798 2121
Dispatcher – 361 798 5250
Harris County (Northwest) Precinct 5 – 281 290 2100
Grimes County – 936-873-2151
Montgomery County – 936 760 5871
See additional emergency numbers in Appendix A
Notify LCRA SOCC of any sabotage or suspected sabotage event. Information provided
in the notification shall include:
Location
Time event occurred (if known)
Any detailed sabotage information as available
Information about which authorities were/are being contacted
The LCRA has their own Ranger division which may respond if an LCRA sub is
involved. Inform SOCC if anyone else is expected to be on site when the Rangers
arrive.
Maintain documentation of event for audit purposes
If considered a possible act of sabotage, the Dispatch Supervisor will immediately
notify the Houston office of the FBI, Weapons of Mass Destruction (WMD) Division
Joel Holmes
O. 713-936-8827
M. 713-819-1858
Supervisor
Brian Rasmussen
O. 713-936-8800
M. 602-725-1172
Amanda Koldjeski
O. 713-936-8826
M. 713-725-6455
If unavailable at these numbers, call the FBI main switchboard at 713-693-5000
Appendix A
EMERGENCY PERSONNEL PHONE NUMBERS
ALL EMERGENCIES - DIAL 911
BELLVILLE
EMERGENCY COMMUNICATION DISTRICT – 979-865-1911
AUSTIN COUNTY SHERIFF AND AMBULANCE SERVICE – 979-865-3111
CITY OF BELLVILLE POLICE – 979-865-3122
BELLVILLE FIRE DEPARTMENT – 979-865-2323
FIELDSTORE
WALLER COUNTY SHERIFF – 979-826-8282
HEMPSTEAD VOLUNTEER FIRE DEPT. – 979-826-2963
WALLER COUNTY EMS AND MONAVILLE VOLUNTEER FIRE DEPT. – 979-826-8527 OR 979-826-6581
PRAIRIE VIEW VOLUNTEER FIRE DEPT. – 936-857-9522
WALLER VOLUNTEER FIRE DEPT. – 936-372-9512
COLUMBUS
COLORADO COUNTY SHERIFF – 979-732-2388
COLUMBUS FIRE CHIEF – 979-732-7736
COLUMBUS POLICE DEPT. – 979-732-3351
AFTER HOURS EMERGENCIES – 979-732-2388
COLORADO COUNTY EMERGENCY MANAGEMENT – 979-733-0184
HALLETTSVILLE
LAVACA COUNTY SHERIFF – 361-798-2121
LAVACA COUNTY SHERIFF DISPATCHER – 361-798-5250
LAVACA COUNTY EMS – 361-798-5111
LAVACA CO. EMERGENCY MANAGEMENT – 361-798-5628
Operation Circuit Breaker
An Examination of Vulnerabilities in the Electric
Transmission Infrastructure of the United
States and How They Could Set the Stage for
the Next 9/11
By David Omick
More than a decade into the new millennium,
it’s still September 10, 2001 in America.
France heat wave death toll set at
14,802
The 2003 European heat wave was the hottest
summer on record in Europe since at least
1540.[1] France was hit especially hard. The
heat wave led to health crises in several
countries and combined with drought to
create a crop shortfall in parts of Southern
Europe.
Peer reviewed analysis places the European
death toll at 70,000.