SURGE OF PROTECTION
Dec 1, 2004 12:00 PM, By Karl A. Seger
Since the Sept. 11 attacks, federal agencies have required vulnerability assessments for most water utilities, natural gas transmission and distribution systems, and electric transmission systems. Emergency response plans have been modified and updated, and security guidelines have been developed at many utilities.
Accountability for utility operations, including security, is mandated for many utilities by the Sarbanes-Oxley Act of 2003. Guidelines for utility responses to changing Department of Homeland Security (DHS) threat levels for physical and cyber-security have been developed and updated by the North American Electric Reliability Council (NERC). DHS funding is provided for upgrading security at some utilities, and most utilities will be affected by the National Incident Management System (NIMS) and local Incident Command Systems (ICS).
While the focus of many of these security programs is on preventing acts of terrorism and attacks by other extremists, an effective utility security program must also focus on its two primary threats: disgruntled employees and angry customers.
How much damage can a disgruntled employee cause? Consider the results of a cybercrime study conducted by the U.S. Department of Defense indicating that the average cost of an incident caused by an outside hacker is $56,000, while the average cost of responding to a malicious cyber-attack by an insider is $2.7 million.
Regardless of how effective its customer service program is or how reliable the system is, every utility will have an occasional angry customer. Angry customers have vandalized utility equipment, including vehicles, threatened and assaulted utility employees, and have been responsible for other malicious acts such as bomb threats.
How in a post-Sept. 11 world should a utility approach its security program? Hopefully by being realistic and budgeting security funds to address actual vulnerabilities and risks. Since the utility cannot protect all of its assets, it must first determine which assets are critical to system operations, assess the threats to and vulnerabilities of those assets, and then develop a risk management program to improve the security of the critical assets.
Threat
The first step to improving security at a utility is to identify the threats, both internal and external. In a larger utility, the threat committee includes personnel from human resources, security and operations. In a small utility, the committee may be the manager and several supervisors. If there is a possibility of retaliation by a disgruntled employee, local police should be notified. If there is a security guard force, guards should also be notified and provided with a photograph of the former employee and a description of the vehicle that person drives.
Protection from angry customers involves access control to the utility's facilities and personnel protection policies. Access to the facilities should be limited to customer service areas only, and these areas should be open with a high degree of visibility. Even offices where customer payment needs and other personal information are discussed should be kept visible by using glass walls. Clearly visible surveillance cameras also help to reduce the threat.
Personnel protection policies are as important in the field as they are in the office. Employees should be trained to deal with angry customers and learn how to help an angry customer vent their frustrations until the employee can safely withdraw from the situation. Having specific check-in times also helps reduce the risk to field employees. If an employee does not check in with the dispatcher at the appointed time and the dispatcher cannot reach the employee by radio or cellular phone, another employee can be sent to the area. If it is a high-risk area, police should be notified.
When assessing the specific risks to a utility, it is important to contact local law enforcement to discuss the crime data in the area. Law enforcement officers will also know who the local criminals and suspected criminals are and who is potentially dangerous. A crime prevention officer could conduct a vulnerability assessment of the facilities and provide recommendations to decrease risk.
An assessment of the threats to a utility should address the following questions:
Have an employee or employees recently been terminated for cause? If so, does this employee represent a potential threat of retaliation?
Are there problems within the labor force that would lead to disgruntled employees and possible internal threats?
Are there specific customers who are angry with the utility and who represent a possible threat?
Have there been any recent actions such as a rate increase, accident or environmental incident that would cause customers to be angry with the utility?
Are there extremist groups operating in the service area?
What is the crime rate in the area?
Criticality
Some assets are more critical to utility operations than others. For example, distribution substations linked to the transmission grid are obviously more critical than substations that only provide service to a local neighborhood. The customer load of the substation should also be considered. Substations that provide service to emergency response offices and major medical facilities are more critical than those that only service residential customers.
Identifying and prioritizing critical assets is usually a common-sense exercise. In large systems, there are various methods used to prioritize critical assets including criticality matrixes and other numerical evaluation approaches.
