The electrical infrastructure, and Kansas City's risk

Sep 1, 2001 12:00 PM, By RANDY SOUTHERLAND



When it comes to threats to the nation's electrical infrastructure, the enemy may not necessarily be at the gates, but in front of a computer keyboard in a distant land.

Just ask Larry Dolci, security director for Kansas City Power and Light Co.

“Threats come from a variety of sources,” says Dolci, an attorney who has held a number of positions at the electrical utility. “Everything from recreational hackers to nation-states.”

Deep in America's heartland, Dolci's company is cyber-scanned 24 hours a day by those attempting to make unauthorized connections.

“Somewhere between 5,000 and 6,000 sources will try to connect with us each month,” he relates. “It's not unusual. If you're monitoring, that's what you will see. Even people with home computers who have put on personal firewalls and who have digital subscriber lines or cable modems, once they start monitoring, will see within the first hour somebody trying to connect to their home PC.”

A few months ago, more than 300,000 computers were infected by the infamous Red Worm computer virus. The malevolent cyber-creature is just one of the many dangers which have infected computers and wreaked untold damage. In most cases, businesses and home-users have felt the inconvenience of having their systems go down for a period of time. However, the possibility of an electrical utility going down, with the harm that can be inflicted on the economy and countless other services, has alarmed many officials.

The Federal Government, through Presidential Decision Directive 6, designated the electrical utilities along with telecoms, oil and gas pipelines, water, and emergency services as critical infrastructure. That action triggered a major effort by electrical utilities, which are largely in private hands, to join with federal agencies such as the FBI and U.S. Army to develop a plan for dealing with cyber-attacks.

While the kid at home who manages to hack into the Pentagon computer network can garner attention, more sinister entities have also been known to use the Internet for their own illegal purposes. These cyber-terrorists include not only firms and individuals trying to commit industrial espionage, but homegrown terrorists, and even highly sophisticated national governments with vast resources at their command.

That's one of the biggest challenges faced by a security director such as Dolci, who must handle the murky and often unseen realm of IT security in addition to the physical security side of cameras, gates, and access cards.

“On the physical side, it's a more mature field,” says Dolci. “On the other hand, the IT field changes daily, and the threats change daily. The defenses against some of the threats are really difficult.”

To protect power plants, substations and offices from outside threats requires more vigilance than in the past. The country's electrical grid is no longer controlled simply by opening and closing switches. Nowadays, computers handle the tasks of generating electricity at the power plant and transferring it to sub-stations and on down the line to individual homes.

“If you want to attack the United States, you can sit in Baghdad with a PC and Internet connection and hack into the system,” Dolci asserts. “If you take out the electrical grid in the country, you're going to lose telecommunications, banking, finance, water, oil and gas pipelines, and emergency services. You can cause a tremendous impact even for installations that have backup generators. [The Federal Emergency Management Agency (FEMA)] says most generators won't start, or won't run 24 hours. Even if they will run, most of them have a one- or two-day fuel supply, and if you don't have electrical energy to pump fuel into tank trucks to take around to them, you're going to start losing some lights.”

That is a threat Dolci and many in the industry and federal government take seriously. For the past several years, Dolci has served on a committee for the national infrastructure center of the FBI and the National Electrical Reliability Council.

“It's a joint committee to harden the electrical grid of the country against cyber and physical attacks,” says the security director. “Working on that group has been a challenge. When we started about four years ago, IT security issues were not anything the electrical industry worried about.”

As a result of the presidential directive, government agencies were ordered to develop cooperative programs with the private sector to harden the nation's critical infrastructure. The National Electrical Reliability Council (NERC) works on a continuing basis with the FBI's National Infrastructure Protection Center. One of their primary jobs is monitoring cyber-attacks and the numerous viruses that make their way through the Internet.

“A major challenge has been to get this thing on the radar of electrical companies,” he explains. “If you look back, to the Y2K period, there were a number of arrests that involved terrorists who had targeted the electrical grid or electrical plants.”

Making sure utilities and other vital services take the threat seriously is a big job and one that has been only partially successful. Some utilities still have not taken steps to protect their assets, but, according to Dolci, the situation is beginning to change.

In the high-tech electrical world, he has not neglected the physical side of security. For example, Kansas City Power's assets are protected by manned guard posts, CCTV and smart cards.

“We're in the process of installing a single automated security monitoring and control station that's going to rely much more heavily on technology — such as cameras and remotely controlled gates and access controls — at our facilities to replace some of the manned positions with electronics,” he notes.

Guarding the utility is complicated by the need to protect more than 2,300 employees and numerous facilities. These include four plant sites with 18 units providing power to customers and selling into the wholesale market for the central states region. They connect to more than 120 sub-stations and thousands of miles of transmission lines. There are also numerous office buildings and service centers.

“We're trying to pull all of those facilities into a single monitored site and to control access,” he asserts. “Being a utility, it presents challenges. We don't have a single facility and a parking lot to take care of.”

Dolci also plans to replace the separate cards now being used for access and ID with a single smart card that permits building access, computer system log-on, and identification.

Melding together IT and physical security is a difficult task, but Dolci believes that the two must go hand-in-hand.

“There's too much overlap,” he says. “There are physical security issues in protecting the computer system. The misuse of a computer can also cause physical damage to systems. You need one entity, one organization that works in both those areas. The people in IT are concerned about keeping the computers on and installing new applications. Their first priority will never be security.”

Dolci took on physical security for the utility after stints in the employee relations and environmental divisions of the company.

“I had the physical security responsibility and some other responsibilities in the company when I was approached and asked to take [IT],” Dolci says. “I was fortunate enough to bring good people into the positions — both the physical and IT positions. I think what it requires isn't the technical knowledge as much as the ability to manage. The priority is managing the function, not the technical knowledge. You can pick that up or you can hire good people, but you have to have the contacts with law enforcement, which I had. I'm an attorney and that helps in the criminal area. It helps give me a background in some of the legalities we're dealing with.”

While a legal background is important, Dolci says the greatest asset any security director can possess is communication skills.

“You have to be able to sell your programs internally,” says Dolci. “You have to be able to establish a good working relationship with law enforcement. You have to be able to talk to the public about your programs. In addition to the basic knowledge of security, you really have to be a diplomat, an effective communicator — part scientist, part lawyer and part engineer. Things have changed. You can't be someone who was just a great cop and move into these jobs and expect to be a success.”

Successful security for an electrical utility means keeping the lights on and the power plants humming. To accomplish that task, Dolci brings a vision that stretches far beyond the plant gates and out into the far reaches of cyberspace.

© 2008 Penton Media Inc.
