Utilities

Something in the Water
By Megan Gates, Security Management, 2018-11-01 (Cybersecurity)
https://adminsm.asisonline.org/Pages/Something-in-the-Water.aspx

With this access, the hacker obtained information about the status and operation of the dam, including the water levels, temperature, and status of the sluice gate that controls water levels and flow rates.

However, the hacker was prevented from taking control of the gate because it had been manually disconnected for maintenance.

After a lengthy investigation, the U.S. Department of Justice indicted seven Iranians for their alleged roles in both the dam hacking and a broader series of distributed denial of service (DDoS) attacks on financial institutions in New York state.

"The infiltration of the Bowman Avenue Dam represents a frightening new frontier in cybercrime," said Preet Bharara, then U.S. attorney of the southern district of New York. "These were no ordinary crimes, but calculated attacks by groups with ties to Iran's Islamic Revolutionary Guard and designed specifically to harm America and its people."

Since the infiltration of the dam, the United States has made some progress in addressing cybersecurity threats to critical infrastructure. The U.S. Department of Homeland Security (DHS) designated critical infrastructure verticals, created information sharing and analysis centers for each vertical, and conducted extensive outreach to the private sector—which owns and operates most critical infrastructure in the United States.

DHS released a cybersecurity strategy for 2018 to 2022 over the past summer (see Security Management, August 2018, "Cyber Goals Past Due"). It also recently created the National Risk Management Center, which will focus on creating a cross-cutting approach to defending U.S. critical infrastructure.

The center "will employ a more strategic approach to risk management born out of the re-emergence of nation-state threats, our hyperconnected environment, and our survival and its need to effectively and continually collaborate within the private sector," said DHS Secretary Kirstjen Nielsen in a speech at the 2018 National Cybersecurity Summit.

A focal point of these efforts is addressing cybersecurity threats to the North American electric grid. However, some experts have expressed concerns about whether enough is being done to address vulnerabilities in water and wastewater systems.

"The power grid gets a lot of the news coverage because you can imagine what it's like to have no power," says Chris Grove, director of industrial security at Indegy. "But people don't think about water as much because they don't understand what a total outage looks like."

One recent example of this was in Washington, D.C., on July 12 when the District of Columbia Water and Sewer Authority issued a boil order for thousands of residents. The order was in response to the discovery that an open valve at a pumping station had created a loss of pressure in parts of the district's distribution center for roughly one hour.

That loss of pressure could have allowed contaminants to enter the water system that 100,000 residents and visitors use to cook, clean, bathe, and drink.

The boil order was lifted 48 hours later after the district had conducted thorough testing of its system to ensure that no contamination was present. But during this time, residents and businesses were forced to stock up on bottled water and take other measures to reduce the boil order's impact.

There was also a six-hour delay in issuing the boil order, which meant some individuals could have been exposed to contaminated water while the authority crafted its emergency alert. Officials later said the delay occurred because they were working to pinpoint the exact area affected.

The authority has since conducted a full audit of the incident and released an after-action report to improve its monitoring and alert process for future incidents, should they occur.

"This report makes good on our promise to be as open and transparent with our customers as we can," said D.C. Water CEO and General Manager David L. Gadis in a statement. "We can and will do better. Although I'm proud of how quickly our team restored water pressure, how infrequently these types of incidents occur at our facility, and the many ways we shared the information with our customers, I want us to constantly improve."

Included in the list of recommendations from the audit were valve restrictions, such as placing operational controls at pumping stations to prevent releases of pressure by requiring a supervisor to approve when divider valves are opened; a review of the authority's SCADA alarm protocols; and adding a second server to reduce the likelihood that the authority's website would be overwhelmed.

While the D.C. incident was the result of a physical system error, experts like Grove are concerned about how well water and wastewater systems are equipped to address cyber threats to their infrastructure.

Many systems operators perceive that they are protected from cyberattacks because they use air gaps—meaning there is no direct connection between the system that controls the operations of the water or wastewater system and the Internet.

But with advancements in technology, many systems are not as isolated from the Internet as their operators might perceive, Grove says.

"Maybe in the old days, but nowadays it's not," he explains. "They tend to need to update systems, or they want to get data from a remote plant to a central facility for accounting purposes or to find out how many gallons of water they treated. All those things have evaporated the air gap."

