POWER to protect - Security Camera

POWER to protect

Dec 1, 2003 12:00 PM
By MICHAEL FICKES

In October, a man named Michael D. Poulin mounted a bizarre attack on the electric power infrastructure. He drove to electric transmission towers in the Northwest and loosened bolts anchoring the towers to their foundation. His goal, he says, was to highlight weaknesses in the security systems that protect domestic infrastructure. He did just the opposite.

All told, Poulin seems to have tampered with eight transmission towers. On the afternoon of October 21, utility workers from two different companies, apparently on routine maintenance patrols, spotted Poulin near two towers. In both cases, Poulin fled, but the utility workers, aware of the need for heightened security, investigated, noticed the missing bolts, and filed reports that included a description of Poulin and his truck. A week later, Poulin was arrested while asking for directions at a California Highway Patrol office. Someone recognized him from a wanted poster.

While the event was not widely reported, Poulin had more eyes looking for him than he might have imagined. Security directors with utilities across the country knew about his attacks and monitored the situation from beginning to end. "We participated in several conference calls about it," says George Gacser, manager of emergency management with Pepco, a Bethesda, Md.-based utility whose operating area covers Washington, D.C. "A similar incident also showed up on the Naval Investigative Service. It's important to note that both incidents were detected due to the vigilance of utility employees."

Gacser and utility security directors around the country receive regular security briefings from the North American Electric Reliability Council (NERC), which receives security-related intelligence from the Department of Homeland Security and other federal agencies.

Electric utilities have always attended to the security of their infrastructure. They have become adept at rebuilding it in the wake of storms, floods, hurricanes, fires and other natural disasters. Since the Sept. 11 terrorist attacks, however, utilities in consultation with industry groups and government agencies have boosted intelligence-gathering capabilities, re-evaluated security programs and ramped up their overall security efforts in a broad industry effort to be more proactive.

"We have to start looking harder," says Laurence Brown, legal affairs director with the Edison Electric Institute (EEI), the trade association for investor-owned electric utilities. "This is one reason why Poulin was caught so quickly, before anything he did caused a tower to fall."
The Scope Of Electric Utility Security

Tightening security around any critical infrastructure is a massive job. In the case of electric power, the sheer size of the infrastructure boggles the mind. Approximately 8,000 power plants generate electric power in the United States. Seven hundred utility companies operate about 4,000 of these plants, which send power to a nationwide power transmission network called the grid. The remaining 4,000 plants are operated by non-utilities ¡ª companies generating power for their own or some specialized use. Approximately 12 percent of the power produced by non-utilities also ends up on the grid.

At least half of the nation's 150,000 miles of transmission lines are physically accessible by anyone. Strung above ground between steel towers, power lines crisscross the country for all to see.

High-voltage transmission lines move electricity to substations, where transformers step the power down and send it to communities along lower-capacity lines. These lines flow into smaller substations that step the power down to voltages appropriate for home and business use. Delivery lines shuttle the power to end-user facilities.

"Looking harder" means refining an existing security system in ways that will enable it to safeguard as many of these assets as possible. Since Sept. 11, the utility industry and interested government agencies have been working to tighten utility security. Progress so far includes the development of a mandatory cyber-security standard and a host of physical security guidelines. Security directors at individual utility companies have also been enhancing their security policies and use of technologies.
Threats And Vulnerabilities

What kinds of threats must the industry deal with? What are the vulnerabilities? "We don't know the threats," says EEI's Brown. "We look to the federal government ¡ª the Department of Homeland Security and the FBI ¡ª to help us develop ideas about this. But I'm not free to discuss specifics about what they tell us."

Industry participants also hesitate to discuss vulnerabilities. But the August 8 blackout in the Northeast suggests that the electric generation, transmission and delivery system has serious vulnerabilities. While no one believes that criminals or terrorists caused the blackout, the events of last August make one wonder whether computer-savvy outsiders might be able to create conditions that could black out a region of the country.

