Regulators have been good at focusing their security mandates on issues of concern. Each regulation focuses on a specific issue, such as cyber security, access control or suspicious-incident reporting. Unfortunately, each requirement does not address coordinating facility functions, physical security, technical systems, emergency response and other operational considerations naturally linked by the way in which utilities function. Some regulatory requirements can be essentially impossible to implement without structural redesign of the facility. Although regulators do allow for utilities to claim "technically unfeasible" exceptions to their regulations by explaining why a requirement cannot be complied with, taking advantage of this process is both time-consuming and undesired.
Many utilities prefer a minimalist approach to meeting the requirements of these unfunded mandates to expedite compliance and thereby appease auditors most efficiently. The natural desire to limit time and effort on compliance activities has led utilities to develop components of their security program without updating related policies and procedures. This approach can lead to a series of overlapping and partially redundant procedures where security events might have a dozen or more procedural documents that apply, depending on the cause of an incident. Utilities might have independent procedures dealing with outages due to natural causes, vandalism, suspected sabotage, cyber system intrusion and other threats. Further complicating the challenge, emergency response, information technology, cyber and physical security responsibilities are usually under different department umbrellas, which can serve as a roadblock to coordinated planning.
One source of confusion for power utilities is the blizzard of reporting requirements related to an unexpected outage. Procedures may require reporting to the Department of Energy, Homeland Security, FBI, the Royal Canadian Mounted Police, state officials and local law enforcement. Different reporting forms must sometimes be used to report the same activities, further complicating response activities.
To solve these problems, utilities should create one coordinated Security Action Plan that effectively cross-references policies and reporting requirements or replaces them altogether. These new documents should effectively coordinate necessary activities among operations, information technology, security, emergency responders and management. Tabletop exercises will confirm the effectiveness of any new plan.
Strategy 3: Go "No Tech"
Every advanced technology is ineffective if the fundamentals of operational security are missing or underdeveloped. Verified background screening of contract security personnel, contractors and vendors is rightfully becoming the accepted practice for utilities. In cases where outside firms perform such screening, regular audits of these checks are now being written into contract language to enable utilities to validate the thoroughness of these checks.
Protection of sensitive information is more important than ever. Utilities are developing policies to protect information such as site plans, security system layouts and assessment reports, which are no longer transmitted in an unsecure manner. Key control is one important area where historical ambivalence is now giving way to more informed understanding and attention. The most sophisticated access control systems can be rendered "Security Theatre" if physical keys to facilities are not also under control. Formal key control programs have evolved to the point where developing and retroactively implementing them has become far easier. Facilitating regular plant access for outside entities has historically proved troublesome.
Remember, security is only as effective as its weakest link (or lock), and it is no longer acceptable to allow a series of "Master Lock #1" padlocks to outnumber the links at a facility main gate. Removing easy-to-breach locks is now the standard of practice, and other "non-utility" entities that need access are coming to understand and adapt to the new security standard for power facilities. Old locks can either be replaced with more secure devices with anti-copy keys or, better still, not replaced at all. Access should be granted only when the facility is open or at times when an escort is available.