Another vulnerability is the inability to regularly update systems inside the treatment facilities themselves—sometimes because of the air gap or because the system always needs to be operational.

"These systems on the industrial side, they're meant to be running stagnant for 10, 20, or 30 years so they aren't updated," Grove says.

"They don't take them down and patch them, and the end result is once an attacker gets past that mythical air gap…there's nothing to stop them from moving laterally, embedding themselves to stay there, and doing the things they want to do," he explains.

For instance, many of these systems—along with treating wastewater—also produce fresh water. In a worst-case scenario, a plant could be compromised and forced to begin dumping wastewater into creeks and rivers. Then, customers would turn on their taps and no water would come out.

"After a few days, when all the bottled water runs out, most people believe they'd just go to the mountains and live off the earth," Grove explains. "But if the places where we get our fresh water have been polluted, now we're going to have a tough time meeting that demand."

"And without water, everything stops. You can't run a factory without water. You can't even make gasoline without water."

The perception of an air gap can also work against security professionals who are seeking funding to create a more layered approach to enhance the security of the system.

According to the U.S. Environmental Protection Agency's (EPA's) Cybersecurity Guide for States, one of the main challenges for water and wastewater utilities is the lack of resources for information technology and security specialists to assist with creating a cybersecurity program.

The entire threat landscape is hard to grasp, especially if the system relies on physical security stopgaps to avoid cyberattacks.

"Utility personnel may believe that cyberattacks do not present a risk to their systems or feel that they lack the technical capability to improve their cybersecurity," according to the guide.

In his conversations with security teams at water treatment facilities, Grove says he often finds that executives believe the air gap is a failsafe, so additional security measures aren't needed to protect the system from attack.

"Then it works against them and ends up causing them to struggle getting what they need to make a true, layered security model," Grove adds.

For instance, this would include asset mapping to determine what is in the system and how it is vulnerable, along with a monitoring system to detect when an infiltration has occurred—such as in the Bowman Avenue Dam attack.

The EPA's Cybersecurity Guide also offers a worksheet for water and wastewater treatment facility operators to create an effective cybersecurity program. Action items include auditing IT systems and identifying vulnerabilities, implementing secure remote access practices, improving physical security for IT equipment, and conducting cybersecurity training for utility staff and contractors.

"Talk to your IT service providers and others who manage your IT systems about how to carry out these actions at your utility," the guide suggests.

The guide also includes a section offering seven suggested steps for responding to a suspected cyber incident at a water utility. These include actions such as disconnecting compromised computers from the network rather than rebooting them; isolating all affected systems; and alerting customers as needed.

And while some are slow to take this advice, Grove says he has seen perceptions changing over the last year as cyberattacks have become more mainstream and understanding of the vulnerabilities in critical infrastructure deepens.

"If something as simple as a drip of water can actually take our society down, then people become much more interested in addressing it," he adds.

Other articles in the Utilities section:

Something in the Water (2018-11-01): https://adminsm.asisonline.org/Pages/Something-in-the-Water.aspx
Paving the Way (2018-03-01): https://adminsm.asisonline.org/Pages/Paving-the-Way.aspx
GridEx IV Tests The North American Power Grid (2017-11-17): https://adminsm.asisonline.org/Pages/GridEx-IV-Tests-The-North-American-Power-Grid.aspx
Global Water Risk (2017-09-01): https://adminsm.asisonline.org/Pages/Global-Water-Risk.aspx
Solar Technology Can Help Secure Military Grids, New Paper Finds (2017-05-08): https://adminsm.asisonline.org/Pages/Solar-Technology-Can-Help-Secure-Military-Grids,-New-Paper-Finds.aspx
Infrastructure Protection Trends (2016-09-01): https://adminsm.asisonline.org/Pages/Infrastructure-Protection-Trends.aspx
Cyber Pulls the Plug (2016-05-01): https://adminsm.asisonline.org/Pages/Cyber-Pulls-the-Plug.aspx
Five Incidents That Shaped Crisis Management (2015-06-29): https://adminsm.asisonline.org/Pages/Five-Incidents-That-Shaped-Crisis-Management.aspx
The Power of Physical Security (2015-05-07): https://adminsm.asisonline.org/Pages/The-Power-of-Physical-Security.aspx
SM Online May 2015 (2015-05-01): https://adminsm.asisonline.org/Pages/SM-Online-May-2015.aspx
News and Trends (2014-11-01): https://adminsm.asisonline.org/Pages/News-and-Trends-1114.aspx
Utility Attacks (2014-11-01): https://adminsm.asisonline.org/Pages/Utility-Attacks.aspx
Heating Up The Perimeter (2014-09-01): https://adminsm.asisonline.org/Pages/heating-up-the.aspx
Let Intelligence Light The Way (2014-09-01): https://adminsm.asisonline.org/Pages/let-intelligence-light.aspx
Industry News September 2014 (2014-09-01): https://adminsm.asisonline.org/Pages/Watching-The-Port.aspx
Improving Nuclear Security (2014-06-01): https://adminsm.asisonline.org/Pages/nuclear-safety-0013417.aspx
Chemical Facilities Tackle an Explosive Problem (2014-03-01): https://adminsm.asisonline.org/Pages/chemical-facilities-tackle-explosive-problem-0013191.aspx
Chemical Plant Security (2014-03-01): https://adminsm.asisonline.org/Pages/chemical-plants-0013185.aspx
Federal Prosecutors Open Investigation into West Virginia Chemical Spill (2014-01-10): https://adminsm.asisonline.org/Pages/federal-prosecutors-open-investigation-west-virginia-chemical-spill-0013080.aspx
Nuclear Facility Security (2013-12-01): https://adminsm.asisonline.org/Pages/nuclear-facilities-0012979.aspx

The Power of Physical Security
Security Management (Physical Security)
https://adminsm.asisonline.org/Pages/The-Power-of-Physical-Security.aspx

Any utilities security expert can effortlessly recite the details. In April 2013, someone snuck into an underground vault near a freeway in San Jose, California, and cut several telephone cables. Then, 30 minutes later, snipers shot at an electrical substation in Metcalf, California, for almost 20 minutes, knocking out 17 transformers that funnel power to Silicon Valley, before fleeing the scene and evading capture.

A major blackout was prevented by rerouting power around the downed station, but the attack caused more than $15 million in damage and brought physical threats to the electric grid to the forefront of discussions about the security of the United States’ critical infrastructure. It quickly became clear that cyberattacks were not the only threat to the U.S. power supply.

Two years have passed since the incident, and, while the snipers remain at large, the utility industry is taking steps to deter any future attacks.

“Because the grid is so critical to all aspects of our society and economy, protecting its reliability and resilience is a core responsibility of everyone who works in the electric industry,” said acting Federal Energy Regulatory Commission (FERC) chairman Cheryl LaFleur in a statement in March 2014. (LaFleur was named permanent chairman in July 2014.) Following LaFleur’s statement, FERC directed the North American Electric Reliability Corporation (NERC) to develop new standards requiring owners and operators of the bulk-power system to address risks due to physical security threats and vulnerabilities.

The FERC order asked NERC to create a standard to identify and protect transmission stations, substations, and associated primary control centers that could cause widespread outages if compromised.

From those instructions, a 10-person drafting committee created the CIP-014 standard that focuses on transmission assessments and physical security. The standard requires transmission station and substation owners to perform a risk assessment of their systems to identify facilities that could have a critical impact on the power grid.

The order also requires owners and operators to develop and implement a security plan to address potential threats and vulnerabilities.

Participants

The electric system is made up of three components: generators—coal fired, biomass, solar, and wind—that produce electricity; transmission—taking the electricity from the power source and moving it somewhere, such as a substation; and distribution—power moving from a facility to the meter in a home, business, or other building.

When electricity moves from a generation station, such as a wind farm, it goes to a substation that normally has transformers that decrease the voltage, often from 500 to 230 kilovolts (kV). From there, the substation transmits the power to another substation, which usually lowers the voltage even further to 115 kV so it can be used in residential and commercial facilities.

CIP-014 applies to transmission substations in the electric system, not the generators or the distribution stations. However, it doesn’t apply to all 55,000 transmission substations in the country, explains Allan Wick, CPP, PCI, PSP, a member of the standard drafting committee.

