Utilities

 

 

https://adminsm.asisonline.org/Pages/Paving-the-Way.aspxPaving the WayGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652018-03-01T05:00:00Zhttps://adminsm.asisonline.org/pages/lilly-chapa.aspx, Lilly Chapa<p>​For the citizens of Jayuya, Puerto Rico, December 15 came and went without fanfare—and in the dark. The U.S. territory's governor, Ricardo Rosselló, had estimated that 95 percent of Puerto Rico would have power back by mid-December following the devastation brought by Hurricane Maria in September. As of press time, that estimate had been extended to February.</p><p>Lilo Pozzo, an associate professor of chemical engineering at the University of Washington, traveled to Jayuya, Puerto Rico, in November with a group of students to assess the impact of extended power outages on public health. Due to its remote, mountainous location, the municipality was still largely without power, and Pozzo's group found that people with respiratory problems were greatly impacted.</p><p>"The overall message was that the people with respiratory ailments were in the worst condition because they weren't necessarily evacuated like patients that had more evident health problems, so these people with chronic conditions essentially stayed behind, and they are suffering because they can't power their devices to run therapies," Pozzo explains.</p><p>She describes people who are unable to operate their sleep apnea machines or administer asthma treatments. Those who need oxygen now have to wait for tanks to be delivered to the municipality because their standalone oxygen machines could not be charged. The main clinic in town had borrowed a generator after its first one broke down, but can only provide essential services due to concerns of damaging the current generator. All vaccinations and refrigerated medications were spoiled, and citizens with mobility issues or sensitive diets have also been affected. </p><p>The city's two major factories have also continued to operate by running generators, which Pozzo says is expensive and inefficient. The townspeople are fearful that it will be difficult for the factories to continue operations if conditions don't improve quickly or if extended power outages following natural disasters become the norm. "If you get hurricanes every year, that's going to change their economic calculations and could potentially create loss of workforce," Pozzo notes. </p><p>Despite the dire situations in part of Puerto Rico, power restoration has been slow due to a process fraught with politics and finger pointing between the territory's leaders and the U.S. federal government about the amount of aid that should be provided. However, Puerto Rico's power system was in trouble long before Hurricane Maria hit. </p><p>In the days following the territory's brush with Hurricane Irma in early September, which briefly knocked out power for a million people, investors became more vocal about privatizing the territory's struggling power grid. The Puerto Rico Electric Power Authority (PREPA), the largest public utility in the United States, had declared bankruptcy in July, and what little maintenance it was conducting on the island's power grid fizzled. Politicians, energy experts, and other stakeholders acknowledged that the grid might not hold up much longer without serious changes.</p><p>And then, two weeks later, Hurricane Maria made landfall in Puerto Rico as a Category 4 storm.</p><p>The entire island lost power. Several neighborhoods were destroyed. Most communication networks across the island were crippled. Fresh food and potable water became scarce. The official death toll in Puerto Rico is 64, but estimates suggest more than 1,000 people may have died from the storm and its aftermath. As of early January, 43 percent of the island still had no power, and more than 200,000 citizens have left their darkened communities for the continental United States.</p><p>"Puerto Rico is being supported to a large degree by U.S. power companies right now, but that's not sustainable," explains Mark Weatherford, chief cybersecurity strategist at vArmour. "That's why there needs to be a long-term plan here, but it's going to cost money. This is going to be a test of our nation in what we're willing to support to rebuild a state that was already teetering on bankruptcy."<img src="/ASIS%20SM%20Callout%20Images/0318%20NS%20Chart.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:562px;" /></p><p>When Hurricanes Harvey and Irma struck Texas and Florida last fall, power crews and equipment rolled in from other U.S. states to get the affected regions up and running. But the sheer magnitude of Hurricane Maria's damage to Puerto Rico—and its island location—made it difficult for other U.S. utility companies to lend a hand, says Daniel Kirschen, an engineering professor at the University of Washington and a member of the Clean Energy Institute.</p><p>"Typically, utilities are eager to help each other in those situations because of the mindset that this time it's your turn, but the next time it might be mine," Kirschen says. "So these companies are usually very willing to lend crews for repairs. Now, of course, Puerto Rico is an island so it's harder to organize sending crews down there, which on top of all the other problems has made recovery more difficult."</p><p>Brian Harrell, CPP, the vice president of security at AlertEnterprise and former director of critical infrastructure protection at the North American Electric Reliability Corporation (NERC), details what is involved in sending crews to repair Puerto Rico's power grid. Workers and tools must be flown to the island, and heavy equipment such as bucket trucks, transformers, and wires must be transported on ships, which makes the logistics of recovery difficult. Upon arrival, crews must manage downed lines, clear debris from roads, and fully repair the system, he says.</p><p>"During the aftermath of such devastation, it is imperative that safety and security is established on the ground," Harrell says. "Before critical infrastructure can be repaired and restored, it's vital that line crews, aid workers, and emergency personnel feel safe while conducting their jobs."</p><p>But as each power line is restrung to bring electricity back to the island, experts are pointing out the opportunity to build a more resilient, smarter power grid that will prevent future catastrophic damage to Puerto Rico's infrastructure—but nobody has come up with a plan.