No business has the capacity to build an intelligence function to the scale attainable by governments such as the United States, the United Kingdom, or China. In an era of big data, so much information is available from so many sources that creating an in-house intelligence function is a dizzying prospect.

Businesses have a much more circumscribed scope of concerns than state actors do, making the task more manageable. However, constructing an internal intelligence capacity that’s truly “intelligent” requires the strategic selection and analysis of specific information, not a dive into a data dump.

An effective in-house intelligence function can help companies identify, evaluate, and mitigate existing threats and vulnerabilities. Developing such a program requires a dedicated and talented security staff and an organized approach to tackling complicated problems. An electrical utility company in the Midwest established such a program and found that the intelligence gathering and analysis techniques used in criminal investigations could be a boon when applied to security challenges.

The company, which supports 10,000 miles of transmission lines, a few hundred electrical substations, and about a half dozen offices, hired a new team leader for its security department in 2011. After an assessment of the company’s security program, the team leader determined that an in-house intelligence function could address the major threats facing the company, including vandalism, theft, and attacks from internal and external sources. However, before the intelligence function could be developed, the utility had to make some changes.

UPGRADING THE PROGRAM

Before launching an in-house intelligence function, it was imperative to assess the existing security program. The new team leader had to determine whether current personnel were capable and willing to initiate and maintain the intelligence function. The team leader also had to sell senior management on the value of an intelligence program. Without adequate resources or support, the new program would fail.

The initial analysis of the utility’s security program revealed that the department was deficient in several key components. There was a lack of focus, organization, vision, leadership, structure, and discipline. There was no central repository of written standard operating procedures to guide even the simplest of duties within the department. Officers neglected to write reports or document security incidents. In addition, the individual officers worked on separate projects and failed to share them with the rest of the team, leading to an overall lack of focus. 

To address this problem, the team leader directed the department to compile a manual of operations, which documented and organized security processes for the reference of all company personnel, not just security officers. Where necessary, security staff received formal training on aspects of their jobs.

After a capable and willing staff had been assembled, the next step was to engage them in developing specific missions based on the needs of the security department and the organization as a whole. The missions would be clearly defined and the path to success laid out in advance. The team would document each mission and assign a member of the department to spearhead each effort.

Once each of the missions was defined, it was imperative to standardize operations and practices while carefully documenting how each of the missions would be accomplished. Each mission had a distinct set of standard operating procedures. For example, if intelligence is developed indicating that theft is occurring, the procedures for that mission should include a predetermined plan with an asset protection specialist and law enforcement liaison contacts who can act on any leads that develop.

For the utility, the in-house security function was designed to develop sufficient situational awareness to identify potential adversaries and determine their possible methods. The goal was to develop and maintain a list of subjects or groups who were capable of an attack and had the intent to do the organization harm. After an incident, the department could quickly turn the list of names of the tracked adversaries over to appropriate law enforcement officials to assist in an arrest.

MISSIONS

Over a three-year period, the utility developed several intelligence missions, including deterring external threats, addressing copper theft, and hardening specific utility targets.

External threats. In 2012, security launched a mission to expose external threats to the company. To uncover those who might do harm to the company in the future, the security team gathered intelligence by examining past incidents, identifying prior adversaries, and exploring the methods that could be used to harm the organization. However, a cursory analysis revealed an underlying problem: the company did not have a comprehensive program to track those who made direct threats to the company.

As is industry practice, the company had built transmission lines by paying a right-of-way stipend to landowners. As part of this effort, the company had established a vibrant community outreach program. In so doing, several departments encountered people who were angry or aggressive toward the utility, but all the records of these encounters were maintained in the individual departments. There was no central repository for security to analyze. This led to situations where different departments were aware that a person had made threatening remarks but had failed to inform those who might come into contact with this same person in the future.

For example, if a homeowner attending a community open house made direct threats to harm company personnel, the customer relations department did not share the threat information with construction personnel charged with building the lines on this person’s property, with the asset management employees who maintained the equipment, or with the vegetation management workers who trimmed the trees along this person’s property. The situation created the potential for company personnel to walk into a threatening situation unprepared. 

To address the problem, security conducted a companywide assessment to gather information. For each threat made, security interviewed any staff who had witnessed the incident. Security then researched whether this person had made previous threats or had a history of violence.

In evaluating potential external threats, security weighed capability and intent. A threat who is highly capable of an attack can develop the intent to attack the organization quickly. However, a threat with high intent and low capacity will require time to develop the capacity to cause damage. So, security developed the tools to monitor the intent and capability of known threats. For example, if landowners had threatened to kill a company employee if the utility continued its work, the intent would be considered high. Security would then check with local, state, and federal law enforcement to determine whether the individuals had been convicted of prior crimes of violence, whether they owned guns, or whether they were members of any groups affiliated with domestic terrorism—all factors that would signal a high capability of carrying out a threat.

