State public service commissions are insisting that utilities adopt risk management programs, and are allowing less pass-through for those that don't.
Many electric utilities have been on high alert since Sept. 11 to protect the assets within their systems from cyber and physical attack. Months later, signs are that the warning lights will stay on for years to come as utilities refine their capabilities for attack prevention, mitigation, and recovery, both individually, and as a nation.
The Y2K fear forced virtually every utility in the country to reassess and reinforce the capabilities of their information technology systems, and this exercise helped to prepare the industry against cyber attack today. Expanding security attention from data to physical assets, many utilities were aware of the aging nature of their protection system technology prior to the events of 9/11, and began taking steps to replace and upgrade critical components, consultants agree. The new level of threat that utilities now face means that both procedures and technology must be enhanced in a dynamic way to permit utilities to react to the latest type of threat and still mitigate the potential for disruption or disaster.
Given the geographic spread of all the electric utility sites in the country, it is not feasible to protect all physical assets in the same way, thus prioritization of security efforts is a critical prerequisite to implementing the most feasible solution. Still, generators, distributors, and transmission companies alike are pursuing heightened security capability now.
"The level of response has risen substantially over the past six months for the protection of transmission lines and distribution assets," says Stephen Whitley, the senior vice president and chief operating officer at ISO New England. In the electric utility industry, "[t]actical response is adequate but strategic response is lacking," explains Massoud Amin, the area manager for infrastructure security at the Electric Power Research Institute, in Palo Alto, Calif.
Industry groups and government entities on a variety of levels have accelerated their work to assure the security of the electricity industry. "NERC (the North American Electric Reliability Council) has been acting in the realm of guidance on security issues and on communications for sharing information and threat levels," says Whitley. "And the organization that has done the most to help utilities harden their assets is EPRI. They have gone to countries like Israel and South Africa, where threats are day-in and day-out, and have brought back best practices, which are being disseminated now," he says.
Physical Security Upgrades Start at the Perimeter
Utilities are well along in the process of examining every security tool available, ranging from aerial surveillance to biological weapon sensors. The adoption of some procedure changes carries no cost, in contrast to some equipment that can cost tens of thousands of dollars per location-specific unit. The cumulative portfolio of tools is being enriched by cooperation among utilities, by industry recommendations, and by regulatory orders.
Vehicle barriers are one low-tech, relatively low-cost tool that many utilities have been adding over the past six months to a variety of facility types. After 9/11, the NRC added the requirement for vehicle barriers and armed responders at non-working reactors, aiming at the enhanced protection of stored fuel. Three Mile Island-1, for example, has "increased hardened vehicle barriers, increased security posts, and increased patrols," says Ralph DeSantis, communications manager for AmerGen Energy, the joint venture between Exelon and British Energy, in Middletown, Pa. "We've been in a state of heightened security since 9/11, and are in close contact with law enforcement and Homeland Security," he adds.
Similarly, Pacific Gas & Electric has upgraded barriers at a number of sites, says Jon Tremayne, a spokesman for the utility in San Francisco. PG&E may be particularly sensitive to the issue of access, having suffered a transformer substation outage in 1997 (one that involved unstated actions by an employee) affecting over 125,000 customers.
Among other utilities that have stepped up security over the past six months is Florida Power & Light, which, through its parent company, has conducted an engineering analysis of the St. Lucie and Turkey Point nuclear power plant facilities. Their study indicated that the facilities could withstand jet aircraft impacts, according to Bill Swank, a spokesperson for the utility. Apart from these measures, "I can confirm that we do have enhanced security, but we don't want to go into any of the things we've done," he says.
To keep would-be intruders from gaining entrance to electric utility sites "people are looking into more surveillance cameras and guards," says Alan Herbst, a principal at Utilis Energy, the New York-based energy sector consultants. "The utilities want some security display so any potential saboteur or terrorist would move on to another target. For the terrorists, the softer the target the better."
