Threats against power utilities in the United States have never been as real or diverse as they are today. Combating rising theft, vandalism and cyber assaults in today's economy is a challenge for power providers throughout the country. Utilities must also defend against the looming threat of terrorism, which holds catastrophic potential for damage.
Multi-billion dollar economic losses are no longer the hypothetical scenario of a successful attack, but are expected even for short-term regional outages. Industry experts concede that the economic impacts in a worst-case scenario are incalculable.
Regulators have, in recent years, developed a number of security mandates which apply to power providers, transmission operators, reliability coordinators and other service providers. Planning security program improvements while faced with looming regulatory compliance deadlines requires a comprehensive set of security strategies. This article highlights strategies the nation's top utilities have used to achieve their goals.
Strategy 1: Start a Cultural Evolution
Most utility infrastructures are many decades old and their facilities were not built with security in mind. Throughout the 20th century, attacks against power facilities and infrastructures were relatively minor and infrequent. Overall, security risks during this time were appropriately categorized as low. The culture of security for power utilities from their beginnings centered around the notion that even with easy access to their facilities and control systems, it would be too difficult or dangerous for someone to attack their facilities.
When incidents did occur, they were usually linked to vandalism or other petty crimes of low consequence. These facts validated the cultural mindset that security concerns were not a priority. Increasing threats from wire thieves, cyber adversaries and others has changed the perception of security and underscored the need to change every utility's security culture.
Power control systems have evolved from a maze of rudimentary logic devices that required physical access and special operational knowledge. Modern SCADA systems are now computerized and easy-to-use systems that can be operated from anywhere in the world with an Internet connection and readily available software. Smart grid initiatives bring with them a whole new subset of risk. Fortunately, the industry as a whole appropriately recognizes many of these emerging threats and new best practices are addressing these issues.
The new power industry standard of care requires an evolution of thinking for everyone within the organization to address current and emerging security threats. To implement this necessary change, a multi-faceted approach to security renovation is in order. Utility mission statements should be updated to include references to security. Pre-employment screening must go further than simple identity verification and should be tailored to the level of physical access to critical infrastructures and logical access to information. New employee hiring orientation should include a thorough introduction to the security culture of the utility. Each and every employee should be on record agreeing to adhere to security requirements regardless of their title or job duties. Penalties for security protocol violators should be clearly understood and enforced. An anonymous reporting mechanism should be put in place to allow for potential security issues to be forwarded for investigation without fear of retribution.
Finally, if collective bargaining agreements are in place, they should be updated at the first opportunity to address this new security culture. It may take some time for the complete transformation of the security program to occur, but utilities throughout the country are taking the steps necessary to evolve their security culture.
Strategy 2: Create a Coordinated Security Action Plan