Utility Security: The Missing Link in Operational Competency

Although the framework of operational competence had been in place for decades, its use as a gauge of organizational strength in the utility sector began to gain traction in the 1970s. Over the decades, the focus and benchmarks of operational competence have changed dramatically, but it’s still missing one core element: utility security.

So, what is Operational Competence?
You won’t find an official definition, but you’ll see the term used in financial documents, regulatory filings, board reports, operational bulletins, statutory guidance documents and other materials where an understanding of the utility’s operational capabilities is a key focus or provides critical information.

Operational competence (OC) refers to a utility’s ability to execute its operational mission reliably, safely and efficiently. It gauges an organization’s operational abilities against its peers based on core competency benchmarks. Several key factors influence OC, including regulatory compliance, the application of technical skills, workforce strength and capabilities, safety reputation, operational practices, and financial health. The benchmarks for operational competence are continually evolving to keep pace with shifts in the utility environment; in other words, the game changes, and the goalposts are moved.

In the 1970s, safety and compliance became key indicators of operational competence, with safety records and infrastructure reliability ratings serving as benchmarks of achievement. During the 1980s, standardization and automation emerged as key indicators, with the introduction of SCADA, efficiency improvement goals, and cost control targets used as benchmarks to score operational competence. 

The 1990s saw deregulation, privatization, and customer service ratings become key benchmarks, as utilities raced to unbundle long-standing organizational structures. Market liberalization, competition, customer engagement, and sometimes the speed at which a utility could be dismantled were considered as indicators of competence.

The digital transformation of utility operations began in the early 2000s, so OC benchmarks focused on smart metering, IT integration and asset management. As the digital evolution continued through the 2010s, OC benchmarks centered on transitioning away from fossil fuel energy sources, integrating renewable energy, and promoting distributed generation as signs of operational competence. 

In the 2020s, OC benchmarks shifted again to prioritize how quickly a utility can eliminate fossil fuels, how rapidly it can integrate advanced metering infrastructure (AMI), and how swiftly it can incorporate artificial intelligence (AI) into its processes.

Over the decades, some OC benchmarks, such as safety and reliability, have withstood the test of time and continue to have an impact. However, many benchmarks have faded over time as priorities have shifted—while others have been found to be unsustainable—and a few have led us down dangerous paths. A great deal of the most beneficial benchmarks have originated from within the utility community; however, some benchmarks are set by external actors with ulterior motives.

As any veteran utility professional can attest, sometimes the operational goalposts get moved by people who aren’t even playing the game. The industry must often contend with extraneous, sometimes unachievable, benchmarks driven by motives rooted in politics, public perception, and financial interests. Unfortunately, many externally imposed benchmarks have caused more harm than good, perpetuating negative perceptions and intensifying hostility toward the utility industry.

I’m not suggesting that all utility-focused hostility is tied to poor operational competency benchmarks, but in many cases, they certainly haven’t helped the situation—especially the benchmarks that focused more on advancing an external agenda rather than building true operational competency. But overall, most OC benchmarking efforts have helped utilities strengthen and improve operational performance.

Things are different today. Historically, OC benchmarks had a relevance shelf life of about a decade. Today, the components are in a constant state of flux; the utility sector is evolving rapidly, and the future is less predictable than ever. Uncertainty surrounding reliability, energy sourcing, environmental demands, and growing hostility toward established utilities has made benchmarking even more challenging. Now we have two new factors: AI and data center load growth.

These two seemingly independent factors are, in fact, interrelated. AI relies on data centers for computing power, and the growth of data centers is closely tied to the advancement of AI. Artificial intelligence is a term first coined in 1956 that, in simplistic terms, refers to computing systems capable of performing tasks that typically require human intelligence, such as reasoning, learning, decision-making, and perception. AI is now taking the world by storm, and it lives in “the cloud,” which first emerged in 2006. The cloud is, in reality, a network of data centers (i.e., someone else’s computers).

Today, the explosive growth of data centers is wreaking havoc on power systems and leaving existing demand projections in the dust. Currently, 30% of all the data centers under construction are dedicated exclusively to supporting AI, and I believe we haven’t even left the launch pad yet, so buckle up. It doesn’t matter where you’re located or if you serve data centers directly; their impact on the utility world is about to get real for all of us. Microsoft is footing the bill to recommission the Three Mile Island nuclear plant to support their data center/AI needs.

The data center and AI challenges, combined with production, transmission, and capacity issues, as well as concerns over environmental impacts, all contribute to a reputational image of the utility industry that’s sinking faster than the Titanic.

