Survey Assesses Vital Services
THE POST-KATRINA LOOTING shows how chaos erupts when people are cut off from power, which might also result from a terrorist attack on utilities. Yet only about one-third of U.S. utilities have practiced a full-scale utilitywide role-playing exercise simulating a terrorist attack, according to a survey conducted by Security Management. Even fewer (15 percent) have practiced such an exercise involving multiple local utilities and agencies, with cascading effects among utilities.
These were just two of more than 30 questions asked of utility-security professionals across the United States. The survey sought to determine the security readiness of nuclear, electric, gas, water power, sewage treatment, and water purification operations in the following areas: security exercises, perimeter security, screening, access control, vulnerability assessments, guards, liaisons, and other measures, including computer security.
Responses were received from 79 professionals representing 145 utilities. Results are based on a total of 127 utilities, because 18 responses conflated the treatment of nuclear and nonnuclear facilities in the same overall operation.
Electric companies were most well represented in the survey, with 43 percent of the 127 total utilities represented offering electric generation or distribution. Then came gas (24 percent), water power (13 percent), water purification or distribution (8 percent), sewage treatment (6 percent), and nuclear (6 percent).
Almost a quarter of the facilities were operated by a government; the rest were privately controlled. Sixty-two percent served populations with one million or more residents. (See box for a discussion of the survey’s methodology.)
Only 33 percent of utilities said that they had conducted full-scale role-playing exercises. The reason for that may be that smaller utilities have a tough time devising scenarios on their own, and many assume that police and fire officials would respond in a real emergency, says Larry E. Ness, president and owner of Ness Group International, Utility/Energy Security Consultants. In reality, they’d be hard-pressed to do so, he says.
Because they are required by law to do so, all nuclear facilities had conducted utilitywide simulations. But only 14 percent had conducted exercises with multiple utilities, which is not a requirement. For gas operations, the numbers were 41 percent for utilitywide drills and 19 percent for those involving multiple utilities.
According to James J. Palmieri, a former utilities-security consultant and now a project security manager with the Nuclear Energy Institute, Nuclear Regulatory Commission (NRC) orders require nuclear facilities to conduct various exercises, to include role playing. Although their exercises must integrate local and outside resources such as various levels of government and law enforcement, nuclear facilities are not required to bring other nuclear plants or other facilities into their exercises, states Palmieri. That accounts for the low number of nuclear facilities that have conducted exercises with other utilities in which cascading effects were simulated.
It may come as some surprise that smaller utilities, which, according to their survey responses, believed themselves to be less at risk of terrorism, generally had slightly higher rates of conducting utilitywide role-playing exercises. For example, the percentages of respondents with more than a million customers who said they had done utilitywide exercises were 38 and 29, respectively, for gas and electric. The corresponding percentages for facilities serving fewer than one million customers were 45 and 32. An exception to this pattern was water power facilities, with 38 percent of large operations performing such exercises compared to only 11 percent of their smaller counterparts.
Larger utilities were much more active in conducting role playing that involved multiple utilities and agencies, with cascading effects among utilities. Only 7 percent of the small utilities that responded had done so compared to about one out of every five of the larger facilities.
Red teaming. Asked whether they had “red teamed” their facilities—that is, tried to penetrate key facilities to test security preparedness and response—virtually all utilities showed better rates than they had on role-playing exercises. Overall, about 46 percent of respondents had red teamed their facilities, with all but one nuclear facility having done so and gas operations next in line at 50 percent.
Gene Gwiazdowski, CPP, chairman of the ASIS Utilities Security Council and director of security at Calvert Cliffs Nuclear Power Plant, notes that red teaming, also called force-on-force exercises, is an integral part of a nuclear security training and qualification plan. All commercial nuclear power plants must demonstrate the ability to successfully defend their facilities against a well-defined design-basis threat, he says. (A design-basis threat, according to the NRC, is a “profile of the type, composition, and capabilities of an adversary.”)
On the low end were water facilities. That’s not surprising, says Bruce Kozozenski, director of risk management for the Metropolitan St. Louis Sewer District, because water facilities know that terrorists can do plenty of damage without storming a facility. In the water system, there are virtually limitless points where foreign substances can be introduced to the supply, he says.
Small and large facilities had similar rates of conducting red teaming, with the exception of the electric sector: almost twice as many smaller electric companies (73 percent) as large ones (38 percent) indicated that they had practiced penetrating their facilities.