Employee Background Checks More Detailed
FPL also conducted background checks on all 800 employees at its plants with the help of the U.S. Federal Bureau of Investigation, Swank says. More detailed employee background checks are becoming more common and crucial, not only for U.S. citizens, but also for foreign nationals, about whom such information is not often readily available. The problem of background checks arises more often for temporary workers and subcontractors' crews, which necessitate an ability to do rapid assessments.
"Human resources background checking sounds a bit like Big Brother, but if the employees have access to sensitive areas, you have to look at their background for employment and gaps," says Herbst. "Perhaps there should be some government involvement to check against their information and make sure no U.S. government agency has them on a list," he adds. The FBI's relationship with Interpol, for example, helps facilitate rapid checks on foreign nationals.
As security concerns continue to spread beyond the security department to areas like HR, they eventually will touch all aspects of operations. "Utility public affairs people are worried about limiting liability concerns associated with security breaches," says Herbst. Security events will increasingly mean coordinated efforts by multiple departments in utilities. "Most HR people don't think about how you deal with bomb threats," for example, says Herbst. "Do you evacuate a building each time you get a threat, or weigh that action against checking various areas first? A lot of firms are trying to figure that out now," he says. "Utilities need a way to qualify and quantify the threat level. If someone knows you shut down every time you get a phone call, then you may get a lot of phone calls," he points out.
Although utilities have always been careful about the ways entrance gates are controlled, many have become substantially more vigilant and demanding over the past six months. "We are now using owner-controlled area badges, so no one can get in without one, whereas they might have been able to get in before," notes Kathy McMullin, manager of communications for Entergy's Indian Point nuclear power plant.
One critic of the U.S. Nuclear Regulatory Commission's oversight of employee-related security at nuclear power plants is Democratic Representative Edward Markey of Massachusetts, a member of the House Energy and Commerce Committee. "The NRC does not know how many foreign nationals are employed at nuclear reactors, and does not require adequate background checks of nuclear reactor employees that would determine whether an employee was a member of a terrorist organization," he charges.
Nanogram Sensing in Demand
To help screen vehicles and individuals, chemical-sensing equipment is in strong demand now, and the perceived need is not only to screen for explosives but also for biological agents, says Brook Miller, the vice president of marketing at Barringer Instruments, in Warren, NJ. "The utility fleet of security equipment is old, in a broad sense, and there is a fair amount of replacement activity going on now," he says. "We're selling more equipment now than before 9/11," but the trend of new equipment acquisition started about six months before 9/11, he notes.
"The guys who are particularly nervous now are the nuclear operators, who are taking a very thorough and careful look at security arrangements," says Miller. "They're examining our chemical sensing equipment, x-ray machines, walk-through trace detection portals, perimeter systems, and monitoring systems," he says. Barringer's chemical sensing equipment routinely registers nanograms, or parts per billion, and in some cases parts per trillion. Basic site operator-controlled equipment for sensing explosives is sold in the high $30,000 cost range, and utilities typically purchase several units, Miller says, noting that the company sold over 1,000 machines last year.
While such equipment is being used primarily at the gate, other analysts point to the possibility of the terrorist use of infrastructure like a cooling tower to disperse biological agents; thus multiple site sampling may become a necessity, even if only one machine is utilized. "We have remote monitoring capability and we spend more time on operator training now than ever before," Miller says.
Some security officials are considering such technology as biometrics, including fingerprint, hand, and iris scanners, for failsafe identification. "The biometrics industry has hit a plateau but recent events may give it an upsurge," says Herbst. However, the cost of such equipment may exceed that of alternate responses to the perceived threat level that a utility is protecting against. "If you are not dealing with much of the public at a given site, you may not need $20 million worth of technology," he reasons.
To a great degree, threat levels are distinctly high for nuclear generators, so the level of technology employed by those operators is expected to exceed that employed at other electric utility sites. "I don't see a carry-over of the level of technology being employed by the nuclear utilities to general electric generators, but the depth will continue to increase among the latter, as well," says Miller.
