[Editor's note: 'At the Frontline' is part of a joint interview that Security Technology & Design and SecurityInfoWatch.com do each month with a top-level security director. For the rest of this interview, see page 68 (the back page) of the April 2005 issue of Security Technology & Design magazine.]
Name: Anne M. Gibbons, CPP, RPA
Title: Building and Asset Security Analyst, Sr.
Company: Georgia Power Company
Years in Industry: 20
Most Recent Security Technology Purchase: Security management system based on high-end access control product
How does Georgia Power validate the identity of employees? Are you using multi-factor authentication (for example, a biometric authentication and an access card) at many of your facilities, or is this reserved only for high-security operations?
We constantly look at ways to validate the identity of employees. One of the criteria for the new access control system we chose late last year was the ability to utilize several methods of authentication. Our decision to use Smart Card technology will be helpful as decisions about authentication methods are integrated in the future.
Part of the security detail is to keep untrained, unauthorized persons away from the nuclear, coal and hydro plants. What new perimeter security technologies and intrusion detection systems have you researched or found that have gained your interest?
Perimeter security technologies have come a long way over the past few years. Particularly impressive is video analytics, which show the most promising future for capturing critical information. They also make the transmitted data useful by honing-in on only the necessary image. Smart sensors will give us the ability to recognize objects and activities so we can focus on the deviations from the norm. Strides in perimeter security that distinguish between people and animals also offer an attractive advantage. These applications also eliminate the need for viewing unnecessary images in a control center; thus allowing personnel to focus on screens where action is taking place. While there are still hurtles to overcome such as cost and bandwidth limits, I believe this technology is worth keeping an eye on.
Your reservoirs not only have industrial/utility purpose, but also create lots of recreational opportunities. How do you balance the need to secure power-generating facilities with the need for access by local recreation enthusiasts? Does this dual need make perimeter security a greater challenge?
Any time industry and the public are in close proximity, there ought to be concern. In these situations, there is always the danger of guests -- by accident or curiosity -- straying into areas which are restricted. Balancing various constituencies' needs for access is always a challenge but by overseeing these combined business/recreation areas and making sure our visitors understand the rules, we are able to effectively make them serve a dual purpose. Since rivers and streams flow across public and private land into our reservoirs, it would be most difficult to not share our recreational areas.
Facial recognition systems have been widely criticized in public applications as invasions of privacy, but they are widely marketed to nuclear and power plants, specifically for access control. Have these systems matured to the point that they are suitable for the high-security applications they target?
I can't speak for nuclear, but I have watched this technology and believe it has matured into a very usable product. While any such technology can be viewed as an invasion of privacy, I believe the benefits far outweigh the concerns. We all must understand that we live in a very different world today from what we were used to growing up. I once heard that for "every ounce of security, one gives up a pound of freedom," and because of this sacrifice, we as security professionals must always weigh what we are asking of those we seek to protect. That being said, I believe high-security applications simply must rely on multiple forms of authentication. The best of all worlds are authentications based on something you are (facial recognition, retina scan, etc.), something you know (a password or other memorized data), and something you have (an access card, a key, etc.) Even though some privacy is lost, much is gained because there is less room for error for a minimum inconvenience.
Do you incorporate disaster or attack simulations into emergency preparedness training? If so, how are local officials involved in these efforts? What part do such exercises play in the evolution of contingency planning?
Emergency response has always been a trademark of Georgia Power. Because we must cope with natural disasters -- sometimes several times a year -- we have a team of response professionals who are second to none. I am please to say that when 9-11 struck, we already had a comprehensive written emergency plan. Since that time tremendous energy has been poured into enhancing that plan, by setting up a strategic corporate team in addition to our multiple on-site teams; setting up an interfaces with a team at our parent, Southern Company; performing exercises to make sure the plans are practiced and improved. The key to a really well-managed plan is the understanding that it is always a work in progress which must be improved, drilled and refined and never considered finished. A plan, not tested, is not much better than no plan at all.
Potential cyber terrorism against critical infrastructure facilities has been increasingly highlighted in recent years, particularly after an Ohio nuclear plant's network was temporarily affected by the Slammer worm in 2003. Do you believe cyber terrorism is a significant threat to U.S. utilities? How do you work with other departments to increase security against and awareness of this threat?
Cyber threats are handled by in a different department, Information Technology Security; however because of increased regulatory requirements, it is becoming more and more necessary to work together, for instance, the FERC requirement to ensure adequate physical security for critical cyber assets. Sarbanes-Oxley is certain to offer additional joint opportunities. I have also found it beneficial to involve IT Security professionals in high level meetings to present security issues from their prospective. I also meet with members of their group to capitalize on projects we can mutually support; for instance there is a good opportunity to pair physical access control methods with logical access. Over the last few years, there has been a noticeable shift toward the convergence of physical security and information technology. I believe as we move forward into a converging security and information technology arena, the role of each department will become less and less easily distinguished. By seeking to understand the commonalities we share, we will be better equipped to work toward more viable combined solutions and a better awareness of the threats that concern us all.
Damage to transmission lines and distribution lines poses great economic and public safety concerns, and yet there is such a great web of them across the state that securing them must pose a particular challenge. Do you have security technology in place to protect the lines, or do you rely on human factors for this level of protection?
You are correct in your assumption that these pose a special opportunity and that protection of these assets is a challenge. While I choose not to comment on specifics, these assets like all others are protected and monitored in a number of ways. It is my belief that really good security (for protecting any property) is achieved by striking the right balance between security personnel and technology and adjusting both as the threat or threat perception rises. Keeping informed about what is going on in the world and in the industry is the key for keeping security at the proper level.
