Power Generation Sector Vulnerable to Terrorist Attacks?

Apr 1, 2006 12:00 PM

While most U.S. refineries are well prepared to identify, repel or neutralize man-made attempts to disrupt operations, it does not mean that refineries are operating at a “best practice” level with respect to physical and cyber security, a critical infrastructure security expert tells the Denver Business Journal.

The U.S. power generation sector — based on observations at numerous plants and transmission facilities — is woefully behind in deploying both hard and soft methods to keep hackers and terrorists from disrupting operations, according to Ken Miller, CEO of Denver-based Ensuren Corp., a provider of security solutions for critical infrastructure.

He clarifies that the huge conglomerates that own most of America's refining capacity have put together more comprehensive security programs that establish standards for information technology and security in critical control environments. In mid-tier and smaller refineries, however, this effort has not happened yet.

But the refineries are more sophisticated than power generators in terms of security, Miller says. He goes on to say that it would require a comparatively small investment of time, manpower and money for the power generation sector's security initiatives to reach the sophisticated level of the refineries.

While the process control technology in refining is almost identical to that in power generation, Miller points out several differences, the most important being that power plants are more likely to have process control systems in unsecured areas, easily available to anyone who has access to the plant. Generally, more technicians work on process control systems in power generation, while more engineers work on process control systems in refining.

He says the power generation sector needs to focus more attention on securing all layers of the process control environment — facilities, personnel, networks and systems. “At some locations, as soon as you enter the property, you realize that the physical security is so weak that cyber security almost becomes moot,” Miller says.

In terms of computer-based attacks, both the power generation and refining sectors must be ever-vigilant against a malware intrusion, he adds. There is a high propensity for the propagation of malware through process control networks, either intentionally or accidentally, that can bring down view and control of critical processes.

“While the refining industry is voluntarily moving into what we call cyber security, we are finding fewer power generation groups doing the same,” Miller says. “The power generation sector, however, is being pressured by the North American Electric Reliability Council (NERC) to focus more on defense against cyber attacks.”

The cost to install a best-practice layered security system can be in the hundreds of thousands of dollars.

But, the expenses associated with having inadequate security systems in the power generation sector can be in the millions or tens of millions of dollars per day if a plant goes offline. Also, there can be lawsuits filed because the power company was unable to deliver its demand load. There can be adverse regulatory scrutiny, and worse yet, loss of faith in the company's financial stability.

The choice would seem to be quite a simple one, Miller says.

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue