Kathleen Davis, Associate Editor
Dr. Paula Scalingi knows infrastructure. As the founder and former director of the Department of Energy’s (DOE) Office of Critical Infrastructure Protection (CIP), she took a hard look at America’s energy infrastructure daily.
Today, Dr. Scalingi is founder and president of The Scalingi Group, a consulting company focusing on infrastructure security, energy preparedness, energy assurance and information assurance.
Paula welcomes 225 representatives from 65 public and private sector organizations.
She spoke to EL&P about security, energy and infrastructure from her northern Virginia office in January.
EL&P: Have our views of how to protect the electric power infrastructure changed since the Sept. 11th attacks?
Scalingi: Let’s take it from a couple of different viewpoints. First of all, looking at the industry, up until Sept. 11, it was difficult to get too many folks in energy companies excited about security related issues. Until that date, companies traditionally did not put too high a priority on security in terms of dollars, and security directors had to fight for recognition and to get a larger part of the budget. It was also difficult to get companies to admit that their security plans and procedures were anything but adequate.
This is understandable [in a pre-Sept. 11 environment], as they were mostly concerned with single-point failures. Energy companies are used to dealing with these, whether it’s weather, systems failure, human error or the occasional physical threat. What we’re talking about now, in the 21st Century, is a different situation where we have interconnected infrastructures, and an attack or disruption of one-in certain circumstances-can cause cascading impacts that could affect a region and really compound response and recovery.
What this means is that, in the 21st century, the electric power infrastructure is facing new challenges with these interdependencies. You have, basically, a new ballgame, and companies are not prepared to deal with this. Until Sept. 11th, however, they really didn’t recognize that in any meaningful way.
Looking at the U.S. government, in the mid-1990s, there was a growing realization-particularly among national security-focused agencies-that there was going to be a real problem with terrorism, or even significant national disasters, within the infrastructure because of the information age and infrastructure interdependencies. There was a Presidential Commission on Critical Infrastructure Protection established, and the Commission delivered its report in late 1997. It pointed out that the energy infrastructure was not prepared for a significant regional failure which could be caused by these interconnections. However, within the U.S. government, there was not a major focus, until Sept. 11, on working with the industry to develop the tools to protect, mitigate, respond and recover to significant attacks and disruptions.
EL&P: You’ve labeled the increased physical protection at power companies post Sept. 11 as the “guns, guards, and gates” approach to enhancing security. Does it work?
Scalingi: There was a natural response to Sept. 11 on the part of industry and government to immediately institute increased physical protection measures, and there was a call to identify critical assets which could be protected with enhanced security measures like extra guards and additional barriers. What people are now recognizing is that these interconnected infrastructures have thousands of critical components, and criticality of components is oftentimes dependent on location, weather, environmental conditions. A component that may not be necessarily viewed as critical in one instance, may become critical when you have some sort of a systems problem or a weather problem. So, there is no way you can protect all your critical assets and facilities. Therefore, trying to station more guards, put up more barriers, is not going to be a cost-effective strategy. Indeed, you’re going to end up spending a lot of money on security when your clever terrorists-and as we saw on Sept. 11, a terrorist can be quite systematic and innovative about launching an attack-can get right around these defenses. So, you need another approach.
EL&P: During your tenure with the CIP, what did you uncover as potential threats to and vulnerabilities within the electric infrastructure?
Scalingi: The big vulnerability within our industry is its very fragility. It is vulnerable even to small attacks or disruptions because of the forces at work, which have put it on the edge, so to speak. These forces include advancing information technology, which has enabled us to market over the internet and to automate operations; the trend toward deregulation; companies examining their bottom line and outsourcing so much of their work. Plus, you have companies who have critical assets co-located with those of other infrastructures, and these interdependencies that we’ve been discussing all along are growing ever tighter as well. We have created a very fragile system, and we depend upon that system.
When you hear that energy is the “life’s blood” of all the other infrastructures, that is the truth. So, it’s not what particular threat is the most worrisome. What’s worrisome is that our infrastructure is so vulnerable to disruption and attack. When you look at the California energy situation, there’s an excellent example. We were blessed that things turned around in California, but the conditions that caused that crisis included a number of the factors I just mentioned.
