up to 18 months after 9/11 and the second covers a mid-term response from 18 months after 9/11 to five years out. "It was all closely guarded and encrypted, and we shredded what paper we had in hand," Amin says. The reports were circulated to the members of the board, as well as to various levels of government agencies, like the FBI, with which the group cooperates. EPRI's EIS has about 35 entities involved now, including U.S. and Canadian utilities, distribution and transmission companies, and other organizations.
As an outgrowth of the EIS work, EPRI is developing an intrusion detection tool, and tools for resource-constrained encryption for utility applications. To broaden its work to include more affected entities, in late April, EPRI launched a two-year program, the Infrastructure Security Initiative, to address near-term industry security measures. As part of its overall strategy to maximize utility enhancements of their security findings, EPRI is utilizing surveys to help participating utilities benchmark where they are in their security program development. Amin also advocates the use of game theory to develop potential attack scenarios against which utility officials should train.
Secrecy Enhances Security
For-profit consultants also have become much more active in advising utilities on the full scope of security measures, but even they are not discussing details of their recommendations or of utility adoption of measures. "Specifics would not be appropriate due to the sensitivity of the situation," says Larry Bean, the president of Energy Services, an operating unit of Pinkertons, in Parsippany, N.J. His unit serves about 16 electric utilities presently, drawing on a staff of more than 1,200 employees. "Utilities have stayed close to the leading edge of security innovations for a number of years, but it has been a very active period recently," he allows.
For distribution and transmission entities, the need for outside security consulting is perhaps greater than for generators, given the relatively low past expectation of physical security breaches. "Transmission facilities are not as physically secure sites as other (generating) facilities are, so we did have a consultant in last fall and are working through his recommendations," says Mike Calimano, the vice president of operations and reliability at ISO New York. "We also recently had a DOE (U.S. Department of Energy) vulnerability assessment, and they are coming back again in the fall," he says. "We're basically using outside security consultants because security wasn't a great concern originally," he says, of the historic priority assigned to physical breaches.
Part of the problem of public assessment of security procedures and technology capabilities for electric utilities is the generally secretive blanket thrown over the issue, analysts say. "In the past, utilities were very closed-mouthed about what their security problems were," says Herbst. Following 9/11, secrecy has become another tool in the portfolio of limiting exposure to attackers, say other industry officials. "We are no longer sharing as much information about what our contingency plans or alternatives are," says Whitley. "The first thing we've done and need to continue to improve on is change the way we control the information we share with general public: maps, diagrams,