AWS for Industries

Using Cloud Technology to Better Protect Power Grids from Physical Threats

When was the last time you thought about how the power stays on? Probably not since you lost power in a storm. We take it for granted that the electricity and natural gas will flow. In today’s world, electricity and gas are a core foundation of the economy and of society, making energy one of the 16 critical infrastructure sectors in the United States and around the globe. Electric and gas utility operators continually think about maintaining reliable delivery of service to meet the ever-growing demand and the changing operational landscape, including changes in security risks to the physical facilities that generate and deliver electricity and gas.

Critical infrastructure comes with increased security risks, including attacks on physical facilities. Physical threats like vandalism, mischief theft, equipment damage from gunshots, and other incidents are increasing at substations. According to data from the US Department of Energy, there were 163 reported incidents of physical attacks, vandalism, suspicious activity, and sabotage at US substations in 2022, an increase from 57 incidents reported in 2018. This increase is prompting a focused effort on addressing the challenge of physical threats and on considering new ways to monitor and protect substations.

In this blog, we drill down on the practicalities of security tasks and consider ways that cloud technology can augment utilities’ physical security efforts.

Material impacts of physical security attacks

Physical security incidents pose a high risk to human safety and mission-critical systems and can lead to millions of dollars in cost. For example, in April 2013, intruders fired weapons at the transformers of a substation in Coyote, California, resulting in more than $15 million of equipment damage.

The outages caused by security incidents are significant as well. In the December 2022 substation vandalism attack in Moore County, North Carolina, intruders cut through the fencing around a substation and used firearms to shoot and deactivate numerous pieces of equipment, resulting in equipment damage and power failure for about 45,000 customers. In the few months that followed, at least nine substations were attacked in North Carolina, Washington State, and Oregon, disrupting power availability for tens of thousands of people.

Adding to the security incentives are increased regulatory interests. The increase in physical attacks on electric substations captured the attention of the Federal Energy Regulatory Commission (FERC), which directed the North American Electric Reliability Corporation (NERC) to report on an evaluation the effectiveness of the Critical Infrastructure Protection (CIP) standards in mitigating physical security risks. NERC opted not to expand the requirements at this time but continues to monitor the situation. FERC and NERC continue to discuss physical security of the Bulk-Power System such as at a recent joint technical conference in Atlanta.

The fundamental priorities of utilities

When considering security approaches, it is useful to understand the functions and priorities to be protected. The core purpose of a power grid operator is to maintain the balance between supply and demand. Operational infrastructures build in contingencies, redundancies, and practices to reduce and manage potential disruptions to the system. Substations also have security teams that work to prevent, detect, and respond to events that could disrupt the flow of electricity, placing particular priority on preventing a cascading outage, which NERC defines as “the uncontrolled successive loss of System Elements triggered by an incident at any location” (see NERC Glossary of Terms).

Utilities adapt and implement multiple solutions to prevent and manage unplanned power outages and to evolve their technological resources, including the current solutions available in grid modernization, demand forecasting, predictive maintenance, weather forecasting, and other solutions that mitigate natural or demand-related challenges. Technology solutions are also a big part of security mitigation and responsiveness—components that would benefit from innovation and modernization.

Common challenges in protecting electric substations

Many of the more than 55,000 electrical substations in the United States are on relatively large, remote sites with transparent physical barriers, such as chain-link fencing. These substations often do not have on-site personnel guarding them. However, they often do have security measures—such as robust fencing, access controls and authorization requirements, lighting, cameras, and a relationship with law enforcement—to slow potential access and reduce potential impact. Security teams rely heavily on visual and audio from cameras to monitor and investigate alarms, and access alarms to signal potential unauthorized access. These kinds of technology provide critical information for security teams to detect, identify, and respond to potential security events. However, everyday occurrences of low-risk events and human error can create distractions.

Utilities security professionals that we interviewed cited managing the “noise” of false alarms as a top frustration. Consider a plastic bag caught on concertina wire within a camera’s eye, generating several false alarms with its motion. If the technology is unable to determine that the alarm is false and remove the bag from monitoring, correcting the problem requires a person to physically remove the plastic bag.

Even though sites are remote, staff visit substations in person for operational and maintenance routines. Human errors, such as incorrect PINs, missteps in gaining authorization, or mere impatience with lock releases, require security personnel to address the false positive. Security teams can be overwhelmed with thousands of false alarms in a day, depending on the substation’s infrastructure complexity.

According to one physical security operation center responsible for multiple substations sites, 70% of false alarms were caused by non-intrusion events like personnel error, weather, debris, wildlife.

Existing on-premises technology is also limited in its ability to address such challenges. Systems are constrained by an inability to ingest high volumes of data as well as a lack of reliable artificial intelligence (AI) models and informative data visualization for decision-making.

The good news is that modernizing the existing technology with cloud-based solutions can help mitigate these challenges. Modernization can help the technology to provide the right information at the right time with a high degree of prediction accuracy, replacing the “noise” with actionable knowledge for security teams.

Cloud technology can help with modernization

Using a predictive, integrated, risk-based approach, cloud technology can play an important role in securing substations. It can improve intrusion detection, alarm management, entry control, risk evaluation, active and passive barrier delay, and engagement with response force and with threat neutralization. Cloud solutions cannot eliminate threats completely, but in keeping with the Electricity Information Sharing and Analysis Center’s (E-ISAC’s) Vulnerability of Integrated Security Analysis (VISA) method of physical security protection, a modernized cloud solution can improve the detect, assess, delay, and respond functions of physical protection systems.

