[BETA] Fortnightly

State public service commissions are insisting that utilities adopt risk management programs, and are allowing less pass-through for those that don't.

Many electric utilities have been on high alert since Sept. 11 to protect the assets within their systems from cyber and physical attack. Months later, signs are that the warning lights will stay on for years to come as utilities refine their capabilities for attack prevention, mitigation, and recovery, both individually, and as a nation.

The Y2K fear forced virtually every utility in the country to reassess and reinforce the capabilities of their information technology systems, and this exercise helped to prepare the industry against cyber attack today. Expanding security attention from data to physical assets, many utilities were aware of the aging nature of their protection system technology prior to the events of 9/11, and began taking steps to replace and upgrade critical components, consultants agree. The new level of threat that utilities now face means that both procedures and technology must be enhanced in a dynamic way to permit utilities to react to the latest type of threat and still mitigate the potential for disruption or disaster.

Given the geographic spread of all the electric utility sites in the country, it is not feasible to protect all physical assets in the same way, thus prioritization of security efforts is a critical prerequisite to implementing the most feasible solution. Still, generators, distributors, and transmission companies alike are pursuing heightened security capability now.

"The level of response has risen substantially over the past six months for the protection of transmission lines and distribution assets," says Stephen Whitley, the senior vice president and chief operating officer at ISO New England. In the electric utility industry, "[t]actical response is adequate but strategic response is lacking," explains Massoud Amin, the area manager for infrastructure security at the Electric Power Research Institute, in Palo Alto, Calif.

Industry groups and government entities on a variety of levels have accelerated their work to assure the security of the electricity industry. "NERC (the North American Electric Reliability Council) has been acting in the realm of guidance on security issues and on communications for sharing information and threat levels," says Whitley. "And the organization that has done the most to help utilities harden their assets is EPRI. They have gone to countries like Israel and South Africa, where threats are day-in and day-out, and have brought back best practices, which are being disseminated now," he says.

Physical Security Upgrades Start at the Perimeter

Utilities are well along in the process of examining every security tool available, ranging from aerial surveillance to biological weapon sensors. The adoption of some procedure changes carry no cost, in contrast to some equipment that can cost tens of thousands of dollars per location-specific unit. The cumulative portfolio of tools is being enriched from cooperation among utilities, from industry recommendations, and from regulatory orders.

Vehicle barriers are one low-tech, relatively low-cost tool that many utilities have been adding over the past six months to a variety of facility types. After 9/11, the NRC added the