Ness points out that these numbers reflect the makeup of the survey’s target audience, predominantly ASIS members, who are naturally much more security-oriented than staff at other utilities. Among a wider sampling of utilities as a whole, Ness says he suspects the numbers would be lower. “I can’t believe that that many are doing this,” he says. “Most of the ones I work with…don’t have full-time security staff.”
Tabletop. Finally, relatively high numbers of utilities said they had practiced basic tabletop exercises simulating a terrorist attack. The overall rate was about 71 percent, with the various utilities ranging from about 65 to 80 percent. Size of the utility made little difference in the response.
Utilities are clearly more cognizant of perimeter security since 9-11, but not all have been able or willing to tighten it. Many utilities have little control of the standoff distance around their headquarters and major facilities, and, indeed, 55 percent said that they had not increased that distance. Again, given the sensitivity and regulations governing nuclear facilities, 100 percent of them reported having increased standoff distance.
According to Palmieri, NRC’s demand for nuclear facilities to change their design-basis threat to take into account post-9-11 realities required nuclear plants to recalculate standoff distances as of October 29, 2004. The design-basis threat changed so much that no plant could have kept the same standoff distance, Palmieri says, even if it previously had a generous setback. Although there are different standoff requirements depending on the sensitivity of the facility, “I know from personal experience that they all had to make changes in at least one of the elements,” he says.
Trailing nuclear facilities in this area were gas (45 percent), electric (39 percent), sewage (38 percent), and water power (35 percent). Across the board, larger operations had increased their setbacks more than the smaller utilities. Smaller utilities have a more difficult time funding these sorts of modifications, notes Steve Meyer, president/CEO of Meyer & Associates, Inc., a security consulting firm with an expertise in utilities. Moreover, with Congress pushing for deregulation, smaller utilities are under pressure to invest in distribution systems, not security, observes Ness.
Even though they were among the lowest, it’s significant that the numbers of wastewater and water-processing facilities increasing security around their operations were substantial. Before 9-11, “you found maybe a gate, and generally it wasn’t locked,” says Kozozenski. “They’re starting from ground zero” on perimeter protection.
Fences. Nearly four out of five utilities indicated that they had surrounded sensitive sites, such as electrical transformers, with fencing. Percentages were high for all facilities, including 82 percent each for electric, water power, and water purification. Very little difference was evident between utilities serving fewer than one million customers and those serving greater than a million.
Barricades. Utility security professionals were also asked whether their sensitive facilities use vehicle barricades, such as Jersey barriers or bollards, that can withstand a speeding vehicle. Fifty-three percent said yes, 47 percent no. Again, nuclear facilities set the pace, with all but one answering in the affirmative. Water purification plants followed fairly closely behind, at 73 percent. This makes sense, says Kozozenski, because it takes a large volume of material to contaminate a water-processing plant, and these facilities are becoming more conscious of the possibility of “big-capacity rigs rolling in and, perhaps in suicide fashion, blowing up one of their tanks.” On the low end, only 43 percent of sewage plants said they use vehicle barricades.
But the breakdown between large and small facilities runs counter to the expectations of the security professionals consulted for this story. In the electric and water power sectors, smaller services posted higher rates of barricade use.
Most utilities have taken to heart the need to upgrade procedures for screening prospective employees, contractors, and vendors—a full 77 percent said they had done so. Again, heavily regulated as they are, nuclear facilities led the way in this category, with all but one saying it had upgraded hiring procedures. Palmieri notes that the NRC has required nuclear facilities to amp up preemployment checks and ongoing employee screening by, among other things, conducting more follow-up investigations and reducing the interval between drug tests.
Eighty-four percent of gas facilities had upgraded their procedures, as did three-quarters of electric companies. The other utilities clustered between 60 and 70 percent. In all cases except nuclear, larger utilities were more active in this area. Every nuclear facility serving fewer than one million people had boosted screening, while all but one of the larger facilities had done so. Kozozenski surmises that the levels are generally high because background checks are straightforward and affordable.
Meyer says that the facilities he’s familiar with “all take it very seriously.” He figures that the ones that didn’t say that they had tightened their background screening “already had a high level.”
Not everyone agrees. Ness questions whether utilities are conducting substantive checks. “In my experience, a lot of these places do Internet background checks,” he says. “Well, that’s not a background check. All you’re doing is going into databases” that lack information from many jurisdictions. “Everyone I’ve ever worked with isn’t doing thorough background checks,” Ness says.
