By Kathleen Davis, Associate Editor
If you ask them directly, they’ll tell you the truth: Utilities are not secure.
It’s a statement that the post-September-11th power company doesn’t really want to hear, but according to Don Buzzelli and Will Gunther-two former military men who now specialize in security-that fact is a cold wake-up call that most utilities need to face head-on.
“Electricity is the critical infrastructure that powers our lives. Without it, everything stops,” stated Buzzelli, founder and CEO of the Anti-Terrorist Operations Group (ATOG), a security consulting team which already counts a handful of power companies as clients. “That’s a huge point to make: the damage to life and health and the economy would be immense if we lose these pieces.”
Rethink your assumptions
But, the first question is: Are utilities really a likely target for terrorist attack?
Will Gunther says, “Yes.” Gunther is President of Operation Corporate Training, a handful of former Special Operations men who’ve been working in the security training business since ’99. Like Buzzelli, they already have a few utility clients. And, also like Buzzelli, Gunther expects more phone calls from the power community once they realize that terrorists operate with a different mindset, one that runs parallel to guerilla warfare.
“One of the goals for both terrorist and guerilla fighters is to shift the blame, to get the people to turn on the establishment, to stop having faith in the structure,” Gunther said in a phone interview with EL&P.
“This can be partially accomplished by denying the public items that they rely on: power, water, for example. Terrorists are trying to make the public feel vulnerable that way, to feel like the government cannot protect them,” he added.
In his opinion, taking out a significant portion of any power grid could have a “huge impact” on the public, and, therefore, would be a prime target for terrorists.
Find the problem
Buzzelli stated that his company looks at four separate categories when examining a utility for security vulnerabilities: physical, cyber, human resources (H.R.) and legal (looking at the boundaries of law when it comes to a company’s need for security). While the physical and cyber have been two at the forefront since the September 11th attacks, Buzzelli points out that examining human resources and legal issues should not be put on the back burner.
“If there are holes in any of those individual pieces, it certainly affects the entire security of the operation,” he told EL&P.
Buzzelli stressed that looking at the “H.R. side of security” is an often overlooked necessity which includes a thorough examination of personnel background, levels of training, education, policy and procedures.
“A lot of utilities don’t look at their employees from a security stand-point, but we do. We look at the possibility of disgruntled or former employees. We know there’s boredom, laziness, carelessness and incompetence in human nature; we simply take those possibilities into account,” Buzzelli stated.
“The bottom line: You can have the finest physical security hardware today, but if it’s not operated properly, it’s not a deterrent,” he added.
Gunther stated that his group tries to get inside the mind of a potential terrorist, taking a look at the facility from the outside in.
“A terrorist is trying to find the easiest way to disrupt-especially if it doesn’t require actual penetration of the facility. It’s simpler from the outside, so that’s where we start. We talk about doing simple things,” Gunther said.
Gunther stated that his single most common statement to a client involves surveillance.
“Nothing happens without surveillance,” he commented. “No one is just going to drive by and say ‘Hey, there’s a power plant; I think I’ll blow it up.’ If they decide they are going to hit a power plant, they are going to be looking at more than one.
“They’ll find the most vulnerable, and that’s where they will go,” he added.
Gunther summed up his theory of security with the comment that companies are often too self-referential. Instead, companies-including utilities-need to put themselves into an overall picture with like peers: Are you more or less vulnerable?
Summing it up simply, Gunther said, “Remember, you don’t have to be faster than the bear; you just have to be faster than the other guy running from the bear.”
Both Buzzelli and Gunther agreed that the distributed nature of utilities is a unique security issue, offering a number of temptations for a potential terrorist-all without having to go against the heavier security of the generation facility.
Gunther believes, however, that the substations are the largest security risk. He doesn’t particularly feel that the lines offer much impact to a would-be terrorist, as most utilities can repair lines within 48 hours. He pointed out that not everything needs to be guarded, and that some items-like transmission lines-can remain, essentially, “vulnerable” without being a huge security risk.
The substations, however, could be a huge potential risk.
“I have worked with facilities that are concerned about the main facility, the main structure, but you do need to take into account the placement of all the spokes in the wheel. If they are working from the outside in-as terrorists usually do-they will be more likely to attack a substation rather than the main facility,” Gunther stated. “So, utilities could conceivably spend millions on protecting generation and be no safer than they are right now. It’s more about proper use of the money, not simply throwing money at the problem.”
Buzzelli noted that each particular utility’s situation is unique, but that there are some general suggestions he could make overall. These included:
- Control entry into all facility areas.
- Increase security requirements for facility personnel.
- Restrict entry into critical facility areas.
- Optimize use of surveillance and access control devices.
- Integrate tamper-detection technologies into facility’s security monitoring systems. (For example, often the ability to get into the room where the security TVs are being monitored is wide open; this is a huge security risk.)
Gunther pushed training in his list of recommendations. His also included:
- Bring in the entire staff for security training, not just the guards.
- Make your security plans flexible. (Terrorists can adapt; your people need to be able to do the same.)
- Remember that more technology-more “stuff”-will not sew up security loopholes; it takes optimization.
- Have proper back-up or secondary security.
Gunther pushed the lack of secondary security as a major issue with utilities today.
“Utilities have security measures, but these usually are riddled with assumptions: That nice people go through the checkpoints quietly, and that terrorists will come in with guns blazing,” Gunther stated. “Often, this isn’t the case. As a terrorist, I can use this assumption to my advantage.
I can pull up to a checkpoint, politely wait for the one guard to come out, take him out and get through without muss or fuss.”
Gunther added that putting two guards in the same booth will not help this problem-that there needs to be a series of checkpoints with separate and distinct security features. Gunther feels that this concept of secondary security is not often taken seriously by the corporate community, but that it’s a valid, necessary and simple form of significantly increasing security.
Buzzelli added one final suggestion: that he doesn’t want his clients to hide their new security light under a basket. Instead, he wants them to let it shine; he wants companies to advertise their new security upgrades.
“Terrorists are not stupid, and what you’re doing here is taking yourself off the top ten list,” Buzzelli commented. “It’s like putting an ADT sign out if front of your house; it’s a warning.”
Buzzelli can be reached via e-mail at ATOG55@aol.com or via phone at 770-814-4222. Gunther can be reached at president@ operationcorporatetraining.com.