EL&P: Beyond the fragility of the infrastructure, are their other factors-both strengths and weaknesses-to consider?
Scalingi: It’s a robust system; it’s able to cope-for the most part. At the same time, we have entered into a “brave new world.” We really don’t understand all those forces at work impacting the infrastructure and how they interact together to make us more vulnerable. Going back to what led to the California energy situation: people didn’t do their homework when it came to looking at deregulation. You really see the same thing today-post Sept. 11-with how you enhance security at energy companies. Well, you’ve got to do that homework, and that entails looking-in a comprehensive and systematic way-at evaluating and prioritizing critical assets, at physical and cyber vulnerabilities and particularly at examining interdependencies with suppliers and customers.
You really don’t see companies doing that because they haven’t thought this through. It’s a matter of showing them what is required to take a prudent, cost-effective approach to security.
EL&P: This may seem a little redundant after our discussion about homework and preparation, but how can a company ensure a secure electric infrastructure, or can they?
Scalingi: There is no way you can be 100 percent secure, but the key to having the level of security that you are capable of achieving today is a risk-based approach. The challenge we are facing today is: “at what price security?”
I remember one CEO of a major energy company who told me he laid awake in bed at night worrying about how much he was going to have to spend on security, because, looking at the vulnerabilities we face in this day and age, he would simply be pouring money down a bottomless well. You don’t need to do that. The idea is to adopt a comprehensive approach that focuses on preparedness, and that is, for a company, to look at the range of threats they face, from weather to human error to actual attack, and figure out what is the greatest concern. Put your money where it is most needed to enhance your response and recovery plans, figuring there is no way you’re going to dodge every bullet. Chances are you will be impacted, and you’re going to want to respond and recover as quickly as possible.
It’s so important to know those interdependencies, because what the other infrastructures are, or are not doing, in a regional emergency is going to affect your company.
EL&P: Is there a specific area the industry needs to focus on, in regards to security?
Scalingi: This is a very important question. I assisted a utility to conduct a workshop recently, and one of the questions we asked their personnel was which threats were of the greatest concern. Of course, the threats are going to change depending on the infrastructure element involved. So, it’s important to think specifically about what threats can cause you the most harm, not what threat is getting the most attention. I wish that folks would step back and take a new look at what are the real threats in this day and age.
We have a natural tendency to look at the latest events, and it becomes the “crisis du jour.” The crisis du jour right now is physical attacks. If what happened on Sept. 11 had been cyber attacks, the crisis du jour would be cyber attacks. If what happened on Sept. 11 had been an extremely hot spell of weather initiating a major grid failure, then that would have been the crisis du jour.
Again, it’s a matter of steering away from the crisis du jour mentality, of stepping back and looking at what can actually cause you harm and then seeking-in a cost-effective manner-to take appropriate steps to enhance protection, mitigation, response, and recovery.
EL&P: Where does an energy company start when tackling security issues?
Scalingi: What you find across the board-not just with energy companies, but with any infrastructure sector when you ask about their security-is the immediate reaction “We’re prepared!” They say, “We have our response and recovery plans. We have good security.” Indeed, any company worth its salt is going to publicly give you a great presentation about how they practice excellent security, safety and reliability. When you get them into a private discussion or in a workshop or an exercise, what is truly the case-again, nearly across the board-is that they are well-prepared for the single-point failures that they deal with every day. What they are not prepared for are the significant regional disruptions or attacks that are going to be increasingly common in the 21st Century.
So, when they seriously look at how they do business, they should note that they do not have the level of physical security they need in the correct places. They may discover-in the area of cyber security-that they don’t have the proper procedures and plans. They could be indulging in practices that would make them vulnerable to outsiders, even something as basic as people posting the passwords for their computers right on their terminals.
What is often the case is that a company looks at its response and recovery plan and discovers that it is outdated. It may not take into account the interdependencies with other infrastructures. The company may not even have something as simple as a “yellow pages” of key contact points within government or other infrastructures. They may not have good procedures for command and control within their company or locality. They may discover that they don’t have the best remediation plans or adequate equipment and manpower.
