Three strategies for utility security

April 28, 2010
How the nation's top utilities are tackling security challenges

Threats against power utilities in the United States have never been as real or diverse as they are today. Combating rising theft, vandalism and cyber assaults in today's economy is a challenge for power providers throughout the country. Utilities must also defend against the looming threat of terrorism, which holds catastrophic potential for damage.

Multi-billion dollar economic losses are no longer the hypothetical scenario of a successful attack, but are expected even for short-term regional outages. Industry experts concede that the economic impacts in a worst-case scenario are incalculable.

Regulators have, in recent years, developed a number of security mandates which apply to power providers, transmission operators, reliability coordinators and other service providers. Planning security program improvements while faced with looming regulatory compliance deadlines requires a comprehensive set of security strategies. This article highlights strategies the nation's top utilities have used to achieve their goals.

Strategy 1: Start a Cultural Evolution

Most utility infrastructures are many decades old and their facilities were not built with security in mind. Throughout the 20th century, attacks against power facilities and infrastructures were relatively minor and infrequent. Overall, security risks during this time were appropriately categorized as low. The culture of security for power utilities from their beginnings centered around the notion that even with easy access to their facilities and control systems, it would be too difficult or dangerous for someone to attack their facilities.

When incidents did occur, they were usually linked to vandalism or other petty crimes of low consequence. These facts validated the cultural mindset that security concerns were not a priority. Increasing threats from wire thieves, cyber adversaries and others has changed the perception of security and underscored the need to change every utility's security culture.

Power control systems have evolved from a maze of rudimentary logic devices that required physical access and special operational knowledge. Modern SCADA systems are now computerized and easy-to-use systems that can be operated from anywhere in the world with an Internet connection and readily available software. Smart grid initiatives bring with them a whole new subset of risk. Fortunately, the industry as a whole appropriately recognizes many of these emerging threats and new best practices are addressing these issues.

The new power industry standard of care requires an evolution of thinking for everyone within the organization to address current and emerging security threats. To implement this necessary change, a multi-faceted approach to security renovation is in order. Utility mission statements should be updated to include references to security. Pre-employment screening must go further than simple identity verification and should be tailored to the level of physical access to critical infrastructures and logical access to information. New employee hiring orientation should include a thorough introduction to the security culture of the utility. Each and every employee should be on record agreeing to adhere to security requirements regardless of their title or job duties. Penalties for security protocol violators should be clearly understood and enforced. An anonymous reporting mechanism should be put in place to allow for potential security issues to be forwarded for investigation without fear of retribution.

Finally, if collective bargaining agreements are in place, they should be updated at the first opportunity to address this new security culture. It may take some time for the complete transformation of the security program to occur, but utilities throughout the country are taking the steps necessary to evolve their security culture.

Strategy 2: Create a Coordinated Security Action Plan

Regulators have been good at focusing their security mandates on issues of concern. Each regulation focuses on a specific issue, such as cyber security, access control or suspicious-incident reporting. Unfortunately, each requirement does not address coordinating facility functions, physical security, technical systems, emergency response and other operational considerations naturally linked by the way in which utilities function. Some regulatory requirements can be essentially impossible to implement without structural redesign of the facility. Although regulators do allow for utilities to claim "technically unfeasible" exceptions to their regulations by explaining why a requirement cannot be complied with, taking advantage of this process is both time-consuming and undesired.

Many utilities prefer a minimalist approach to meeting requirements of these unfunded mandates to expedite compliance and thereby appease auditors most efficiently. The natural desire to limit time and effort on compliance activities has led utilities to develop components of their security program without updating related policies and procedures. This approach can lead to a series of overlapping and partially redundant procedures where security events might have a dozen or more procedural documents that apply, depending on the cause of an incident. Utilities might have independent procedures dealing with outages due to natural causes, vandalism, suspected sabotage, cyber system intrusion and other threats. Further complicating the challenge, emergency response, information technology, cyber and physical security responsibilities are usually under different department umbrellas which can serve as a roadblock to coordinated planning.