Metal detectors. An employee, contractor, or guest slipping through the door with a gun seems to be a minority concern. Only 30 percent of respondents said that they use metal detectors at key facilities. Of those that do use them, the focus is on visitors and contractors/vendors: 50 percent use them on visitors, 44 percent on contractors and vendors. Fewer (39 percent) subject staff to metal detector searches.
Nuclear facilities (100 percent) are the primary users of this technology, given that regulations require screening for weapons, explosives, and incendiary devices at “protected areas” of nuclear plants. The second highest users, water power companies, were far behind at 31 percent. In terms of utility size, the numbers skew heavily toward the larger facilities. For example, 38 percent of large electric companies use metal detectors versus 10 percent of the smaller ones. Meyer explains that people frequenting smaller utilities tend to know each other personally and trust one another. As for the category of people screened, the various utilities yielded very similar numbers.
Ness suggests that ASIS members work at the more security-conscious companies and that among the wider population, the numbers may be even worse than 30 percent. “I can’t remember the last time I’ve been through a metal detector” at a utility, he says. “Outside of a nuclear facility, you rarely find a metal detector.”
That may change in the future, however. Kozozenski predicts that more utilities will start investing in such screening in response to state laws allowing the carriage of concealed weapons.
Explosives detection. The numbers on use of explosives-detection equipment at key facilities fell into a similar pattern as metal detector use. Excluding the nuclear industry (where use is mandatory and, therefore, 100 percent), usage was at about 20 percent. Again, large utilities drove the numbers, with very few smaller facilities having the technology in place.
Contractors, vendors, and visitors were most likely to be targeted by explosives detection. Sixty-two percent of respondents screen contractors/vendors and 59 percent screen visitors, as opposed to only 37 percent that apply explosives detection to staff.
Forget iris scanning, facial recognition, and voice recognition. According to the survey results, they are not in wide use in utilities. Dominating the results was hand geometry, the biometric of choice for more than 80 percent of the utilities that use biometrics for access control. The only other technology used by the respondents was fingerprints, with one utility using both hand geometry and fingerprint systems.
The biggest user of biometric technology (which is not a federal requirement) was the nuclear sector, with 57 percent. About one-third each of electric, gas, and water power utilities indicated that they used biometrics. Likely because of cost and perceived threat, bigger utilities were much more frequent users of biometric technology.
Nuclear plants overwhelmingly preferred hand geometry to fingerprinting—83 percent to 17 percent. Hand geometry has become the de facto standard for nuclear facilities, confirms Palmieri. The electric sector also preferred hand geometry, although the gap between use of that technology and fingerprints wasn’t as wide: 69 percent to 31 percent. But Ness notes that most of the technology deployed is at corporate headquarters buildings. “You don’t see it where power is made.”
One of the first steps in any security reevaluation is a vulnerability assessment. By that measure, utilities of all types and sizes have been reexamining their protective profile since 9-11. Specifically, 96 percent of respondents reported having conducted a vulnerability assessment since that tragic day.
Legal requirements. Sixty-five percent of survey respondents reported that they have been required to conduct vulnerability assessments since September 11, 2001. Those requirements apply currently to nuclear facilities under NRC mandates and to water purification plants serving more than 3,300 people, as provided for under the Public Health Security and Bioterrorism Preparedness and Response Act.
Software. Despite the availability of software tools to help conduct assessments, relatively few utilities—26 percent—took advantage of them, and that rate of use was fairly consistent across sectors, regardless of the type of utility.
Though one might reasonably hypothesize that small utilities, lacking the in-house expertise, would constitute the primary users of such software, the opposite was actually true. Among every sector, larger utilities used this software much more than their smaller counterparts did. To cite one example, 40 percent of large water purification plants used vulnerability assessment software, as opposed to only 17 percent of those serving fewer than one million customers.
These figures don’t surprise Kozozenski, however. “The more complex your system, the more you need a sophisticated vulnerability assessment tool,” he says. “If you have one wellhead, one building, one chlorine tank, you probably don’t need it.”
Consultants. The survey also queried whether utilities hired or planned to hire outside consultants to help perform the analysis. Only a minority, 38 percent, said yes. As might be expected, smaller utilities availed themselves of consultants at higher rates. Twice as many small electric facilities (one-half) as larger electric facilities (26 percent) responded that they had used consultants.
