New threat, new challenge

    By Siàƒ¢n Green

    Keeping energy infrastructure operating in the event of a terrorist attack has become a key issue in the USA. Power plant owners and grid operators are looking for guidance on how best to secure their assets.

    Until late last year, most energy companies thought that the greatest threat to the security of their assets was ‘cyber attack’ or minor vandalism. The events of September 11, 2001 changed that.

    Now the energy industry has turned its attention to a new type of threat and the realisation that its physical assets are just as vulnerable as the IT systems that support them. In the USA in particular, keeping energy infrastructure safe from attack has become a key domestic issue.

    Immediately following September 11, energy companies and government departments took a variety of measures to hastily enhance security: the Department of Transportation pulled from its website detailed maps of the country’s pipeline infrastructure, the Nuclear Regulatory Commission (NRC) called for its major licensees to go to the highest level of security and temporarily closed its website; in some states, utilities hired police officers to guard power plants and other key sites.

    Now, these organizations are taking a long-term view of infrastructure security, identifying ‘weak links’ and formulating improvements. The NRC has implemented a full review of its security programme, while the Department of Energy and the Edison Electric Institute have established a CEO Task Force to review existing security and emergency plans in the electric power industry.

    Finding direction

    But while strategy is discussed, at a grass-roots level power plant and distribution system operators are left wondering what they should be doing to protect their assets. The nuclear industry has an advantage here, says Grant Grothen, director of security development at Burns & McDonnell.

    “The nuclear industry has an advantage in some ways because it has the NRC to set guidelines on security,” says Grothen. “Some individual states have opted to enhance this with the use of local law enforcement and the National Guard. But other types of facilities are finding it difficult to determine what precautions to take as there are no generalized guidelines.”

    But according to Grothen, even before the attacks on the US last September, some companies were becoming more aware of the need to protect their assets and had already implemented heightened security measures. “Security in the 60s and 70s when many power plants were built appears to have been a much bigger issue than in the 1990s, which were dominated by a desire to cut costs and be competitive,” explains Grothen.

    The FBI considers nuclear power plants to be ‘hardened targets’ due to their design base and ‘defence in depth’ strategy
    Click here to enlarge image

    “But with many assets changing hands throughout the late 1990s, a lot of companies began to realise the importance of these assets to their businesses and so started to take action.”

    However, most companies were not doing enough to protect power plants and other facilities prior to September, says Grothen. “A lot of these facilities represent over $1bn in assets, and the security that they have on site does not really represent this. It would be sensible to do something to protect an asset of this value.”

    At risk

    Assets most at risk are thought to be nuclear plants, large hydropower facilities and the transmission and distribution infrastructure. Large coal and natural gas fired power plants are also potential targets.

    Transmission and distribution infrastructure is probably the hardest part of critical power infrastructure for companies to protect given the wide areas covered. Substations are often located in remote areas and are difficult to monitor. In addition, the fact that these systems are networked with dispatch centres makes them vulnerable to cyber attack. “Most generation systems are not interconnected, but dispatch and distribution networks are, and these are vital systems,” comments Grothen.

    To overcome these challenges, utilities are now protecting their major substations with cameras and intrusion detection systems. They are also working with local law enforcement to put these facilities on patrol routes.

    Power plants face their own set of challenges, says Grothen, who has recently worked with a number of large coal-fired power plants. These types of facilities may have over ten square miles of land to monitor, with the added difficulty of roads, railroads or even recreation facilities to watch over. In such cases, basic security measures such as perimeter fencing can be challenging to maintain because of all the traffic created.

    “Companies need to look at their primary points of failure and their critical components,” says Grothen. “What we are recommending is focussing on long lead-time components, and in protecting these against terrorist attacks, you’re also protecting them against accidental damage, too. We’re finding that a lot of the recommendations we’re making are just general good practice.”

    Another challenge power plant operators face is finding a balance between acceptable risks and acceptable expenditure. “It is difficult for these plants to know what to do. Everyone knows that they need to do something, but just aren’t sure what,” says Grothen. “A lot of plants have a hard time balancing what is acceptable risk and what is not acceptable risk, and this is one of the areas in which Burns & McDonnell has been valuable. We are helping plants go through the process of identifying assets and threats, and then determining what are acceptable risks and where should money be invested to achieve protection.

    “A lot of these plants wish that there was some sort of direction to help them figure out what they should do, but the problem is that each of these plants is unique and individual, and so each has its own security issues.”

    Distribution infrastructure can be difficult to protect and monitor
    Click here to enlarge image

    There has been little hesitation by companies to put up the investment required for enhanced security, says Grothen. Typically, large coal-fired facilities are spending in the region of $100 000 to $400 000 to improve their systems.

    Looking back

    Burns & McDonnell has found that during the late 1980s and early 1990s, security took a back seat to cost cutting so that guard forces were reduced and security cameras neglected. Now companies are re-examining their practices, and, somewhat ironically, are returning security to the levels seen when their plants were originally built.

    “We are seeing a lot of facilities replacing their camera systems,” says Grothen. “Many of these camera systems were installed when the facilities were first built, but the only cameras that have been maintained are those that are critical to operations, rather than those that are critical for security.” So companies might have a camera in their coal yard to enable them to check on the status of their equipment and for employee safety, but otherwise neglected their camera systems. Now they are adding new camera locations and upgrading the CCTV systems.

    Burns & McDonnell has also found that utilities need to enhance the way in which they communicate with local law enforcement and emergency services and how incident response plans are coordinated. This is in line with some early recommendations put forward by the DOE/EEI CEO Task Force, which also noted that communications networks should be reviewed to ensure that energy companies would be able to communicate effectively with emergency services, the FBI, NERC and other organizations in the event of an emergency to ensure continued secure operation of the energy infrastructure.

    And in addition to upgrading perimeter fencing, another important step that should be taken is employee training to ensure that personnel are familiar with drills and procedures, and are generally alert and observant. According to Grothen, many companies are also extending their routine employee drug testing programmes to include background checks on contract as well as permanent employees.

    The information debate

    In this new world of heightened security, the question of the public’s right to information versus the need to restrict certain data on critical infrastructure has inevitably arisen. For example, the pipeline maps that were removed from the Department of Transportation’s website were part of the US Environmental Protection Agency’s ‘Right to Know’ public information campaign, designed to allow the public to track existing and proposed pipeline routes.

    But on the whole, Grothen believes that a lot of information was made available purely as a public service, rather than because it was demanded by the public and so will not be missed.

    But concern over information availability is something of a blow to the nuclear industry, which has worked hard to inform the public about nuclear technology and how facilities operate. The industry has therefore been keen to promote the fact that the FBI considers nuclear plants to be ‘hardened targets’ due to their robustness, redundant safety systems and ‘defence in depth’ strategy.

    No posts to display