Again, they are prepared for isolated events but not for significant disruptions or attacks.
EL&P: What’s #1 on the list?
Scalingi: They need to take a systematic look at their security needs, and I use the term security in the broadest sense: protection, mitigation, response, recovery.
To do that, you need a recognition at the senior management level as well as at the mid-level, among your operators, your marketing people, your legal people. All the different elements of the company need to recognize that.
One of the most useful things to start with is a workshop or exercise, and bring in participants from other infrastructures who also need to be familiar with those interdependencies. Get briefings from them and then ask questions-questions very much along the lines of just what you’re asking me: What threats concern you most? Are plans adequate? How are your communications? What are your response and recovery plans? Yes, these are basic questions, but a company needs to address them and answer them honestly. Only then can a security strategy be devised.
EL&P: How do you convince these companies that money spent on security is money well spent?
Scalingi: Companies have limited funds. The first hurdle you face is that a lot of them still have what I call the “ostrich mentality.” They can’t really come to grips with the idea of addressing their vulnerabilities. Once you get over that hurdle, the next hurdle is sharing information. You hear, “I can’t share information with other infrastructures or state and local government. It will make me look like I’m not reliable, safe and secure.” Of course, if you’re in business, that appearance of stability is very important to your public image. So, if they can get over that hurdle and find a way to protect proprietary information, then they become sensitized.
It’s very much about forcing yourself out of the ostrich mentality and being willing to assess the shortfalls. Then put the money towards addressing these shortfalls. But, again, it’s not just about throwing money at the problem. It needs to be a systematic, risk-based approach, and I really underscore that because the burning issue today is balancing security and costs. Simply throwing money toward protective measures really buys you very little. You can’t afford it, and that’s not the way to go.
EL&P: Would you talk a little bit about the prototype you developed for infrastructure assurance at the 2002 Winter Olympics.
Scalingi: Within Salt Lake City, as elsewhere, there are what I call infrastructure stakeholders: the representatives from all the key utilities, state and local governments, hospitals, mass care, police, fire-those with a vested interest in a major regional disruption or attack. For the Olympics, there has been a very good planning process where they have set up a whole series of committees, and one of these committees focuses on infrastructure protection. It is comprised of these stakeholders, about 75 or more companies and organizations. So, it’s both public and private.
Around two years ago, they had been meeting for some time, and they were concerned about developing a comprehensive plan to deal with disruptions or attacks. What I did in my former capacity as head of the Office of Critical Infrastructure Protection at the DOE was assist them, along with some very good technical people from the national laboratories, to develop that comprehensive plan. Once we had the plan down on paper, the committee had an excellent idea to hold an exercise focusing on these infrastructure interdependencies, so we could identify where in the Salt Lake City area they were the most vulnerable and what they needed to do about it.
We set up a small scenario design committee of volunteers, and we started with discussing what were the biggest concerns in the area for the Olympics. Well, the biggest concern turned out not to be a terrorist event. What was the biggest threat in Salt Lake City? A major snow and ice storm.
During the Olympics, when you have thousands of people in town, a lot of congestion, a lot of international folks, the main concern is a prolonged snow storm. We added into this scenario a cyber intrusion, or a failure of the SCADA [supervisory control and data acquisition] system of the power company.
During the exercise, we had a prolonged power outage. As the power outage continued over time, the other infrastructures degraded, which is, again, understandable. You can have back-up. You can have diesel generators. You can have batteries, but, indeed, they will last only so long. And, because of these interdependencies, we ended up with regional paralysis at the end of the exercise.
EL&P: What did this exercise in Salt Lake City-labeled “Black Ice”-teach you and the infrastructure stakeholders?
Scalingi: This was a first-of-its-kind interdependencies exercise, and there were four major lessons learned.
First, the stakeholders did not understand those interdependencies: how their operations were connected to each other, how the interdependencies would exacerbate response and recovery.
The second major shortfall was with response and recovery plans, which were not coordinated among the stakeholders. So, you had certain companies or organizations who thought their response procedures were adequate, but, they were conflicting and causing additional problems.
