CIP-014 Physical Security Planning

Implementing a new standard will always pose some level of operational tumult, and CIP-014 will be no exception. Here at ONTRAXSYS we believe that the greatest challenge with CIP-014 is the broad scope that requires expertise outside of the realm of even most experienced transmission operator’s normal scope of responsibilities. Additionally, retrofitting multiple substations to withstand air blast shockwaves and high-powered rifles could prove to be a costly endeavor.

On the surface, CIP-014 seems straightforward. However, in reality it is challenging. The goal of the new standard “is to identify and protect specific transmission substations and their associated primary control centers that if rendered inoperable or damaged by a physical attack, could result in widespread grid instability, uncontrolled separation, or cascading within an interconnection.”

After twenty years and trillions of dollars spent fighting the GWOT, the United States has not been able to stamp out terrorism completely. Some experts may be reluctant to admit it, but the truth is, if a terrorist is fully committed to their cause, preventing the terrorist attack is impossible. This is true for virtually all forms of security and protection. However, the good news is, with proper planning, damages can be mitigated and the return to normalcy can be expedited.

The goal of this article is simply to provide basic guidance on things to think about when evaluating threats and developing your CIP-014 security plan. At the end of the day, the most important thing to remember is that no two plans should be the same because no two sites are the same. And a good plan begins with a careful and realistic analysis of the threats specific to the area.

How We Got Here

The CIP-014 requirement came about as the result of an April 16, 2013 attack on the Metcalf Transmission Substation, by a sophisticated team of gunmen using high powered rifles. The gunmen opened fire on the substation, severely damaging 17 transformers resulting in damages values at $15MM. Although power facilities are vandalized or damaged fairly frequently, this particular attack was different. Prior to the attack, fiber optic lines running near the facility were cut and it is presumed that whoever executed the attack, knew firing at the oil-cooling systems would cause the transformers to leak oil and overheat.

Metcalf Attack Timeline

  • 12:58 a.m. – AT&T fiber-optic telecommunications cables were cut not far from U.S. Highway 101 just outside south San Jose.
  • 1:07 a.m. – Some customers of Level 3 Communications an Internet service provider, lost service. Cables in its vault near the Metcalf substation were also cut.
  • 1:31 a.m. – A surveillance camera pointed along a chain-link fence around the substation recorded a streak of light that investigators from the Santa Clara County Sheriff’s office think was a signal from a waved flashlight. It was followed by the muzzle flash of rifles and sparks from bullets hitting the fence.
  • 1:37 a.m. – PG&E received an alarm from motion sensors at the substation, possibly from bullets grazing the fence.
  • 1:41 a.m. – Santa Clara County Sheriff’s department received a 911 call about the gunfire, initiated by an engineer at a nearby power plant that still had phone service.
  • 1:45 a.m. – The first bank of transformers, riddled with bullet holes and having leaked 52,000 US gallons (200,000 l; 43,000 imp gal) of oil, overheated, whereupon PG&E’s control center, approximately 90 miles (140 km) north, received an equipment-failure alarm.
  • 1:50 a.m. – Another apparent flashlight signal, caught on film, marked the end of the attack. More than 100 expended 7.62 x 39mm cases were later found at the site.
  • 1:51 a.m. – Law-enforcement officers arrived but found everything quiet. Unable to get past the locked fence and seeing nothing suspicious, they left.
  • 3:15 a.m. – A PG&E worker arrived to survey the damage.

Outdoor Physical Security

With as much time as we spend thinking about cybersecurity, the inclusion of outdoor perimeter security is usually an afterthought. What most companies fail to realize is that a well-planned outdoor security perimeter can improve the overall effectiveness of a facility’s total physical security posture resulting in lower overall cost. Physical security is one of the larger line items on a budget, yet even small investments in perimeter security can provide a significant amount of protection benefit to a sub-station, well before more costly countermeasures are employed.