</p><p>"Given the complete destruction of the island's power system, an opportunity has also presented itself to modernize the way electricity is generated, along with how it can be efficiently transmitted with newer technology," Harrell adds. "A key to preventing this type of destruction from ever happening again will be to build resilience and redundancy into the system."</p><p>Stuart McCafferty, president and CEO of GridIntellect and a National Institute of Standards and Technology (NIST) community resilience fellow for electrical power infrastructure, says that Puerto Rico needs to move beyond its reliance on fossil fuels, which are expensive and unsustainable. </p><p>McCafferty has been involved in the U.S. smart grid initiative since the beginning, creating the first smart grid maturity model for the U.S. Department of Energy (DOE) and a tool to evaluate a grid's resiliency. He says that while continental U.S. energy providers and government officials embraced the shift towards a smarter grid, there was a disconnect when it came to waterlocked states and territories. Hawaii has paved its own way by working with DOE to develop an unprecedented clean energy initiative in 2008—drawing the majority of the state's energy from renewable resources. Puerto Rico had made no effort to update its infrastructure. </p><p>Despite the critical situation in Puerto Rico right now, McCafferty says that the territory has an "incredible opportunity" to build localized power grids that are self-reliant and will not allow downed transmission lines to knock out power for the entire island. </p><p>Weatherford agrees. "With an aging infrastructure like that, unfortunately the only thing they will be able to do is rebuild from ground zero," he says. "They need to start over, and the good news is this gives them the opportunity to build a 21st century infrastructure—but it's going to cost a lot of money to do that."</p><p>Although PREPA is cash-strapped, McCafferty says money can come from federal grants and labs, venture capital, angel investors, and self-funded corporations. However, a sorely-needed roadmap for the territory's power grid is nowhere in sight, even as legacy infrastructure is being repaired. </p><p>"I don't see anyone coming up with any real solutions because of the financial issues and mismanagement of the grid by the operator," McCafferty explains. "Puerto Rico needs a roadmap, and it doesn't even have to be based on any of the financial needs. Once you've got that laid out, then you can start prioritizing and identifying the funding mechanisms to make that happen."</p><p>Weatherford suggests setting up temporary generators and small microgrids to keep the lights on for citizens while officials go back to the drawing board to figure out a more resilient solution. "Use temporary money to keep the lights on, and use long-term capital to rebuild the infrastructure," he says. A robust microgrid system, which would keep power outages isolated, paired with renewable energy such as solar and wind power, would be an ideal setup, he says. </p><p>Kirschen, who studies how to effectively deploy repair crews to restore critical infrastructure, agrees that redesigning the grid is not going to happen overnight, and crews need to focus on rebuilding what they can of the existing infrastructure. </p><p>"We're not at a point where we can generate quite enough power with solar generation to satisfy all the island's needs," Kirschen says. "What I see is a combination of a traditional grid built to a higher standard so it can withstand hurricanes and other disasters, combined with local microgrids designed to survive these hurricanes, so that if the main grid is broken for a while, you can still meet the emergency medical and essential needs until the main grid is repaired. It's particularly important in Puerto Rico because the landscape is rugged and there are some really remote areas that are hard to reach. Therefore repairing the grids to reach those areas will take time, so having one of those small emergency microgrids can be extremely useful."</p><p>Pozzo says that a solution for remote areas like Jayuya that would provide critical services during an emergency would be ideal. "You're not restoring power to everybody, but you're at the very least able to maintain the critical needs, storing medicine, providing power to people with medical devices," she says. "I believe that if the town had distributed independent systems—it could be clean energy but could also run on generators that are larger and more effective—they would fare much better, just because they could focus on repairs in a more localized way.</p><p>Part of Pozzo's research in Jayuya was quantifying exactly how much energy it would take to meet the critical needs of the entire community to better prepare emergency shelters to handle future power outages.</p><p>"We're analyzing ideas where you could invest in providing power to schools that could serve as shelters, so you need to understand how patients are distributed in a community and whether they are able to get to the shelters to have their needs met and how much energy would be necessary to satisfy the number of patients that would go there," she explains. The academic paper on her team's findings will be published in the spring. </p><p>"Climate change is happening—we're going to get natural disasters more frequently and more severely, so we have to make sure that our infrastructure is built to a standard that is appropriate for these natural disasters," Kirschen says. ​ ​</p>

Utilities

 

 

https://adminsm.asisonline.org/Pages/Paving-the-Way.aspx2018-03-01T05:00:00ZPaving the Way
https://adminsm.asisonline.org/Pages/GridEx-IV-Tests-The-North-American-Power-Grid.aspx2017-11-17T05:00:00ZGridEx IV Tests The North American Power Grid
https://adminsm.asisonline.org/Pages/Global-Water-Risk.aspx2017-09-01T04:00:00ZGlobal Water Risk
https://adminsm.asisonline.org/Pages/Solar-Technology-Can-Help-Secure-Military-Grids,-New-Paper-Finds.aspx2017-05-08T04:00:00ZSolar Technology Can Help Secure Military Grids, New Paper Finds
https://adminsm.asisonline.org/Pages/Infrastructure-Protection-Trends.aspx2016-09-01T04:00:00ZInfrastructure Protection Trends