Vulnerability
There are numerous security checklists that can be used to identify potential vulnerabilities at critical assets. The crime prevention officer at the local police department will either have a physical security checklist or will help identify resources where appropriate checklists are available.
Physical security is usually assessed using an outside-in approach. Using a substation as an example, assessment should begin by inspecting the area outside of the fence. There should be a 20-foot clear area on both sides. Next, the fence and all gates should be inspected. This means walking the entire fence line looking for washed-out areas or problems with the fence itself. In most cases there will be three strands of barbed wire on top of the fence, facing outward.
Lighting should also be inspected, and it should be checked at night. Finally, structural security of control rooms and other physical assets at the site should be inspected. Windows and doors must be secured commensurate to the local threat.
Some utilities are adding intrusion detection systems and video surveillance at critical sites, including substations. A local security company can recommend, install and help maintain intrusion detection systems appropriate for the degree of threat and the environmental and other physical considerations in an area. Video surveillance systems should include recorders. Malicious acts may not be directly observed as they occur, but the recording system will help identify the perpetrators when the act is detected.
Cyber-vulnerabilities should also be identified, including threats to the internal network, Internet communications and the Supervisory Control and Data Acquisition (SCADA) system. If the utility does not have a network security employee, an outside source can conduct a vulnerability assessment of these assets. The SCADA system, depending on its functions, may be of particular importance. A system that only monitors operations is not as critical as a system that has control functions. In all cases, access to the SCADA system, both cyber access and physical access, should be tested, and if vulnerabilities are identified, they should be corrected.
Risk
The team that assesses the threats to the utility and then identifies the critical assets and vulnerabilities develops a list of options to reduce the risks at the critical facilities. These recommendations are in three categories — immediate, short-term and long-term.
Immediate needs might include holes in fences, the need to upgrade or replace locks and other obvious needs. Short-term needs — those falling within the current budget, but not an immediate need — include replacing doors or adding security screening to windows. Long-term needs include replacing the fencing at critical assets and adding or upgrading intrusion detection and video surveillance systems.
Determining the amount of risk the utility is willing to accept is a management decision. It is the responsibility of the security assessment team to make recommendations on how to reduce the risks identified, but the team should expect that management may not adopt their recommendations.
Preparing for a crisis
Utilities have an advantage over other industries in that they have experience in responding to crises. There is an emergency response plan in place that is reviewed at least once a year and updated as needed. There are three considerations in updating a post-Sept. 11 emergency response plan.
The list of external emergency contacts should include a regional Homeland Security Office. Depending on the nature of the incident, the nearest office of the Federal Bureau of Investigation should be notified. The contact information for both of these offices should be included in an emergency response plan.
Although the physical and threat response guidelines published by the North American Reliability Council (NERC) are written for electric utilities, they may be adopted for other utility services as well. These guidelines are found on the NERC Web site, www.nerc.com.
The utility should become familiar with the National Incident Management System (NIMS), enacted by the Department of Homeland Security in March 2004. Information on NIMS is available at www.dhs.gov. The Federal Emergency Management Agency (FEMA) offers a self-study introduction to NIMS, “National Incident Management System (NIMS), An Introduction,” IS-700 (August 2004), available at www.fema.gov.
NIMS establishes standardized incident management processes, protocols, and procedures that all responders — federal, state, tribal, and local — will use to coordinate and conduct response actions. This includes the role of utilities in the Incident Command System (ICS) procedures used to respond to local and regional incidents. The primary role of assessing damage and re-establishing utility services does not change, but the overall management of the event and the communication and reporting procedures used may be different. A county emergency response office or the regional Homeland Security office can help the utility understand its role in the NIMS program. The utility may also expect to be asked to participate in training and exercises to implement and test the ICS in the community.
Consequences Could Be Catastrophic
From staff reports
At 103 commercial nuclear power plants operating at 64 sites in 31 states, new security requirements are in place to “make nuclear power plants the most secure industrial facilities in America,” says Marvin Fertel, the Nuclear Energy Institute's chief nuclear officer.
