The Utility Security Council has released two new white papers: Critical Infrastructure Protection and Risk Management for Utility Security. A summary of each follows.
Critical Infrastructure Protection: Security Dependencies and Trends
Security of critical infrastructure has many dependencies, not all of them obvious. Much of CI protection relies on effective relationships, including those with industry working groups, government, police and intelligence agencies, and national defense. It requires ongoing relationships with stakeholders where CI is located and operated. These complex working relationships are relied upon to meet national and international CI protection programs. They are the means by which utilities work with one another and with other CI pillars such as transportation, banking, defense, and agriculture. In fact, the electricity sector is a key resource to all other CI pillars, as is energy generally.

Effective risk management is central to managing CI protection. Without it, standards can be applied haphazardly, which can lead to government regulatory practices that add another layer of bureaucracy and cost to the utility operation. Effective standards can be applied to CI protection if appropriate work to manage risk is in place. Examples of this exist in dam safety following the events of 9/11. The public should have a reasonable level of comfort that utilities are protecting their infrastructure, and governments representing the people have the responsibility to address that concern through legislation and regulation. Ultimately, utilities should strive toward a model of self-compliance with a mechanism like DOE’s risk management program model to provide the assurances governments need in this area. National protection programs combined with industry working group actions serve to drive the necessary diligence and compliance required for CI protection. A failure on the part of the utility to meet security challenges related to its infrastructure is the fastest way to initiate government regulation.
Within this discussion, though, is the requirement for effective information sharing to educate the public and government about what critical infrastructure really is and how it is applied across the utility. Not all infrastructure is critical within a CI pillar. Protection is applied accordingly.
Utility Security Risk Management
The foundation of security management in any industry is sound risk management. Yet in far too many instances, the essential risk management program is inadequate or lacking. Threat-risk assessment has grown in adoption, even though vulnerability assessments and threat assessments are often packaged and sold as risk assessments. To clarify, threat and vulnerability are important and necessary components of a risk assessment, but neither, taken in isolation, should be confused with a risk assessment. Various forms of threat-risk assessment exist today, applied in different industries with varying degrees of accuracy and effectiveness.

Paper-and-pen assessments rely largely on the personal knowledge and experience of the assessor, and these and other assessments of the past provide little more than a cursory overview of a limited number of security risks, based on a sampling of a few threats, and often prompted by an already existing security problem or concern. Consequently, meaningful threats or vulnerabilities may go unidentified, and mitigation may be misaligned or miss the security issue entirely, drawing undue scrutiny onto the cost-benefit and return on investment of the security department. Consider what would happen when a mitigation recommendation comes back saying that $100,000 in new fencing is needed to resolve a theft problem at a facility rife with workplace violence and public safety incidents. One would expect raised eyebrows from company executives and finance managers. It may have been imperative that the facility receive a fencing upgrade, but the assessment was neither complete nor correct for the business needs, and it did not solve the priority security issues. Fences do not, by themselves, provide effective protection.