https://adminsm.asisonline.org/Pages/Cyber-Pulls-the-Plug.aspx2016-05-01T04:00:00ZCyber Pulls the Plug
https://adminsm.asisonline.org/Pages/Five-Incidents-That-Shaped-Crisis-Management.aspx2015-06-29T04:00:00ZFive Incidents That Shaped Crisis Management
https://adminsm.asisonline.org/Pages/The-Power-of-Physical-Security.aspx2015-05-07T04:00:00ZThe Power of Physical Security
https://adminsm.asisonline.org/Pages/SM-Online-May-2015.aspx2015-05-01T04:00:00ZSM Online May 2015
https://adminsm.asisonline.org/Pages/News-and-Trends-1114.aspx2014-11-01T04:00:00ZNews and Trends
https://adminsm.asisonline.org/Pages/Utility-Attacks.aspx2014-11-01T04:00:00ZUtility Attacks
https://adminsm.asisonline.org/Pages/heating-up-the.aspx2014-09-01T04:00:00ZHeating Up The Perimeter
https://adminsm.asisonline.org/Pages/let-intelligence-light.aspx2014-09-01T04:00:00ZLet Intelligence Light The Way
https://adminsm.asisonline.org/Pages/Watching-The-Port.aspx2014-09-01T04:00:00ZIndustry News September 2014
https://adminsm.asisonline.org/Pages/nuclear-safety-0013417.aspx2014-06-01T04:00:00ZImproving Nuclear Security
https://adminsm.asisonline.org/Pages/chemical-facilities-tackle-explosive-problem-0013191.aspx2014-03-01T05:00:00ZChemical Facilities Tackle an Explosive Problem
https://adminsm.asisonline.org/Pages/chemical-plants-0013185.aspx2014-03-01T05:00:00ZChemical Plant Security
https://adminsm.asisonline.org/Pages/federal-prosecutors-open-investigation-west-virginia-chemical-spill-0013080.aspx2014-01-10T05:00:00ZFederal Prosecutors Open Investigation into West Virginia Chemical Spill
https://adminsm.asisonline.org/Pages/nuclear-facilities-0012979.aspx2013-12-01T05:00:00ZNuclear Facility Security
https://adminsm.asisonline.org/Pages/Nuclear-Facility-Protection.aspx2013-12-01T05:00:00ZNuclear Facility Protection

 You May Also Like...

 

 

https://adminsm.asisonline.org/Pages/The-Power-of-Physical-Security.aspxThe Power of Physical Security<p>​<span style="line-height:1.5em;">A</span><span style="line-height:1.5em;">ny utilities security expert can effortlessly recite the details. In April 2013, someone snuck into an underground vault near a freeway in San Jose, California, and cut several telephone cables. Then, 30 minutes later, snipers shot at an electrical substation in Metcalf, California, for almost 20 minutes, knocking out 17 transformers that funnel power to Silicon Valley, before fleeing the scene and evading capture. </span></p><p>A major blackout was prevented by rerouting power around the downed station, but the attack caused more than $15 million in damage and brought physical threats to the electric grid to the forefront of discussions about the security of the United States’ critical infrastructure. It quickly became clear that cyberattacks were not the only threat to the U.S. power supply. </p><p>Two years have passed since the incident, and, while the snipers remain at large, the utility industry is taking steps to deter any future attacks.</p><p>“Because the grid is so critical to all aspects of our society and economy, protecting its reliability and resilience is a core responsibility of everyone who works in the electric industry,” said acting Federal Energy Regulatory Commission (FERC) chairman Cheryl LaFleur in a statement in March 2014. (LaFleur was named permanent chairman in July 2014.) Following LaFleur’s statement, FERC directed the North American Electric Reliability Corporation (NERC) to develop new standards requiring owners and operators of the bulk-power system to address risks due to physical security threats and vulnerabilities.</p><p>The FERC order asked NERC to create a standard to identify and protect transmission stations, substations, and associated primary control centers that could cause widespread outages if compromised. </p><p>From those instructions, a 10-person drafting committee created the CIP-014 standard that focuses on transmission assessments and physical security. The standard requires transmission station and substation owners to perform a risk assessment of their systems to identify facilities that could have a critical impact on the power grid.</p><p>The order also requires owners and operators to develop and implement a security plan to address potential threats and vulnerabilities.​</p><h4>Participants</h4><p>The electric system is made up of three components: generators—coal fired, biomass, solar, and wind—that produce electricity; transmission—taking the electricity from the power source and moving it somewhere, such as a substation; and distribution—power moving from a facility to the meter in a home, business, or other building.</p><p>When electricity moves from a generation station, such as a wind farm, it goes to a substation that normally has transformers that decrease the voltage, often from 500 to 230 kilovolts (kV). From there, the substation transmits the power to another substation, which usually lowers the voltage even further to 115 kV so it can be used in residential and commercial facilities. </p><p>CIP-014 applies to transmission substations in the electric system, not the generators or the distribution stations. However, it doesn’t apply to all 55,000 transmission substations in the country, explains Allan Wick, CPP, PCI, PSP, a member of the standard drafting committee. </p><p>Instead, the standard relies on categories that determine which facilities must comply with the standard. The standard takes effect if a system that is “rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or cascading with an interconnection,” Wick explains. </p><p>Because of these criteria, CIP-014 applies to transmission facilities that operate at 500 kV or higher, or single facilities that operate between 200 kV and 499 kV where the substation is connected at 200 kV or higher voltage to three or more other transmission stations that have an “aggregate weighted value” higher than 3,000 kV. </p><p>This means that few transmission substations will have to comply with standards. “By the time you use those criteria against what’s in the standard, [CIP-014] will only apply to 200 or fewer substations in the United States,” Wick says. The standard also applies to the control centers that operate those 200 substations—which are owned by roughly 30 different companies. </p><div><span class="Apple-tab-span" style="white-space:pre;"> </span></div><h4>Preparation</h4><p>FERC approved CIP-014 in November 2014, officially kickstarting the compliance process that owners need to complete by the first implementation date in October 2015. Their first responsibility is to perform an initial risk assessment (Requirement 1) to identify the transmission stations and substations the standard may apply to. Owners then have to identify the primary control centers that operationally control each transmission station or substation identified in the risk assessment.