If the investigation revealed that the person might be a threat, security created flyers for company employees. The flyers contained information about the person, such as their address and the  specific threatening actions he or she had taken against company personnel. Security distributed these flyers to each office building and to each department that could possibly have contact with the potentially dangerous individual. This information was also placed on a shared computer drive for all company personnel to access. To protect employees in the field, security used computer mapping to devise threat maps. If employees were going to an area where they could encounter a dangerous person, that information would display on the map.

Vandalism. Another mission was to uncover who was behind several incidents of damage caused by citizens shooting firearms at company transmission lines. Security first participated in a meeting on the subject with the company’s transmission line maintenance department, the asset maintenance department, and customer relations. After the meeting, security took the lead on this project and, in collaboration with the group, developed an action plan. 

The first step of the plan was to gather intelligence, analyze available paperwork, and document past incidents. The investigation showed that there were no security incident reports filed on the vandalism. Similarly, a meeting with local law enforcement found that the police had not been notified of all the prior incidents nor had they maintained written reports for those they did know about. The only history of the incidents was gleaned from maintenance records. Analysis of these records uncovered 12 incidents of shooting vandalism between 2006 and 2012. With the initial analysis conducted, security contacted law enforcement in the area, including the FBI, state police, and the county sheriff’s office. Security informed the agencies of the vandalism and convened a meeting to discuss law enforcement options.

The group then worked to establish when the vandalism was mostly likely to occur again. The sheriff’s office placed surveillance cameras on the trails in the area. The footage from these cameras helped narrow the time of greatest activity to the hours between 3:00 p.m. and 8:00 p.m. during the week and any time on the weekends. The sheriff’s deputies then patrolled the area periodically and on a random basis based on these patterns. 

The sheriff’s department offered the use of a camera with long-range identification capabilities. The system could capture quality photographs and read license plates from approximately 300 yards away. The sheriff’s department deployed the camera in the area where vandalism had occurred in the past. The police monitored this camera and were prepared to use any footage as evidence. Additionally, the deputies spoke to several persons who were firing weapons in the area. This put people on alert that law enforcement was involved.

The team evaluated existing laws around the criminal activity and researched what statutes were available to law enforcement. The sheriff’s department provided documentation on two state laws that applied to the situation—both were felonies punishable by five years in prison. The laws were sent to the utility company’s legal department, which conducted additional research across all the states in which the company did business. The laws uncovered by the legal department were used to provide law enforcement with tools to charge offenders with felonies for damaging the power lines. The laws also gave security guidance in developing specific signage that warned shooters that they were committing a crime if they caused such damage.

The team evaluated prior and existing public awareness campaigns used to educate the public on the dangers associated with downed transmission lines. Based on this research, customer relations developed a press release and followed up with a comprehensive public awareness campaign, which included television coverage of the problem.

These strategies were deployed in late 2012 and the public awareness campaign was updated prior to deer hunting season in the fall of 2013. To date, there have been no additional vandalism incidents due to shootings.

Copper theft. Using the same strategies employed in assessing the vandalism, security conducted an assessment of break-ins at company substations and theft of copper in those stations. There were no security incident reports on the thefts but police records revealed 76 reports over the past five years. Once the reports were analyzed, security found that the police had identified several strong suspects. These suspects had been charged with misdemeanors for other crimes and were not in custody. Security suspected the thieves would return.

To stop the thefts, security began meeting the first Friday of each month to analyze incidents from the prior month and develop measures to address any issues. These meetings included personnel from asset management and other company employees as deemed appropriate.

Security began mapping the incidents, first using paper maps, then computer spreadsheets, and finally computer mapping software. Security then developed and documented a standardized incident report for such thefts. This assisted in tracking and reporting details of the thefts. These documents were used to develop an incident report database, which could be used to analyze data and produce reports identifying criminal patterns and activity. These patterns indicated that most criminal activity was occurring during certain months. The software then allowed security to react to new patterns of criminal activity.

Security also rotated surveillance systems within the area of criminal activity. The camera systems included infrared capability and were tied to a motion detector to capture video clips when an alarm was triggered. The cameras operated via cell phone frequencies and ran on batteries, making them extremely mobile. However, the system had a few drawbacks. It was dependent on cell phone networks and could be tripped by wind or wildlife.

The team maintained three separate spreadsheets: a list of known copper thieves, a list of scrap dealers with a tiered system to track the most nefarious, and a list of law enforcement officials investigating copper thefts in various jurisdictions. This intelligence was shared with other utilities and law enforcement. Based on the information the company provided, law enforcement arrested nine people and charged them with various felonies. Some served prison time, while others were released within months. Those who were released turned out to be repeat offenders. Of those nine who were charged, three were arrested for property crimes against the utility twice within a year’s time.

After the arrests, the team worked to upgrade security at vulnerable locations. First, security collaborated with asset management to develop a cost code for the thefts and repairs to accurately track monetary loss. Security updated the substation inspectors’ monthly checklist to include a brief security section. The team also established and maintained a spreadsheet of all company assets and the level of physical security at each of the substations. These efforts helped justify the expanded security measures.

