Security Management Programs for Utilities

This is the first of what I hope will be many joint blog posts with my friend and colleague, John McClean, Director, Util-Assist Inc. John and I have worked together for many years now, and one of the things I really admire about him is that he not only understands security, but he has a deep background in utility operations. Whereas my understanding of electricity is limited to ‘it’s invisible, and it wants to kill me,’ he really understands how it works. I’ve spent many hours going through substations with him, and I always learn a lot.

I learned a lot about security management at Atwood Oceanics, an offshore oil company in Houston, where I worked in the safety department. I had never heard of a security management program, but they had a detailed safety management program that I soon convinced myself would work very well as the guts of a security management program. Both disciplines are really the same thing: the prevention of unwanted incidents.

And now on to the blog post.

From a societal perspective, electricity can be considered a cornerstone component of what is known as the “Iron Triangle”. The other two components are telecommunications and the banking system. Loss of any one of these three makes it difficult to sustain a functioning economy and society. Electricity services are provided by organizations called utilities. In the distribution of electricity to communities, towns and cities, electricity utilities are granted licenses to act as monopolies because of the substantial investment in infrastructure that is required to serve customers. Duplication of that expensive infrastructure is wasteful and difficult because of the limited rights-of-way available. The public's financial interests are protected through regulators in each state (and province). Regulators can also be called “Public Utility Boards,” “Public Utility Commissions” and “Public Service Commissions.” Their role is to protect customers and regulate the price of the service, ensuring that a utility cannot take advantage of its monopoly status and overcharge customers.

Because this structure is not a competitive market that offers alternatives, regulators set specific performance measures in four key areas (customer focus, operational effectiveness, public policy and responsiveness, and financial performance), among many other requirements.

These requirements placed on utilities ensure that the public's needs are met to the greatest extent possible.  Utilities meet these obligations through:

·      Adopting active redundancy in asset design.  For example, several transmission lines may connect a power plant to a distribution network, and communities are served by several substations.  The loss of any single substation or transmission line would have minimal impact on customer service.

·      Plant maintenance, rehabilitation, and replacement programs. These efforts help ensure a well running network from the substation to the customer entrance.

·      Promoting resiliency, hardening, and response measures that enable them to continue providing power to customers during and after a disruption, respond quickly to outages, and restore service as soon as possible.

·      Securing electricity assets so that adversaries have fewer opportunities to interfere with or stop the supply of power to the public, even when interrupting supply is not their primary goal.  For example, preventing unwanted access to substations stops both copper thieves and saboteurs.  Good asset security also reduces the risk to the public by preventing access to hazards, and keeps electricity costs down by discouraging theft and vandalism.

Asset security is managed through a security management program.  Security practitioners are facilitators in this process, ensuring that all points of view are addressed and that all risks are accounted for.  The program draws on several stakeholders, each contributing something the security function cannot supply on its own:

·      The Executive approves the security management program, provides guidance on risk appetite and security priorities, supports the security program through the budget process, and helps to focus the organization's resources.

·      Operations provide information on asset and component criticality and advise on resilience and redundancy strategies to ensure that the public's needs are met.  This helps to ensure that security can concentrate on those assets and components that are truly critical to the utility.  For example, a critical component that is expensive, has few spares, and takes a long lead time to obtain will likely be assigned a higher protection priority than an inexpensive component for which there are many spares and alternative sources of supply.

·      Human Resources provides information on employees, including training, and participates in insider threat risk management activities.

·      Law enforcement provides information on local criminal activity and cooperates in the task of security incident response.

·      Information Sharing and Analysis Centers, security intelligence organizations, trade associations, and fusion centres provide information on criminal and national security threats related to the sector or to member utilities.

·      The public provides information on incidents and unusual activity in the vicinity of unmanned utility assets.
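The Operations bullet above describes a decision rule: a component that is expensive, has few spares and has a long procurement lead time earns a higher protection priority than a cheap, plentiful one, and redundancy lowers the consequence of losing it. The following script is an added illustration of how those inputs can be turned into a ranked protection list; it is not code from the original post or from Util-Assist. The 1-to-5 threat and vulnerability scales, the equal weighting of cost, spares and lead time, the halving for redundant assets, and the four sample assets are all assumptions made for the example.

```python
"""Protection-priority ranking for utility assets (added illustration).

Consequence of loss is built from the criticality inputs Operations supplies
(replacement cost, spares on hand, lead time, redundancy) and then combined
with the threat and vulnerability ratings from the risk assessment. All
weights, scales and sample data are assumptions chosen for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    replacement_cost: float   # assumed currency units
    spares_on_hand: int       # spares the utility holds today
    lead_time_days: int       # days to procure a replacement
    redundant: bool           # True if another asset covers its loss (N-1 design)
    threat: int               # 1..5: likelihood an adversary attempts interference (assumed scale)
    vulnerability: int        # 1..5: ease of success given current controls (assumed scale)


def consequence(asset: Asset, max_cost: float, max_lead: int) -> float:
    """Consequence of loss on a 0..5 scale.

    Assumed weighting: cost, lead time and scarcity of spares each contribute
    up to one third of the score; redundancy halves the result because the
    public keeps its power while the replacement is sourced.
    """
    cost_term = asset.replacement_cost / max(max_cost, 1.0)    # 0..1, relative to costliest asset
    lead_term = asset.lead_time_days / max(max_lead, 1)        # 0..1, relative to longest lead time
    spares_term = 1.0 / (1 + asset.spares_on_hand)             # 1.0 with no spares, falls with each spare
    score = 5 * (cost_term + lead_term + spares_term) / 3
    if asset.redundant:
        score /= 2
    return round(score, 2)


def risk(asset: Asset, max_cost: float, max_lead: int) -> float:
    """Risk = threat x vulnerability x consequence (assumed multiplicative model)."""
    return round(asset.threat * asset.vulnerability * consequence(asset, max_cost, max_lead), 2)


def rank(assets: list[Asset]) -> list[tuple[str, float]]:
    """Return (name, risk) pairs, highest protection priority first."""
    max_cost = max(a.replacement_cost for a in assets)
    max_lead = max(a.lead_time_days for a in assets)
    scored = [(a.name, risk(a, max_cost, max_lead)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample inventory for the example; not real utility data.
SAMPLE_ASSETS = [
    Asset("230/28 kV power transformer", 3_000_000, 0, 540, False, 2, 3),
    Asset("Pole-top distribution transformer", 5_000, 40, 14, False, 2, 4),
    Asset("Substation grounding copper", 20_000, 5, 30, False, 4, 4),
    Asset("Feeder breaker (one of two)", 150_000, 1, 120, True, 2, 3),
]


if __name__ == "__main__":
    for name, score in rank(SAMPLE_ASSETS):
        print(f"{score:6.2f}  {name}")
```

With the sample data the power transformer ranks first (no spares, longest lead time, costliest), the grounding copper second because copper theft raises its threat rating even though it is cheap, and the pole-top transformer last. Two caveats a practitioner should keep in mind: multiplying ordinal 1-to-5 ratings is a common convenience rather than sound arithmetic, so the output is a ranking to argue over with Operations, not a measurement; and the lead-time and spares inputs only mean something if Operations and supply chain keep them current.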

Similar to a safety management program, the security management program seeks to reduce the number and impact of unwanted incidents.

A security management program should address the following areas:

1.     Mission and vision of the security program, and how it aligns with the mission and vision of the utility

2.     Governance of the program, accountability, competence, and external relationships

3.     Security risk management (usually based on ISO 31000 or something similar) including asset classification, threat assessment, vulnerability assessment, risk mitigation, communications, and the security budget planning process

4.     Protection of information related to proprietary processes and technologies, personnel, security, and customers

5.     Security of information technology (IT) and operational technology (OT) systems

6.     Protection of employees, contractors, and visitors

7.     Audit, management of changes to the program, and corrective action