</p><p>Once these steps have been completed, owners will have 90 days to have an unaffiliated third party verify their assessments (R2). This third party can be a registered planning coordinator, transmission planner, reliability coordinator, or an entity that has transmission planning or analysis experience. </p><p>If the third party adds or removes a transmission station or substation from the original assessment, owners then have an additional 60 days to modify their risk assessments or document the basis for not making the appropriate changes.</p><p>Additionally, if the primary control centers identified are owned by a company other than the transmission station, that owner needs to be notified (R3) within seven days following the third-party verification that it has operational control of the primary control center.</p><p>After the initial risk assessment has been completed, transmission owners that are covered by the standard will perform subsequent assessments at least once every 30 months. Transmission owners that are not covered by the standard are also required by law to perform assessments, but only once every 60 months.​</p><h4>Physical Security</h4><p>Once the transmission analysis and identification have been completed, owners are required to conduct evaluations of the potential threats and vulnerabilities of a physical attack (R4) to each of their respective transmission stations, substations, and primary control centers.</p><p>These evaluations should include unique characteristics of the identified and verified transmission stations, substations, and control centers. For example, characteristics could include whether the substation is rural or urban, if it’s near a major highway, or if it’s in a valley. </p><p>For instance, the substation could be “set down in a small valley, so there are areas around it [from which] a shooter could either shoot the transformers or even use a rocket-propelled grenade to shoot something into it,” Wick explains.</p><p>Owners also need to detail any history of attacks on similar facilities, taking into account the “frequency, geographic proximity, and severity of past physical security related events,” according to the standard. CIP-014 asks owners to include intelligence or threat warnings they’ve received from law enforcement, the Electric Reliability Organization, the Electricity Sector Information Sharing and Analysis Center, and government agencies from either the United States or Canada.</p><p>Once these evaluations have been completed, and no more than 120 days after R2 is completed, owners are required to develop and implement a documented security plan and timeline that covers their respective transmission stations, substations, and primary control centers (R5). </p><p>Within the security plan, owners should include law enforcement contact and coordination information, provisions to evaluate evolving physical threats and their corresponding security measures, and resiliency or security measures designed “collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified” during R4.</p><p>The drafting committee chose this language specifically, Wick says, because “you can’t just do one of those—you need to put them together as a group to ‘deter, detect, delay,’ because those are the primary components…in a layered security program.”</p><p>The committee was also purposely less prescriptive about methods owners can use as part of their security measures. “We tried to build in maximum flexibility to arrive at the same end state for everybody,” Wick says. For instance, to delay someone “you can do that several different ways. You could have a 20-foot -high wall with razor tape, or you could do it with a chain link fence; there are so many options that you could use to mitigate the threats and vulnerabilities that are identified in R4.”</p><p>This nonprescriptive method has faced some criticism, but many others think it’s beneficial. The regulators “are not really telling you to go out and spend all sorts of money on increased cameras, spending a lot of money on fences,” says Rich Hyatt, PCI, manager of security services for Tucson Electric Power. “They’re kind of promoting that you should harden up your site, like vegetation removal, signage…it’s not like the government’s coming in and telling you to spend $5 million per substation.”</p><p>The committee is also allowing owners to take a twofold approach by giving them the opportunity to build in resiliency on the operational side and protect their assets with security measures.</p><p>For example, Tucson Electric Power is increasing its resiliency by hardening its substations, says Hyatt, who’s also a member of the ASIS International Utilities Council. This is important because sometimes transformers malfunction. “There’s always the likelihood of sabotage, but we also have a threat of malfunction or weather-related issues, or manmade stuff that could go into a transformer being taken out,” he explains.</p><p>Hyatt is also working with substation employees to improve emergency communication, another issue addressed in the standard. “We’re also engaging our…substation folks to beef up their emergency response and have additional spare parts in their inventory so they can respond if a transformer got shot out—we could get it back online quicker,” he explains.</p><p>However, Jake Parker—director of government relations for the Security Industry Association (SIA)—says physically protecting assets is the better way to go for utilities security. “We think that physical security measures are much more cost effective because the cost of hardening the structure can also be extremely steep,” he explains. </p><p>Once owners have drafted and implemented their physical security plans, they then need to be verified again by a third party reviewer (R6) within 90 days. This reviewer can be an entity or organization with physical security experience in the electric industry and whose review staff: has at least one member who holds either a Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification; is approved by the Electric Reliability Organization (ERO); is a government agency with physical security expertise; or is an entity or organization with law enforcement, government, or military physical security expertise.