Nuclear Reactors Draw Security Bead
The security practices and technology employed at the 103 nuclear power plants in the United States have drawn more attention than fossil-fuel generators since 9/11. While the NRC long has been known for its tough standards on security, "The NRC does not know what its licensees spend on security or how many security guards are employed at each reactor," Markey contends.
Although many of the country's nuclear reactors are close to population centers, only TMI-1 was built to withstand the impact of a sizable commercial aircraft, according to Markey. The precaution at TMI was due to the proximity of the Harrisburg airport, about three miles away, because of which an accidental crash scenario was considered in the engineering design of the twin plants, says DeSantis.
The fear that a commercial aircraft could penetrate a reactor building and cause the release of a radioactive plume has fueled an intense debate in Congress over where the industry-government line should be drawn in terms of who provides security for the reactors. Markey is among federal officials advocating a federal takeover of security at nuclear plants. Even though the NRC coordinates physical drills to test security at the nuclear plants, Markey warns that "security exercises at nuclear reactor sites are inadequate, and sites continue to fail the exercises about 50 percent of the time."
A study initiated in mid-November by Markey surmised that security at U.S. reactors under the supervision of the NRC is lacking. He reports: "Twenty-one U.S. nuclear reactors are located within five miles of an airport, but 96 percent of all U.S. reactors were designed without regard for the potential for impact from even a small aircraft." In his report, he also questions the relative security at some utilities' spent fuel storage facilities, which in some cases were constructed with less rigorous designs than the reactors at the sites. The NRC in some cases issued exemptions from security regulations for the spent fuel buildings, since it was assumed permanent off-site storage would be available long ago, he asserts.
One safeguard that the NRC has rejected, reports Markey, is to place "anti-aircraft capabilities at nuclear facilities, even though other countries (including France) have chosen to do so and even though many reactors are located very close to airports." Not all industry officials believe such an action would be appropriate. "Anti-aircraft guns are being discussed in Congress, but I don't believe it's a good idea, because we need a separation between what is private sector security and what is a national defense for the security of the nation. If they do approve them, that's when I stop flying," says Pat Asendorf, the manager of security at the Indian Point nuclear power plant. Indian Point security was recently reviewed by New York State Office of Public Security Director James Kallstrom, and a number of recommendations for security enhancements were made. Most of those have already been adopted, and the remainder are in process, notes McMullin. "We are working with the Nuclear Energy Institute as well as the NRC in assessing our security program and implementing enhancements," Asendorf says.
Nonetheless, the NRC has tightened security at nuclear plants since 9/11. The commission announced on April 7 that the recently created Office of Nuclear Security and Incident Response is working with the White House's Office of Homeland Security to protect U.S. nuclear reactors. The new office will complement and coordinate work long performed by the NRC's Office of Nuclear Material Safety and Safeguards, which supervises security programs for nuclear fuel facilities and materials, transportation and disposal, and by the Office of Nuclear Reactor Regulation, which supervises nuclear plants and spent nuclear fuel storage facilities, the commission states.
Among concerns about the security of nuclear reactors is the possibility of core damage after sustained power interruption. According to Markey, "If all electrical power to a reactor was cut off (by a deliberate crash of an aircraft into the power generation systems, for example), the time it would take for damage to the reactor core to begin is estimated by the NRC to be about two hours." Similarly, the destruction of cooling towers, built with little protection from the air, could lead to core damage in some circumstances, he says.
Industry Groups Focus on Security Specifics
Since utilities long have been on the march to upgrade their enterprise software and computer hardware systems, perhaps more focus has been placed on keeping electronic assets safe than on keeping physical assets safe, one consultant suggests. "One of the biggest issues with IT security where people see threats is that the grid is run by computers, and you've seen that hackers can get into things quite easily," says Herbst. "This is an area where a lot of consultants are looking now," he says.