Instead, the standard relies on categories that determine which facilities must comply with the standard. The standard takes effect if a system that is “rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or cascading with an interconnection,” Wick explains.

Because of these criteria, CIP-014 applies to transmission facilities that operate at 500 kV or higher, or single facilities that operate between 200 kV and 499 kV where the substation is connected at 200 kV or higher voltage to three or more other transmission stations that have an “aggregate weighted value” higher than 3,000 kV.

This means that few transmission substations will have to comply with the standard. “By the time you use those criteria against what’s in the standard, [CIP-014] will only apply to 200 or fewer substations in the United States,” Wick says. The standard also applies to the control centers that operate those 200 substations—which are owned by roughly 30 different companies.

Preparation

FERC approved CIP-014 in November 2014, officially kickstarting the compliance process that owners need to complete by the first implementation date in October 2015. Their first responsibility is to perform an initial risk assessment (Requirement 1) to identify the transmission stations and substations the standard may apply to. Owners then have to identify the primary control centers that operationally control each transmission station or substation identified in the risk assessment.

Once these steps have been completed, owners will have 90 days to have an unaffiliated third party verify their assessments (R2). This third party can be a registered planning coordinator, transmission planner, reliability coordinator, or an entity that has transmission planning or analysis experience.

If the third party adds or removes a transmission station or substation from the original assessment, owners then have an additional 60 days to modify their risk assessments or document the basis for not making the appropriate changes.

Additionally, if the primary control centers identified are owned by a company other than the transmission station, that owner needs to be notified (R3) within seven days following the third-party verification that it has operational control of the primary control center.

After the initial risk assessment has been completed, transmission owners that are covered by the standard will perform subsequent assessments at least once every 30 months. Transmission owners that are not covered by the standard are also required by law to perform assessments, but only once every 60 months.

Physical Security

Once the transmission analysis and identification have been completed, owners are required to conduct evaluations of the potential threats and vulnerabilities of a physical attack (R4) to each of their respective transmission stations, substations, and primary control centers.

These evaluations should include unique characteristics of the identified and verified transmission stations, substations, and control centers. For example, characteristics could include whether the substation is rural or urban, if it’s near a major highway, or if it’s in a valley.

For instance, the substation could be “set down in a small valley, so there are areas around it [from which] a shooter could either shoot the transformers or even use a rocket-propelled grenade to shoot something into it,” Wick explains.

Owners also need to detail any history of attacks on similar facilities, taking into account the “frequency, geographic proximity, and severity of past physical security related events,” according to the standard. CIP-014 asks owners to include intelligence or threat warnings they’ve received from law enforcement, the Electric Reliability Organization, the Electricity Sector Information Sharing and Analysis Center, and government agencies from either the United States or Canada.

Once these evaluations have been completed, and no more than 120 days after R2 is completed, owners are required to develop and implement a documented security plan and timeline that covers their respective transmission stations, substations, and primary control centers (R5).

Within the security plan, owners should include law enforcement contact and coordination information, provisions to evaluate evolving physical threats and their corresponding security measures, and resiliency or security measures designed “collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified” during R4.

The drafting committee chose this language specifically, Wick says, because “you can’t just do one of those—you need to put them together as a group to ‘deter, detect, delay,’ because those are the primary components…in a layered security program.”

The committee was also purposely less prescriptive about methods owners can use as part of their security measures. “We tried to build in maximum flexibility to arrive at the same end state for everybody,” Wick says. For instance, to delay someone “you can do that several different ways. You could have a 20-foot-high wall with razor tape, or you could do it with a chain link fence; there are so many options that you could use to mitigate the threats and vulnerabilities that are identified in R4.”

This nonprescriptive method has faced some criticism, but many others think it’s beneficial. The regulators “are not really telling you to go out and spend all sorts of money on increased cameras, spending a lot of money on fences,” says Rich Hyatt, PCI, manager of security services for Tucson Electric Power. “They’re kind of promoting that you should harden up your site, like vegetation removal, signage…it’s not like the government’s coming in and telling you to spend $5 million per substation.”

The committee is also allowing owners to take a twofold approach by giving them the opportunity to build in resiliency on the operational side and protect their assets with security measures.

For example, Tucson Electric Power is increasing its resiliency by hardening its substations, says Hyatt, who’s also a member of the ASIS International Utilities Council. This is important because sometimes transformers malfunction. “There’s always the likelihood of sabotage, but we also have a threat of malfunction or weather-related issues, or manmade stuff that could go into a transformer being taken out,” he explains.

Hyatt is also working with substation employees to improve emergency communication, another issue addressed in the standard. “We’re also engaging our…substation folks to beef up their emergency response and have additional spare parts in their inventory so they can respond if a transformer got shot out—we could get it back online quicker,” he explains.

However, Jake Parker—director of government relations for the Security Industry Association (SIA)—says physically protecting assets is the better way to go for utilities security. “We think that physical security measures are much more cost effective because the cost of hardening the structure can also be extremely steep,” he explains.

Once owners have drafted and implemented their physical security plans, they then need to be verified again by a third party reviewer (R6) within 90 days. This reviewer can be an entity or organization with physical security experience in the electric industry and whose review staff: has at least one member who holds either a Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification; is approved by the Electric Reliability Organization (ERO); is a government agency with physical security expertise; or is an entity or organization with law enforcement, government, or military physical security expertise.

The ASIS certifications requirement was included after a review of existing applicable certifications. “By holding one of those two certifications, it shows that you know what you’re talking about on physical security,” Wick explains. “We did reviews of any certification that had physical security requirements, and these were the only two that were suitable.”

If the reviewer recommends changes to the R4 evaluation or the security plan, owners then have 60 days to comply with those recommendations or document why they are not modifying their plans.

Penalties

CIP-014 has an aggressive implementation timetable; Parker says he expects most utilities to have their physical security plans in place by spring 2016. There are no penalties for owners who do not comply with the new standard, although owners who do comply are required to keep documentation as evidence to show compliance for three years. NERC is responsible for enforcement.

Despite the lack of penalties and the limited number of transmission stations and substations covered by the standard, many companies say the standard has inspired them. CIP-014 has given companies guidance on increasing their physical security, according to Parker.

“We’re seeing, given the current environment and response to what happened at Metcalf…that utilities are finding it easier to justify security improvements across the board via rate increases,” he explains.

The rate increases are the funding mechanism utilities can use to pay for physical security improvements. They can do this by bringing proposals to their boards and justifying small rate increases “to cover the cost of the security upgrades because of the standard, but also because of the need to improve physical security of the electric grid overall,” Parker adds.

Hyatt agrees, saying that the industry is doing a “really good job” on being proactive in “policing up” and increasing the use of best security practices. The incident at Metcalf, he adds, has “actually increased security’s perception among executives where we work that physical security is just as important as cybersecurity.”

Infrastructure Protection Trends
Security Management (Strategic Security)
https://adminsm.asisonline.org/Pages/Infrastructure-Protection-Trends.aspx

If you fail to upgrade your Internet technologies, you’ll find yourself stuck in 1997. But if you fail to upgrade your infrastructure, you’ll find yourself stuck in 1897. It’s a well-worn joke, but it illustrates the importance of secure, well-functioning infrastructure to modern society.

Moreover, the rise of sophisticated cyberattacks on infrastructure makes it an area of increasing vulnerability, experts say. As a result, the global market for critical infrastructure protection is growing, and it is projected to reach $94 billion by 2020, according to Global Industry Analysts, Inc. This demand is being driven by the increasing need to protect critical assets and prevent disruptions to normalcy due to threats, the company reports. And because critical infrastructure assets and systems are vital to the economy, disruptions or breaches can be catastrophic.

Given the stakes in play, Yves Duguay, CEO and founder of HCIWorld, sees a clear trend in infrastructure protection—a greater focus on resilience, on being prepared before an incident occurs, and on maintaining operating continuity before and after an incident. HCIWorld’s clients include airports, transportation systems, and other key infrastructure facilities.

“Resilient organizations have moved from the ‘if’ to the ‘when,’” he says. “It’s not a question of whether or not a given scenario will materialize, it’s when and how often it will be repeated, as exemplified by the viral number of cyberattacks recorded by security agencies.”

This is an important issue in the business community, because while governments do oversee and protect some critical infrastructure, much infrastructure is in the hands of the private sector. For example, in Canada, where HCIWorld is based, a recent survey found that 80 percent of the infrastructure in the energy and water sectors is privately held. The situation is similar in the United States. “Generally speaking, there is a lot more private sector involvement, on both sides of the border,” Duguay says.