</p><p>The ASIS certifications requirement was included after a review of existing applicable certifications. “By holding one of those two certifications, it shows that you know what you’re talking about on physical security,” Wick explains. “We did reviews of any certification that had physical security requirements, and these were the only two that were suitable.”</p><p>If the reviewer recommends changes to the R4 evaluation or the security plan, owners then have 60 days to comply with those recommendations or document why they are not modifying their plans.</p><h4>Penalties</h4><p>CIP-014 has an aggressive implementation timetable; Parker says he expects most utilities to have their physical security plans in place by spring 2016. There are no penalties for owners who do not comply with the new standard, although owners who do comply are required to keep documentation as evidence to show compliance for three years. NERC is responsible for enforcement.</p><p>Despite the lack of penalties and the limited number of transmission stations and substations covered by the standard, many companies say the standard has inspired them. CIP-014 has given companies guidance on increasing their physical security, according to Parker.</p><p>“We’re seeing, given the current environment and response to what happened at Metcalf…that utilities are finding it easier to justify security improvements across the board via rate increases,” he explains.</p><p>The rate increases are the funding mechanism utilities can use to pay for physical security improvements. They can do this by bringing proposals to their boards and justifying small rate increases “to cover the cost of the security upgrades because of the standard, but also because of the need to improve physical security of the electric grid overall,” Parker adds. </p><p>Hyatt agrees, saying that the industry is doing a “really good job” on being proactive in “policing up” and increasing the use of best security practices. The incident at Metcalf, he adds, has “actually increased security’s perception among executives where we work that physical security is just as important as cybersecurity.” ​</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://adminsm.asisonline.org/Pages/Infrastructure-Protection-Trends.aspxInfrastructure Protection Trends<p></p><p>If you fail to upgrade your Internet technologies, you’ll find yourself stuck in 1997. But if you fail to upgrade your infrastructure, you’ll find yourself stuck in 1897. It’s a well-worn joke, but it illustrates the importance of secure, well-functioning infrastructure to modern society.</p><p>Moreover, the rise of sophisticated cyberattacks on infrastructure make it an area of increasing vulnerability, experts say. As a result, the global market for critical infrastructure protection is growing, and it is projected to reach $94 billion by 2020, according to Global Industry Analysts, Inc. This demand is being driven by the increasing need to protect critical assets and prevent disruptions to normalcy due to threats, the company reports. And because critical infrastructure assets and systems are vital to the economy, disruptions or breaches can be catastrophic.</p><p>Given the stakes in play, Yves Duguay, CEO and founder of HCIWorld, sees a clear trend in infrastructure protection—a greater focus on resilience, on being prepared before an incident occurs, and on maintaining operating continuity before and after an incident. HCIWorld’s clients include airports, transportation systems, and other key infrastructure facilities.</p><p>“Resilient organizations have moved from the ‘if’ to the ‘when,’” he says. “It’s not a question of whether or not a given scenario will materialize, it’s when and how often it will be repeated, as exemplified by the viral number of cyberattacks recorded by security agencies.”</p><p>This is an important issue in the business community, because while governments do oversee and protect some critical infrastructure, much infrastructure is in the hands of the private sector. For example, in Canada, where HCIWorld is based, a recent survey found that 80 percent of the infrastructure in the energy and water sectors is privately held. The situation is similar in the United States. “Generally speaking, there is a lot more private sector involvement, on both sides of the border,” Duguay says.</p><p>By focusing on resilience and risk management in infrastructure security, companies can dem­onstrate proper due diligence in managing the range of risks they face. “This not only offers a protection of the company’s reputation, but it also reduces its legal liabilities, and possibly its insurance costs,” Duguay says. </p><p>Some forward-thinking firms have adopted infrastructure resilience strategies that include contingency and emergency plans, which are practiced and reviewed with their employees. “Resilience must become part of everyone’s job description, not only of the security department,” Duguay says. When employees understand why certain measures are taken and their own role in contingency and emergency planning, they become much more involved and committed, Duguay explains.</p><p>When a crisis does happen, communication is crucial, he adds. “The key to the success of protecting infrastructure also lies in the ability of companies, especially large ones, to involve their employees by communicating with them in real time, and providing them with accurate information and guidance during an emergency,” he explains. </p><p>Resilience can also have bottom-line financial benefits. “Activating a contingency plan quickly to resume business activities will translate into a competitive advantage for these companies,” Duguay says.  </p><p>In addition to the move toward greater resilience, another clear trend in infrastructure security is greater interconnectedness, says Jeffrey Slotnick, CPP, PSP, CSO of OR3M and president of Setracon. Slotnick has been an architect in the U.S. homeland security enterprise, including stints writing standards and managing assessments for critical infrastructure protection. </p><p>He offers the example of a computer, which may be connected to a printer, a scanner, and other hardware. It works under the “plug-and-play” concept: all equipment is integrated, and can be operated by simply turning on one switch. Right now, infrastructure protection tools are not interconnected to the level where an access camera, a door controller, and other systems are fully integrated to the plug-and-play level. “We haven’t got there yet in the security industry,” he says. </p><p>But that’s the direction that infrastructure security will be moving in the next five years, Slotnick says. The next logical step is a common operating platform, on which disparate systems will be integrated and can talk to one another. This is already happening in some smart cities, where integrated systems are becoming more common, he explains.  </p><p>There’s also a demographic driver to this trend, as the number of technology-savvy millennials increases in the workplace. “Millennials manipulate technology differently,” Slotnick says, and they will demand more integration. </p><p>However, Slotnick also cites one negative trend that continues: the fact that infrastructure facilities are often guarded by officers who are inadequately compensated and insufficiently trained. “We take a minimum wage security officer and place that officer in front of multimillion dollar infrastructure facility, and then we wonder why situations arise that may not necessarily be to our liking,” he says. </p><p>Europe has a better model, he explains. There, security officers are in a “guild profession” with a more equitable pay scale that correlates to different position levels, such as site supervisor or area manager, for example. In contrast, the modest wages in the American system means that turnover is often a problem because officers will switch companies for a 25-cent-per-hour increase.</p><p>“If I could change one thing in the security industry,” Slotnick says, “it would be that.”</p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://adminsm.asisonline.org/Pages/The-Golden-Rule.aspxThe Golden Rule<p>​</p><p>HIGH IN THE ANDES mountains of northern Peru, 375 miles north of the capital city of Lima, is the Yanacocha mine—Latin America’s largest gold mine. The site, which is majority-owned by Colorado-based Newmont Mining Corporation, consists of six open pit mines, four leach pads, and three gold recovery plants. More than 100 small, rural communities fall within its influence area. While communities situated near Yanacocha have been concerned in the past about the mine’s impact on local water supplies and a lack of communication from the company, Lee Langston, Newmont’s regional director of security for South America, says that most concerns are related to employment.</p><p>Tensions over those concerns resulted in a series of protests in August 2006. Farmers blocked the road to Yanacocha for one week, and production at the mine came to a standstill for two days. According to media reports, protestors’ original demand for jobs turned to anger over environmental concerns, and in one violent clash, protestors blocking the road threw stones at police. In the response, one farmer was shot and killed.</p><p>The incident highlights the often strained relationships between local communities and international extractive companies operating abroad. As a result of this and other security conflicts between Newmont and the communities surrounding the mine in recent years, the company is in the process of implementing a new approach to security that recognizes the importance of human rights and community outreach.</p><p>Human Rights<br>The mining industry has an increased awareness of the connection between community relations and security today compared to a decade ago. “I think increasingly there really is a recognition on the part of the mining companies we work with that there is a degree of indivisibility between what you are doing in terms of your community relations or your community investment and security,” says Aidan Davy, a program director for socio-economic contribution for the London-based International Council on Mining & Metals (ICMM), an industry group which counts Newmont among its members.</p><p>Davy attributes the change to the influence of the Voluntary Principles on Security and Human Rights, an initiative of private companies, governments, and nongovernmental organizations (NGOs), that is intended to provide guidance to extractive companies on how they can maintain the safety and security of operations while ensuring respect for human rights.</p><p>The Voluntary Principles, as they are commonly called, were established in 2000 and primarily address three issues: risk assessment, engaging with public security forces, and interacting with private security forces. For each of these issues, the Voluntary Principles provide several guidelines. Signatory organizations commit to abiding by the principles and submit annual reports on activities.</p><p>Extractive companies have historically taken a silo approach to security and community relations, Davy says, but the Voluntary Principles have led to a more synergistic approach. “Instead of taking the view of conventional security that our role is to protect our people and our assets in that order and [that] people outside the fence line or communities may represent a threat to either people or assets, the Voluntary Principles take the view that in legitimately providing security for people and assets, there is a genuine risk that you might compromise the safety, security, and wellbeing of people outside the fence line,” he explains.</p><p>That shift in perspective, he says, has helped companies realize the importance of aligning what they are doing in the security space to what they are doing in the community relations space. “That has had a profound influence, I would say, in terms of sensitizing people to the idea that these matters are closely related,” he says. </p><p>Slow Going<br>Davy admits that there is some public dissatisfaction about the lack of progress in implementation of the Voluntary Principles. “That absolutely is not the fault of companies exclusively,” he says. “I think it’s because, at its heart, the Voluntary Principles rely on a tripartite model of government, civil society, and company collective engagement and collaboration, and at times, I think they’ve failed to move this thing forward in a way that’s been collaborative.”