U.S. border security system should be integrated into a larger network of screening points that includes our transportation system and access to vital facilities, such as nuclear reactors," the report states. (p. 387) The commission also "encourage(s) widespread adoption of newly developed standards for private-sector emergency preparedness - since the private sector controls 85 percent of the nation's critical infrastructure." (p. 20)
Mitch Singer with the Nuclear Energy Institute says the industry, by the end of 2004, will have poured $1 billion into physical and cyber-security upgrades, including the installation of additional barriers and jersey walls at nuke plants. The security guard force also has been increased since 9/11 by about 35 percent. "It's over 7,000 guards," Singer says. "They're basically paramilitary forces. Most of them have previous experience either in the military, state and local police, or in other industrial security settings."
When suspicious activity does occur, NERC looks for help to broadcast it across the different agencies responsible for America's critical infrastructure.
"This is a two-way street of information," Leffler says. "We would expect that if there is intelligence focusing on the industry, that they would communicate it to the industry, directly to the asset owner and/or through the electric sector ISAC" (the Information Sharing Analysis Center), through which NERC distributes information on threats to electricity sector infrastructure. But first the information has to get to NERC. That's where the Critical Infrastructure Protection System comes in.
"It runs on a secure Web," Leffler says, and "it provides the ability for people in the field, of which there are hundreds, to communicate with the ISAC and also with the Department of Homeland Security if there are incidents.
"We developed a program called Indications, Analysis, and Warnings - a list of some 15 items, physical and cyber, which should be reported within a stated amount of time."
"The thing we report the most … are incidents of what's called surveillance, or social engineering, where pictures are being taken, people are asking questions. … In some cases they're taking pictures, and they're obviously not tourists because when they're approached by a plant security officer, they toss the camera in the car and take off. That happens. [Security officials] get the license plate. Local law enforcement and the FBI get together and they track these things down, and most of the time it's nothing, but these are the kinds of things that are very important to report because, in the event a terrorist is going to attack a facility, part of their modus operandi is to figure out what site they want to attack … and do surveillance: take pictures, make notes, observe guard rotations. Then they come back, make their plans, and before they do the attack they go back and make sure nothing's changed.
"So one of the things we tell our people is, 'Change your appearance to the outside world,' and 'Survey the outside world so you know what's going on out there.' Because if these things are happening and they do get reported … that can lead to tracking down one of these [attacks]