Electric Sector is leading the charge for security

Jul 8, 2006 12:00 PM



Editor:
The article “Power Generation Sector Vulnerable to Terrorist Attacks?” (Access Control & Security Systems, April 2006) quotes a source identified as a “critical infrastructure security expert.” I don't believe there is such a thing since there are 17 separate critical infrastructures, each with its own unique vulnerabilities. While general security principles are the same, the deployment and methodology vary greatly from sector to sector.

Comments in the article seem to transfer assumptions of the banking industry to power plants. Indeed, if our systems worked like a bank we would be woefully unprepared. The electric system is, in fact, a robust and dynamic system that does not rely on a specific plant or even a couple of plants or other assets. It is designed to withstand multiple failures caused by weather (our historic enemy) and can be recovered quickly if there is disruption regardless of cause. Katrina and Rita devastated the electric system in the regions they damaged, yet every customer that could receive power was recovered within 12 days. Entire facilities and thousands of miles of transmission were destroyed, and yet it was all recovered in record time.

I also take exception to the idea that the Electric Sector is being “pressured by the North American Electric Reliability Council (NERC) to focus more on defense from cyber attacks.” The fact is, NERC is made up of members of the electric sector. There is a core staff in Princeton N.J., but the organization, which has dealt with reliability issues through the creation of and auditing of compliance with currently more than 100 separate standards, is made up of committees. Members of the industry populate these committees. One such committee is called the Critical Infrastructure Protection Committee (CIPC), which has been in place for over two years as a standing committee, and before that existed in NERC as an advisory council and was called the Critical Infrastructure Protection Advisory Group or CIPAG.

The CIPAG was formed years before Y2K and was focused primarily on the cyber issues related to making sure there would be no issue on Y2K. After 9/11, the focus changed and more physical security and operations people joined the group. When it officially became a committee, the voting members were and still are comprised of one cyber security, one physical security and one operations member per NERC region. This committee was the first industry group to generate cyber, physical security and operation guidelines (originally 10, now 17), and had them created and published by spring of 2002. The Cyber Security Standards (CIP-002 through 009), which were just approved by the NERC board, were created by a drafting team made up mostly of CIPC members. These replace the temporary Cyber Security Standard NERC 1200, which was in place as of August 2003. The Electric Sector was also the first sector to publish a Threat Alert System, long before DHS came out with its 5-color system.

I take offense to any portrayal of the Electric Sector as being pressured into improving physical and cyber security. The professionals of the Electric Sector have been leading the charge, not resisting or hiding from our responsibilities.
R. Scott McCoy, CPP, CISSP, CBCP
Director, Enterprise Security, Excel Energy

YOUR THOUGHTS

We are looking for reader feedback. E-mail larry.anderson@penton.com

© 2012 Penton Media Inc.
