Disturbing Level of Drone Activity Near NYC Electric Utilities

David Lewin: 

I'm joined here by Scott Gross from Con Edison up in New York. I am really excited to talk about the Drone program that they've put into place and some of the data they've collected and bring a little bit of awareness across the board.  

This whole emerging threat of drones to critical infrastructure is something that takes public-private partnership and information sharing as we learn more and really appreciate Scott taking the time to join me on this call. So, I guess with that, I will get started here. Scott, welcome to the call as well. Thanks for joining.  

Scott is a system specialist with the System and Transmission Operations at Consolidated Edison of New York. He's been with ConEd since 2004, which marks his now 43rd year in the Security and Fire Protection industry. So, thanks for serving Scott and he's part of the steering committee on a brand-new, SIA Advisory Board and then also a steering committee on drone security or the Drone security and Alliance at DC for lobbying and information sharing on these kinds of topics. He has also implemented a drone detection program.  

In 2015, the team at Con Edison put into place a program to analyze the amount of drone activity and to put the building blocks in place to answer this ‘emerging threat of drones’ question and the possible threat that they are to critical infrastructure. So, Scott before we dive into the questions, did you have anything else to add there on your history or background or a background on the project? 

 

Scott Gross: 

Just hearing 43 years in the industry makes me feel old. [light laugh]  

Just to give you a little bit of background, I was originally from the Baltimore-Washington area. I worked for a local contractor for the federal government prior to moving up here to New York. Just after 9/11, I handled a lot of the fire protection and [some] of the security in the majority of the federal buildings in Washington DC. I graduated from University of Maryland and then after 9/11, the company I was working for dissolved their middle management and therefore I moved on up to New York to try to find a position. And lo and behold shortly after the move, I landed a position with the major security integrator at that time for Con Ed. Two years after that ConEd lured me over to work with another individual to set up their technical team with corporate security.  

Prior to actually moving into the position I'm in now, I was the project manager and then manager of the security operations center, which means I built the Operation Center for them and then operated it for the first year and a half before moving into my present position, which is where I am now and have been since 2010.     

  

David Lewin: 

Okay, excellent. I appreciate that extra background there Scott. And I guess with that said, before we dive into the details of what you've discovered regarding drones and the activity levels. My first question is overall, do you think that drones pose a real threat to critical infrastructure? 

  

Scott Gross: 

I absolutely do and I think our data is positive in that respect. First, let’s stop and take a look at exactly what kind of payloads a drone could carry. A few examples: a drone could carry C4, land on the roof of a sensitive building or substation and we would have a catastrophic event; or a drone could carry EMI equipment, land on a control or operations center for a critical infrastructure, and then we would have problems with the networks within that facility. Drones can also land and carry chemical biological or radioactive materials creating a safety or security breach event. Not only that, drones also have the capability to carry small Raspberry Pi computers which don’t actually have to land on the roof to open signals from your cell phones, cameras, and microphones capturing events that are happening within the building.  

This all takes me to the next level of worry as far as what could happen in the critical infrastructure.  

And let's stop and just think about what critical infrastructure actually is. That could be your electric utilities, your gas, your steam, your telecommunications, your waters- your water supplies in the major cities, such as the city of New York, and that also could be subways and airports.  

  

David Lewin: 

Oh yeah, that's a big one. Could you share a little bit about the how much Drone activity actually happens near critical infrastructure sites? And is it more than people might think? Was the actual activity level you have seen surprising?  What insights you gain from that?  

  

Scott Gross: 

Sure. What I can do is share the amount of alerts we have received. I will not share any additional information just because I believe that that is sensitive to ConEd. Just to give you the folks a little bit of background.  

I started this project back in 2015. I did an assessment on the building we are referencing, and I found that the security and the access control and so forth is CCTV. The video analytics all met or exceeded required standards. So, I sat down and really looked at the situation and I realized that I didn't have any protection on the low air space above my building. And of course, back in 2015, drones were just becoming popular. I developed a white paper on the project, a budget on the project, presented it to upper management, and they agree to move forward. I began to investigate.  

I sat down with counterterrorism of NYPD to get pointers on how I should move forward with the project or questions - because this is new technology. I began to research the manufacturers of equipment available on the market, then moved forward by adding cameras on the roof as my first stage and second stage of the project.  

I actually went to phase three of the project in 2021 where I added a single sensor on the roof of the building [specifically for drone detection]. The reason why we did that was to prove to the company whether the additional security efforts merited funding. Within months of activating the first sensor in February of 2021, we were detecting hundreds of alerts. We then increased the budget, moved to phase 4 of the project which including adding four additional sensors, plus an Aeroscope, and an AI computer which then allowed us to talk-triangulate, and receive the actual information location on a GUI including the make and model of the drone.  

As of January 2023, we have had over 10,200 alerts received. Bear in mind that three-quarters of Manhattan, which is where we're located, is a Class B no-fly zone - as far as drones are concerned. So, is that alarming? Absolutely.  

  

David Lewin:

Scott, what was the timeframe of the 10,000 flights? 

  

Scott Gross: 

Since February 2021. However, the majority of those - 8,800 plus - were received between April 2022 and January 2023.  

  

David Lewin:

Wow. So, you're seeing a real uptick then, in that activity. Are you concerned about other drone platforms other than DJI? If so, how would you suggest addressing non DJI drone incursions? 

  

Scott Gross:

There's no doubt that I am concerned. I'm also concerned as to custom or homemade drones if you will. The system we currently have is only a steppingstone as to what I plan to do with the system. I am looking to move forward to phases, five, six, and seven. I am open to other equipment that I can add to the system so that we can protect the airspace above the building completely.  

  

David Lewin:

Do you see other critical infrastructure organizations around the country budgeting for drone detection or other counter-drone programs?  

  

Scott Gross:

Yes, I do. I am familiar with others that are operating systems like ours. The one thing that sets us apart from other utilities and critical infrastructure in the country right now is that we have incorporated the cameras into our system. Therefore, if we do see or do detect a drone incursion overhead or within several blocks of the building, we receive and save visual [evidence] on the drones. My goal is to be able to visually inspect the payload and be able to internally mitigate - should we determine that that drone is carrying some type of explosives are so forth. 

  

David Lewin:

Many utilities are waiting until legislation changes before they're willing to start testing drone detection technology or putting any sort of program in place.  Why are you guys taking more of a proactive approach – despite knowing that if you do see a drone, you can't really do much about it at the moment? 

  

Scott Gross: 

I would say that I have always exceeded the standards required for the building as far as protection is concerned. I always stop and look at my customer base. I am protecting one of the biggest or greatest cities in the country. As far as who we serve – citizens, Wall Street, a majority of the television network corporate headquarters, and the United Nations. I believe that our customer base warrants the company being more proactive as to better protect the infrastructure of the city of New York. 

  

David Lewin: 

A more proactive posture when it comes to security and security and critical infrastructure, versus just reactively waiting for a compliance requirement to come through. 

  

Scott Gross:

Right. I was honored go back this past summer to be able to speak to the State Department of Homeland Security for Pennsylvania Antiterrorism advisory Council both in Philadelphia and Pittsburgh, where I made presentations about our project. And they pretty much have declared that we are in the forefront of this type of operation. I am just very proud of that.  

I'm proud that the company has allowed us to move forward. I think it puts the company in good light, but not only that the data that we are sharing to me is critical with hopes that it reaches the ears of congress so that they can further expand the infrastructure and drone emerging threats act that's currently being reviewed. Hopefully, the Peters’ bill can be reopened in congress again this year to give the local law enforcement agencies and the critical infrastructure the authority they need to protect their airspace.  

  

David Lewin: 

In terms of emerging legislation, you think that something may pass this year? I know I've heard that but you know, most of these things get kicked down the road.  

