Because of heightened security requirements within the United States and the volatility of the business environment for utilities, federal regulators and Congress are finally seeing the need to ensure that utilities and energy industries are secure. This consortium of interests is attempting to advise the utilities and their commercial clients and customers on protecting physical plant and associated assets against the potential impact of terrorist attacks against critical national energy and power infrastructures. When we think about massive outages from a conventional point of view, there is a tendency to point to the following types of widespread yet still localized examples:
1) 1965, 1977, and 2003: blackouts in New York City and neighboring areas, with incurred costs (for the most recent event) of up to $10 billion
2) August 10, 1996: 7.5 million customers across 11 western states and two Canadian provinces lost power, some for several hours. The estimated economic losses were $2 billion
3) August 13, 1999: Downtown Chicago blackout, which shut down about 3,000 businesses in the Loop and caused $100 million in estimated economic losses
4) March 18, 2000: 550,000 customers in New Mexico lost power due to a grass fire rendering a key transmission line inoperable
According to a number of government agencies and national security experts, the combined utilities-energy industries are vulnerable to terrorists and rank high on their list of potential targets. That said, utility executives struggle with improving the security of their forty- to fifty-year-old infrastructures, which were not built with security in mind. These same executives also have to deal with deregulation, additional state and federal regulations, and of course the big question: how to pay for it all when the economy is slipping?
Utilities are constantly reminded of how easy it is to access their facilities and control systems. In addition, we have all heard that it is impossible to protect a utility because of remote facilities and infrastructure. We have also heard that an attack on the utility industry, or an attack that uses utilities to terrorize, could have devastating effects on our nation, our citizens, and our national economy. There is also the reality that it is impossible to protect a utility 100% from an attack, be it a cyber attack or a physical attack on a utility’s facilities or infrastructures.
One cannot completely secure a utility, and we all know that; making it tougher to penetrate is possible. A number of state regulators are looking at, and some are requiring, security assessment implementation at utility facilities. This must be done before a utility can request a rate adjustment to pay for security improvements. Many utilities are having security assessments done as a regular course of business and putting recommended security improvements in place. The majority of utilities are struggling with revenue commitments to pay for improvements and enhancements without compromising their productivity and day-to-day operations. Many utilities look at physical and cyber security and settle on improving those areas. A professional security assessment will address physical and cyber security, supervisory control and data acquisition (SCADA) and distributed control systems (DCS), communications security, grid security, distribution security, generation security, and biological/chemical issues, including an anthrax assessment. The security assessment team (usually consultants) needs to have recognized experts in security as well as technical experts who have worked in the industry itself. Conducting an assessment is one thing; coming up with sound solutions and meaningful results is another. A professional security assessment team should be knowledgeable about current technologies and be able to recommend financially viable options for implementing solutions.
A developing trend is to put in place a “security collaborative” where several utilities share in the cost of an assessment and have a security assessment conducted on a number of facilities at the same time. This is common practice among smaller utilities, especially rural electric power cooperatives. The utility industry has always been very community oriented, and they pride themselves on employing only the best. It is not uncommon for a utility employee to have fifteen to twenty years of service.
When utilities are confronted with the concept of pre-employment screening or security checks on vendors, there is frequently pushback: “We have known these folks for years.” With pockets or cells of terrorists living in the United States, sometimes for years (once unthinkable but now a probability), not to mention the everyday common criminal, it is critical to screen every employee and vendor.
As utilities move into a new era of security, the adoption of sound security policies, procedures, and guidelines is of the utmost importance, along with the development of a formal business continuity plan, or the updating of existing plans, to address the new scenarios that could occur. The development of the business continuity plan must include federal, state, and local law enforcement and emergency services personnel to ensure all bases are covered before, during, and after an incident. As recent news stories confirm, in order for a security plan to be as successful as possible, it is critical to create a “security culture” at all levels of a utility, from the CEO on down. This can be accomplished through on-the-job training seminars put on by a security professional in conjunction with law enforcement. The more eyes and ears the utility has, coupled with personnel trained on what to look for, the greater the chances of having a successful security program in place.
