The Utility of Securing the Electric Supply
Our society is built in part on a foundation of reliable electrical energy. Utilities work to ensure the uninterrupted supply of electricity in the face of multiple threats, including copper thieves, marijuana growers, computer hackers, and potential terrorists. The experiences of three utilities, plus a look at how the industry as a whole is trying to improve information sharing, serve to illustrate the challenges this sector faces and the varied solutions that are helping to minimize the risks.
EPCOR Utilities Inc., a power and water provider owned by the City of Edmonton, Alberta, Canada, owns or operates 50 facilities in Canada and the United States. One major security problem the company faced in recent years was the theft of copper.
Global economic growth over the past decade, especially in China and India, had created a high demand for industrial metals like copper, boosting their values to unprecedented levels. Understandably, this market has made copper, which is prevalent across the energy sector, a prime target for thieves.
According to a survey published in January by the Electrical Safety Foundation International (ESFI), electrical utilities sustained an estimated 50,193 thefts of copper during 2008. ESFI estimates that copper thieves hit 95 percent of electrical utilities in the United States. The copper stolen was valued at just over $20 million.
The full impact of copper theft, however, dwarfs the cost of the metal alone. Thefts in 2008 caused more than 317 days of power outages, ESFI found. Utilities also have to spend money on repairs, and when custom-ordered materials are stolen from construction projects, further activity is delayed while replacement equipment is ordered and manufactured. Thus, the total impact of that year’s thefts is estimated at more than $60 million, while utilities spent another $27 million trying to prevent future copper theft incidents.
Beyond these costs are the dangers that such thefts pose to thieves and utility workers alike. Most people think of electricity in the context of home wall outlets.
That amount of energy is relatively small, and safety is carefully engineered into delivery from the substation to the homes and appliances that use it. That same level of safety does not exist at the utility generating plant or substation. ESFI found that 52 people were injured while stealing copper last year, and 32 died. Thieves have died in substations wearing running shoes, using rubber-handled cutting tools, mistakenly thinking that they were protected, only to have massive arcs of electricity travel through the air and their bodies en route to the ground. Similarly, if a thief successfully steals a copper grounding cable, the next utility worker to service that equipment could get a fatal shock.
Thieves find copper in the form of wire in construction projects, derelict housing, distribution lines, telephone boxes, and electrical substations, among many other sources. Those committing the crimes run the gamut from desperate drug addicts to members of organized crime syndicates.
The common thread is opportunism. If would-be thieves don’t see copper or don’t think they can access it easily, they won’t even try. Thus, experience has shown that the best way of reducing the theft of copper is to reduce ease of access to it.
Realizing that a company’s technical and construction personnel are best positioned to limit exposure and given the clear nexus with worker safety, EPCOR Utilities addressed the problem by educating staff through its existing program of Safe Work Practices. It turned out that many workers were unaware of both the risks posed by copper thefts and how easily they could help to mitigate them.
Construction crews now clean up all scrap copper at the end of the day, and unused copper wire and grounding equipment must be either returned to service centers at night or securely locked away.
Other solutions have been improvised by workers in the field. When, for example, they are burying copper cable, crews make sure that they finish a given segment before heading home for the day; they don’t start segments they can’t finish that day so that equipment will not have to be left out overnight, which would be an invitation to thieves.
Another simple method of thwarting copper thieves is wire tagging, which essentially entails “branding” copper with a sign of ownership. It works on three fronts: it’s a deterrent to thieves, it can help authorities track down perpetrators, and it can alert legitimate scrap vendors to stolen materials.
Utilities typically set up scrap disposal contracts with an approved recycler; that company should be the only vendor handling that utility’s copper scrap. If a legitimate recycler spots a company’s tags on scrap offered by a third party, the recycler won’t buy it, discouraging future theft.
EPCOR Utilities uses two products: DataDot, which is an adhesive material containing sand-sized particles bearing a registered company PIN number, and DataTraceDNA, also developed by DataDot Technology Ltd. along with Australia’s state-run Commonwealth Scientific and Industrial Research Organization. DataTraceDNA is battleship gray-colored paint containing a signature ceramic taggant identifying the owner.
Stamping copper components with the name of the electrical utility that purchases them is another excellent method of marking copper. Grounding stakes, copper fittings, and wire can all be stamped. Another tactic is use of alternative conductors such as Copper Clad Steel, produced by Copperweld. The cable’s conductive copper binding constitutes only 3 percent of its diameter, leaving a thief with minimal resale value.
These measures, part of a broader, companywide security program, helped reduce overall shrinkage at EPCOR by two thirds from 2007 to 2008. Copper thefts—one of which cost the company $20,000 in metal alone—were all but eliminated in 2008, with only four minor thefts reported.
Copper’s market price peaked at $4 per pound in 2006, but it fell to $1.50 per pound in early 2009, and the rate of theft has fallen somewhat with it. This is not the end of the problem, though. Utilities know that when the global economy improves, copper theft will increase again.
BC Hydro and Power Authority is a provincially owned utility in Canada; it produces power for domestic use and export and manages small water supply operations in remote communities within British Columbia. For BC Hydro, a utility serving 94 percent of British Columbia’s population areas, the problem is electricity theft and the associated damage caused by it, which are estimated to cost the company $30 million annually. That figure is expected to rise to $60 million within a decade if left unchecked.
In British Columbia, 99 percent of energy theft is linked to illegal indoor marijuana cultivation operations, which require powerful lamp light 24 hours a day. Criminals tap into distribution circuits in various ways to bypass the electric meter. Some of their methods are quite sophisticated, and all are extremely dangerous. Beyond the obvious risk of electrocution to both perpetrators and utility workers, diversions can result in unstable circuits that can lead to house fires, explosions, and power surges across the circuit affecting all homes in the community.
Besides obvious physical tampering with a meter that would appear clearly to a company technician, the most telling indicators of diversion are a sudden drop in metered consumption and a sudden increase in actual power draw. To uncover these indicators, BC Hydro special investigation teams search for anomalies in the electric consumption records of customer premises and conduct field tests on distribution circuits, distribution feeds, and at the electrical meters.
Any diversion confirmed by BC Hydro is reported to law enforcement. While statistically, energy diversion can establish suspicion of marijuana cultivation, the decision of whether to investigate or pursue narcotics charges falls solely to police. And in Canada the utility’s lost rate fees are solely a civil matter except where restitution associated with a successful theft conviction is ordered by the courts. It falls to each utility to collect from the energy thief, and the matter is often settled before a civil court judge.
In the United States, the process is only slightly different, according to Scott Burns, a former criminal prosecutor and now executive director of the National District Attorneys Association. Nearly all U.S. states have criminal theft-of-service statutes, with penalties mirroring those for physical theft. The utilities are expected to report energy diversions to police. Then, as in Canada, it falls to police to decide whether to simply pursue theft charges or investigate possible drug cultivation.
Not all pot growers steal power. But most of them exact an exceptionally high draw on the grid, which presents critical safety concerns within a building. Thus, an amendment to British Columbia’s Safety Standards Act allows municipalities to request information regarding high consumption users without violating privacy.
High consumption is specifically defined in the law as consumption over 93 kilowatt-hours per day, compared to about 30 kilowatt-hours daily for a normal household. Records are provided to municipalities on written request from a designated public safety official, such as a fire marshal, to ensure that high consumption does not present a life-safety danger.
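The two diversion indicators described above (a sudden drop in metered consumption alongside a rise in actual draw) and the 93 kilowatt-hour high-consumption definition can be checked against consumption records, as in this added example, which is not BC Hydro's method or code. The premise names, readings, feeder-level measurement, window length, and thresholds other than 93 kWh are constructed assumptions.

```python
from statistics import mean

HIGH_CONSUMPTION_KWH_PER_DAY = 93  # definition quoted in the article
WINDOW_DAYS = 7        # assumed: compare the last week with the week before
DROP_RATIO = 0.5       # assumed: "sudden drop" = below half of baseline
MIN_GAP_RISE_KWH = 10  # assumed: ignore small swings in line losses

# Constructed sample: 14 days of metered kWh for three premises on one feeder.
METERED = {
    "premise-A": [31, 29, 30, 32, 30, 28, 31, 30, 29, 31, 30, 32, 29, 30],
    "premise-B": [33, 35, 34, 36, 35, 34, 33, 9, 8, 10, 9, 8, 9, 10],
    "premise-C": [95, 97, 99, 96, 98, 97, 99, 98, 96, 97, 99, 98, 97, 96],
}
# Constructed sample: kWh measured on the feeder itself (actual power draw).
FEEDER = [164, 166, 168, 169, 168, 164, 168,
          263, 260, 263, 264, 265, 261, 261]


def window_means(series, window=WINDOW_DAYS):
    """Return (baseline mean, recent mean) over the last two windows."""
    return mean(series[-2 * window:-window]), mean(series[-window:])


def sudden_drops(metered):
    """Premises whose recent metered use fell below DROP_RATIO of baseline."""
    drops = {}
    for premise, series in metered.items():
        base, recent = window_means(series)
        if base > 0 and recent < DROP_RATIO * base:
            drops[premise] = round(base - recent, 1)
    return drops


def unaccounted_rise(metered, feeder):
    """Rise in daily feeder energy that the meters on it do not explain."""
    daily_totals = [sum(day) for day in zip(*metered.values())]
    gap = [f - total for f, total in zip(feeder, daily_totals)]
    base, recent = window_means(gap)
    return round(recent - base, 1)


def diversion_candidates(metered, feeder):
    """Premises to field-test: metered use dropped while unmetered draw rose."""
    if unaccounted_rise(metered, feeder) < MIN_GAP_RISE_KWH:
        return []  # meters still account for what the feeder delivers
    return sorted(sudden_drops(metered))


def high_consumption(metered):
    """Premises averaging more than 93 kWh/day over the recent window."""
    return sorted(p for p, s in metered.items()
                  if mean(s[-WINDOW_DAYS:]) > HIGH_CONSUMPTION_KWH_PER_DAY)


if __name__ == "__main__":
    print("field-test candidates:", diversion_candidates(METERED, FEEDER))
    print("high-consumption premises:", high_consumption(METERED))
```

In the sample data the high-consumption premise is fully metered and is not a diversion candidate, which matches the article's point that high draw and theft are separate questions.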
Manitoba Hydro, also a provincially owned power utility in Canada, generates and transmits power to Manitoba and the United States. Like other utilities, it was concerned about the cybersecurity of industrial control systems (ICS), including the supervisory control and data acquisition (SCADA) software used by utilities.
The vulnerability of these systems has gained attention in recent years as media reports have highlighted the potential threat posed by hackers breaking into these systems and remotely controlling or sabotaging the electric grid. An anonymously sourced article earlier this year in the Wall Street Journal, for example, reported that Chinese and Russian spies had both penetrated the North American electric grid and left behind bot-like programs that could possibly be activated at a later date to cripple the North American electricity infrastructure.
The report elicited the widest possible range of responses from network security experts. Some cast the report as an accurate and overdue public wake-up call for the utility sector. Others brushed off the report as a cynical bid from within the U.S. government to advance a policy agenda.
Utility security professionals who are disciplined about risk know that the greatest threat of cyberattack comes not from overseas or from a radicalized hacker but from within. Consider, for example, that in 2000, an Australian engineer quit his job with a contractor hired to install a SCADA system in a sewage treatment plant. When the utility did not hire him as an independent contractor, he accessed the SCADA system himself and dumped more than 200,000 gallons of raw sewage into area rivers, parks, and onto the grounds of a local hotel.
More recently, the U.S. government charged that a former IT contractor for California-based Pacific Energy Resources, Ltd., remotely disabled network systems the company used to alert them to leaks at off-shore oil rigs.
Addressing the threat, inside and out, requires a comprehensive, converged enterprise security plan with sound fundamentals, including strong procedures for ensuring personnel security and multiple factors of network access control that change regularly to prevent access by former employees or vendors.
Manitoba Hydro handles personnel risk assessment using a methodology established by the HR Policy Association that considers the nature of a worker’s position, the gravity of prior offenses, and the length of time since they occurred. While the company is already using this approach to assess new hires, assessments on longstanding employees are the subject of negotiations with unions.
With regard to network access control, the company recognizes that solid IT security requires regular training and awareness programs, along with use of passwords, tokens, and remote access authentication and encryption.
The electric utility sector as a whole is taking a major step toward bolstering both general and cybersecurity with a suite of nine critical infrastructure protection standards. Issued in 2005 by the sector’s self-regulation entity, the North American Electric Reliability Corporation (NERC), the standards address real or suspected sabotage, critical cyber-asset identification, security management controls, personnel and training, electronic security perimeters, physical security of critical cyber assets, systems security management, incident reporting and response planning, and recovery plans.
Implementation of the first standard applying to cybersecurity—critical cyber-asset identification—generated an April memo from NERC Chief Security Officer Michael Assante, who indicated that utilities might require a more robust consideration of which assets are critical by first assuming that all assets are. NERC asked that member utilities “take a fresh, comprehensive look at their risk-based methodology and their resulting list of [assets] with a broader perspective on the potential consequences to the entire interconnected system of not only the loss of assets that they own or control but also the potential misuse of those assets by intelligent threat actors.”
Assante’s letter implied that in initial assessments, the utility sector designated far fewer assets “critical” than NERC thought it should have. Testifying recently before Congress with Assante, Stephen T. Naumann of energy company Exelon Corp. assured lawmakers that “as owners, operators, and users of the bulk power system, electric utilities take cybersecurity very seriously.”
The first NERC standards were scheduled to become enforceable in July, with fines for noncompliance of up to $1 million a day, but the Federal Energy Regulatory Commission, which formally regulates the power sector, has urged industry compliance by the end of 2010, after which time it would take enforcement action.
A comprehensive regimen of information sharing between utilities and government agencies is a critical component of security. While communications occur today on an unprecedented scale, they are still not completely open and collaborative.
Countries like the United States have created regulatory agencies that seek to ensure the reliability of the bulk electric system and, as a prerequisite, the security of that system. The Department of Energy sets policy, the Federal Energy Regulatory Commission regulates U.S. utilities, and the Department of Homeland Security (DHS) steers security policy, coordinated in part through NERC, which serves as the sector’s official information-sharing and analysis center.
Canada, by comparison, lacks a central regulatory agency for its electricity sector. Natural Resources Canada regulates environmental impacts, while provincial utility commissions represent consumers. Public Safety Canada administers national security and federal emergency management programs. But none of these agencies has jurisdiction over the publicly and privately owned electrical utilities across Canada. Like their American counterparts, major Canadian utilities—but not all of them—are affiliated with NERC through regional reliability coordinating councils. The 32-member Canadian Electrical Association (CEA), the country’s private industry organization, has become the de facto voice for sector information sharing. Utilities security is addressed specifically by the CEA Security and Infrastructure Protection Committee (SIPC).
SIPC meets three times a year, and meetings feature closed-door “pens-down,” or off-the-record, sessions in which relevant experiences and concerns related to critical infrastructure protection can be discussed without fear of public disclosure. Several years ago, the committee agreed to include representatives from the Royal Canadian Mounted Police (RCMP) in a meeting. The first meeting demonstrated a need and desire for information and intelligence sharing and spawned a new level of participation and cooperation. Today, several federal government agencies join in these meetings to facilitate public-private information-sharing efforts and to provide classified briefings.
The RCMP, Public Safety Canada, and the Canadian Cyber Incident Response Centre were invited to subsequent SIPC meetings and their participation continues. Reciprocally, the RCMP has provided security clearances to CEA members who now participate in twice-yearly classified energy sector briefings.
The three government agencies are all partners in the national Integrated Threat Assessment Centre (ITAC). Sector members with secret-level clearance receive ITAC’s relevant intelligence products and participate in secret briefings in Ottawa. Most important, new trusted relationships between government and utility personnel have resulted in ongoing communication about threats and vulnerabilities.
Before these types of exchanges, sector-specific concerns like copper theft were relatively unknown to national officials from the RCMP. Similarly, many utility-sector representatives were unfamiliar with the threat posed by extremist environmental groups like the Earth Liberation Front. Collaboration has brought a new sense of understanding and cooperation to public and private participants.
CEA representatives recently attended a NERC cybersecurity meeting in Phoenix, Arizona, during which American counterparts shared their desire for more trusted person-to-person relationships with their federal agencies like the FBI and DHS. Canada’s effort has benefitted in part from its scale, with utilities and government serving a population roughly one-tenth that of the United States.
Canada’s information-sharing effort is not perfect. It is difficult to reach all critical infrastructure owner operators when they are not compelled to participate in information sharing. But the CEA’s SIPC model is providing an excellent conduit for information sharing in a way that is gaining momentum and trust.
A more formal information-sharing environment, such as the CEA established within Canada, could serve as a model for any country’s critical infrastructure sector. The end result would be better preparedness and better response capabilities, to the mutual benefit of all parties.
Ross Johnson, CPP, BMASc (Bachelor of Military Arts and Science), is senior manager, security and contingency planning for Capital Power Corporation in Edmonton, Alberta, Canada, and is a member of the ASIS Oil, Gas, and Chemical Industry Security Council.
Chris McColm, CPP, CFI (Certified Forensic Investigator), is corporate security manager for Manitoba Hydro and Gas in Winnipeg, Manitoba, Canada, and a member of the ASIS Utility Security Council.
Doug Powell, CPP, PSP, is manager, corporate security for BC Hydro and Power Authority, headquartered in Vancouver, British Columbia, Canada.