</p><p>Indeed, one of the biggest challenges, according to Langston, is enforcing human rights in a foreign country and in remote areas. “The real challenge is that [we are] a private company, a foreign private company, [so] sometimes if it’s not approached delicately, government institutions can feel that you’re treading into their area of governing,” Langston says.</p><p>Davy says implementation guidance of the Voluntary Principles has also been lacking. “What’s been missing is practical guidance that will help people really move forward with implementation,” he says. An implementation guidance tool is currently being created by a coalition that includes the Voluntary Principles Secretariat, ICMM, the International Finance Corporation, the International Committee for the Red Cross, and the International Petroleum Industry Environmental Conservation Association (IPIECA). The guide should be available within a year, Davy says.</p><p>Newmont, which is an ICMM member, was one of the first companies to sign on to the Voluntary Principles in 2001. But Oxfam America, an NGO participant in the Voluntary Principles, lodged a complaint against the mining company in 2007 with the initiative’s Secretariat. That complaint was in response not only to the protests in 2006 and the death of farmer Isidro Llanos Chavarria but also to allegations later that year of illegal wiretapping, surveillance, and death threats by a private security company employed by Newmont against a prominent human rights activist and outspoken critic of the company.</p><p>Newmont and Oxfam America subsequently agreed to a third-party comprehensive review of Yanacocha’s security management and practices. The review consisted of interviews with company executives, Peruvian National Police authorities, representatives from two of the three hired security companies employed by Yanacocha, NGO personnel, and community leaders.</p><p>A summary of the review of Yanacocha’s security and human rights procedures was released publicly last summer. “The total review identified areas of strong performance as well as the processes that they felt Yanacocha could improve upon,” says Langston. Newmont and Yanacocha analyzed the review and then developed a plan of action to implement the report’s recommendations for a new approach to security and human rights.</p><p>New Action Plan<br>The plan of action that came out of the review included short-term objectives that would be implemented by the end of 2009, medium-term objectives that would be implemented by the end of 2010, and long-term objectives that would be done in 2011. In terms of implementing recommendations for the Yanacocha site, Langston, as regional security director, is responsible for ensuring that they are completed in the timeframe set by the committee.</p><p>One example of a short-term objective is the creation of a Risk Assessment and Conflict Resolution Office. Langston says the company had a similar office before but it was not as effective as it could have been. One problem was that it only addressed complaints filed directly with the office. For instance, if an allegation appeared in the media, it was not considered a legitimate complaint.</p><p>“Well, you have to be reasonable,” Langston says. “If it’s floating around in the media, you better address it as a complaint.” Now the office considers all allegations no matter how they get word of them. “One of our employees can say he heard something in a store, and that would be investigated,” Langston adds.</p><p>Investigations. Yanacocha now investigates all use-of-force incidents. “Anytime any of our security people have an incident, whether it’s with an employee or a contractor or a community member, that is reported and treated just as if it is an allegation so we can determine whether the force used was reasonable or not,” Langston says.</p><p>All such reports undergo a new process of evaluation as well. If the risk level is classified as low, the incident is evaluated by a human rights and security investigation committee, which includes the site security manager as well as representatives from legal and operations. Representatives from other relevant departments are also on the committee.</p><p>For instance, if an incident involves the community, someone from the social responsibility department is there; if an allegation concerns an employee or contractor, a human resources or contracts manager serves on the committee. They assess the allegation and determine whether it has merit.</p><p>If the allegation is deemed legitimate, the committee orders an investigation and picks an investigation team to report back with results and recommendations. The onsite committee must also keep the South American regional board, which mirrors the committee at the site level, informed.</p><p>If the risk level of a complaint is considered medium, the regional-level committee handles it, and if it is a high-risk complaint, corporate, which also has a similar body, investigates.</p><p>Working with police. Because the response time is so long from Cajamarca, a contingent of police officers is stationed at the mine and rotated on a monthly basis. The company pays the police officers a daily stipend and provides lodging and meals and makes a contribution to the police institution for their services as stipulated in a formal memorandum of understanding (MOU).</p><p>In addition, the MOU has provisions for additional response to the mine area if an incident should occur. However, one of Yanacocha’s medium-term objectives is to work with the police to make this MOU more transparent. The police acknowledge on their Web site that they have an agreement with the mine, Langston says, but they do not publish the contents of the MOU, which is important information for the local community to have. </p><p>One of the long-term objectives is to expand the police training to the regional and national levels, but it will take time. “Obviously it’s the state’s responsibility to do this kind of stuff,” Langston says. But, “[i]f we can help them with a reasonable cost to the company, we’re going to do that.”