Water purification and sewage treatment plants were most likely to use consultants. Federal funding was available to water facilities to secure consultants, notes Kozozenski, which accounts for that sector’s high rate.
Implementation. Respondents were asked whether they implemented changes recommended in the vulnerability assessment. An overwhelming 84 percent of facilities that had conducted a vulnerability assessment made at least some of the changes that were recommended. Nearly all the rest claimed to have made every recommended change.
More than half of the respondents (58 percent) reported adding security officers or patrols. Nuclear again led the pack at 100 percent. Water power utilities also scored high, at 81 percent, reflecting that federal standards require them to have security patrols, says Ness. Also, adds Kozozenski, some staffing increases are to help reduce the possibility of lawsuits from downstream landowners arising from an attack on a dam.
Arms. Nuclear plants are required by federal mandate to arm their guards, and, accordingly, 100 percent stated that they do so. Under NRC regulations, says Meyer, guards at nuclear facilities must be armed in some capacities, such as when responding to an incident, but security officers don’t require arms in other functions, such as staffing a screening area.
Also, explains Gwiazdowski, guards are required to qualify during both daytime and nighttime hours with their sidearm and a contingency weapon. In addition, they must qualify on a tactical course that simulates their response requirements at their facilities.
No other type of utility tallied more than 50 percent when asked whether guards are armed; 44 percent of the gas facilities said they arm their guards, for example. Not one water purification operation indicated that it arms its officers.
Armed or not, Kozozenski says that it is significant that there are guards at water utilities at all. “Whereas before there may have been an unlocked gate, now there’s an investment in a security officer,” he says. As with the question about increasing numbers or presence of officers, there was little difference due to utility size.
Survey responses showed that utilities have done well with liaison efforts. Every facility said it liaised with police, fire, and other emergency responders. Seventy-one percent said they had mutual-aid agreements with other utilities, led by 84 percent of gas companies and 78 percent of electric companies. Sewage was at the bottom of the heap at 38 percent. For each type of facility, larger utilities more frequently maintained mutual-aid agreements than smaller ones.
Utilities were also asked whether they participated in their sector’s Information Sharing and Analysis Center (ISAC) and how useful they found it to be. Overall, 79 percent participated, of which 94 percent found ISACs to be very or somewhat useful. Most well represented among the respondents was the gas industry, 91 percent of which participated in the corresponding ISAC. This may again reflect the involvement of ASIS members. In the real world, a lot of utilities don’t even know what an ISAC is, Ness says.
The survey also asked respondents about their use of electronic surveillance and about basic computer security technology and practices, such as whether they conduct regular penetration testing. For example, 96 percent answered that they use electronic surveillance: 95 percent use it at major staffed facilities, and 82 percent employ the technology at remote unstaffed properties.
Likewise, 88 percent of respondents have Supervisory Control and Data Acquisition (SCADA) systems in place, according to the survey, and 85 percent of those said they had upgraded the system’s security.
But how meaningful might these upgrades be? In some cases, not very, says Ness.
“They put a little effort in firewalls, but SCADA systems are still very vulnerable,” he states. That won’t change until there are federal standards that require strong SCADA protection, he predicts. In fact, Ness relates a story of how he recently had two young engineers try to hack into the SCADA code of a major utility. They succeeded in four weeks, and could have disrupted the whole region by activating power surges through the system or causing brownouts or blackouts.
Every utility in the survey did indicate that it at least uses a firewall and antivirus software to protect its networked computer systems. Ninety-seven percent use intrusion-detection software, 92 percent follow a patch-management policy, another 92 percent limit staff systems access according to duties, and 88 percent perform regular penetration testing on their computer systems. The effort may be paying off; only 4 percent said that their systems had been successfully infiltrated by a hacker.
Every expert contacted for this story commented that the wide disparity among utilities in the security measures they have implemented derives from the lack of federal or state standards. Federal regulators have balked in all areas but cybersecurity, where they have issued some basic standards, says Ness. And a few states, such as New York, are taking action themselves, “but not nearly enough,” he adds. “We’re basically sitting in limbo.”
“Without standards, you’ll find a wide range of what is adequate protection,” says Kozozenski. “Unless it’s mandated, it’s not going to happen.”
Michael Gips is a senior editor at Security Management magazine. Special thanks to Leena Bhimani, Web site administrator, for her assistance on this survey.