Stand-off barriers, both manmade and natural, can prove to be valuable and serve as additional lines of defense by adding distance, time and scale between the outermost perimeter and the facility, thereby lowering the probability that the facility will be breached. In order to effectively leverage an outdoor perimeter security solution, the security plan must be developed in a holistic manner, taking a complete assessment of the site and surrounding area topography. A holistic perimeter design focuses on a key objective for each layer of security. Think of it as your security onion and work from outside the facility towards the inside of the secured buildings.

The 5D’s, beginning from the outermost point of approach are: Deter, Detect, Deny, Delay and Defend. The idea behind this framework is to create overlapping rings and increasingly robust lines of defense. The basic concept has been in use for centuries. It was originally meant to repel invaders and criminals. Note the term criminals and not terrorists. Terrorism adds a wrinkle to the normal security framework because a terrorist is not there to steal and they do not necessarily worry about getting caught. These two facts should cause you to rethink some of the design. There is still much debate on this topic, and while some people believe terrorism and criminal violence are the same, or at least share common traits, I agree with Dr. David Goldstein who developed criteria that distinguishes the two as separate types of crime and therefore should be treated differently in terms of how you must go about defending against them.

ONTRAXSYS specializes in CIP-014 physical security planning.

Author and subject matter expert, Dr. David Goldstein (2007) explains the concept further by showing the intricate differences between criminals and terrorists and says that the “terrorist” is often well trained and state-supported or homegrown. Terrorists have a specific goal in mind, often more symbolic than opportunistic. On the other hand, it is a fair statement that the “ordinary” criminal is one who seeks opportunistic targets, has little backing, is selfish, lacks discipline, and may be deterred relatively easily. Dr. Goldstein goes on to say, in general, terrorists are assumed to be well trained as opposed to a regular criminal. In my opinion, well-trained is a matter of perspective. Therefore, the propensity for violence and level of destruction can be much greater.

Terrorists are more likely to believe in their cause, so much so that they are even willing to die for it (Goldstein, 2007). This is very unlike mainstream violence, where for example, the criminal perpetrator runs for cover when being chased by the police, while the terrorist may confront the police with a bomb strapped to his/her chest. For these reasons, I feel that criminals and terrorist should be binned separately when designing your security system.

There are no hard and fast rules for how to achieve the objectives of each but rather more generally accepted best practices. The single most important thing to know when you build a system is to know what you are trying to protect and what you are protecting it from. Without a clear understanding of the threat and probability, your project is doomed. You’ll either overdesign your solution resulting in the Taj Mahal of substations or you will miss the mark entirely. Try not to get tunnel vision or become overly focused on past recent events. Terrorist continually adapt their tactics. A well thought out protection design can reduce the overall project cost and improve its overall effectiveness.


The outermost perimeter is designed to make criminals think twice before advancing. Some of the best deterrents range from signage, lighting, and high-fencing. According to several ASIS vulnerability assessment models, indicate that a chain-link fence with barbed wire atop will delay an intruder for less than 10 seconds. However, there are new innovations in fencing that provide some anti-cut, anti-crime characteristics and it will provide structure for your PIDs system and ballistic standoff protection.

A secondary line of fencing may be warranted for nuclear facilities and it should be a minimum of 30 feet from the first fence line. Lighting, CCTV, and bilingual signage are all helpful deterrents. While all of these measures may deter some would be, vandals and intruders, it will not stop a highly motivated attacker. After all, a shiny new fence doubles as a neon sign that screams that there must be something of great value on the other side. Deterrence is literally psychological warfare and some estimates say that fences may deter up to 30% of the crime.


The detection perimeter’s object is simply to detect an unauthorized intrusion with enough time to respond. High-end, long-range surveillance cameras outfitted with the latest thermal and infrared technology can be effective detection tools. Strategic placement of the cameras is an important consideration as well as having the ability to quickly, tilt pan and zoom to the area of intrusion. Robust surveillance cameras can also be used inside the delay perimeter to provide security personnel visibility and a record of events. In our experience, we have found that one of the most effective detection tools to be a wireless dual sensor, perimeter intrusion detection system that can be installed without available shore power.