Consultants and industry groups are leveraging the experience of IT security enhancements to look beyond data protection to the protection of operations. Trade groups like the not-for-profit EPRI and NERC have been instrumental in this effort over the past few years, and now have become the vanguard of fence-to-fence security planning.
"We started work at EPRI on a comprehensive electric infrastructure security assessment when several board members (of the group's two-year-old Enterprise Infrastructure Security program) asked us what technology could do for security beyond the use of guards, dogs, cameras and guns," says Amin. "By 9/17, we had a team of 30 colleagues performing an end-to-end preliminary system assessment with suggested countermeasures, covering areas including cyber threats, grid operation, distribution, and disaster recovery, with generation and energy market threats," he says. EPRI developed two reports of recommendations as a result. The first covers a rapid response period of up to 18 months after 9/11 and the second covers a mid-term response from 18 months after 9/11 to five years out. "It was all closely guarded and encrypted, and we shredded what paper we had in hand," Amin says. The reports were circulated to the members of the board, as well as to various levels of government agencies, like the FBI, with which the group cooperates. EPRI's EIS has about 35 entities involved now, including U.S. and Canadian utilities, distribution and transmission companies, and other organizations.
As an outgrowth of the EIS work, EPRI is developing an intrusion detection tool, and tools for resource-constrained encryption for utility applications. To broaden its work to include more affected entities, in late April, EPRI launched a two-year program, the Infrastructure Security Initiative, to address near-term industry security measures. As part of its overall strategy to maximize utility enhancements of their security findings, EPRI is utilizing surveys to help participating utilities benchmark where they are in their security program development. Amin also advocates the use of game theory to develop potential attack scenarios against which utility officials should train.
Secrecy Enhances Security
For-profit consultants also have become much more active in advising utilities on the full scope of security measures, but even they are not discussing details of their recommendations or of utility adoption of measures. "Specifics would not be appropriate due to the sensitivity of the situation," says Larry Bean, the president of Energy Services, an operating unit of Pinkertons, in Parsippany, N.J. His unit serves about 16 electric utilities presently, drawing on a staff of more than 1,200 employees. "Utilities have stayed close to the leading edge of security innovations for a number of years, but it has been a very active period recently," he allows.
For distribution and transmission entities, the need for outside security consulting is perhaps greater than for generators, given the relatively low past expectation of physical security breaches. "Transmission facilities are not as physically secure sites as other (generating) facilities are, so we did have a consultant in last fall and are working through his recommendations," says Mike Calimano, the vice president of operations and reliability at ISO New York. "We also recently had a DOE (U.S. Department of Energy) vulnerability assessment, and they are coming back again in the fall," he says. "We're basically using outside security consultants because security wasn't a great concern originally," he says, of the historic priority assigned to physical breaches.
Part of the problem of public assessment of security procedures and technology capabilities for electric utilities is the generally secretive blanket thrown over the issue, analysts say. "In the past, utilities were very closed-mouthed about what their security problems were," says Herbst. Following 9/11, secrecy has become another tool in the portfolio of limiting exposure to attackers, say other industry officials. "We are no longer sharing as much information about what our contingency plans or alternatives are," says Whitley. "The first thing we've done and need to continue to improve on is change the way we control the information we share with general public: maps, diagrams, locations of key facilities, and the results of studies," he says. "From now on, maps will be more generic and reports will be about issues, not specific problems that can cause reliability problems," he says. As a result, part of the challenge the industry faces is to say enough to the public to gain its support for greater security implementation, but not to say enough to tempt terrorists. "The public doesn't appreciate the latent threat to the power system," opines Amin.
Building a Nationally Coordinated Security Response
While a national response to the protection of electricity assets has been intensified since 9/11, "There is no centralized industry security coordination and assurance capability" yet, Amin points out.
But for the past few years, organizations like the FBI have been working with the industry to assist with security needs and to come up with a list of electrical infrastructure that can be classified as national security priorities.