New security measures include:
a 60 percent larger paramilitary security force — increased to a total of 8,000 officers;
physical improvements to protect against vehicle bombs and other potential terrorist assaults;
increased training for security officers;
a rigorous “force on force” mock adversary exercise regime;
increased security patrols and more security posts;
increased vehicle standoff distances;
tightened access controls; and
enhanced coordination with state and local law enforcement.
With an increased threat level and given the nuclear plants' role in the nation's critical infrastructure, it's not surprising that nuclear power plants are the most well protected utility facilities of all. “Nuclear power plants require a completely different set of rules than most utilities,” says security consultant G.F. Bryant, who has performed threat assessments and security integration for utility companies such as Cinergy Corp., Cincinnati. “If they are not adequately protected, the consequences may be catastrophic.”
But security issues are also top-of-mind for utility companies of all sizes and shapes operating all types of plants and other facilities throughout the country. And while security efforts at other utilities may not be as stringent — or as regulated — as those at nuclear power plants, there are still substantial issues and challenges to be dealt with.
“Security at utility companies requires greater regulation because of the impact that a loss of utilities would have on the population, particularly in Northern climates,” says Roger Mellor of HMA Consulting Inc., Calgary. “There is also a threat from radiation, gas leak, dam bursts, and so forth.”
Geography is a factor
One of the most significant challenges of securing utilities is the lack of geographic proximity among many of the facilities.
“The water system for one city can easily consist of over 300 different sites, including treatment plants, reservoirs, pump stations and other facility types,” says John Saunders of Enterprise Protection Associates, Phoenix. “These are going to be spread over a very large area, and network connectivity to all these remote sites is an iffy proposition at best. Obviously, some sites, such as treatment plants, are treated as more critical than others, but the planning and technology to coordinate the security effort to include all essential sites is a difficult undertaking.”
Since many facilities are large and spread out, a two- or three-man guard force cannot be expected to protect them effectively on its own. The introduction of technology, in the form of alarms and alarm assessment tools, can spread the reach of the guard force, and will allow them to provide appropriate response to different security situations, Saunders says.
Cost vs. benefit
Like all businesses, utilities are faced with balancing the costs of security and its benefits, which may not be obvious.
“Visible results may not be immediately tabulated,” Bryant says. “It is difficult to justify the cost of security when the apparent benefit may only be negligible. Security is often transparent. It's what you don't see that could very well be the return on investment.”
“Finding affordable security solutions is a challenge,” agrees Steve Meyer, a security consultant who, previously, was a security section leader at Palo Verde, the nation's largest nuclear generating station. A manager needs to make the right business decision without compromising company assets.
“The security staff must carefully evaluate their needs before making any purchase or entering into any contract,” Meyer adds. “Ensuring an acceptable return on investment (ROI) — an increasing concern among upper management — cannot be accomplished except by way of thorough security assessments.”
Bryant warns against allowing misguided corporate interests to supersede adequate security measures. “Relevant security issues may be ignored or positioned as a low priority,” he says.
A high level of security can be very expensive. Says Saunders: “Requiring extensive infrastructure improvements, in the absence of funding, would seriously impair the ability of many utilities to do business.”
Looking at the total picture is also important. Mellor tells about a nuclear power plant that had an armed response and all of its security focused on the reactor, while there were above-ground power lines going in and out of the facility. And the plant could not be restarted without power.
Security vs. operations
By its nature, security is inconvenient, which is part of what makes it work. The result can be a conflict between operational and security needs.
Balancing an adequate amount of security with operational efficiency may be elusive. “Utilities must properly assess and analyze their risk and implement appropriate levels of security,” Bryant says. “When these security measures are in place, they will not impede operations.”
Integrating employees, contractors and management into the security system is a vital step in making sure the system becomes a part of operations. “Security technology cannot operate in a vacuum,” Saunders says. “The security industry is rife with examples where an expensive, technologically advanced system was installed and then ultimately ignored. This challenge is made more difficult at a utility due to the distributed nature of both the work force and the technology.”