The final report on the causes of the August blackout has yet to be released by the Federal Energy Regulatory Commission (FERC). Media summaries of an early draft of the report have been circulated, however, and according to those summaries, operators in a control room in Akron, Ohio, may have failed to react correctly when overloaded transmission lines caused a short circuit and automatically disconnected from the grid. The operators should have conducted a contingency analysis and then rerouted the flow of electricity around the problem, adding generators to the mix and reducing the power required from others.

Utility system operators regularly face similar critical decisions in dozens if not hundreds of electric-utility control stations located around the country. Each of these stations has access to a sophisticated computer network capable of managing the flow of electricity into the grid.

A new mandatory standard for cyber-security created by the NERC earlier this year is currently being adopted by electric utilities. The cyber-security standard suggests an industry perception of potential vulnerabilities related to the control of the electric grid.

"This standard is a first step intended to raise the level of consciousness in the industry and get people to recognize that they may have vulnerabilities," says Tim Gallagher, director of standards for NERC.

According to Margaret Levine, manager of security for Atlanta-based Georgia Power Company, a subsidiary of the Southern Company, the cyber-security standard requires utilities to identify critical assets and to set electronic and physical security perimeters.

The standard also calls for the use of electronic and physical access control technology and the comprehensive monitoring of these systems. In addition, electric utilities must adopt measures that will protect data and information. Utilities must train employees with access to critical cyber-assets to follow cyber-security policies. Other provisions map out compliance monitoring requirements, define non-compliance and set sanctions for non-compliance. "Southern Company has committed to being in compliance with the NERC Cyber Security Standard no later than the end of the first quarter of 2004," Levine says.

While NERC calls the new comprehensive cyber-security standard mandatory, the organization does not yet have the authority to enforce the standard. "We are working to get legislation passed that will give us this authority," Gallagher says.

The Energy Policy Act of 2003 contains provisions that will empower FERC to confer enforcement authority on NERC. The House and Senate have passed different versions of the bill, which is currently being revised in a House and Senate conference committee. While the political differences about the bill do not relate to NERC's enforcement powers, giving teeth to NERC standards will have to wait for the conference committee to complete its work and for the regulatory process that will follow enactment of the law. According to EEI's Brown, the enabling process will take at least 18 months.

To a large extent, NERC standards tend to be self-enforcing. "The utilities know that if you don't comply with a NERC standard and something happens, they could be held accountable," says Pepco's Gacser.
Physical Security Guidelines

Last year, NERC issued a set of general security guidelines for utilities. The guidelines cover vulnerability and risk assessments, threat responses, emergency plans, business continuity, communications, physical security, cyber-security, employee background screening and the protection of sensitive information.

Unlike NERC standards, guidelines are not considered mandatory. "In our industry, the term guidelines means nothing more than what a prudent entity would consider," Brown says.

NERC has issued guidelines in this area because few electric utilities face the same security challenges. Even individual utilities will apply different techniques to assets located in geographically diverse areas. Allentown, Pa.-based PPL Corp., for example, delivers electricity to customers in Pennsylvania, Latin America, and the United Kingdom. The company also generates electricity in Arizona, Connecticut, Maine, Montana and New York. The company also markets electricity in 43 states and Canada. "I structure security differently and use different technology depending on geography," says Ron Newman, manager of security services for PPL. "Montana, for instance, is less populated than the East Coast, and we only have generating plants there ¡ª no transmission or delivery business. In Pennsylvania, we operate all the components of our business, in both urban and rural areas."

That said, Newman has reviewed and upgraded his security operations across PPL. "We were more of a reactive security department before Sept. 11," he says. "Now, we're proactive. We have upgraded our systems and integrated systems where we hadn't been integrated before."

While Newman won't discuss the use of access control and closed circuit television (CCTV) technology in detail, he indicates that he has added layers of protection. "Where we may have had just perimeter security in the past, we have now added some interior security, especially in areas where critical infrastructure is located."

In Washington, D.C., Pepco must deal with an altogether different security challenge. The nation's capital, of course, is unlike any other major city. There is the potential for attacks using weapons of mass destruction. "In such a case where no one is targeting Pepco directly, an attack on federal infrastructure could affect us indirectly, by preventing us from getting to our facilities," Gacser says. "We were affected indirectly by the anthrax incident. Our employees weren't harmed or in danger, but our bill payments go through the post office that was closed."