When oil prices dip, oil executives begin to panic over the loss of revenue. When the price at the pump climbs, the consumer starts to think about rebellion. The simple truth is that the utility/energy sector operates like a Swiss watch. Damage one small component and the watch ceases to function. Destroy a major refinery, severely damage the natural gas delivery system, sink the tankers, successfully conduct a cyber attack on telecommunications and electricity delivery grids, sicken the people who keep the system functioning, and then attack. Those are the scenarios that can cause a finely tuned system to cascade into catastrophic collapse. Understanding the threat and knowing your vulnerabilities are only part of the answer to these troubling questions. Knowing how to plan for the worst-case scenario and building that plan takes time and skill. The skill exists, but do we have the time?
The following are some examples of where utilities are vulnerable:
1) “Attack upon the power system”: In this case, the electricity infrastructure itself is the primary target, with ripple effects, in terms of outages, extending onto the customer base. The point of attack could be a single component, such as a critical substation or a transmission tower. However, there could also be a simultaneous, multi-pronged attack intended to bring down the entire grid in a region of the U.S. Similarly, the attack could target electricity markets, which because of their transitional status are highly vulnerable.
2) “Attack by the power system”: In this case, the ultimate target is the population, using parts of the electricity infrastructure as a weapon. Power plant cooling towers, for example, could be used to disperse chemical or biological agents.
3) “Attacks through the power system”: In this case, the target is civil infrastructure. Utility networks include multiple conduits for attack, including lines, pipes, underground cables, tunnels and sewers. An electromagnetic pulse, for example, could be coupled through the grid with the intention of damaging computer and/or telecommunications infrastructure.
4) “Spare Parts”: It should be noted that “large” spare parts for power plants take months or years to build, and the majority of them are shipped from overseas. If a power facility is attacked, getting it back online could be a major issue.
The following are some specifics worth noting:
1) “Utility Hacks”: U.S. utilities are currently being hacked daily from all over the world and from domestic sources as well. The relative age of the infrastructure and its widespread connections to the internet make this a relatively easy task.
2) “Infrastructure Networks”: There has been a sharp increase over the past year in hacks on our nation’s infrastructure, and most have been coming from outside the United States. Although difficult to trace, the sharp increase is of concern and should not be overlooked.
3) “CIA warning to US Power and Utility Industry”: A CIA analyst, within the past few months, stated that cyber-attackers have hacked into utility companies outside the US and made demands. In at least one case this caused a power outage that affected multiple cities. It was also suspected that the hackers had the benefit of inside knowledge.
4) “Tennessee Valley Authority (TVA)”: Our nation’s largest public power company (TVA) is vulnerable to cyber attacks that could sabotage critical systems that provide electricity to more than 8.7 million people, according to a Government Accountability Office (GAO) report recently released. The House Homeland Security Panel on cyber security is hearing testimony from the Federal Energy Regulatory Commission (FERC) about gaining additional authority to require electric utilities to implement added cyber security measures.
The following are some specific challenges we face:
1) “Federal and State Regulations”: Congress needs to continue its efforts to develop federal standards for securing our utility/energy infrastructures, utilizing a public/private review process, to ensure the standards address all critical issues.
2) “Physical Security Standards”: With all the focus on cyber-security, physical security standards are being overlooked. Most utilities have very little, if any, physical security in place. It is very easy to access power plant facilities, substations, and corporate offices. In cases where utilities have security, the security equipment itself (cameras, sensors, etc.) is outdated and security guards are often poorly trained.
3) “State of Denial”: We are suffering from the “let’s-wait-until-something-happens-and-then-fix-it” syndrome. We need to educate the American public on this critical issue now instead of trying to explain why a crisis happened. 9/11 is a good example.
We live in a world that is driven by technology. We are 100% reliant on our nation's utilities to supply the energy to run these technologies. It is critical that we secure our utility/energy infrastructures now. If power doesn't flow, Homeland Security initiatives will not function, the world economy (which is very dependent on the US economy) would stop, our food supplies would go bad in a matter of weeks, our banks and financial markets would be placed in jeopardy, people would suffer from heat or cold depending on where they live, and our country would be in chaos. A lot can be learned from military history: take out the infrastructure first, and then proceed with the attack. Congress needs to move now to implement strong standards for securing our most valuable assets (the grid system and energy infrastructures) against a terror attack, because it is not “if” but “when”. Hacks on utility/energy infrastructures are occurring as we speak. Waiting versus acting will prove to be devastating.
Larry Ness is President of Ness Group International Utility/Energy Security Consultants and author of the newly published book, "Securing Utility and Energy Infrastructure."