  

Scott Gross:

I'm hoping that it is opened again. I'm hoping that we do have something moving forward. I hope they look in favor of revising the emerging threats act. I hope that they reopen, the Peters-Johnson Bill and look with favor on that.  

My biggest concern is the Amazons of the world, the Walmarts of the world, and the drone manufacturers who are all putting a lot of money into development and populating the airspace. Unfortunately, we as critical infrastructure could be hitting a brick wall.  Hope that's not the case but I honestly believe it is. I also believe that the more data we can share from critical infrastructure around the country and present to the FAA, present to Congress - that is all evidence that, yes there is a real threat. 

  

David Lewin:

Yeah, I agree. And do you think that critical infrastructure operators, might actually receive permission to use drone mitigation systems as part of the Johnson bill? Are you thinking that legislation will recommend a very short list of approved authorities, maybe police at the local or state level or something to that effect?  

 

Scott Gross:

The way the Peters Johnson bill was written and the way I see the emerging threats act, and again I'm not an attorney nor am I a politician, but my opinion is that critical infrastructure would have limited mitigation authority. However, granting additional authority to SLTT to assist with mitigation is plausible.  

One thing I would love to be able to see moving forward, I don't see it happening this year or maybe even in the next Congress, would be to allow the critical infrastructure to be able to somehow geofence their site. I would love to be able to just turn a drone around - send it back and protect the airspace. Over my critical emphasis - my substations, my transmission stations and so forth.  

  

David Lewin:

Are you concerned about what's happening in Ukraine and do you think that that's going to spur on additional regulatory compliances within NERC/CIP or do you think that NERC/CIP is going to be implemented in a manner that takes drones seriously? I guess those are kind of two separate questions: is Ukraine going to help push concern for drones along, and is NERC/SIP requiring anything today?  

  

Scott Gross: 

Right now, my interpretation of NERC/CIP would be that they can actually give you a pretty blank canvas to be able to meet the standards. Let's cite an example for physical security that's sub-six. Sub-six gives you standards that you must meet, but it does not tell you exactly what equipment to use or how to implement that. That is your responsibility as the customer as the shareholder or the other utility.  

We just went through a NERC/CIP this past October and one of the positive comments that the auditors made was that the technology we were using for the drone detection showed that our company, Con Edison, uses sophisticated technology to increase the security posture of their secured building.  

They are aware and they recognize the value . However, you must understand that some of the utilities throughout the country have very limited budgets and this could - if they actually incorporated this into one of the standards - impact how those utilities manage their corporate security. 

  

David Lewin:

Interesting and it could probably make costs go up for users as well, right? Or for their customers? 

  

Scott Gross: 

I would think so. You know, all the budgets we have are all based on rate cases where we go to the Public Service Commission of the local authority which in our case is the state of New York and we say, “okay because of the cost of purchasing energy and distributing that energy, and protecting our facilities, we need 10% more from the customer.” And since the Public Service Commission is representing our customer base, they'll come back to us and say, “All right. No. We're not going to give you 10 but here's 7%.”  That’s what our budgets for the next few years are based upon. So that's how we project our budgets and, hopefully, increase the quality of the systems that we have to meet the emerging threats. 

  

David Lewin: 

Do you feel like it's going to be primarily tier-one facilities under NERC/CIP regulations that are going to- receive the funding to implement drone detection or any sort of counter drone systems?  

  

Scott Gross: 

Are you saying federal funding? 

  

David Lewin: 

My question is more, is this going to be limited to tier-one facilities or do you think it will be expanded in terms of drone detection to other less critical facilities as ranked by NERC/CIP compliance?  

  

Scott Gross: 

Well, again right now, NERC/CIP doesn't require you to have a drone program, but the security posture could dictate exactly how you proceed.  

