The security of critical infrastructure in the electricity sector is complex. Electricity assets are concentrated in small areas and distributed over large geographical expanses. They are manned and unmanned, involve dangerous equipment that citizens must be protected from, and they provide a resource to the public that enables the quality of life we enjoy today.
Protection of these assets requires security professionals to use every tool in the toolbox. Security managers have to consider protecting physical property, cyber assets, employees, and the public. Priorities must be established that respect the needs of the public and the organization being protected.
Any protection program that is developed must be as efficient and cost-effective as possible, as budgets are limited and ratepayers are sensitive to wasteful spending. Effective security programs rely on risk management principles and associated tools to establish priorities, allocate budget dollars, and harden infrastructure sites.
Physical security protection encompasses defensive mechanisms to prevent, deter, and detect physical threats of various kinds. Specifically, these measures are undertaken to protect personnel, equipment, and property against anticipated threats. Properly conceived and implemented security policies, programs and technologies are essential to ensure a facility's resistance to numerous threats while meeting demand, reliability, and performance objectives.
Security plans should be based on solid security principles, practical security assessments, and known threat data. To create actionable security plans and procedures, we must first understand some very basic security principles. All too often, simple terms are used interchangeably, which leads to confusion and ill-fitting assumptions. Understanding the definitions listed below will help you start building a comprehensive security program.
Threat - Actions, circumstances, or events that may cause harm, loss, or damage to your organization's personnel, assets, or operations.
Risk - The combination of impact and likelihood for harm, loss, or damage to your organization from exposure to threats.
Vulnerability - Weaknesses and gaps in a security program or protection efforts that can be exploited by threats.
Resilience - The ability to prepare for and adapt to changing conditions, and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.
Risk management - An analytical process that considers the operational context of the organization and the risk of unwanted events that might impact personnel, operations, and assets, with the aim of developing strategies that reduce risk by reducing the likelihood and impact of these events.
Once risks to a facility are accurately assessed, security professionals can determine whether countermeasures currently in place are adequate to mitigate those risks or if additional procedural, programmatic, or physical security countermeasures should be implemented. Any process used for identifying these risks should:
- Identify those threats which could affect personnel, assets, or operations
- Determine the organization's vulnerability to those threats
- Identify the likelihood and impact of the threats
- Prioritize risks
- Identify methods and strategies to reduce the likelihood and impact of the risks