</p><p>The comprehensive review also recommended equipping police forces with nonlethal weapons, Langston says. “We’re not so sure [as a] company that we want to get involved in providing that type of material, because it’s nonlethal, but it’s offensive in nature,” Langston says. Currently the company provides protective gear for police who are stationed at the mine site or who are responding to an incident. These items include helmets, shields, padding, and other riot response equipment.</p><p>Equipping police raises concerns beyond just the cost to the company, Langston says. There are also legal concerns. “We need to be very cognizant of the Foreign Corrupt Practices Act when we talk about equipping people,” he says. “We have to have some means of monitoring the use of that equipment.” </p><p>Another objective the company hopes to meet by the end of this year is the establishment of regular, formal meetings with public security partners, which include the national police as well as the military. Newmont’s security officials currently engage in formal, high-level meetings with these partners at least once a year, but the company is negotiating with Peru’s interior and defense ministries to set up a formal schedule that would include meeting twice a year at the ministry level and quarterly with generals at the regional level.</p><p>The purpose of the meetings is to assess collaboration and discuss ways to improve performance within the framework of the Voluntary Principles. Yanacocha’s security manager, Jose Antonio Rios Pita Diez, CPP, currently meets with local police on a weekly basis.</p><p>Human rights training. In 2008, in an effort to improve the company’s implementation of the Voluntary Principles even before the review was completed, Yanacocha launched two training programs designed to raise awareness among employees and contractors about the importance of respecting human rights. One program is basic training in human rights and provides an overview of relevant initiatives Newmont is involved with, such as the Voluntary Principles and the United Nations Global Compact. Each participant also receives a primer on human rights.</p><p>In the first year, 3,000 participants benefited from the program, including all of the security contractor personnel working for Yanacocha. The program continues on an annual basis.</p><p>The second training program launched the same year is training in the Voluntary Principles. This program targets the mine’s security staff, contractor personnel, and police assigned to the site. Training focuses on ways to ensure the safety of Yanacocha’s employees and operations while respecting human rights. </p><p>In the first year, the training was provided only to security and contractor supervisors and to public security officers assigned to provide support to the operation. In 2009, all security personnel received the training, which includes use-of-force instruction and a code of conduct for law enforcement officers. The training is being extended in 2010 to Newmont’s Conga project, which is also in Peru, and its Merian project in Suriname. </p><p>Community relations. Yanacocha’s security department has also launched a security-community integration program to improve relationships and trust between security personnel and local communities. As a part of the program, security personnel work with security contract personnel, the police, the military, and local businesses and organizations to plan one-day festivals in isolated communities in the mine’s area of influence. Some activities include music provided by the army or police bands, Andean folk dances, lunch prepared and served by security personnel, and social services, such as presentations on family planning, spousal abuse, and hygiene conducted by the police health unit.</p><p>The security department spearheads approximately one event per month, going to a different local village each time. Security personnel and their families attend. Not only do the events build trust between company and contract employees and the communities, but they also improve relations between the state law enforcement personnel and the local Indian communities, Langston says. </p><p>Yanacocha’s Diez says that it is important to venture into the community relations realm, even though others may consider it the work of an external affairs or social responsibility department.</p><p>“We are doing our work in a preventive way because if we have some problems in the road, the problem also will be for the security department and also for our company,” he says. “We are working in a preventive way in order to avoid these kinds of situations.”</p><p>On a regional level, Newmont is working with the Interior Ministry to assist and provide resources to the rondas campesinas, or rural peasant patrols, which have developed over centuries to provide security for their own rural communities. Each local community has its own ronda. Newmont provides them with minor equipment and gear that makes the ronda campesina stand out in the community, such as vests that say “Ronda” and identify the community; flashlights, boots, and some rain gear.</p><p>Results<br>The goal of these community outreach efforts at its simplest was—and is—to “put a face” on security. The hope was that if local residents got to know security personnel as people before there was an incident, then when they showed up on the scene to respond to trouble, the locals might be disgruntled, but they would be “less likely to pick up a rock or a stick and start to assault the guard. And that’s exactly what we’re seeing,” says Langston.</p><p>He says that security personnel are met more cordially on the road and that they now have conversations with members of the communities. Both Langston and Diez say the efforts at Yanacocha are also showing some tangible results. For example, the company experienced 25 roadblocks in 2007 and only one last year. The company also tracks conflicts that involve physical force, and those incidents have dropped from 64 in 2007 to six in 2009.</p><p>Langston has noticed a growing awareness that community relations affect security and vice versa. “Used to be security was checking the lunchbox at the gate, and it’s much more than that now,” he says. “You have to go beyond the fence, and that takes a whole different mind-set and set of skills.”</p><p>Stephanie Berrong is an assistant editor at Security Management.<br></p>GP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465