Preparing for the Ordinary Means Protection for the Extraordinary

Protus3 Security Program Development

Although this article was originally written for electrical utilities, the concepts apply to other companies and organizations. Darren Nix of Risk Management Associates authored this article, which was originally published in Security Products Magazine.

Increased security at electrical utility companies for the prevention of ordinary events also provides protection against extraordinary events. There has been a tremendous focus on protecting our nation’s infrastructure from terrorist attacks. For several years, many in the security industry have even been “holding their breath,” waiting for terrorist attacks to become routine on US soil. Public agencies and private sector businesses have been preparing for such events and for how to mitigate and/or respond to them; rightfully so, because it is critical that our industry, and America as a whole, is prepared for such events. The fact is that, in a threat assessment of an electrical utility facility, a terrorist attack is considered a low probability event, but potentially a very critical one. Nevertheless, there is a definite correlation between the increased protection and response that electrical companies provide for higher probability, lower criticality events and the security measures needed to protect against and respond to terrorist attacks on our infrastructure. As a key element of our country’s infrastructure, electrical utilities face the threat of high probability events as well as low probability terrorist acts.

Electrical utility providers have a responsibility to protect a variety of facilities and assets, such as power plants, operation centers, remote maintenance facilities, substations, transmission lines, and office buildings. Each of these facilities holds assets to be protected, such as employees, confidential company files, critical production equipment, precious metals, service equipment, money, and others. Homeland Security directives require electrical utilities to identify, prioritize, and protect BCI (Business Critical Infrastructure) facilities and operations. The utility providers protect assets at these facilities and other assets throughout their organization. A breakdown of those facilities might look like the following:

  • Generation facilities including control rooms at these facilities
    • Coal (fossil fuel) plants
    • Hydro Plants
    • Nuclear Plants (Government Regulations on security)
    • Gas fired IC Turbine facilities
  • Operations
    • Substations (Some are more critical than others, with 500kV subs generally the most critical. Others are 230kV, 115kV, and 66kV. Some substations provide power to customers such as military bases, hospitals, government facilities, etc.)
    • Transmission lines (hardest to protect)
    • Distribution lines
    • Control Center (very critical facility where generation operations are monitored and to a great extent controlled)

Federal, state, and industry regulatory demands are placing increased pressure on the electrical utility industry to handle incidents in a manner that minimizes the impact of downtime while maintaining public confidence. As with other businesses, utility providers should determine the probability and criticality of specific events with a detailed Threat Assessment. Once this assessment has been completed, the company can then provide the appropriate resources to lessen the possibility of the event or its impact on the company. For example, consider the high probability of copper theft. With the rising cost of copper, there is an increase in theft of copper products. Electrical utility providers are among the most susceptible to this type of theft. In most locations, preventing copper theft is a daily requirement. Thieves have been so bold as to cut live or electrified copper lines out of substations. In some cases, assailants have lost their lives in the act. A copper theft of this nature could obviously cause some power outages and would draw the public’s attention to the company’s security. There are certainly many other events to consider, and with the increase of this and other types of incidents in recent years, utility companies have taken many necessary measures to enhance their security programs to prevent higher probability events.

A common standard of care and security practice for the electrical utility companies is to prevent, prepare, and respond. First, prevention techniques are utilized. Each of the following security tools is incorporated in many cases at the facilities:

  • Fencing (height, top guard, etc.)
  • Lighting (standards)
  • Security management systems
  • Access control
  • Video surveillance and recording
  • Intrusion detection systems (buildings, fencing, etc.)
  • Signage
  • Barriers (natural and man-made)
  • Security Guards (presence)
  • Hardened control rooms

By creating a security atmosphere around the facilities and utilizing many of the above tools, the companies are essentially attempting to prevent and thwart unwanted events. By creating barriers around the facility, installing fences, adding signage, meeting lighting standards, and using some of these other tools, utility companies are accomplishing two things. First, they are making it more difficult for would-be attackers to carry out their plan. Second, with some of these other tools, such as security management systems, intrusion detection systems, and video surveillance, security personnel are able to better monitor facilities. These systems send notifications that allow security personnel to assess the situation and perhaps intervene prior to the event taking place. As in our example of the higher probability of copper theft, these prevention techniques also make things more difficult for terrorists. For example, a utility company was experiencing an increase in copper theft at its operations facility by individuals compromising the fence at the back of the facility. Company management elected to increase security by making improvements to the fence, adding video surveillance on the fence line, and implementing video analytics to notify security personnel of activity around the fence. Applying these tools not only makes it more difficult for a copper thief to breach the fence line, but also makes it harder for a would-be terrorist to breach the fence.

Secondly, these companies must be prepared. Preparation unifies and permeates prevention and response. Along with the prevention tools mentioned above, these companies should have fundamental written security policies and procedures. Also, it is extremely critical that they have an Incident Management Plan (IMP) and/or Business Continuity Plan (BCP). After an event or natural disaster, the company must be able to quickly return the business critical infrastructure facilities to an operational status. This accomplishes two things: customer and public confidence is maintained, and power production and transmission are quickly restored, keeping losses in revenue to a minimum. As companies implement these prevention methods, they are in effect becoming prepared. They build on that by training personnel to be prepared. Some of this training is directly related to responding to events. For example, security guards and other personnel are trained in how to respond to certain incidents and how to resolve any problems. Preparation therefore links the level and methods of prevention with those of response.

How a company responds to certain events shows how prepared it was to deal with them and how effective its IMP or BCP is. If the response is poor, then public scrutiny is almost certain, but even with an effective and well-planned response, public opinion is often critical and long lasting. Therefore, prevention and preparation are as important as, if not more important than, response. Utility companies must also communicate with local authorities in order to effectively coordinate response activities. For example, if a copper theft has occurred, then security personnel must gather as much investigative material as possible to give to law enforcement. This may include recorded video, event data, eyewitness statements, and other information that will help in the investigation. Ultimately, the relationship and communication efforts that utility companies develop with law enforcement on the day-to-day, higher probability cases such as copper thefts will increase their overall effectiveness in responding to more critical incidents like terrorist attacks.

Higher probability prevention ultimately assists the company and their security program in being prepared to prevent and potentially respond to terrorist attacks. This point is not meant to imply that if a company addresses all high probability, low criticality events they will be prepared to deal with very critical events, such as terrorist attacks. The resources needed to be able to respond to more critical events are much different than those needed to respond to a less critical event. However, as these companies increase their security posture and implement the tools and techniques to prevent the more probable and most likely less critical incidents, they are ultimately increasing the ability to prevent terrorist activities, are better prepared to deal with terrorist acts, and have the means to respond to those types of incidents.


