Three strategies for utility security

How the nation's top utilities are tackling security challenges

Utility employees should be clear on what their security responsibilities are, how to support enforcement of day-to-day policies, and what they should do if they witness suspicious behavior or become aware of a security breach. Regular awareness training on current and emerging threats, policies and procedures confirms staff knows their roles and helps ensure a unified and consistent response to unexpected events. Conducting incident response exercise drills not only reinforces the importance of the security program and increases general awareness, but these exercises also uncover meaningful opportunities for program improvement. It is not uncommon for issues to be identified during incident response drills that were not previously known to management or security personnel. Including stakeholders from each operational function into these drills improves the effectiveness of such exercises and fosters a cooperative security environment. Focusing first on low-cost or no-cost capital improvements helps set the framework for a successful utility security program.

Lessons Learned

Implementing security program changes requires leadership, vision and skill. Evolving the culture of security can sometimes be met with significant initial resistance. Humans are, by nature, creatures of habit, and the phrase "old habits die hard" applies to dated security mindsets. A 2005 study by the Massachusetts Institute of Technology confirms that bad habits are much more difficult to break than good ones.

Diligence and management support have proven critical to program improvement success for utilities across the country. Coordinated security plans not only aid in meeting compliance requirements, but can also serve as an operational bridge among various departments. Good planning leads to a coordinated application of security throughout the utility and less confusion about responsibilities during an incident.

In these challenging economic times, utilities are gravitating toward low-cost or no-cost improvements. Successfully implementing these "No Tech" measures can benefit the security program just as much as high-cost capital improvements. No single measure by itself can address every security concern, but applying these three security principles has proven to raise both the perception and reality of power provider security programs.

James R. Black, CPP, PSP, CSC, CET serves as senior security consultant for TRC Solutions out of its Irvine, Calif., office. Over the past 15 years, Mr. Black has developed comprehensive security programs for some of the nation's largest power producers. He is a member of ASIS Architecture and Engineering Council and the International Association of Professional Security Consultants. He holds numerous security licenses and regularly writes and lectures about current and emerging security technologies. Contact him at