One source of confusion for power utilities are the blizzard of reporting requirements related to an unexpected outage. Procedures may require reporting to the Department of Energy, Homeland Security, FBI, the Royal Canadian Mounted Police, State officials and local law enforcement. Different reporting forms must be used sometimes to report the same activities, further complicating response activities.

To solve these problems, utilities should create one coordinated Security Action Plan that effectively cross references policies and reporting requirements or replaces them altogether. These new documents should effectively coordinate necessary activities among operations, information technology, security, emergency responders and management. Tabletop exercises will confirm the effectiveness of any new plan.

Strategy 3: Go "No Tech"

Every advanced technology is ineffective if the fundamentals of operational security are missing or underdeveloped. Verified background screening of contract security personnel, contractors and vendors is rightfully becoming the accepted practice for utilities. In cases where outside firms perform such screening, regular audits of these checks is now being written into contract language to enable utilities to validate the thoroughness of these checks.

Protection of sensitive information is more important than ever. Utilities are developing policies to protect information, such as site plans, security system layouts and assessment reports - which are no longer transmitted in an unsecure manner. Key control is one important area where historical ambivalence is now giving way to more informed understanding and attention. The most sophisticated access control systems can be rendered "Security Theatre" if physical keys to facilities are not also under control. Formal key control programs have evolved to the point where developing and retroactively implementing them has become far easier. Facilitating regular plant access to outside entities has historically proved troublesome.

Remember, security is only as effective as its weakest link (or lock) and it is no longer acceptable to allow a series of "Master Lock #1" padlocks to outnumber the links at a facility main gate. Removing easy-to-breach locks is now the standard of practice and other "non-utility" entities that need access are coming to understand and adapt to the new security standard for power facilities. Old locks can be either replaced with more secure devices with anti-copy keys or better still, not replaced at all. Access should be granted only when the facility is open or during times an escort is available.

Utility employees should be clear on what their security responsibilities are, how to support enforcement of day-to-day policies, and what they should do if they witness suspicious behavior or become aware of a security breach. Regular awareness training on current and emerging threats, policies and procedures confirms staff knows their roles and helps ensure a unified and consistent response to unexpected events. Conducting incident response exercise drills not only reinforces the importance of the security program and increases general awareness, but these exercises also uncover meaningful opportunities for program improvement. It is not uncommon for issues to be identified during incident response drills that were not previously known to management or security personnel. Including stakeholders from each operational function into these drills improves the effectiveness of such exercises and fosters a cooperative security environment. Focusing first on low-cost or no-cost capital improvements helps set the framework for a successful utility security program.

Lessons Learned

Implementing security program changes requires leadership, vision and skill. Evolving the culture of security can sometimes be met with significant initial resistance. Humans are, by nature, creatures of habit, and the phrase "old habits die hard" applies to dated security mindsets. A 2005 study by the Massachusetts Institute of Technology confirms that bad habits are much more difficult to break than good ones.

Diligence and management support have proven critical to program improvement success for utilities across the country. Coordinated security plans not only aid in meeting compliance requirements, but can also serve as an operational bridge among various departments. Good planning leads to a coordinated application of security throughout the utility and less confusion about responsibilities during an incident.

In these challenging economic times, utilities are gravitating toward low-cost or no-cost improvements. Successfully implementing these "No Tech" measures can benefit the security program just as much as high-cost capital improvements. No single measure by itself can address every security concern, but applying these three security principles has proven to raise both the perception and reality of power provider security programs.
James R. Black, CPP, PSP, CSC, CET serves as senior security consultant for TRC Solutions out of its Irvine, Calif., office. Over the past 15 years, Mr. Black has developed comprehensive security programs for some of the nation's largest power producers. He is a member of ASIS Architecture and Engineering Council and the International Association of Professional Security Consultants. He holds numerous security licenses and regularly writes and lectures about current and emerging security technologies. Contact him at [email protected].