To prevent false alarms, the military grade system uses dual sensor technology that must be simultaneously triggered to produce an alarm. Detection and assessment systems and perimeter barrier can be monitored by a single monitoring center. Monitoring team personnel are trained in video analytics and can assess patterns and events real-time and communicate with local EMS and operators. When deployed as part of holistic solution, ONTRAXSYS believes that dual sensor technology is best to prevent false alarms.


The objective at the Deny perimeter is simply to keep unauthorized persons out while allowing authorized persons to enter. This is typically done by use of access control technology or a manned security gate at the point of entry. The intention of surveillance at this point is to provide verification of identity. An additional layer of defense can be achieved through use of anti-terrorism barricades such as those manufactured by Delta Scientific. Delta barricades greet visitors at a Westinghouse nuclear fuel processing plant in Idaho Falls, ID., and at a South African nuclear reactor site and at most of our nations embassies.

Anti-terrorism barricades can stop an 18 wheeler traveling at 50mph but this level of security doesn’t come cheap. A Delta Scientific-made barricade designed to stop determined terrorists will cost between $20,000 and $40,000 and serve as secondary line of defense behind the main gates of a guard post. There many other albeit less ascetically pleasing way to deny entry.

Going back to WWII, the Czech hedgehog was a static anti-tank obstacle made of metal angle beams or I-beams (that is, lengths with an L- or I-shaped cross section). The hedgehog was is very effective in keeping light- to medium tanks and vehicles from penetrating a line of defense and it even maintains its function even when tipped over by a nearby explosion. These could be used on the outermost perimeter to prevent vehicles from getting inside your inner perimeter.


The Delay perimeter’s objective is to slow down an active intrusion in such a manner that you force the intruder to give up or afford the security team more time to respond. Common criminals or trespassers DO NOT want to get caught, so typically, they know how long they can stay on scene before law enforcement shows up and ruins their day. Every jurisdiction has a different response time and you can bet that most criminals know exactly what that response time is.

Nationwide, the average police response time to verified audio or video alarm is around seven minutes. Anti-cut, anti-climb, barbed-wire fencing, locking doors or other physical barriers will sometimes slow down the incursion to the point they are willing to give up. However, once again, using the Metcalf example, the presence of a large physical barrier with anti-cut and anti-climb properties and some level of visual screening would have helped conceal the substations critical assets and minimized the damage by making targeting much more difficult to hit.


The Defend perimeter is typically a security personnel response that attempts to apprehend the intruder. Surveillance is used at this perimeter to record the apprehension and determine the overall effectiveness of the response.

Final Thoughts

As both the power industry and the threats it faces continue to evolve, it will become increasingly important for transmission owners to analyze the threat and develop a plan that works for their assets and operating models, some aspects of hardening and improving perimeter security will almost certainly be a major component of the plan. Once again, depending on the situation and the threat, ONTRAXSYS can deploy a wide range services that encompass all the D’s referenced including defensive surveillance equipment, sensing technology and infrastructure hardening tailored to your application and budget.

Learn more about ONTRAXSYS and its Physical Security Coalition by clicking HERE


ONTRAXSYS is a Veteran Affairs Certified Service Disabled Veteran Owned Small Business (SDVOSB) founded by a former Naval Special Operations (EOD) Technician who has led counterterrorism operations and provided technical security at the highest levels in the government in support of the U.S Secret Service, State Department and Foreign Protection Agencies during high profile events to ensure the safety of the President and Vice President of the United States and, foreign heads of state. Our Physical Security consultants are former Navy SEALs and Naval Special Operations with real-world experience in counterterrorism and protective operations.

The experience gained through these high-profile assignments serves as the basis for the strategies and principles ONTRAXSYS employs to protect utilities and other high-value assets across the country.

We have also teamed up with industry leaders in site and civil construction to provide one of the most complete CIP-014 solutions in the industry. Please contact ONTRAXSYS today to learn more about our tailored services.

ONTRAXSYS is a Certified Service Disabled Veteran Owned Small Business.