In the past, utilities have not always shown a willingness to share their security problems with government entities. Since the NRC has had oversight of the nuclear utilities, more of a quietly defensive posture may have been assumed by the utilities it regulates. "Initially a lot of utilities didn't want to talk to the government, but now there is a lot more cooperation," says Herbst. "You can't expect the government to fix everything by itself, because the industry knows itself better than the government. But there has to be a partnership to protect the assets," he says.
For the past three years, the FBI has coordinated the National Infrastructure Protection Center (NIPC), now under the direction of Ronald Dick, to help prepare a comprehensive plan for defending the nation's electrical system. The NIPC was formed with a directive that "defines critical infrastructures to include those physical and cyber-based systems essential to the minimum operations of the economy and government, to include, without limitation, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private," Dick told Congress in an October 2001 hearing. "The NIPC also provides timely information on cyber vulnerabilities, hacker exploit scripts, hacker trends, virus information, and other critical infrastructure best practices," he says.
"Since 1998, the NIPC has been developing the FBI's Key Asset Initiative, identifying over 5,700 entities vital to our national security, including our economic well-being," Dick says. "Following the Sept. 11 events, and at the request of the National Security Council, the NIPC has leveraged the Key Asset Initiative to undertake an all-agency effort to prepare a comprehensive, centralized database of critical infrastructure assets in the United States," he says. One industry official estimated that electric utility assets represent between 20 percent and 40 percent of the facilities identified under the Key Asset Initiative. "The Key Assets Initiative is pretty far along, since the electricity industry had already identified key assets as part of our operating and reliability criteria," notes Whitley.
"The NIPC gathers together under one roof representatives from, among others, the law enforcement, intelligence, and defense communities, who collectively provide a unique analytical perspective to threat and incident information obtained from investigation, intelligence collection, foreign liaison, and private sector cooperation. This perspective ensures that no single 'community' addresses threats to critical infrastructures in a vacuum; rather, all information is examined for its potential for simultaneous application to security, defense, counterintelligence, terrorist or law enforcement matters," Dick says.
Thinking Nationally, Acting Locally
As an outgrowth of the NIPC program, InfraGard, a grass-roots private/public organization, was formed and held its first national meeting in June 2001, to help utilities share information with local and regional law enforcement agencies, among other entities. "The NIPC has developed InfraGard into the largest government/private sector joint partnership for infrastructure protection in the world," says Dick. "We have taken it from its humble roots of a few dozen members in just two states to its current membership of over 2,000 partners," he says. To cover the country, "local InfraGard chapters (are) within the jurisdiction of each of the 56 FBI field offices and several of its resident agencies (subdivisions of the larger field offices)," he says. "InfraGard provides its membership the capability to write an encrypted sanitized (the sender's identity can be masked) report for dissemination to other members," he notes.
InfraGard and the NIPC also are tapping into global expertise for security enhancement in the United States. Apart from relationships with a dozen U.S. agencies, the NIPC also includes member groups from the United Kingdom, Canada, and Australia. "The NIPC has established information sharing connectivity with a number of foreign cyber watch centers, including in the United Kingdom, Canada, Australia, New Zealand, and Sweden. And, we continue to take advantage of the FBI's global presence through its legal attache offices in 44 nations," Dick says.
Commenting in May 2001 on a U.S. General Accounting Office analysis of the NIPC, Dick notes, "The NIPC, under the authority of the FBI, is the only locus where law enforcement, counterintelligence, foreign intelligence, and private sector information may be lawfully and collectively analyzed and disseminated, all under well-developed statutory protections and the oversight of the Department of Justice."
The electric utility sector was the first to develop a close working relationship with the NIPC, establishing a model for other sectors of the U.S. economy to follow. "Over the past two years the NIPC and NERC, the ISAC (Information Sharing and Analysis Center) for the electric power sector, have established an indications, analysis, and warning program, which makes possible the timely exchange of information valued by both the NIPC and the electric power sector," Dick says.