Gacser employs security guards and technology from access control to CCTV to protect the company's facilities, but he must also deal with the general threats related to living and working in Washington, D.C. Gacser regularly sends both security and operations people to courses dealing with weapons of mass destruction and terrorism.

Gacser's staff also participates in joint drills with city and federal government agencies. "Before the August blackout, which didn't affect us, we took part in a full-scale exercise at the D.C. incident command center," Gacser says. "The scenario was a blackout that affected D.C. We also participate in other drills that don't involve the electric infrastructure. This is important. During a real emergency, you don't want to be meeting first responders for the first time. You want to get to know them ahead of time."
New Technologies For Utilities

Whatever the specific security challenges facing electric utilities, many are applying the newest, most advanced security technologies and technology designs. Both Gacser and Newman are using new digital video technology, integrated with modern access control systems.

Lockwood Greene Engineers Inc., Spartanburg, S.C., reports increasing interest in both new digital video and IP-based camera systems. The firm's engineers have also begun to integrate systems in new ways. "We look carefully at integrating security response capabilities into operations," says D. Keith Henson, P.E., director of security services with Lockwood Greene. For example, a security camera trained on a door can also be used to scan equipment when necessary. Henson notes that it is easier to pay for technology that does more than one thing.

Henson also says more utilities have expressed interest in wireless Internet or WiFi systems. "A security officer can carry a handheld device on rounds," Henson says. "If an alarm comes in, he can display video on the device. We're currently designing systems like this for utilities."

Lockwood Greene is also developing solar-powered WiFi video systems for use at remote facilities. "There are highly dependable systems out there for $1,500 to $2,000 per station," he says. "These systems can bring back alarms as well as some level of video."

It will take time to complete the work of enhancing the security of the electric infrastructure. Fortunately, the job is well under way, as the hapless Michael Poulin discovered first-hand. He now awaits trial on charges of damaging an energy facility and injuring government property in the Sacramento County jail on 24-hour lockdown. He is being held without bail.
SITE FOCUS

HARDENING NUCLEAR POWER PLANTS

Hardened security systems protect 103 nuclear reactors at 67 nuclear power plants in the United States.

How hard is hardened? When someone approaches the Joseph M. Farley Nuclear Plant near Dothan, Ala., he or she is greeted at the gate by security officers armed with AR-15's and protected by body armor. But that is just a first level of security. Inside, security hardens and then hardens again.

"The entire focus of security at a nuclear power plant is to protect what we call the vital area, the reactors and the computer systems that control the reactors," says Steve Higginbottom, a spokesman for the Southern Nuclear Operating Company, a subsidiary of the Birmingham-based Southern Company and owner of the Farley Plant.

Three concentric security rings surround the vital area. A fence with a guardhouse at the gate forms the outermost ring. A network of special lighting, motion detectors, and integrated CCTV cameras monitor the outer ring, while more armed officers patrol or stand guard.

At some distance inside the outer fence, there is a "protected area," with a double fence, again secured with lighting, motion sensors, and cameras. The components of the double fence stand no more than a few feet apart. The area between the fences is called a penetration zone. Anything or anyone breaching that zone will set off an armed response.

Inside the double fence is the vital area, with the reactors and computer control systems. "To get in there, you must go through explosives detectors, metal detectors, and some form of biometric access control system," Higginbottom says. "There are also several physical barriers ¡ª large metal doors."

The Nuclear Regulatory Commission (NRC) requires these and other security measures that Higginbottom won't discuss at all nuclear power plants.

A human security force ties the technology together. The nuclear industry employs the most well-trained security guards in the business, says Higginbottom. About 70 percent of these officers have prior military or law enforcement experience. Employed directly by utility companies, each security officer undergoes 230 hours of initial training with 90 hours of additional training every year. Training covers topics ranging from basic security to anti-terrorism responses. In short, NRC standards require a small security army capable of repelling a paramilitary attack. Since Sept. 11, the total number of security officers protecting nuclear plants in the U.S. has increased by one-third to a force of approximately 7,000. The number of guards patrolling individual plants is classified.