Based on the intelligence gathered on the thefts, security identified substations that required fixed surveillance systems or heightened security measures. Security then evaluated and tested cutting-edge technology for deployment in the substations. Based on these evaluations, security added high-definition cameras and infrared beam detection devices to several of the substations.

To ensure support for the initative, security developed a monthly report to inform executives, as well as construction, safety, and asset management personnel, of the incidents and mitigation efforts.

The results of the mission were rewarding. In 2011 the company had 29 substation break-ins. By 2012 these had been reduced to 14, and incidents fell to six in 2013. In addition, relationships with law enforcement improved greatly after company intelligence led to the arrest of several of the thieves. These bonds are still strong, resulting in a mutually beneficial relationship between the company and police.

Substation protection. In 2013, a shooting incident at a Metcalf, California, substation caught the attention of the industry. In the orchestrated attack, perpetrators entered the substation through two different manholes and cut the fiber cables, knocking out landlines to the substation as well as local 911 services and cell phone service in the area. Then, the assailants fired more than 100 rounds from a high-powered rifle at transformers in the facility. Though the perpetrators failed to disrupt power service, they damaged 10 transformers.

In light of this attack against the industry, security at the company worked with asset management to develop the Physical Security Assessment Working Group (PSAWG). Members included representatives from security, the critical infrastructure protection program office, asset maintenance, communications, asset performance, metering and control, and cybersecurity.

The PSAWG was formed to protect against a coordinated attack on an entire substation. The assessment considered possible attacks on substation perimeters, transformers, and control houses. Based upon specific risk assessments the PSAWG emphasized recommendations from several industry best practices. Many of these practices included resilience measures and a blended approach between physical and cybersecurity.

The PSAWG reviewed the California incident, assessed company vulnerabilities, reviewed current practices and preparedness, and developed an action plan. The action plan called for creating an incident response team to handle incidents as they occurred throughout the company’s holdings. The plan also called for the use of an existing incident communications process to notify and engage appropriate company personnel should an attack occur.

Appropriate company departments conducted vulnerability assessments of the equipment critical to operations in company substations. Security and asset maintenance worked together to conduct site-specific assessments of company substations. Security ensured that significant incidents were reported and entered into a database to provide situational awareness for responding personnel. Security and asset maintenance consulted with the legal department to develop signage that could be displayed on substations with specific language about laws and penalties.

The group also established communications with the security departments of industry partners, the FBI, and the Department of Homeland Security, in order to share intelligence on common threats.

Though the perpetrators of the Metcalf attack have not been apprehended, some industry experts have speculated that there might be a connection to terrorists. With this in mind, security evaluated and assessed regional, national, and international criminal, terrorist, and extremist groups with a presence in the company’s area of operations. Security conducted research on domestic extremists, ecoterrorists, known terrorist groups, and lone wolf offenders.

After obtaining background information on each of the groups, security addressed three issues: whether the group had a presence in the company footprint, whether the group had the capability to do damage, and whether the group had the intent to harm the company or other utilities.

For example, the section on al Shabaab revealed that the group has a presence in every metropolitan area where there is a significant Somali population; there is a documented presence in Minneapolis and parts of western Wisconsin; and al Shabaab members are within driving distance of any company assets they decide to target.

Al Shabaab has deployed American citizens from Minneapolis to target the enemies of Islam. They have also employed mass murder, as demonstrated in the Westgate Mall shooting in Kenya. No specific threats emanating from al Shabaab to the company have been uncovered. However, open source reporting indicates that there have been attacks on electrical utilities overseas. Because al Shabaab has a presence near company property and past attacks have demonstrated the organization's capability to plan and execute violent attacks when provoked, the analysis recommended that al Shabaab should be included in any future company risk assessment.

MAINTAINING THE PROGRAM

Maintaining an in-house intelligence function is critical because intelligence expires. Security conducts annual risk assessments of evolving threats and continues to coordinate and share intelligence with aligned industry partners and local law enforcement at the detective level.

As part of the utility maintenance program, security reaches out to other potential partners, such as the FBI, the Department of Homeland Security, fusion centers, and industry peers. The more personal the developed contacts are at each level, the more likely requests will be honored.

Documenting standard operating procedures for tracking and monitoring the ever-changing threat streams helps the department establish priorities going forward. Security continues to review, organize, track, and document incidents that have occurred in the utilities industry. If these events are familiar and standard operating procedures are developed to address them, the resolution will be more effective, efficient, and repeatable.

The most important aspect of maintaining an in-house intelligence function, however, is to track and document the program’s successes. These victories are shared with the entire organization, especially senior executives, as evidence of how valuable such a program can be. 

Thomas A. Trier is employed by Miller/Coors Security in Milwaukee, Wisconsin. He previously served as the team leader of corporate security for a Midwestern electrical utility company. Trier also spent 25 years as an FBI special agent.