Utilities

 

 

https://sm.asisonline.org/Pages/Global-Water-Risk.aspxGlobal Water RiskGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652017-09-01T04:00:00Zhttps://adminsm.asisonline.org/pages/mark-tarallo.aspx, Mark Tarallo<p>​If, as biblical wisdom reveals, the meek shall inherit the earth, then perhaps it will be the dirty, not the pure, who help build a sustainable global future—at least when it comes to water, say scientists.</p><p>As an issue of global significance, water security has recently vaulted to prominence. Half of the world’s largest cities now experience water scarcity, and roughly two-thirds of the world’s populace face seasonal or annual water stress. </p><p>The future looks even drier. Demand for water is expected to exceed supply by 40 percent within 15 years, if current conditions continue. By 2025, absolute water scarcity will be a daily reality for an estimated 1.8 billion people, according to a United Nations (UN) estimate. Water scarcity can lead to instability and violence; the crisis in Syria was triggered by, among other factors, a historic drought from 2007 to 2010.</p><p>But water security is a complex issue, and scarcity is merely one of its components.</p><p>Most activities that require water produce wastewater. As water usage grows, so does the production of wastewater. And more than 80 percent of wastewater worldwide is released into the environment untreated according to some estimates. </p><p>This discharge can contribute to devastating consequences. In 2012, for example, more than 800,000 deaths worldwide were caused by contaminated drinking water, inadequate handwashing facilities, and insufficient sanitation services. </p><p>In the oceans and larger seas, wastewater discharge sometimes causes deoxygenated dead zones that harm an estimated 245,000 square kilometers of marine ecosystems, according to UN estimates.</p><p>But instead of being discharged, wastewater can be treated—and reused. And more officials and experts are realizing the benefits of this new approach. </p><p>“Wastewater is gaining momentum as a reliable alternative source of water,” says the recently released United Nations World Water Development Report for 2017: Wastewater, the Untapped Resource. </p><p>“Wastewater is no longer seen as a problem in need of a solution, rather it is part of the solution to challenges that societies are facing today,” the report finds. “Wastewater can also be a cost-efficient and sustainable source of energy, nutrients, organic matter, and other useful by-products.” </p><p>Given the skyrocketing demand for water, the positive effect that wastewater reuse could have on the global water crisis is “immense,” says Robert Glennon, a water policy expert at the University of Arizona and author of Unquenchable: America’s Water Crisis and What to Do About It.</p><p>“This is a very big deal,” Glennon tells Security Management. He cites the example of the state of Arizona, which has been active in reusing water for a few decades now. Facilities like golf courses and ballparks can consume large amounts of water, he says, so Arizona’s water reuse practices have been helpful. </p><p>Moreover, state officials have formed WateReuse Arizona, a group that assists communities in achieving sustainable water supplies through reuse. Among other things, the group offers scholarships for Arizona college students interested in specializing in water reuse and reclamation.</p><p>On the U.S. federal level, the U.S. Department of the Interior announced in May that it awarded $23.6 million to seven states for researching, planning, designing, and constructing water reuse projects. </p><p>Often, treating wastewater so that it can be reused for agricultural purposes is less expensive than purifying it to the level where it can be used as drinking water. Given this, countries are becoming more aggressive in their water reuse programs, according to the report. </p><p>For example, in 2013, 71 percent of the wastewater collected in the Arab states was safely treated, and 21 percent was being reused, mostly for irrigation and groundwater recharge.   </p><p>Other regions are realizing the potential benefits of wastewater reuse. In the Asia Pacific region, some countries have discovered that byproducts from domestic wastewater, such as nitrogen, phosphorous, and salt, have potential economic value. </p><p>For example, case studies in Southeast Asia have shown that revenues generated from wastewater byproducts, such as fertilizer, are significantly higher than the operational costs of treating the wastewater. That provides an economic incentive for water reuse, the report finds. </p><p>However, “more needs to be done across the region to support municipal and local governments in managing urban wastewater and capturing its resource benefits,” the report adds. </p><p>In Latin America and the Caribbean, urban wastewater treatment has almost doubled since the late 1990s, so that between 20 and 30 percent of wastewater collected in all sewer systems is now treated. </p><p>“Treated wastewater could be an important source of water supply in some cities, particularly those located in arid areas (such as Lima), or where long-distance transfers are required to meet growing demands, particularly during drought (such as São Paulo),” the report finds.   </p><p>While progress in reusing wastewater has been made in the United States and around the world, there are still constraining factors hindering even more progress, Glennon says. One is cost; some localities in developing countries struggle to afford construction of wastewater treatment plants.   </p><p>Another is that countries like China and India continue to use unsustainable practices when it comes to their water supply, such as “pumping groundwater with impunity.” India, for example, has yet to truly face up to its water shortage crisis and change its practices. “The rules of groundwater pumping remain so relaxed,” Glennon says. </p><p>And in places where water scarcity is currently not a huge issue, some officials have the attitude of, “Why should I bother to reuse water if I can just drill a well?” Glennon says. He compares this attitude to the mistaken belief that an unlimited number of straws can be placed in the same glass—eventually, all the liquid will be sucked out. </p><p>In addition, there are some security issues related to the practice of wastewater reuse, says Yves Duguay, CEO and founder of HCIWorld, who has had on-the-ground experience with audits of water works and other infrastructure systems. For example, systematic controls in the process are needed to ensure that health, safety, and security requirements are maintained. “Most of the time, my audits have shown a lack of oversight and controls, along with poor contract performance management. This can increase the risk for water reuse,” he says. </p><p>This is doubly important in areas where waste management operations, which can include water reuse, are linked to corruption and even organized crime. “How certain are we that waste, solid or liquid, is being disposed as expected and regulated?” he asks. </p><p>Still, developed countries like the United States and Canada can show leadership by developing a systematic approach to the recycle and reuse of wastewater, Duguay says. And since it is not an “in-your-face issue,” wastewater reuse needs more awareness and advocacy so it is not crowded out by more publicized political concerns. “There is little room on our governments’ agenda for such a topic, unless it is talked about and frequently communicated to the general public,” he explains.</p><p>Nonetheless, in areas of the world where water scarcity hits hardest, it will ultimately become a necessity to reuse treated wastewater, because supply will not hold out, Glennon says. “Some places will have to use that for drinking water—there is simply no alternative,” Glennon explains. Duguay echoes this view: “There is no doubt that we need to control our utilization of water; it’s a unique resource that is not infinite,” he says. </p><p>In the end, the UN report argues that, in a world where limited water resources are increasingly stressed by over-abstraction, pollution, and climate change, it is imperative for officials around the globe to focus on wastewater treatment and reuse.   </p><p>“Neglecting the opportunities arising from improved wastewater management,” the report concludes, “is nothing less than unthinkable.”  ​ ​</p>

Utilities

 

 

https://sm.asisonline.org/Pages/Global-Water-Risk.aspx2017-09-01T04:00:00ZGlobal Water Risk
https://sm.asisonline.org/Pages/Solar-Technology-Can-Help-Secure-Military-Grids,-New-Paper-Finds.aspx2017-05-08T04:00:00ZSolar Technology Can Help Secure Military Grids, New Paper Finds
https://sm.asisonline.org/Pages/Infrastructure-Protection-Trends.aspx2016-09-01T04:00:00ZInfrastructure Protection Trends
https://sm.asisonline.org/Pages/Cyber-Pulls-the-Plug.aspx2016-05-01T04:00:00ZCyber Pulls the Plug
https://sm.asisonline.org/Pages/Five-Incidents-That-Shaped-Crisis-Management.aspx2015-06-29T04:00:00ZFive Incidents That Shaped Crisis Management
https://sm.asisonline.org/Pages/The-Power-of-Physical-Security.aspx2015-05-07T04:00:00ZThe Power of Physical Security
https://sm.asisonline.org/Pages/SM-Online-May-2015.aspx2015-05-01T04:00:00ZSM Online May 2015
https://sm.asisonline.org/Pages/News-and-Trends-1114.aspx2014-11-01T04:00:00ZNews and Trends
https://sm.asisonline.org/Pages/Utility-Attacks.aspx2014-11-01T04:00:00ZUtility Attacks
https://sm.asisonline.org/Pages/heating-up-the.aspx2014-09-01T04:00:00ZHeating Up The Perimeter
https://sm.asisonline.org/Pages/let-intelligence-light.aspx2014-09-01T04:00:00ZLet Intelligence Light The Way
https://sm.asisonline.org/Pages/Watching-The-Port.aspx2014-09-01T04:00:00ZIndustry News September 2014
https://sm.asisonline.org/Pages/nuclear-safety-0013417.aspx2014-06-01T04:00:00ZImproving Nuclear Security
https://sm.asisonline.org/Pages/chemical-facilities-tackle-explosive-problem-0013191.aspx2014-03-01T05:00:00ZChemical Facilities Tackle an Explosive Problem
https://sm.asisonline.org/Pages/chemical-plants-0013185.aspx2014-03-01T05:00:00ZChemical Plant Security
https://sm.asisonline.org/Pages/federal-prosecutors-open-investigation-west-virginia-chemical-spill-0013080.aspx2014-01-10T05:00:00ZFederal Prosecutors Open Investigation into West Virginia Chemical Spill