Here is an example of how modern, cloud-based technologies can help mitigate current challenges:

Cameras can capture the 360-degree view of a substation’s landscape in the form of continuous streaming data and can balance the decision-making between edge and cloud computing models. Coupled with a highly accurate object detection model, the system can identify a normal occurrence, like a plastic bag on the fence, and log it as a nonthreat. This model can also identify unusual patterns, like unanticipated human trespassing, suspicious human behaviors, and unauthorized vehicles. A data lake can bring all relevant data from multiple systems, like badging, work permits, maintenance, substation security, and streamed video clips, to apply an AI-based model that reviews and validates the authenticity of logged events with a contextual search across the systems. As an example, a person’s face recognition for the substation access entry can couple with work permit approvals within the anticipated time window to enhance the substation entry or to reduce human error issues, such as incorrect PINs.

Below is the architecture to implement the above-described modern solution using Amazon Web Services (AWS).

Figure 1. Architecture for substation security on AWS

Figure 1. Architecture for substation security on AWS

First, this solution ingests semistructured data—such as unlock requests from security gate badge systems—through AWS IoT Core, a managed service that lets you connect billions of IoT devices and route trillions of messages to AWS. Unstructured data, such as images and videos from security cameras, is ingested through Amazon Kinesis Video Streams, a service that makes it easy to securely stream video from connected devices to AWS. AWS Lambda—a serverless, event-driven compute service—and Amazon DynamoDB—a fully managed, serverless, key-value NoSQL database—then use the data to recognize a person and authorize permissions by validating his or her identity against the database. The person, once identified, will be allowed to enter the substation section perimeter to perform the assigned job based on the database query result.

Second, the solution uses Amazon Rekognition Video, which offers pretrained and customizable computer vision (CV) capabilities, to classify objects as threatening (like firearms) and nonthreatening (like plastic bags) before triggering an event notification. The AI service is integrated with Amazon Kinesis Video Streams and Amazon Kinesis Data Streams, a serverless streaming data service, to automate and streamline the object-detection workflow. The machine learning (ML)–based classification can be continually improved with human-in-the-loop (HITL) through Amazon Augmented AI (Amazon A2I), which allows you to conduct a human review of ML systems. The human reviewers will be involved if necessary to moderate the results and judge nuanced situations.

Third, the solution provides event-driven architecture based on AWS Lambda and Amazon Simple Notification Service (Amazon SNS), a fully managed Pub/Sub service for Application-to-application (A2A) and Application-to-person (A2P) messaging, to notify the substation operators of an emergency based on the filtered alarms.

Last but not least, the solution provides a user-friendly, interactive visualization for event reporting and alerting through the integration of Amazon CloudWatch, which collects and visualizes near-real-time logs, metrics, and event data in automated dashboards, and Amazon Managed Grafana, a fully managed service for Grafana that offers scalable and secure data visualization.

Where security modernization starts

The above approach is one example of how cloud technology can reduce false alarms and increase the accuracy of security-related information from substations. Cloud technology can help security personnel to identify security events, increase defense, reduce negative impacts, reduce time to response and resolution, and free up time for security personnel to focus on priorities.

The expanded compute capacity of cloud solutions opens doors to integrate informational resources that may not be currently accessible to physical installations. These solutions have further potential to draw on cloud-based cybersecurity analytics resources to complement or identify connected behavior. Additionally, consider opportunities to build in law enforcement intel resources to inform security personnel of physical behavior patterns seen in other industry settings.

Are you ready to consider the physical security challenges you face and what solutions can make a difference for your security operations? Let’s talk about the substation security modernization journey. Get in touch with your AWS account team to learn more about electric substation security and how it can help you mitigate security challenges.

New to the cloud? Contact AWS Sales to get started with transforming your business.

Maggy Powell

Maggy Powell

Maggy Powell is a member of the AWS security assurance team working as an electric sector industry specialist. She is a 14-year veteran of the power and utility industry. Maggy helps utility customers adopt cloud solutions for regulated workloads in a secure and compliant way.

Ritesh Patil

Ritesh Patil

Ritesh Patil is a Customer Solutions Manager (CSM) at AWS. He leads enterprise customers in their cloud transformation journey. In this role, Ritesh enables customers to accelerate their cloud journey and drive business values through cloud-based innovation and modernization. Ritesh is also a GenAI Ambassador and is an aspiring member of power and utility technical field community at AWS. Prior to joining AWS, Ritesh had worked in energy customers domain for 14 years.

Dr. Song Zhang

Dr. Song Zhang

Dr. Song Zhang is a Senior Industry Solution Specialist at AWS Energy & Utilities. He leads the grid solution modernization for power utilities with HPC, IoT, AI/ML and data analytics on AWS. Prior to joining AWS, Song had worked in the power industry for 13 years. Song is also a proactive community leader and contributor. He is the Chair of IEEE PES Working Group “Cloud4PowerGrid”, the Vice Chair of IEEE PSOPE Technology and Innovation Subcommittee and a Steering Committee Member of IEEE Transactions on Cloud Computing.