Proper security master planning is the solution, he says. “With many security installations, the bunker mentality eventually co-opts the system, as users find it so inconvenient that they resort to propping doors and ignoring alarms,” he adds. In an effective plan, the designer confers with the operational staff to develop the security designs. Input from users is essential.
There is a delicate balance between site security and operations, Meyer says. Utilities along with their security programs need to protect the public, company property and personnel from theft, sabotage and other criminal acts. “This can be accomplished with a program that allows for monitoring, access control and safety,” he says.
Crisis management: An oxymoron
“If contingency plans have not been evaluated, approved and implemented prior to a crisis occurring, then there may be nothing left to manage,” Bryant says. As critical components in our nation's infrastructure, utilities today must reevaluate contingency planning, and in the event of an incident, be proactive in their effort to ensure effective business continuity. “Utilities must rethink the foundational basis for outdated traditional ideologies and existing internal protocols to determine more appropriate solutions,” Bryant adds.
Can operations and security emergency plans come together during an event? To avoid conflict, operations personnel must be involved with the planning, Meyer says. “Tabletop exercises and practice drills should be conducted. What are the safe shutdown procedures? Are emergency routes and alternate routes well defined to operations and security personnel? All site personnel have a responsibility for site security. The security department relies on the eyes and ears of all personnel to alert them to unusual situations.”
Regulations and standards
When utilities maintain reliability, functionality, safety and reputation without regulation, Bryant says, then none is needed. However, “the ‘War on Terrorism’ requires us to be more aware of our vulnerabilities and vigilant to our responsibilities,” he says.
Saunders suggests that regulation is best approached in terms of developing security best practices rather than stringent requirements. “The wide variety of sites and the disparity in geographic circumstances mean that a degree of flexibility in design is necessary,” he says.
Business processes are generally governed by ISO standards, which are, for the most part, voluntary — but they are essential to continuing business. “There is no reason why a set of security standards could not be developed in the same way. The application of best practices is probably a good start.”
Meyer suggests that, to be effective, current security regulations for utilities should evolve as warranted, with input from the utilities, to ensure adequate protection without over-regulation.
Guard forces
Cost has always been the driving factor for security guard forces in any industry. It is especially so in the nuclear industry. Nuclear power plants require specialized, highly trained, proprietary guard forces with knowledge of both proactive planning and reactive tactical responses. Teamwork is essential. Security clearances (i.e. Safeguards, “Q”) for personnel who work within the nuclear industry are a factor. Finding qualified and dedicated personnel has always been a costly and time consuming task. And once they are hired, retaining competent personnel is a challenge.
“The use of contract security is necessary at many facilities,” Saunders says. “The issues here are no different than at many other locations. The real truth is that contract security is very often a relatively low-paying job. Human error is one of the real problems in a security program. Quality of the guard force and quality of training are the two biggest hurdles. The first can often be overcome by raising the level of pay if possible, and by rigid auditing of the guard force by the utility. The training issue incorporates two areas — general security training and site specific training. These are equally important matters, and regular refreshers for the guards can ensure that they are kept up to speed.”
Ongoing efforts to keep the staff motivated and up-to-date on current events and industry trends are essential to success, Meyer says. “Manpower requirements and staffing can be a challenge for any security force,” he adds. “The nuclear power security forces tend to retain staff longer than most security forces. This speaks to the high caliber of personnel, training, company benefits and working conditions.”
FOR THE RECORD…
About the Author
Karl A. Seger, Ph.D., provides anti-terrorism consulting and training for all branches of the U.S. military, the Departments of Justice and Treasury, and for the Federal Emergency Management Agency. He owns and operates Associated Corporate Consultants Inc., Lenoir City, Tenn., a provider of security training and consulting services for government and corporate clients. Seger has authored “Utility Security: The New Paradigm,” “The Anti-Terrorism Handbook,” and he co-authored “Computer Crime: An Investigator's Handbook.”