https://sm.asisonline.org/Pages/nuclear-facilities-0012979.aspx2013-12-01T05:00:00ZNuclear Facility Security
https://sm.asisonline.org/Pages/Nuclear-Facility-Protection.aspx2013-12-01T05:00:00ZNuclear Facility Protection
https://sm.asisonline.org/Pages/state-bioterrorism-surveillance-0012857.aspx2013-11-01T04:00:00ZThe State of Bioterrorism Surveillance
https://sm.asisonline.org/Pages/critical-infrastructure-security-assessment-prevention-detection-response-assessment-prevent.aspx2013-09-01T04:00:00ZCritical Infrastructure Security: Assessment, Prevention, Detection, Response Assessment, Prevention, Detection, Response

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/The-Power-of-Physical-Security.aspxThe Power of Physical Security<p>​<span style="line-height:1.5em;">A</span><span style="line-height:1.5em;">ny utilities security expert can effortlessly recite the details. In April 2013, someone snuck into an underground vault near a freeway in San Jose, California, and cut several telephone cables. Then, 30 minutes later, snipers shot at an electrical substation in Metcalf, California, for almost 20 minutes, knocking out 17 transformers that funnel power to Silicon Valley, before fleeing the scene and evading capture. </span></p><p>A major blackout was prevented by rerouting power around the downed station, but the attack caused more than $15 million in damage and brought physical threats to the electric grid to the forefront of discussions about the security of the United States’ critical infrastructure. It quickly became clear that cyberattacks were not the only threat to the U.S. power supply. </p><p>Two years have passed since the incident, and, while the snipers remain at large, the utility industry is taking steps to deter any future attacks.</p><p>“Because the grid is so critical to all aspects of our society and economy, protecting its reliability and resilience is a core responsibility of everyone who works in the electric industry,” said acting Federal Energy Regulatory Commission (FERC) chairman Cheryl LaFleur in a statement in March 2014. (LaFleur was named permanent chairman in July 2014.) Following LaFleur’s statement, FERC directed the North American Electric Reliability Corporation (NERC) to develop new standards requiring owners and operators of the bulk-power system to address risks due to physical security threats and vulnerabilities.</p><p>The FERC order asked NERC to create a standard to identify and protect transmission stations, substations, and associated primary control centers that could cause widespread outages if compromised. </p><p>From those instructions, a 10-person drafting committee created the CIP-014 standard that focuses on transmission assessments and physical security. The standard requires transmission station and substation owners to perform a risk assessment of their systems to identify facilities that could have a critical impact on the power grid.</p><p>The order also requires owners and operators to develop and implement a security plan to address potential threats and vulnerabilities.​</p><h4>Participants</h4><p>The electric system is made up of three components: generators—coal fired, biomass, solar, and wind—that produce electricity; transmission—taking the electricity from the power source and moving it somewhere, such as a substation; and distribution—power moving from a facility to the meter in a home, business, or other building.</p><p>When electricity moves from a generation station, such as a wind farm, it goes to a substation that normally has transformers that decrease the voltage, often from 500 to 230 kilovolts (kV). From there, the substation transmits the power to another substation, which usually lowers the voltage even further to 115 kV so it can be used in residential and commercial facilities. </p><p>CIP-014 applies to transmission substations in the electric system, not the generators or the distribution stations. However, it doesn’t apply to all 55,000 transmission substations in the country, explains Allan Wick, CPP, PCI, PSP, a member of the standard drafting committee. </p><p>Instead, the standard relies on categories that determine which facilities must comply with the standard. The standard takes effect if a system that is “rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or cascading with an interconnection,” Wick explains. </p><p>Because of these criteria, CIP-014 applies to transmission facilities that operate at 500 kV or higher, or single facilities that operate between 200 kV and 499 kV where the substation is connected at 200 kV or higher voltage to three or more other transmission stations that have an “aggregate weighted value” higher than 3,000 kV. </p><p>This means that few transmission substations will have to comply with standards. “By the time you use those criteria against what’s in the standard, [CIP-014] will only apply to 200 or fewer substations in the United States,” Wick says. The standard also applies to the control centers that operate those 200 substations—which are owned by roughly 30 different companies. </p><div><span class="Apple-tab-span" style="white-space:pre;"> </span></div><h4>Preparation</h4><p>FERC approved CIP-014 in November 2014, officially kickstarting the compliance process that owners need to complete by the first implementation date in October 2015. Their first responsibility is to perform an initial risk assessment (Requirement 1) to identify the transmission stations and substations the standard may apply to. Owners then have to identify the primary control centers that operationally control each transmission station or substation identified in the risk assessment.