In our particular case, just because of the sensitivity of our customer base, we elected to move forward with the drone projects. Tier-one facilities would be, of course, your most critical assets. Therefore, I would say yes and this is just my opinion. I know that we are looking as to how we could increase additional sites but that's in the future and nothing is set in concrete as of yet.  

Should the drone projects or drone detection becomes part of the CIP standards that would change the way we would actually budget? Right now, that's not included.  

  

David Lewin: 

Going back, what does mitigation entail? Bearing in mind currently there is no authority for critical infrastructure to “mitigate” and I think you mentioned geofencing would be ideal to where it would just disallow the drone to fly over your space, and maybe it would activate the call home and send it away. How else do you mitigate? 

  

Scott Gross: 

I can explain that a little bit as to what we do in our particular building and that is I am in the process of writing an internal procedure. If we do detect a drone flying over the building for 15 minutes or longer, we will alert our local watch engineer to begin to monitor our networks, looking for any irregularities. If irregularities are observed, we could begin to shut those systems down and move to our alternate sites, allowing power to continue to our customer base. 

  

David Lewin:

That's interesting. That's really proactive. One of my questions is also kind of changing gears here a little bit back to your comments on presenting this project to leadership at the beginning who agreed to fund the initial phases of drone detection.  

How has the response been from leadership after seeing the real activity after you've had you know 8,800 sighting in the last six or eight months? Do you think that helps create a business case for them to justify continuing to invest in drone detection or counter drone programs? Did it help to move it up in the priority list since you're collecting data? 

  

Scott Gross: 

I think that there's no doubt that when I initially present it to upper management, everybody looked at me and said “well, we're not sure if we really want to move forward.” As we began to share data and alerts with them, they became more alarmed.  Other organizations were following the project and sharing data with their membership. Our upper management is now well aware of what this project is, and they understand that we are in the forefront of the technology. However, that all must be worked into the budgets. And more information needs to be received, which is why we are sharing internally and  externally. 

I'm hopeful that leadership looks with favor on expanding these systems  

  

David Lewin:

We have a question on the NERC/CIP topic. Could you help with context around how NERC/CIP works? And why they would or would not become more explicit in this area about detecting drones or mitigating drones? 

  

Scott Gross: 

Again, I'm going to answer this on a personal level. I could see that NERC and CIP trying to enforce this as part of a new standard would be a very costly operation for most utilities in the country. But I think that what they are doing is monitoring activity, such as ours, closely and would consider it moving forward.  

  

David Lewin:

Okay, this type of detection might fit within a CIP 6 compliance on multi-factor authentication or somewhere else? Are there any other sections of NERC or CIP that require some sort of protection at the fence  line of people or vehicles or, aerial detection of things crossing the perimeter fence or anywhere else that this might fit within CIP?  

  

Scott Gross: 

No doubt about it. This particular type of system [drone detection] definitely enhances physical protection of the building, and also could protect and monitor the cybersecurity of the building as well. So, yes, this system could fall under multiple standards. We have always strived to exceed what the standard requires. That is evident from the comments by the auditors, this past October. And so, therefore, I could see us expanding this project. However, as far as other utilities are concerned, I think that NERC and CIP are looking for additional data before they make any recommendations. 

  

David Lewin: 

Okay. Fair enough. Well Scott, thank you so much for your time. I really appreciate this. You're definitely on the cutting edge and being very proactive, which we all appreciate. And thank you, of course, for the efforts on the steering committees that you're on with SIA, and with the Drone Security Alliance in DC that are helping to push things forward for everyone not just ConEd.  

  

Scott Gross: 

You're very welcome. I want to just thank everybody and if you have any questions, don't hesitate to reach out to me. I'll do the best I can to answer them for you. And I appreciate David, your time and your effort to expand the concerns all around the drones in the emerging threats.  

  

David Lewin: 

Awesome. Right on. Well, have a good day, everybody. Thanks so much.  

 

Note: Minor edits have been made to the transcribed dialogue for clarity only.