Modernizing Physical Security and Incorporating Best Practices Into New Assets
Interview with David Grubbs, Director, Regulatory Affairs and Compliance at City of Garland, TX

As the Department of Homeland Security has reported, cyber
security threats to the utility industry are increasing in number
and sophistication. Because of this challenge, the North
American Reliability Corporation (NERC) is increasing the
Critical Infrastructure Protection (CIP) regulatory requirements to
ensure organizations and facilities are meeting basic standards
in this area.


marcus evans had the privilege to hear from David Grubbs before the upcoming Utility Cyber
Security & CIP Compliance Conference, January 15-17, 2013 in Atlanta, GA. Below he shares
with us his perspective on how CIP standards are affecting cyber security within electric utilities.
The responses below strictly reflect the views and beliefs of David Grubbs, and not necessarily
those of City of Garland, TX.




What are some of the newer efforts being utilized to protect the physical assets
of utilities?


David Grubbs: Electric utilities continue to improve both physical and cyber security efforts to
counter known and unknown threats. In physical security, many upgraded security features
have been added including: card access at many locations, electronic padlocks that require the
regular reauthorization of keys and can be set to ignore keys identified as lost, video monitoring,
fence tamper detection and motion sensors. The most important aspect of improving security is
properly training personnel and achieving a security mindset within the industry. The CIP
Standards make a start at this, but only include personnel with access to the CIP Critical Cyber
Assets.


Can you elaborate on the benefits of applying CIP standards to non-critical
assets?


DG: The CIP standards are a good starting point for any security system. They are, however,
inadequate to fully protect any asset. Security is achieved by a defense in depth. Much as an
onion has numerous layers, good security systems should have numerous layers of which the
CIP standards are only a few of the layers. Frequently, the best defenses are those no one
knows about. Unfortunately, at least through version 4, the CIP Standards are somewhat
prescriptive. Many of the security aspects of a facility, and even which facilities have security,
can be guessed because of the CIP standards. Beginning with version 5 of the CIP standards
the industry will have more flexibility to install the appropriate security for a facility rather than
specific security practices.


Why should utilities consider organizational security to be just as important as
safety?


DG: Security systems are inherently designed to keep the “bad guys” out. Excellent security
systems can easily be defeated when someone inadvertently leaves a door open or invites the
“bad guys” in. The most common ways of entering a system are by social engineering. Asking
innocent sounding questions, a hyperlink in an email that appears to be from your boss, or
getting someone to plug in a USB drive or CD are the easiest ways to get into a secure system.
A second source of lost information is a lost laptop or the USB drive that contains sensitive
information.


The following article from Intelligent Utility,
http://www.intelligentutility.com/article/12/10/cyber-risk-conversation , explores
the potential motivation behind cyber attacks aimed at utilities in the format of a
hypothetical conversation between utility executives. If you had a chance to join
the conversation, what comments/counterarguments would you give?


DG: I have had several very similar conversations with industry executives across North
America. Different entities have differing risk profiles to the various threats identified in the
discussion. Certain companies may be more of a target to certain organizations, such as
environmental extremists, while others might be less so. There is some risk for all of these
threats to each of us. Some organizations, because of their small size, might believe they are
immune to such activities because no one knows they are there and theorize that someone
would not be interested in attacking them. By the same logic, an attacker might go after a
smaller organization believing their security is less organized than at a larger entity and easier
to penetrate, thus making a smaller entity a more attractive target. None of these is true in all
circumstances, but are potential considerations when designing a security system.


As someone who has attended marcus evans events in the past, what do you
think attendees can take away from this conference?


DG: There are three primary takeaways from a marcus evans conference. First is the
educational aspect. Attendees learn how other comparable companies are coping with the
issues; from compliance, to security, to organizational structure, to budgeting. Second, are the
relationships you build with the speakers and fellow participants. Being able to discuss ideas
with others, both during the conference and afterward, can give significant insight into issues.
Third, and perhaps most important, it gives you a chance to break out of a rut and do something
different. We are all guilty of continuing to do what we have been doing and as long as nothing
jolts us, we just keep on doing it. A conference, such as this, gives us the opportunity to review
our own programs in the light of the best practices of others. It allows us to refocus on the needs
of our organization and gives us a new enthusiasm for pursuing the ideas we developed at the
seminar.


Mr. Grubbs joined the City of Garland in 2002 and has held numerous positions within the City.
He is currently serving as the Director of Regulatory Affairs and Compliance reporting directly to
the Managing Director of the Electric Utility on Regulatory, Compliance and Transmission
Planning Issues. Immediately prior to joining Garland, Mr. Grubbs worked as a consultant
developing wind energy and compressed air energy storage generation units.


For more information, please contact Michele Westergaard, Senior Marketing Manager at
312-540-3000 ext. 6625 or Michelew@marcusevansch.com.


About the Utility Cyber Security & CIP Compliance Conference
This unique event will take place in Atlanta, GA from January 15-17, 2013. Industry leaders
attending this event will benefit from a dynamic presentation format consisting of workshops,
panel discussions and case studies. Attendees will experience highly interactive conference
sessions, 10-15 minutes of Q&A time after each presentation, 4+ hours of networking and
exclusive online access to materials post-event.


About marcus evans
marcus evans conferences annually produce over 2,000 high quality events designed to
provide key strategic business information, best practice and networking opportunities for senior
industry decision-makers. Our global reach is utilized to attract over 30,000 speakers annually;
ensuring niche focused subject matter presented directly by practitioners and a diversity of
information to assist our clients in adopting best practice in all business disciplines.