</p><p>Once these steps have been completed, owners will have 90 days to have an unaffiliated third party verify their assessments (R2). This third party can be a registered planning coordinator, transmission planner, reliability coordinator, or an entity that has transmission planning or analysis experience. </p><p>If the third party adds or removes a transmission station or substation from the original assessment, owners then have an additional 60 days to modify their risk assessments or document the basis for not making the appropriate changes.</p><p>Additionally, if the primary control centers identified are owned by a company other than the transmission station, that owner needs to be notified (R3) within seven days following the third-party verification that it has operational control of the primary control center.</p><p>After the initial risk assessment has been completed, transmission owners that are covered by the standard will perform subsequent assessments at least once every 30 months. Transmission owners that are not covered by the standard are also required by law to perform assessments, but only once every 60 months.​</p><h4>Physical Security</h4><p>Once the transmission analysis and identification have been completed, owners are required to conduct evaluations of the potential threats and vulnerabilities of a physical attack (R4) to each of their respective transmission stations, substations, and primary control centers.</p><p>These evaluations should include unique characteristics of the identified and verified transmission stations, substations, and control centers. For example, characteristics could include whether the substation is rural or urban, if it’s near a major highway, or if it’s in a valley. </p><p>For instance, the substation could be “set down in a small valley, so there are areas around it [from which] a shooter could either shoot the transformers or even use a rocket-propelled grenade to shoot something into it,” Wick explains.</p><p>Owners also need to detail any history of attacks on similar facilities, taking into account the “frequency, geographic proximity, and severity of past physical security related events,” according to the standard. CIP-014 asks owners to include intelligence or threat warnings they’ve received from law enforcement, the Electric Reliability Organization, the Electricity Sector Information Sharing and Analysis Center, and government agencies from either the United States or Canada.</p><p>Once these evaluations have been completed, and no more than 120 days after R2 is completed, owners are required to develop and implement a documented security plan and timeline that covers their respective transmission stations, substations, and primary control centers (R5). </p><p>Within the security plan, owners should include law enforcement contact and coordination information, provisions to evaluate evolving physical threats and their corresponding security measures, and resiliency or security measures designed “collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified” during R4.</p><p>The drafting committee chose this language specifically, Wick says, because “you can’t just do one of those—you need to put them together as a group to ‘deter, detect, delay,’ because those are the primary components…in a layered security program.”</p><p>The committee was also purposely less prescriptive about methods owners can use as part of their security measures. “We tried to build in maximum flexibility to arrive at the same end state for everybody,” Wick says. For instance, to delay someone “you can do that several different ways. You could have a 20-foot -high wall with razor tape, or you could do it with a chain link fence; there are so many options that you could use to mitigate the threats and vulnerabilities that are identified in R4.”</p><p>This nonprescriptive method has faced some criticism, but many others think it’s beneficial. The regulators “are not really telling you to go out and spend all sorts of money on increased cameras, spending a lot of money on fences,” says Rich Hyatt, PCI, manager of security services for Tucson Electric Power. “They’re kind of promoting that you should harden up your site, like vegetation removal, signage…it’s not like the government’s coming in and telling you to spend $5 million per substation.”</p><p>The committee is also allowing owners to take a twofold approach by giving them the opportunity to build in resiliency on the operational side and protect their assets with security measures.