Utilities

GridEx IV Tests The North American Power Grid
November 17, 2017
By Megan Gates

The North American power grid is completing its largest biennial exercise today, called GridEx, with its highest number of participants since it was launched in 2011 by the North American Electric Reliability Corporation (NERC).

More than 5,000 electric utilities; regional and federal government agencies in law enforcement, first response, and intelligence community functions; critical infrastructure cross-sector partners; and supply chain stakeholders participated in GridEx IV, a biennial exercise designed to simulate a cyber/physical attack on electric and other critical infrastructure across North America.

The exercise promotes a strong learning environment and collaboration between industry and the public sector to "enhance the security, reliability, and resiliency" of the bulk power system, said Charlie Baradesco, CEO of NERC.

Exact details of the exercise are not released due to security concerns. But it is similar to the other GridEx exercises in that it has participants work through their incident response plans, practice their local and regional response, engage interdependent sectors, improve communication skills, engage senior leadership, and compile lessons learned. The exercise, however, has no impact on the real electric grid.

GridEx IV is a "series of escalating scenarios in which the system is stressed continually further," says Tom Fanning, Electricity Subsector Coordinating Council cochair and chairman, president, and CEO of Southern Company. "Consider the joint effects of a cyber and kinetic attack that, as time goes by, creates greater consequences to our ability to undertake commerce…what we're looking for are the potential friction points or breaks in the system. That's how we learn."

Also new this year is an emphasis on communication with the public, incorporating social media response and fake news mitigation, says Marcus Sachs, CSO of NERC. On the first day of the exercise, participants uploaded photographs of simulated damage, explosions, and news stories to test how that information would play out.

"Allowing that to play out in an exercise space…shows how the simulation is a good replication of real world problems that we face," Sachs says.

The exercise also pulls in other industry stakeholders outside of the utilities sector, such as finance and telecom, because the utility sector is dependent on these to get the grid back up and running should an incident occur.

"We're taking the Russian nesting doll approach to preserving our system when it's under duress," Fanning adds. "We're dependent on telecom—we've got to be able to talk to our people in the field."

While a cyberattack has never turned off the power in North America, stakeholders must remain vigilant, Baradesco added in a call with reporters on Thursday. GridEx helps ensure "we remain as prepared as possible."

More than 400 executives—from government and the private sector—are also involved in this year's GridEx, participating in tabletop exercises to work through how they would handle an attack on the grid.

This participation is critical, Sachs says, because "security starts at the top."

And this commitment to getting those at the top involved in the exercise sets GridEx apart from other exercise scenarios, says Brian Harrell, CPP, vice president of security at AlertEnterprise.

"While federal partners have often incorporated losing critical grid components within their exercise scenarios, GridEx is the only event that has industry CEOs, trade associations, government partners, academia, and utility subject matter experts responding to a grid reliability scenario," Harrell says.

Harrell is the former operations director of the Electricity ISAC and director of critical infrastructure protection programs at NERC. He helped launch the first GridEx in 2011 because, as the largest machine on the planet, the North American power grid requires constant maintenance, monitoring, and continuous learning.

"Exercises are a key component of national preparedness—a well-designed exercise provides a low-risk environment to test capabilities, familiarize personnel with security policies, and foster interaction and communication across organizations," Harrell adds.

Participation in GridEx is voluntary, but Harrell says there is value for utilities to participate—even if in a limited capacity.

"Reviewing the security response to the grid's critical components, such as generators, large substations, and transmission lines during a disruptive, coordinated attack on the grid will help industry understand how to make the system more secure," he says.

Other industries—both those inside and outside the United States—run exercises to test specific response plans, policies, and procedures. But these exercises tend to focus on reliability issues, as a result of supply shortages, natural disasters, and catastrophic failure, Harrell explains.

"Very few exercises incorporate a coordinated physical and cyberattack scenario designed to destroy critical infrastructure components," Harrell says.

This has become all the more important after the cyberattack on Ukraine's electric grid in December 2015, which resulted in the first known loss of power due to a cyberattack.

"The United States has never experienced a massive cyberattack-related power outage, but there have been direct cyber events in recent years against energy infrastructure, including intrusions into energy management systems, targeted malware, and advanced persistent threats (APTs) left behind on computers by phishing attacks," Harrell says. "The perception that cyber risks are low because only a few and limited attacks have occurred on industrial control systems is not just ignorant, but highly dangerous."

Once GridEx IV is completed, participants will begin to share lessons learned, which NERC will compile into an after-action report. That report, according to officials on Thursday's call, is expected to be released in March 2018.

The Golden Rule

High in the Andes mountains of northern Peru, 375 miles north of the capital city of Lima, is the Yanacocha mine—Latin America’s largest gold mine. The site, which is majority-owned by Colorado-based Newmont Mining Corporation, consists of six open pit mines, four leach pads, and three gold recovery plants. More than 100 small, rural communities fall within its influence area. While communities situated near Yanacocha have been concerned in the past about the mine’s impact on local water supplies and a lack of communication from the company, Lee Langston, Newmont’s regional director of security for South America, says that most concerns are related to employment.

Tensions over those concerns resulted in a series of protests in August 2006. Farmers blocked the road to Yanacocha for one week, and production at the mine came to a standstill for two days. According to media reports, protestors’ original demand for jobs turned to anger over environmental concerns, and in one violent clash, protestors blocking the road threw stones at police. In the response, one farmer was shot and killed.

The incident highlights the often strained relationships between local communities and international extractive companies operating abroad. As a result of this and other security conflicts between Newmont and the communities surrounding the mine in recent years, the company is in the process of implementing a new approach to security that recognizes the importance of human rights and community outreach.

Human Rights

The mining industry has an increased awareness of the connection between community relations and security today compared to a decade ago. “I think increasingly there really is a recognition on the part of the mining companies we work with that there is a degree of indivisibility between what you are doing in terms of your community relations or your community investment and security,” says Aidan Davy, a program director for socio-economic contribution for the London-based International Council on Mining & Metals (ICMM), an industry group which counts Newmont among its members.

Davy attributes the change to the influence of the Voluntary Principles on Security and Human Rights, an initiative of private companies, governments, and nongovernmental organizations (NGOs) that is intended to provide guidance to extractive companies on how they can maintain the safety and security of operations while ensuring respect for human rights.

The Voluntary Principles, as they are commonly called, were established in 2000 and primarily address three issues: risk assessment, engaging with public security forces, and interacting with private security forces. For each of these issues, the Voluntary Principles provide several guidelines. Signatory organizations commit to abiding by the principles and submit annual reports on activities.

Extractive companies have historically taken a silo approach to security and community relations, Davy says, but the Voluntary Principles have led to a more synergistic approach. “Instead of taking the view of conventional security that our role is to protect our people and our assets in that order and [that] people outside the fence line or communities may represent a threat to either people or assets, the Voluntary Principles take the view that in legitimately providing security for people and assets, there is a genuine risk that you might compromise the safety, security, and wellbeing of people outside the fence line,” he explains.

That shift in perspective, he says, has helped companies realize the importance of aligning what they are doing in the security space to what they are doing in the community relations space. “That has had a profound influence, I would say, in terms of sensitizing people to the idea that these matters are closely related,” he says.

Slow Going

Davy admits that there is some public dissatisfaction about the lack of progress in implementation of the Voluntary Principles. “That absolutely is not the fault of companies exclusively,” he says. “I think it’s because, at its heart, the Voluntary Principles rely on a tripartite model of government, civil society, and company collective engagement and collaboration, and at times, I think they’ve failed to move this thing forward in a way that’s been collaborative.”

Indeed, one of the biggest challenges, according to Langston, is enforcing human rights in a foreign country and in remote areas. “The real challenge is that [we are] a private company, a foreign private company, [so] sometimes if it’s not approached delicately, government institutions can feel that you’re treading into their area of governing,” Langston says.

Davy says implementation guidance of the Voluntary Principles has also been lacking. “What’s been missing is practical guidance that will help people really move forward with implementation,” he says. An implementation guidance tool is currently being created by a coalition that includes the Voluntary Principles Secretariat, ICMM, the International Finance Corporation, the International Committee for the Red Cross, and the International Petroleum Industry Environmental Conservation Association (IPIECA). The guide should be available within a year, Davy says.

Newmont, which is an ICMM member, was one of the first companies to sign on to the Voluntary Principles in 2001. But Oxfam America, an NGO participant in the Voluntary Principles, lodged a complaint against the mining company in 2007 with the initiative’s Secretariat. That complaint was in response not only to the protests in 2006 and the death of farmer Isidro Llanos Chavarria but also to allegations later that year of illegal wiretapping, surveillance, and death threats by a private security company employed by Newmont against a prominent human rights activist and outspoken critic of the company.

Newmont and Oxfam America subsequently agreed to a third-party comprehensive review of Yanacocha’s security management and practices. The review consisted of interviews with company executives, Peruvian National Police authorities, representatives from two of the three hired security companies employed by Yanacocha, NGO personnel, and community leaders.

A summary of the review of Yanacocha’s security and human rights procedures was released publicly last summer. “The total review identified areas of strong performance as well as the processes that they felt Yanacocha could improve upon,” says Langston. Newmont and Yanacocha analyzed the review and then developed a plan of action to implement the report’s recommendations for a new approach to security and human rights.

New Action Plan

The plan of action that came out of the review included short-term objectives that would be implemented by the end of 2009, medium-term objectives that would be implemented by the end of 2010, and long-term objectives that would be done in 2011. In terms of implementing recommendations for the Yanacocha site, Langston, as regional security director, is responsible for ensuring that they are completed in the timeframe set by the committee.

One example of a short-term objective is the creation of a Risk Assessment and Conflict Resolution Office. Langston says the company had a similar office before, but it was not as effective as it could have been. One problem was that it only addressed complaints filed directly with the office. For instance, if an allegation appeared in the media, it was not considered a legitimate complaint.

“Well, you have to be reasonable,” Langston says. “If it’s floating around in the media, you better address it as a complaint.” Now the office considers all allegations no matter how they get word of them. “One of our employees can say he heard something in a store, and that would be investigated,” Langston adds.

Investigations. Yanacocha now investigates all use-of-force incidents. “Anytime any of our security people have an incident, whether it’s with an employee or a contractor or a community member, that is reported and treated just as if it is an allegation so we can determine whether the force used was reasonable or not,” Langston says.

All such reports undergo a new process of evaluation as well. If the risk level is classified as low, the incident is evaluated by a human rights and security investigation committee, which includes the site security manager as well as representatives from legal and operations. Representatives from other relevant departments are also on the committee.

For instance, if an incident involves the community, someone from the social responsibility department is there; if an allegation concerns an employee or contractor, a human resources or contracts manager serves on the committee. They assess the allegation and determine whether it has merit.

If the allegation is deemed legitimate, the committee orders an investigation and picks an investigation team to report back with results and recommendations. The onsite committee must also keep the South American regional board, which mirrors the committee at the site level, informed.

If the risk level of a complaint is considered medium, the regional-level committee handles it, and if it is a high-risk complaint, corporate, which also has a similar body, investigates.

Working with police. Because the response time is so long from Cajamarca, a contingent of police officers is stationed at the mine and rotated on a monthly basis. The company pays the police officers a daily stipend, provides lodging and meals, and makes a contribution to the police institution for their services, as stipulated in a formal memorandum of understanding (MOU).

In addition, the MOU has provisions for additional response to the mine area if an incident should occur. However, one of Yanacocha’s medium-term objectives is to work with the police to make this MOU more transparent. The police acknowledge on their Web site that they have an agreement with the mine, Langston says, but they do not publish the contents of the MOU, which is important information for the local community to have.

One of the long-term objectives is to expand the police training to the regional and national levels, but it will take time. “Obviously it’s the state’s responsibility to do this kind of stuff,” Langston says. But, “[i]f we can help them with a reasonable cost to the company, we’re going to do that.”

The comprehensive review also recommended equipping police forces with nonlethal weapons, Langston says. “We’re not so sure [as a] company that we want to get involved in providing that type of material, because it’s nonlethal, but it’s offensive in nature,” Langston says. Currently the company provides protective gear for police who are stationed at the mine site or who are responding to an incident. These items include helmets, shields, padding, and other riot response equipment.

Equipping police raises concerns beyond just the cost to the company, Langston says. There are also legal concerns. “We need to be very cognizant of the Foreign Corrupt Practices Act when we talk about equipping people,” he says. “We have to have some means of monitoring the use of that equipment.”

Another objective the company hopes to meet by the end of this year is the establishment of regular, formal meetings with public security partners, which include the national police as well as the military. Newmont’s security officials currently engage in formal, high-level meetings with these partners at least once a year, but the company is negotiating with Peru’s interior and defense ministries to set up a formal schedule that would include meeting twice a year at the ministry level and quarterly with generals at the regional level.

The purpose of the meetings is to assess collaboration and discuss ways to improve performance within the framework of the Voluntary Principles. Yanacocha’s security manager, Jose Antonio Rios Pita Diez, CPP, currently meets with local police on a weekly basis.

Human rights training. In 2008, in an effort to improve the company’s implementation of the Voluntary Principles even before the review was completed, Yanacocha launched two training programs designed to raise awareness among employees and contractors about the importance of respecting human rights. One program is basic training in human rights and provides an overview of relevant initiatives Newmont is involved with, such as the Voluntary Principles and the United Nations Global Compact. Each participant also receives a primer on human rights.

In the first year, 3,000 participants benefited from the program, including all of the security contractor personnel working for Yanacocha. The program continues on an annual basis.

The second training program launched the same year is training in the Voluntary Principles. This program targets the mine’s security staff, contractor personnel, and police assigned to the site. Training focuses on ways to ensure the safety of Yanacocha’s employees and operations while respecting human rights.

In the first year, the training was provided only to security and contractor supervisors and to public security officers assigned to provide support to the operation. In 2009, all security personnel received the training, which includes use-of-force instruction and a code of conduct for law enforcement officers. The training is being extended in 2010 to Newmont’s Conga project, which is also in Peru, and its Merian project in Suriname.

Community relations. Yanacocha’s security department has also launched a security-community integration program to improve relationships and trust between security personnel and local communities. As a part of the program, security personnel work with security contract personnel, the police, the military, and local businesses and organizations to plan one-day festivals in isolated communities in the mine’s area of influence. Some activities include music provided by the army or police bands, Andean folk dances, lunch prepared and served by security personnel, and social services, such as presentations on family planning, spousal abuse, and hygiene conducted by the police health unit.

The security department spearheads approximately one event per month, going to a different local village each time. Security personnel and their families attend. Not only do the events build trust between company and contract employees and the communities, but they also improve relations between the state law enforcement personnel and the local Indian communities, Langston says.

Yanacocha’s Diez says that it is important to venture into the community relations realm, even though others may consider it the work of an external affairs or social responsibility department.

“We are doing our work in a preventive way because if we have some problems in the road, the problem also will be for the security department and also for our company,” he says. “We are working in a preventive way in order to avoid these kinds of situations.”

On a regional level, Newmont is working with the Interior Ministry to assist and provide resources to the rondas campesinas, or rural peasant patrols, which have developed over centuries to provide security for their own rural communities. Each local community has its own ronda. Newmont provides them with minor equipment and gear that makes the ronda campesina stand out in the community, such as vests that say “Ronda” and identify the community; flashlights, boots, and some rain gear.

Results

The goal of these community outreach efforts at its simplest was—and is—to “put a face” on security. The hope was that if local residents got to know security personnel as people before there was an incident, then when they showed up on the scene to respond to trouble, the locals might be disgruntled, but they would be “less likely to pick up a rock or a stick and start to assault the guard. And that’s exactly what we’re seeing,” says Langston.

He says that security personnel are met more cordially on the road and that they now have conversations with members of the communities. Both Langston and Diez say the efforts at Yanacocha are also showing some tangible results. For example, the company experienced 25 roadblocks in 2007 and only one last year. The company also tracks conflicts that involve physical force, and those incidents have dropped from 64 in 2007 to six in 2009.

Langston has noticed a growing awareness that community relations affect security and vice versa. “Used to be security was checking the lunchbox at the gate, and it’s much more than that now,” he says. “You have to go beyond the fence, and that takes a whole different mind-set and set of skills.”

Stephanie Berrong is an assistant editor at Security Management.

Blended Training for Six Sigma

In early 2013, a multimedia entertainment company explored Six Sigma as a way to address access control concerns. Several members of the company’s security leadership were already familiar with Six Sigma, and they wanted to know how it might be used and implemented within a security environment.

While senior management believed that the security program could benefit from Six Sigma, their questions and concerns centered on how to implement the program. Executives requested that, regardless of the approach taken for implementation, various team members be trained, with the intent that the security department could eventually take on additional improvement projects.

The company chose a blended learning program, which incorporates different learning modes, is designed to appeal to different learning styles, and is engineered to meet the requirements of effectiveness, cost, and flexibility. Common components of a good model include interactive e-learning, classroom simulations, live and recorded webinars, online or paper-based testing, one-on-one coaching, support structures such as study halls, interactive Six Sigma software tools, and reference sources.

Getting Acquainted

Although technically not part of the official training, the company decided to have an initial meeting on the project to provide an opportunity for the trainer to understand the company culture. The meeting provided the security team with a chance to evaluate the personality and expectations of the trainer. The meeting was also used to codify the scope of the overall initiative, ask any questions, and discuss benefits and concerns.

Individuals within the company came to the meeting with varying degrees of buy-in, from skepticism to total acceptance. However, as ideas for applying Six Sigma began to develop and projects were offered for consideration, company employees agreed that several key security projects could benefit from using this methodology. At the conclusion of the meeting, the company agreed to set up an e-learning program for each security team member.

E-learning

For the e-learning portion of the blended training program, the company chose MoreSteam.com, which specializes in online Six Sigma training. Over several weeks, each security team member worked on the online beginner class, which provided a cost-effective way to evaluate Six Sigma. Individuals worked at their own pace until completing the program. Each member’s progress was monitored via the Web by tracking online quiz results. Teleconferences were held to support the e-learning, as well as to discuss possible projects.

The subjects taught during the class included the DMAIC process, process mapping, measurement and basic statistics, understanding variation, and standardized work documentation.

One team member was given additional training and served as the Six Sigma project leader after the trainer left. The remaining team members stopped after the initial training.

The purpose of training each member at a basic level was to give all members an understanding of terminology as well as to drive cultural change. The goal was not just to save money and improve quality on a project-by-project basis, but to create an environment driven by data and measurements.

Implementation

As an initial project, the company chose to address access control issues. The overall problem was that security received a significant number of access control alarms. When security responded to these alarms, they often found that the access control devices were malfunctioning. The data had been collected from the system audit reports that showed thousands of data points indicating various potential security breaches. However, security eventually responded to these alarms as if they were false, creating the potential for a real security incident to be ignored or handled poorly. Once the project was chosen, the Six Sigma project leader worked alongside the trainer to apply to the real world what had been learned in the online training class.

Applying the Six Sigma process, the company decided to work with the access control vendor and address each malfunctioning device. After this was completed, a maintenance schedule was devised to ensure that devices remained in good working order.

The accumulated data also revealed failures in access control points not associated with component failure. Other problems resulted from failures of system design and employee use, such as tailgating. These issues were addressed through reconfiguration of access control readers and training for nonsecurity employees.

Once those problems were addressed, remaining alarms were treated as potential breaches in security. With this in mind, security used Six Sigma methodology to devise a prioritization of responses for each access control point. The ranking considered the location of each access control point and what the security device was meant to protect. This led to the next project: identifying individual access rights.

Goals

The company’s goal was to reap ROI on the training and consultation services associated with the initial project, and to carry on with future projects without the need for outside consultation.

The access control project recouped 150 percent of the training and consultation costs. The cost savings were associated with wasted resources responding to false alarms or low-priority alarms, and the reduction in risk achieved when security was able to respond to actual incidents. The company continued the Six Sigma program through the employee who was trained as a project leader. This ensured that the program, and the culture of continuous improvement, remained strong once the advisor and trainers departed.

https://sm.asisonline.org/Pages/The-Power-of-Physical-Security.aspx
<p><strong>The Power of Physical Security</strong></p><p>Any utilities security expert can effortlessly recite the details. In April 2013, someone snuck into an underground vault near a freeway in San Jose, California, and cut several telephone cables. Then, 30 minutes later, snipers shot at an electrical substation in Metcalf, California, for almost 20 minutes, knocking out 17 transformers that funnel power to Silicon Valley, before fleeing the scene and evading capture.</p><p>A major blackout was prevented by rerouting power around the downed station, but the attack caused more than $15 million in damage and brought physical threats to the electric grid to the forefront of discussions about the security of the United States’ critical infrastructure. It quickly became clear that cyberattacks were not the only threat to the U.S. power supply.</p><p>Two years have passed since the incident, and, while the snipers remain at large, the utility industry is taking steps to deter any future attacks.</p><p>“Because the grid is so critical to all aspects of our society and economy, protecting its reliability and resilience is a core responsibility of everyone who works in the electric industry,” said acting Federal Energy Regulatory Commission (FERC) chairman Cheryl LaFleur in a statement in March 2014. (LaFleur was named permanent chairman in July 2014.) Following LaFleur’s statement, FERC directed the North American Electric Reliability Corporation (NERC) to develop new standards requiring owners and operators of the bulk-power system to address risks due to physical security threats and vulnerabilities.</p><p>The FERC order asked NERC to create a standard to identify and protect transmission stations, substations, and associated primary control centers that could cause widespread outages if compromised. 
</p><p>From those instructions, a 10-person drafting committee created the CIP-014 standard, which focuses on transmission assessments and physical security. The standard requires transmission station and substation owners to perform a risk assessment of their systems to identify facilities that could have a critical impact on the power grid.</p><p>The order also requires owners and operators to develop and implement a security plan to address potential threats and vulnerabilities.</p><h4>Participants</h4><p>The electric system is made up of three components: generation (coal-fired, biomass, solar, and wind plants) that produces electricity; transmission, which carries the electricity from the power source to somewhere else, such as a substation; and distribution, which carries power from a facility to the meter at a home, business, or other building.</p><p>When electricity leaves a generation station, such as a wind farm, it goes to a substation that normally has transformers that decrease the voltage, often from 500 to 230 kilovolts (kV). From there, the substation transmits the power to another substation, which usually lowers the voltage further, to 115 kV, before the distribution system steps it down for use in residential and commercial facilities.</p><p>CIP-014 applies to transmission substations, not to generators or distribution stations. However, it does not apply to all 55,000 transmission substations in the country, explains Allan Wick, CPP, PCI, PSP, a member of the standard drafting committee.</p><p>Instead, the standard relies on categories that determine which facilities must comply. The standard applies if a facility that is “rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or cascading within an interconnection,” Wick explains. 
</p><p>Because of these criteria, CIP-014 applies to transmission facilities that operate at 500 kV or higher, or to single facilities that operate between 200 kV and 499 kV where the substation is connected at 200 kV or higher to three or more other transmission stations and has an “aggregate weighted value” exceeding 3,000. (The weighted value is a unitless score summed over the station’s connected lines according to the voltage class of each line; it is not itself a voltage.)</p><p>This means that few transmission substations will have to comply with the standard. “By the time you use those criteria against what’s in the standard, [CIP-014] will only apply to 200 or fewer substations in the United States,” Wick says. The standard also applies to the control centers that operate those 200 substations, which are owned by roughly 30 different companies.</p><h4>Preparation</h4><p>FERC approved CIP-014 in November 2014, officially kickstarting the compliance process that owners need to complete by the first implementation date in October 2015. Their first responsibility is to perform an initial risk assessment (Requirement 1, or R1) to identify the transmission stations and substations to which the standard may apply. Owners then have to identify the primary control centers that operationally control each transmission station or substation identified in the risk assessment.</p><p>Once these steps have been completed, owners have 90 days to have an unaffiliated third party verify their assessments (R2). This third party can be a registered planning coordinator, transmission planner, reliability coordinator, or an entity that has transmission planning or analysis experience. 
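</p>
<p>The applicability screen described above, worked as an added example that is not code from NERC or the article: the function below checks a station against the two criteria the text gives, the 500 kV rule and the 200 to 499 kV rule with three or more connected stations and an “aggregate weighted value” over 3,000. The per-line weights in line_weight are an assumption taken from the CIP-002 Attachment 1 criterion that CIP-014 refers to (the article gives only the 3,000 threshold), and the station data, the Line type and the function names are constructed for illustration.</p>

```python
"""Screening a transmission station against the two CIP-014 applicability
criteria described above: 500 kV or higher, or 200-499 kV with three or more
other stations connected at 200 kV or higher and an "aggregate weighted value"
over 3,000.

Added example; not code from NERC or the article. The per-line weights are an
assumption taken from the CIP-002 Attachment 1 criterion the article refers to;
the station data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Line:
    """One incoming or outgoing transmission line."""
    remote_station: str   # the other transmission station or substation it lands at
    kv: float             # line operating voltage


def line_weight(kv):
    """Assumed per-line weight: 200-299 kV lines count 700, 300-499 kV lines
    count 1,300, and lines below 200 kV or at 500 kV and above count 0."""
    if 200 <= kv <= 299:
        return 700
    if 300 <= kv <= 499:
        return 1300
    return 0


def aggregate_weighted_value(lines):
    """Unitless score summed over every line, parallel lines included."""
    return sum(line_weight(line.kv) for line in lines)


def cip014_candidate(operating_kv, lines, threshold=3000):
    """Return (applies, reason) for the two criteria the article describes.

    Meeting a criterion only puts the station into the R1 risk assessment;
    whether it is "critical" is what that assessment then decides.
    """
    if operating_kv >= 500:
        return True, "operates at 500 kV or higher"
    if operating_kv < 200:
        return False, "operates below 200 kV"
    # Connectivity is counted in distinct stations: two parallel lines to the
    # same neighbour are one connection, though both add to the weighted value.
    peers = {line.remote_station for line in lines if line.kv >= 200}
    awv = aggregate_weighted_value(lines)
    reason = f"{len(peers)} stations at >=200 kV, aggregate weighted value {awv}"
    return (len(peers) >= 3 and awv > threshold), reason


# Constructed stations for illustration: (operating kV, connected lines).
STATIONS = {
    "alpha": (500, []),
    "bravo": (345, [Line("p", 345), Line("q", 345), Line("r", 345)]),
    "charlie": (230, [Line("p", 230), Line("q", 230), Line("r", 230)]),
    "delta": (230, [Line("p", 230), Line("p", 230), Line("q", 230), Line("r", 230), Line("s", 230)]),
    "echo": (345, [Line("p", 345), Line("p", 345), Line("p", 345)]),
    "foxtrot": (138, [Line("p", 138), Line("q", 138), Line("r", 138)]),
}


def screen(stations=STATIONS):
    """Map each station name to (applies, reason)."""
    return {name: cip014_candidate(kv, lines) for name, (kv, lines) in stations.items()}


if __name__ == "__main__":
    for name, (applies, reason) in screen().items():
        status = "in" if applies else "out"
        print(f"{name:8} {status:3} {reason}")
```

<p>Two details the summary in the text does not show: connectivity is counted in distinct neighbouring stations, so the three parallel 345 kV lines of the constructed station “echo” reach a weighted value of 3,900 but count as a single connection and fail the screen, while every line still adds to the weighted value; and passing the screen only means the station enters the R1 risk assessment, which then decides whether it is critical.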
</p><p>If the third party adds or removes a transmission station or substation from the original assessment, owners then have an additional 60 days to modify their risk assessments or to document the basis for not making the change.</p><p>Additionally, if a primary control center identified in the assessment is owned by a company other than the transmission station’s owner, that company must be notified (R3) within seven days following the third-party verification that it has operational control of a primary control center covered by the standard.</p><p>After the initial risk assessment has been completed, transmission owners that identified at least one covered facility must repeat the assessment at least once every 30 months. Owners whose assessment identified no covered facilities must still repeat it, but only once every 60 months.</p><h4>Physical Security</h4><p>Once the transmission analysis and identification have been completed, owners are required to evaluate the potential threats and vulnerabilities of a physical attack (R4) on each of their identified transmission stations, substations, and primary control centers.</p><p>These evaluations should take into account the unique characteristics of the identified and verified transmission stations, substations, and control centers: for example, whether a substation is rural or urban, whether it is near a major highway, or whether it sits in a valley.</p><p>For instance, the substation could be “set down in a small valley, so there are areas around it [from which] a shooter could either shoot the transformers or even use a rocket-propelled grenade to shoot something into it,” Wick explains.</p><p>Owners also need to document any history of attacks on similar facilities, taking into account the “frequency, geographic proximity, and severity of past physical security related events,” according to the standard. 
CIP-014 asks owners to include intelligence or threat warnings they’ve received from law enforcement, the Electric Reliability Organization, the Electricity Sector Information Sharing and Analysis Center, and government agencies from either the United States or Canada.</p><p>Once these evaluations have been completed, and no more than 120 days after R2 is completed, owners are required to develop and implement a documented security plan and timeline that covers their respective transmission stations, substations, and primary control centers (R5).</p><p>Within the security plan, owners should include law enforcement contact and coordination information, provisions to evaluate evolving physical threats and their corresponding security measures, and resiliency or security measures designed “collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified” during R4.</p><p>The drafting committee chose this language specifically, Wick says, because “you can’t just do one of those—you need to put them together as a group to ‘deter, detect, delay,’ because those are the primary components…in a layered security program.”</p><p>The committee was also purposely less prescriptive about the methods owners can use as part of their security measures. “We tried to build in maximum flexibility to arrive at the same end state for everybody,” Wick says. For instance, to delay someone “you can do that several different ways. You could have a 20-foot-high wall with razor tape, or you could do it with a chain link fence; there are so many options that you could use to mitigate the threats and vulnerabilities that are identified in R4.”</p><p>This nonprescriptive method has faced some criticism, but many others think it’s beneficial. 
The regulators “are not really telling you to go out and spend all sorts of money on increased cameras, spending a lot of money on fences,” says Rich Hyatt, PCI, manager of security services for Tucson Electric Power. “They’re kind of promoting that you should harden up your site, like vegetation removal, signage…it’s not like the government’s coming in and telling you to spend $5 million per substation.”</p><p>The committee is also allowing owners to take a twofold approach by giving them the opportunity to build in resiliency on the operational side and protect their assets with security measures.</p><p>For example, Tucson Electric Power is increasing its resiliency by hardening its substations, says Hyatt, who’s also a member of the ASIS International Utilities Council. This is important because sometimes transformers malfunction. “There’s always the likelihood of sabotage, but we also have a threat of malfunction or weather-related issues, or manmade stuff that could go into a transformer being taken out,” he explains.</p><p>Hyatt is also working with substation employees to improve emergency communication, another issue addressed in the standard. “We’re also engaging our…substation folks to beef up their emergency response and have additional spare parts in their inventory so they can respond if a transformer got shot out—we could get it back online quicker,” he explains.</p><p>However, Jake Parker—director of government relations for the Security Industry Association (SIA)—says physically protecting assets is the better way to go for utilities security. “We think that physical security measures are much more cost effective because the cost of hardening the structure can also be extremely steep,” he explains. </p><p>Once owners have drafted and implemented their physical security plans, they then need to be verified again by a third party reviewer (R6) within 90 days. 
This reviewer can be any of four kinds of organization: an entity with electric industry physical security experience whose review staff includes at least one holder of the Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification; an entity approved by the Electric Reliability Organization (ERO); a government agency with physical security expertise; or an entity with demonstrated law enforcement, government, or military physical security expertise.</p><p>The ASIS certifications requirement was included after a review of existing applicable certifications. “By holding one of those two certifications, it shows that you know what you’re talking about on physical security,” Wick explains. “We did reviews of any certification that had physical security requirements, and these were the only two that were suitable.”</p><p>If the reviewer recommends changes to the R4 evaluation or the security plan, owners then have 60 days to comply with those recommendations or document why they are not modifying their plans.</p><h4>Penalties</h4><p>CIP-014 has an aggressive implementation timetable; Parker says he expects most utilities to have their physical security plans in place by spring 2016. Like other NERC reliability standards, CIP-014 is mandatory and enforceable, and NERC is responsible for enforcement; owners must keep documentation as evidence of compliance for three years.</p><p>Despite the limited number of transmission stations and substations covered by the standard, many companies say the standard has inspired them. 
CIP-014 has given companies guidance on increasing their physical security, according to Parker.</p><p>“We’re seeing, given the current environment and response to what happened at Metcalf…that utilities are finding it easier to justify security improvements across the board via rate increases,” he explains.</p><p>The rate increases are the funding mechanism utilities can use to pay for physical security improvements. They can do this by bringing proposals to their boards and justifying small rate increases “to cover the cost of the security upgrades because of the standard, but also because of the need to improve physical security of the electric grid overall,” Parker adds.</p><p>Hyatt agrees, saying that the industry is doing a “really good job” on being proactive in “policing up” and increasing the use of best security practices. The incident at Metcalf, he adds, has “actually increased security’s perception among executives where we work that physical security is just as important as cybersecurity.”</p>