A third area of shortfall was communications, and that’s always a big one. One of the first things to go are cell phones, because everyone gets on the system, and it crashes. You loose your land-line; you loose your ability to communicate by e-mail. What you customarily find when you ask emergency managers about their company’s response procedures is that they will say, “No problem. We’ll communicate with people by cell phone, e-mail, and fax.” They don’t realize that in a prolonged power outage situation this will not be the case.
The fourth area was in resources and command and control. There was confusion about who was in charge and who determined the placement of manpower and equipment and what to do if a company didn’t have enough.
Those were the four major areas of shortfall, and, what we have discovered since the exercise, which was in November a year ago, was that those major areas of deficiency are the norm for most stakeholders. Again, it was understandable because companies and organizations are only prepared for single-point failures.
EL&P: Have the events of Sept. 11 changed that prototype any?
Scalingi: Let me answer this question by reporting what happened in the aftermath of Black Ice. We came up with a very good action plan to address those areas of deficiency, but it was very difficult to get people too terribly motivated because they were so busy doing their day jobs. They were slowly moving along, but one of the biggest impediments was information sharing. That is an obstacle that we are simply going to have to get around, because it’s absolutely crucial to a comprehensive preparedness approach needed to secure the energy industry in the 21st Century.
You have to be able to-in a protected, confidential way-exchange operational and emergency response and recovery information with people up and down the chain. You need to be sharing information and coordinating your response and recovery plans with all those stakeholders. Ideally, you want to take information on your critical assets and facilities, region wide, and put it in a secure database. In order to do “what-if” scenario planning in the event of an emergency, it would be very useful to have a system like that available to you. That’s a huge step for stakeholders to take.
Now, going back to the Olympics planning process, that information sharing was understandably an obstacle for them, but they managed to get over that. Sept. 11 has given them an even greater impetus to move forward expeditiously, and they’re doing a lot of work right now to increase their preparedness.
EL&P: It’s interesting how that terrorist action gave the Salt Lake City energy infrastructure stakeholders a little boost forward with information sharing.
Scalingi: Well, Sept. 11 has given everyone “a little boost.” Again, it’s a very difficult issue, this exchanging information. States have freedom of information and sunshine laws that are a real deterrent for industry to exchange information with state and local governments. A lot of states now are looking at incorporating exemptions for threat- or critical infrastructure-related information. The federal government is also doing this. That’s a step in the right direction. But, we do need to find ways to protect the information being exchanged.
One cause of concern for me is that, unfortunately because of Sept. 11, the natural reaction is for companies to hold that information much more closely to the vest. And yet, at the same time, exchanging that information with their suppliers and customers is more important than ever. It’s a real conundrum.
EL&P: Going back to the general overview of electric infrastructure, who should pay to ensure infrastructure protection?
Scalingi: In terms of the money and resources needed, certainly utilities should be able to pass on some of that cost to the customer. And, I do think, post Sept. 11, the general public is going to be much more receptive to that. Also, the federal government can provide a lot in terms of technical expertise, research and development, understanding vulnerabilities, conducting analysis, developing mitigation approaches and identifying interdependencies. And, there needs to be tax incentives for industry to encourage companies to meet minimum security criteria. I feel that’s extremely useful, if such standards are well crafted and acceptable to the industry.
EL&P: One final question, a cultural one. Are we overly concerned about electric infrastructure protection-perhaps even bordering on hysterical?
Scalingi: No, we are not overly concerned. We don’t really understand what we have created; we are exceptionally vulnerable. In the event of a major terrorist attack or natural disaster which could affect key assets, these interdependencies between and within infrastructures could lead to catastrophic problems in the U.S., North America-and even globally. There are so many interconnections now that you could have a domino effect from a prolonged power outage with significant negative impacts on health, human safety, and the economic viability of the nation.
Scalingi was founder and director of the DOE’s Office of Critical Infrastructure Protection, established in October 1999. Prior to this, Scalingi was founder and director of the Infrastructure Assurance Center at Argonne National Laboratory outside Chicago. She has also worked for the U.S. Arms Control and Disarmament Agency, the U.S. House of Representatives Permanent Select Committee on Intelligence and the CIA.
She can be reached directly via phone (703-760-7847) or e-mail (scalingigroup@ cox.rr.com).