</p><p>For example, Tucson Electric Power is increasing its resiliency by hardening its substations, says Hyatt, who’s also a member of the ASIS International Utilities Council. This is important because sometimes transformers malfunction. “There’s always the likelihood of sabotage, but we also have a threat of malfunction or weather-related issues, or manmade stuff that could go into a transformer being taken out,” he explains.</p><p>Hyatt is also working with substation employees to improve emergency communication, another issue addressed in the standard. “We’re also engaging our…substation folks to beef up their emergency response and have additional spare parts in their inventory so they can respond if a transformer got shot out—we could get it back online quicker,” he explains.</p><p>However, Jake Parker—director of government relations for the Security Industry Association (SIA)—says physically protecting assets is the better way to go for utilities security. “We think that physical security measures are much more cost effective because the cost of hardening the structure can also be extremely steep,” he explains. </p><p>Once owners have drafted and implemented their physical security plans, they then need to be verified again by a third party reviewer (R6) within 90 days. This reviewer can be an entity or organization with physical security experience in the electric industry and whose review staff: has at least one member who holds either a Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification; is approved by the Electric Reliability Organization (ERO); is a government agency with physical security expertise; or is an entity or organization with law enforcement, government, or military physical security expertise.</p><p>The ASIS certifications requirement was included after a review of existing applicable certifications. “By holding one of those two certifications, it shows that you know what you’re talking about on physical security,” Wick explains. “We did reviews of any certification that had physical security requirements, and these were the only two that were suitable.”</p><p>If the reviewer recommends changes to the R4 evaluation or the security plan, owners then have 60 days to comply with those recommendations or document why they are not modifying their plans.</p><h4>Penalties</h4><p>CIP-014 has an aggressive implementation timetable; Parker says he expects most utilities to have their physical security plans in place by spring 2016. There are no penalties for owners who do not comply with the new standard, although owners who do comply are required to keep documentation as evidence to show compliance for three years. NERC is responsible for enforcement.</p><p>Despite the lack of penalties and the limited number of transmission stations and substations covered by the standard, many companies say the standard has inspired them. CIP-014 has given companies guidance on increasing their physical security, according to Parker.</p><p>“We’re seeing, given the current environment and response to what happened at Metcalf…that utilities are finding it easier to justify security improvements across the board via rate increases,” he explains.</p><p>The rate increases are the funding mechanism utilities can use to pay for physical security improvements. They can do this by bringing proposals to their boards and justifying small rate increases “to cover the cost of the security upgrades because of the standard, but also because of the need to improve physical security of the electric grid overall,” Parker adds. </p><p>Hyatt agrees, saying that the industry is doing a “really good job” on being proactive in “policing up” and increasing the use of best security practices. The incident at Metcalf, he adds, has “actually increased security’s perception among executives where we work that physical security is just as important as cybersecurity.” ​</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Infrastructure-Protection-Trends.aspxInfrastructure Protection Trends<p></p><p>If you fail to upgrade your Internet technologies, you’ll find yourself stuck in 1997. But if you fail to upgrade your infrastructure, you’ll find yourself stuck in 1897. It’s a well-worn joke, but it illustrates the importance of secure, well-functioning infrastructure to modern society.</p><p>Moreover, the rise of sophisticated cyberattacks on infrastructure make it an area of increasing vulnerability, experts say. As a result, the global market for critical infrastructure protection is growing, and it is projected to reach $94 billion by 2020, according to Global Industry Analysts, Inc. This demand is being driven by the increasing need to protect critical assets and prevent disruptions to normalcy due to threats, the company reports. And because critical infrastructure assets and systems are vital to the economy, disruptions or breaches can be catastrophic.</p><p>Given the stakes in play, Yves Duguay, CEO and founder of HCIWorld, sees a clear trend in infrastructure protection—a greater focus on resilience, on being prepared before an incident occurs, and on maintaining operating continuity before and after an incident. HCIWorld’s clients include airports, transportation systems, and other key infrastructure facilities.