Electric Utility Security
Protecting Utility Assets from Attacks by Terrorists and Other Adversaries
10.19.04   Richard Barker, President & CEO, Quad Resources, Inc.

Among the many results of the 9-11 attacks on U.S soil, increased concern for protection of critical infrastructure from terrorist acts is the one with the greatest potential impact for utilities and energy providers. The numbers of inquiries received from electric utilities and other energy clients, in fact, is indicative of the interest in the subject and the impetus for this article.

While terrorism may not be a threat in some locales, security of facilities against attacks by thieves, vandals, disgruntled employees and other malefactors is vital to all utilities if they are to ensure reliability and effectively manage risk.

Security involves far more than installation of intrusion detection or video surveillance. An effective security system will carefully integrate electronic security with deterrence measures, the utility's operations, the personnel who work in the facility or control center, the utility's policies and procedures, and other pertinent factors.

COMMON ERRORS IN SECURITY SYSTEM DESIGN
In addressing utilities' need for security, there are several common mistakes made by utilities and security contractors alike.

Feature-Based Systems - The feature-based approach decides what features are needed, wanted, or offered in the security contractor's product lines, and then designs the system around those features. While the selection of features is an important part of the planning and design process, a feature-based design can result in a system which may be rich in the latest features and technologies, but ineffective in deterring and protecting against attackers.

The most effective security system design will employ a performance-based approach, which establishes performance standards at the outset, and then develops security which will meet those standards.

Cookie-Cutter Systems – Feature-based design can also result in cookie-cutter security systems. Security contractors who do not understand the unique requirements of utilities may provide essentially the same security system they have designed for a shopping mall, an office building, a hospital or a factory. But energy facilities are, in fact, unique – they have unique vulnerabilities and unique operating requirements, and the consequences of a successful attack extend far beyond the facilities themselves.

Failure to Integrate – Electronic security systems do not operate in a vacuum – they have to integrate with normal utility operations, with the normal duties of utility personnel, and with operations policies and procedures. Yet it is not uncommon to find that security system designers simply install intrusion detection or video surveillance without taking into account how security will integrate into the whole – physical deterrence, utility operations, human factors, policies and procedures. This almost guarantees that the system will not effectively protect the utility's assets, an may even make a security system less effective than no system at all.

PRE-DESIGN ASSESSMENT
Prior to designing a security system, it is important that a detailed assessment of the facilities to be protected be made. The assessment work will include site inspections, interviews of operating and management personnel, and gaining a thorough understanding of the operation of the individual facilities and of the utility as a whole. This information will provide the basis for:

IEEE Guide 1402 provides a general checklist for security inspections of power substations, but it lacks much in the way of essential detail regarding vulnerabilities and other factors needed in conducting pre-design planning.

FUNDAMENTAL PROTECTION CONCEPTS
Physical asset protection integrates personnel, policies, procedures, equipment and systems into a whole for the protection of assets or facilities against sabotage, theft, vandalism, terrorist attacks, or other malevolent human activities. Protection is accomplished in two ways.

Deterrence - Deterrence prevents the adversary from making the attack. Deterrence is accomplished by measures that are perceived by adversaries as being too difficult to defeat; it makes the facility an unattractive target, so that the adversary abandons the attack or never attempts to make it.

Defeat – Defeat means thwarting an attack after it has been initiated. Defeating an attack involves three individual functions which must be accomplished in proper sequence if they are to be effective. These are:

  1. Detection – Discovering and verifying that an attack is in progress;
  2. Delay – Delaying the attacker in accomplishing his objective, and;
  3. Response – Stopping the attacker before he achieves the intended objective.

Effective deterrence will protect the facilities from the most common adversaries. Measures for protecting the facilities from an attacker, such as a terrorist, who is determined to enter the facility despite the difficulty and risk, are those which will defeat the adversary.

THREE-STEP PROCESS FOR DEFEATING AN ATTACK
Following are more detailed descriptions of how each of the three elements operate together to defeat an in-progress attack on a facility.

Detection – Detection is discovery of an adversary's action. It is more than just the receipt of an alarm from a detection device. It also includes assessment of the alarm to determine its validity, its cause and its nature. Detection without assessment is not useful detection because, until the assessment is made, an appropriate response can not be formulated or initiated.

