If You’re in the Utility Business, You’re in the Security Business

Written by Jim Willis, CMAS, CHS-V.

Jim Willis Shares Three Steps to Better Equip You for the Increasingly Complex Challenges that Utility Security Professionals Face

“It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.” ~ Mark Twain. 

Mr. Twain’s statement reflects how many utility professionals understand the utility security dynamic. There has always been a disconnect in recognizing the overlap between the utility and security sectors. This lack of understanding has led to an insular approach, where many believe the two fields have little, if any, connection to one another.

To be clear, the relationship between the sectors is uniquely one-sided. You can be deeply immersed in the security world and have nothing to do with utilities, but you can’t be in the utility world without being involved in the security world. Regardless of your job, there are overlaps with one or more, and sometimes all four security domains—property, infrastructure, personnel, and information. Essentially, if you’re in the utility business, you’re also in the security business.

Historically, security has been an afterthought for utilities. Asset protection received little attention and minimal resources, and security improvements were implemented in a fragmented and sporadic manner. Security practices relied on cookie-cutter methods and one-size-fits-all protection technologies; in fact, the only consistency has been application inconsistency. 

For years, facility security has focused on deterring theft. The standard approach has been chain-link fencing and three strands of barbed wire around the operations area, with gates unlocked in the morning and locked in the evening. Sometimes, dusk-to-dawn lighting and a few cameras have been added to the mix. Infrastructure security has traditionally had the same antitheft focus. It used the same chain-link fence and barbed wire configuration to protect substations, with gates secured by locks that half the county had keys to open. 

Any application of personnel security was typically relegated to the safety program based on the flawed assumption that safety and security are essentially the same thing. Prior to the digital storage era, data and information security meant keeping vital documents in locked filing cabinets.

Cybersecurity was the first domain to emerge as a distinct security issue. The arrival of the digital age and the introduction of the Internet created a need for targeted security responses to mitigate cyberattacks, so a utility security domain evolved in response.

The evaluations of the 9/11 terrorist attacks identified the need for infrastructure security, while the 2013 attack on the PG&E Metcalf Substation emphasized the necessity for enhanced protection. This resulted in the emergence of a new security domain. Recent attacks on lower-tier infrastructure have expanded this domain to encompass all levels of the utility sector. 

Facilities and personnel protection have evolved more slowly and organically, with individual steps taken to address the specific problems and concerns that arose periodically. Most utilities viewed the security status quo as sufficient for threat response. However, evolving attitudes and societal perspectives towards utilities and their employees have shifted to the extent that aggression is now seen as an acceptable response, and confrontations and violence are frequent occurrences; this gave rise to the facility and personnel protection domains.

So, how do we resolve the utility/security paradox? There are three essential steps to embracing the security side of the utility universe. First, acknowledge the sector overlap. Second, understand the critical nature of utility security. Third, realize that you’re probably not as proficient at security as you think.

Recognizing the overlap is the most fundamental step in reconciling the paradox. It’s essential to understand that one or more of the four security domains influence every aspect of utility operations. This means that, by default, you’re also in the security business. If you’re engaged in a business, you need the tools for it; in this case, the tools are security skills and knowledge. Every utility professional should possess awareness, de-escalation and response skills. The knowledge requirement includes understanding the security elements impacting your utility job. Essentially, your security skills should align with your technical skills.

One of the most compelling reasons to consider yourself a utility professional and part of the security sector is the critical importance of utility security. Threats to utilities can affect the organization and its personnel, the surrounding community, the region and even the nation. As far-fetched as it may sound, even a small utility can, under the right circumstances, be the catalyst for a mass casualty event. This sobering reality will hopefully motivate you to recognize the necessity of robust threat protection and spur you to action. However, this brings us to a third challenge: the danger of overconfidence.

It’s a natural human response to be overly confident in our abilities and understanding of a subject with which we have little actual experience. In fact, the less you know about a subject, the more confidence you have in your ability to handle it. This is a phenomenon known as the Dunning-Kruger effect, a cognitive bias in which people with limited competence in a specific area overestimate their abilities. 

Overcoming this requires a deep dive into the subject. As you begin to learn more about the specific topic and its true complexities and ambiguities, your confidence will plummet. But as you gain knowledge and experience, you’ll develop genuine confidence and expertise. 

The threat landscape is evolving quickly, and asset protection can no longer be overlooked. Every utility is facing a constant stream of threats and challenges with no relief in sight. Ignoring these issues is no longer a viable option. Regardless of their size, utilities must prioritize the safety of their personnel, property, data and infrastructure. 

In today’s environment, if you are in the utility business, you are also in the security business. As a utility professional, integrating asset protection into your role is essential. By following the three steps outlined previously, you will be well-equipped to handle these challenges.

——————–

About Jim Willis: Jim Willis is president of InDev Tactical, a security training and consulting firm. He is an electrical engineer, an experienced utility professional, and a credentialed homeland security specialist and anti-terrorism expert. If you want to discuss utility-focused security training or consulting assistance, you can reach Jim at 703-623-6819 or jim.willis@indevtactical.net.