</p><p>“Resilient organizations have moved from the ‘if’ to the ‘when,’” he says. “It’s not a question of whether or not a given scenario will materialize, it’s when and how often it will be repeated, as exemplified by the viral number of cyberattacks recorded by security agencies.”</p><p>This is an important issue in the business community, because while governments do oversee and protect some critical infrastructure, much infrastructure is in the hands of the private sector. For example, in Canada, where HCIWorld is based, a recent survey found that 80 percent of the infrastructure in the energy and water sectors is privately held. The situation is similar in the United States. “Generally speaking, there is a lot more private sector involvement, on both sides of the border,” Duguay says.</p><p>By focusing on resilience and risk management in infrastructure security, companies can dem­onstrate proper due diligence in managing the range of risks they face. “This not only offers a protection of the company’s reputation, but it also reduces its legal liabilities, and possibly its insurance costs,” Duguay says. </p><p>Some forward-thinking firms have adopted infrastructure resilience strategies that include contingency and emergency plans, which are practiced and reviewed with their employees. “Resilience must become part of everyone’s job description, not only of the security department,” Duguay says. When employees understand why certain measures are taken and their own role in contingency and emergency planning, they become much more involved and committed, Duguay explains.</p><p>When a crisis does happen, communication is crucial, he adds. “The key to the success of protecting infrastructure also lies in the ability of companies, especially large ones, to involve their employees by communicating with them in real time, and providing them with accurate information and guidance during an emergency,” he explains. </p><p>Resilience can also have bottom-line financial benefits. “Activating a contingency plan quickly to resume business activities will translate into a competitive advantage for these companies,” Duguay says.  </p><p>In addition to the move toward greater resilience, another clear trend in infrastructure security is greater interconnectedness, says Jeffrey Slotnick, CPP, PSP, CSO of OR3M and president of Setracon. Slotnick has been an architect in the U.S. homeland security enterprise, including stints writing standards and managing assessments for critical infrastructure protection. </p><p>He offers the example of a computer, which may be connected to a printer, a scanner, and other hardware. It works under the “plug-and-play” concept: all equipment is integrated, and can be operated by simply turning on one switch. Right now, infrastructure protection tools are not interconnected to the level where an access camera, a door controller, and other systems are fully integrated to the plug-and-play level. “We haven’t got there yet in the security industry,” he says. </p><p>But that’s the direction that infrastructure security will be moving in the next five years, Slotnick says. The next logical step is a common operating platform, on which disparate systems will be integrated and can talk to one another. This is already happening in some smart cities, where integrated systems are becoming more common, he explains.  </p><p>There’s also a demographic driver to this trend, as the number of technology-savvy millennials increases in the workplace. “Millennials manipulate technology differently,” Slotnick says, and they will demand more integration. </p><p>However, Slotnick also cites one negative trend that continues: the fact that infrastructure facilities are often guarded by officers who are inadequately compensated and insufficiently trained. “We take a minimum wage security officer and place that officer in front of multimillion dollar infrastructure facility, and then we wonder why situations arise that may not necessarily be to our liking,” he says. </p><p>Europe has a better model, he explains. There, security officers are in a “guild profession” with a more equitable pay scale that correlates to different position levels, such as site supervisor or area manager, for example. In contrast, the modest wages in the American system means that turnover is often a problem because officers will switch companies for a 25-cent-per-hour increase.</p><p>“If I could change one thing in the security industry,” Slotnick says, “it would be that.”</p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Utility-Attacks.aspxUtility Attacks<p>​</p><p>UTILITY SECURITY PROFESSIONALS are living in the post-Metcalf era. Last year’s mysterious attack on a power station in Metcalf, California, has heightened the importance of protecting the U.S. electrical grid—not only from natural disasters and everyday crime, such as theft and vandalism, but from a potential terrorist attack.</p><p>During the Metcalf incident in April 2013, snipers opened fire on an electrical substation for nearly 19 minutes, knocking out 17 giant transformers and causing more than $15 million in damage. The attack brought the utility grid’s susceptibility to terrorism to the fore.