Today, demonizing the utility industry is practically a spectator sport. The constant vilification of utilities by politicians, journalists, political pundits and special interest groups has led to an increasingly negative perception of the utility industry, fueling growing hostility. This demonization, in some cases, has reached the level of stochastic terrorism and is playing a direct role in the growing aggression and violence being inflicted on utilities and utility professionals.

The explosive demand growth, unrealistic sourcing and supply mandates, coupled with tanking public perceptions and societal expectations of unflagging service, have created a perfect storm for utility operations.

So, what does all of this have to do with operational competency? Well, everything. If we want to get in front of the myriad issues created by AI/data center-fueled load growth, supply, and capacity issues, unrealistic expectations, and sinking public perceptions, we as an industry need to establish effective and meaningful OC benchmarks. We’ll still have to deal with external OC benchmarks being imposed on the industry, but we need to recognize the value of benchmarking and employ it as a tool for overcoming the tremendous obstacles we face, including a surge in hostility aimed directly at the utility industry.

Security needs to become a core component of operational competency. I believe that utility security benchmarking has been the missing element in operational competence for decades. In many ways, the utility sector is at the same point with security as it was with safety practices in the 1970s. It has been recognized as an issue, and efforts have been made to address some aspects of it; however, there’s been little movement toward a comprehensive or methodical approach. Establishing security as a core operational competency and setting ambitious but achievable OC benchmarks is how we can overcome the security shortfall and enhance protection for all utility assets—something we need now more than ever.

Today, employees are increasingly facing verbal and physical attacks, and a disturbing new trend quickly gaining momentum is the use of tactics like stalking, swatting and doxing against utility workers and their families, which can have deadly consequences.

Although we have begun to take positive action to address data and cyber threats, we need to “up our game” in dealing with physical threats while not slacking up on cyber/data security. Establishing operational excellence benchmarks can be the catalyst needed to make this happen. Operational competency today includes ensuring that every employee has the necessary security skill sets to recognize and respond effectively to digital and physical threats.

Your employees are either the strongest defense or the weakest link in your utility’s security posture. One of the primary reasons that, despite investing millions in firewalls, access controls, and surveillance systems, security failures continue to occur is human error.

Human actions, whether irrational decisions, carelessness, or deliberate acts, are the principal sources of harm. But one of the most dangerous aspects of human nature that is easily ignored is inattention. The impact of inattention to security cannot be overstated. Luckily, it’s also one of the easiest security vulnerabilities to benchmark and correct. Inattention leads to missing critical details and a failure to recognize security gaps, overlooking threats and aggressive behaviors, and a lack of organizational discipline.

Where to start with security benchmarking? To close the security gap, utilities must treat utility security as a core operational competency. However, to be effective, it must set and achieve realistic benchmarks that promote security, rather than merely being another compliance checklist. There are many places to consider as a benchmark starting point. I’ve listed a few below.

• Security assessments: Engage an outside expert to provide an unbiased, unflinching assessment of the current security environment. The goal of the assessment should be to identify vulnerabilities and security issues and provide an actionable findings and recommendations report that identifies and prioritizes vulnerabilities, along with a next-step action plan.
• Job-specific security training: Provide training tailored to the unique needs of field crews and office personnel. Topics should include situational awareness, conflict de-escalation, violence response, and critical thinking.
• Threat simulation exercises: Conduct realistic drills and exercises, ranging from cyberattack scenarios, facility penetration tests, active shooter/workplace violence response and infrastructure attack/crisis response tabletop exercises.

The Path Forward
Historically, operational competency has focused on overcoming challenges relating to capacity, reliability, technical capability, procedural compliance, and preparedness. Today, we need to add utility security as a core operational competency.

Although security threats have always been present, we are now confronting an unprecedented level of security challenges. The list of threats and threat actors continues to grow, including an endless stream of cyberattacks, an increasingly aggressive public, hostile special interest groups, and terrorists who see infrastructure as high-value, exploitable targets. Creating and working vigilantly to achieve solid security-focused OC benchmarks will go a long way toward leveling the playing field and enhancing utility security.

—————-

About the author: Jim Willis is the president of InDev Tactical, a security training and consulting firm. He is a utility engineer, credentialed homeland security specialist, and anti-terrorism expert. If you want to discuss utility-focused security training or consulting assistance, or how to develop a plan to make security a core competency and set realistic benchmarks, give Jim a call at 703-623-6819 or email him at jim.willis@indevtactical.net.