Operators need to take steps to protect their facilities from drone security breaches by outsiders. The costs an attacker incurs in developing tools to break into and control infrastructure is low compared to the costs an operator incurs in defending against those tools.
Drones can be a useful tool for energy companies, particularly in the area of facility inspection, but a trio of experts argued that these vehicles present unique emerging security challenges that must be addressed in the near future.
A panel discussion held at the Stone Fort Group’s Energy Drone Coalition Summit examined the threat analyses, best practices, and technologies available for protecting facilities from malicious drone activity. Featuring three security and infrastructure specialists, the panel looked at the ways companies can identify and mitigate physical threats, as well as other monitoring and countermeasure concepts that take industry operations into account.
Travis Moran, managing consultant at Navigant Consulting and moderator of the discussion, emphasized the need for industry to address surveillance concerns on new and existing facilities. Operators will face increasing threats from attackers, such as protestors and terrorist organizations, as their knowledge and use of drone technology increases. Surveillance of site surveying, facility construction, and facility operation may become commonplace. Moran said companies should adopt a mindset of constant vigilance.
“When you’re doing your operations, teach your people out in the field that you’re being watched,” he said. “If you have any project that’s controversial, you’re under surveillance. You don’t know what’s going on out there.”
Taking the surveillance issue further, Bruce Martin said operators should re-examine their security procedures to account for drone capabilities. Previously, companies could maintain secure perimeters around their facilities either through fencing or, in the case of an offshore facility, natural aquatic boundaries. Cameras and security personnel could spot developing problems and address them in a reasonable amount of time.
Drone technology allows for surreptitious development of a potential attack. Martin, enterprise security director at Duke Energy, said that a drone can fly over a facility and closely examine vulnerabilities in perimeter defenses such as weak spots in a fence line, camera systems, and the guard force being used on-site.
“You can start to build a pretty good feel for what you have on-site and how you can penetrate that site,” Martin said. “Now, when you look at it from the perspective of a terrorist group or an extremist group, what you’re seeing more and more is that they’re becoming increasingly more physical in their destructive desires.”
Martin said that, while it is one thing for an operator to know the threats posed by an unaccounted drone flying over a facility, taking steps to mitigate those threats requires a shift in thinking but that does not mean that companies should be wary of drones in general. Martin and Moran said drones have potential for significant growth as operators advance current government regulations in a way that serves commercial and security interests. However, Martin said that growth will require companies to develop a better understanding of drone capabilities.
“We’re going to see this continue as a growth industry where the devices get more complex,” Martin said. “We’re going to start to see devices that can carry heavy payloads and have longer flight times. So, it’s going to expand. It’s going to change. From a security professional’s perspective, I have to know what that means to me.”
David Kovar, founder of Kovar and Associates, called facility security a “cat-and-mouse game.” He said the costs an attacker incurs in developing the tools to break into and control infrastructure is low compared to the costs an operator incurs in defending against those tools. In addition, attackers can use the solutions developed to secure operations against the operators; for example, an attacker can protect its data with encryption capabilities operators develop to protect their data from attackers, thus making it difficult for operators to determine potential threats.
“That’s part of the cat-and-mouse game,” Kovar said. “The more we develop those encryption capabilities, the more we empower those attackers to use the same capability.”
Also speaking at the panel discussion was Carl Herron, principal critical infrastructure physical security advisor at North American Electric Reliability Corporations (NERC)—Electricity Sharing Information and Analysis.