</p><p>“Prior to 2014…physical security initiatives among grid owners were focused primarily on preventing vandalism and theft (of copper wire) rather than a terrorist attack,” writes Paul Parfomak, a specialist in energy and infrastructure policy with the Congressional Research Service (CRS), in a recent CRS report, Physical Security of the U.S. Power Grid: High-Voltage Transformer Substations.</p><p>The CRS report focuses on one of the more important components of the grid: high voltage (HV) transformers. HV transformer units make up less than 3 percent of all transformers in U.S. power substations, but they carry 60 to 70 percent of the nation’s electricity that flows through the 200,000 miles of high-voltage transmission lines in the grid. And they are not secure, according to the report.</p><p>“There is widespread agreement among government, utilities, and manufacturers that HV transformers in the United States are vulnerable to terrorist attack, and that such an attack potentially could have catastrophic consequences,” Parfomak writes.</p><p>How likely is such an attack? More work needs to be done to get a better handle on that question, the report recommends. An effective multitransformer attack would require a certain level of sophistication on the part of attackers, including a good understanding of the operational aspects of the grid. Consequently, more analysis is needed to ascertain attacker capabilities and potential targets, and clearer assessments need to be made about where and how the grid would be most vulnerable. A continued lack of such analysis could lead to a poorly executed grid security program.</p><p>“Incomplete or ambiguous threat information may lead to inconsistency in physical security among HV transformer owners, inefficient spending of limited security resources at facilities that may not really be under threat, or deployment of security measures against the wrong threat,” Parfomak writes.</p><p>Given the need for more analysis and assessments, the report asks Congress to do further work in four main issue areas. First, the report calls for more focus on identifying transformers and substations that can be considered truly critical and are of national significance. A 2013 study by Federal Energy Regulatory Commission (FERC), for example, identified only 30 as critical. Failing to make these designations risks the possibility of hardening too many substations or hardening the wrong ones.</p><p>But to make these designations in a strategically sound way, policymakers need to consider all potential threats that the grid faces, not just a terrorist attack, says energy expert Jason Black, who leads the grid solutions research team at Battelle, the nonprofit research and development organization.</p><p>“We will have a lot more hurricanes, than—hopefully—we will have physical attacks,” Black says, so the critical designation process should reflect that. Moreover, strategic designation depends on what level of risk policymakers are willing to accept. “For an event like Hurricane Sandy, we may have a certain amount of outages we will accept, and some we will not,” Black says.</p><p>Second, the report emphasizes the importance of keeping critical transformer information confidential. A strategic grid security plan will likely require more independent risk assessments by outsiders, meaning that more sensitive information about the grid will be shared among utilities, consultants, and other third parties. “Ensuring that [sensitive information] generated and transferred among these entities remains secure could require special attention,” Parfomak writes.</p><p>However, the need for some confidentiality, while important, must be balanced with the public’s need to know enough information about threat levels, Black says. “As a rate payer, I want to know that my money is being well spent.”</p><p>The report also stresses the importance of maintaining adequate HV transformer protection, especially given that funding for security is not unlimited. “Security measures, in themselves, are cost items, with no direct monetary return. The benefits are in the avoided costs of potential attacks whose probability is generally not known. This makes cost-justification very difficult,” Parfomak writes.</p><p>That point addresses a fundamental challenge about electric power security, Black says—the grid was never designed with antiterrorism safeguards in mind. “We don’t have a system that’s hardened against terrorist attacks,” he explains. That means examining all potential hazards, prioritizing, and making the most efficient and strategic investments possible.</p><p>The report calls on federal officials to be as clear and consistent as possible when releasing threat assessments, so that sound security policy decisions can be made.</p><p>Parfomak offers an example of inconsistent threat information from federal officials—discussion of the Metcalf attack, which so far is unsolved. “Some federal officials reportedly have characterized the Metcalf incident as a domestic terrorist attack, potentially a ‘dry run’ for a more destructive attack on multiple HV transformer substations,” he writes. “However, the FBI has stated that it does not believe Metcalf was a terrorist incident.”<br></p>GP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465