In the planning and design stage, successful detection is expressed as Probability of Detection (PD), which in turn depends on three other measurable quantities: (1) The probability of sensing the presence of or action by an adversary (PS); (2) The time required to make an accurate assessment of the alarm (tA), and; (3) the Nuisance Alarm Rate (NAR).

Included in tA is the total amount of time between the instant of activation of a sensor (t0) and determination of the character of the alarm by human operators. The times required for the system to process, communicate and display the alarm for the operators are also included in tA.

If tA is very small, PD will be near PS, but PD decreases as tA increases. The relationship between PD and NAR is more complex, but if NAR is too high, PD will also suffer. Understanding these relationships and incorporating them into system design is an important part of the Performance-Based Design process.

Delay – Delay is the time interval between completion of the detection process and the adversary's accomplishment of the intended objective. Although the adversary may be delayed before detection, this delay is of no value in defeating an attacker because it does not provide any additional time for the utility to respond to the attack. Delay before detection is a component of deterrence.

The measure of delay effectiveness (td) is the time required by the adversary, after being detected, to defeat or bypass each delay element. Both increasing td and decreasing tA thus reduce the time available for the adversary to achieve his objectives.

Response – Response may be defined as actions taken by appropriate personnel to prevent the adversary from completing an attack. Response includes two components:

  1. Communication to the response personnel (utility security, police, etc.) of accurate information about the attacker, his actions, and the type of response needed, and;

     

  2. Interruption of the attacker's progress by the timely arrival at the site of the response personnel, or by some other means.

ROLE OF POLICIES AND PROCEDURES
Security policy provides the fundamental framework against which all procedures will be developed and all security expenditures will be justified.

Procedures set forth the specific measures which the utility and its personnel will employ in deterring and defeating attackers -- from what equipment will be installed, how alarm assessments will be made, and what responses are required, to what routine inspections and tests of security equipment are made and how often. They will also provide for inspection and testing of security equipment, as well as record keeping and maintenance of data for measurement of the security system's performance.

Procedures which are well-documented and properly implemented can reduce tA and response time following detection, thereby reducing the potential for serious damage to occur to the utility's facilities.

MAKING A BUSINESS CASE FOR SECURITY
Most of the benefits associated with a security system relate to the reduction of risk. There are essentially four types of risks which will be reduced by an effective system.

  1. Economic Risk – Economic risk is the risk of incurring expenses and capital costs associated with recovery from the effects of a successful attack. The utility, its customers and the community are all subject to economic risk. Risk to the utility may include:

    Economic risk to the utility's customers and the community at large may include:

    Most of these economic costs can be estimated by fairly simple means.

     

  2. Human Risk – This includes the risks of injury or loss of life by the adversaries themselves, by response team members, and other persons who may affected by the attack or its aftermath. Human risks, while the most important type of risk, are difficult to quantify in economic terms.

     

  3. Legal Liability Risk – Legal liabilities are economic risks of a different nature. The obligations and legal liabilities associated with economic and human losses due to a successful attack on a utility's facility could be very large. Jury awards are often staggering, and trial lawyers are usually quick to institute liability litigation following any kind of large-scale event or tragedy. Among the factors which will affect proportions of the utility's liability in such events will be whether reasonable and prudent measures were in place to prevent or mitigate the effect of the event.

     

  4. Credibility Risk – Prolonged effects of a major event, especially one which could have been prevented or limited in impact by reasonable measures, may damage the reputation of the utility, its personnel, and the community.

Risk associated with an attack should be calculated for each risk category and then normalized to the severity of consequences for each. The performance-based design approach allows utilities to quantify in advance how much the security system will reduce risk, which can then be weighed against the cost of installing the security and protection equipment to determine whether the cost justifies the benefit.

In my experience, the value of risk reduction usually will outweigh the cost of the system by several multiples. This usually makes security for substations, generating plants and other utility facilities an excellent investment.

A properly planned, designed and integrated performance-based system costs little or no more than a feature-based system, but will have a greater risk reduction benefit and be far more effective in protecting the utility's assets against attack.

 

To subscribe or visit this site go to:  http://www.energypulse.net

Copyright 2004 CyberTech, Inc.