By focusing on resilience and risk management in infrastructure security, companies can demonstrate proper due diligence in managing the range of risks they face. “This not only offers a protection of the company’s reputation, but it also reduces its legal liabilities, and possibly its insurance costs,” Duguay says.

Some forward-thinking firms have adopted infrastructure resilience strategies that include contingency and emergency plans, which are practiced and reviewed with their employees. “Resilience must become part of everyone’s job description, not only of the security department,” Duguay says. When employees understand why certain measures are taken and their own role in contingency and emergency planning, they become much more involved and committed, Duguay explains.

When a crisis does happen, communication is crucial, he adds. “The key to the success of protecting infrastructure also lies in the ability of companies, especially large ones, to involve their employees by communicating with them in real time, and providing them with accurate information and guidance during an emergency,” he explains.

Resilience can also have bottom-line financial benefits. “Activating a contingency plan quickly to resume business activities will translate into a competitive advantage for these companies,” Duguay says.

In addition to the move toward greater resilience, another clear trend in infrastructure security is greater interconnectedness, says Jeffrey Slotnick, CPP, PSP, CSO of OR3M and president of Setracon. Slotnick has been an architect in the U.S. homeland security enterprise, including stints writing standards and managing assessments for critical infrastructure protection.

He offers the example of a computer, which may be connected to a printer, a scanner, and other hardware. It works under the “plug-and-play” concept: all equipment is integrated, and can be operated by simply turning on one switch. Right now, infrastructure protection tools are not interconnected to the level where an access camera, a door controller, and other systems are fully integrated to the plug-and-play level. “We haven’t got there yet in the security industry,” he says.

But that’s the direction that infrastructure security will be moving in the next five years, Slotnick says. The next logical step is a common operating platform, on which disparate systems will be integrated and can talk to one another. This is already happening in some smart cities, where integrated systems are becoming more common, he explains.

There’s also a demographic driver to this trend, as the number of technology-savvy millennials increases in the workplace. “Millennials manipulate technology differently,” Slotnick says, and they will demand more integration.

However, Slotnick also cites one negative trend that continues: the fact that infrastructure facilities are often guarded by officers who are inadequately compensated and insufficiently trained. “We take a minimum wage security officer and place that officer in front of multimillion dollar infrastructure facility, and then we wonder why situations arise that may not necessarily be to our liking,” he says.

Europe has a better model, he explains. There, security officers are in a “guild profession” with a more equitable pay scale that correlates to different position levels, such as site supervisor or area manager, for example. In contrast, the modest wages in the American system mean that turnover is often a problem because officers will switch companies for a 25-cent-per-hour increase.

“If I could change one thing in the security industry,” Slotnick says, “it would be that.”
The Golden Rule<p>HIGH IN THE ANDES mountains of northern Peru, 375 miles north of the capital city of Lima, is the Yanacocha mine—Latin America’s largest gold mine. The site, which is majority-owned by Colorado-based Newmont Mining Corporation, consists of six open pit mines, four leach pads, and three gold recovery plants. More than 100 small, rural communities fall within its area of influence. While communities situated near Yanacocha have in the past been concerned about the mine’s impact on local water supplies and a lack of communication from the company, Lee Langston, Newmont’s regional director of security for South America, says that most concerns are related to employment.</p><p>Tensions over those concerns resulted in a series of protests in August 2006. Farmers blocked the road to Yanacocha for one week, and production at the mine came to a standstill for two days. According to media reports, protestors’ original demand for jobs turned to anger over environmental concerns, and in one violent clash, protestors blocking the road threw stones at police. In the response, one farmer was shot and killed.</p><p>The incident highlights the often strained relationships between local communities and international extractive companies operating abroad. As a result of this and other security conflicts between Newmont and the communities surrounding the mine in recent years, the company is in the process of implementing a new approach to security that recognizes the importance of human rights and community outreach.</p><p>Human Rights<br>The mining industry has a greater awareness today of the connection between community relations and security than it did a decade ago. 
“I think increasingly there really is a recognition on the part of the mining companies we work with that there is a degree of indivisibility between what you are doing in terms of your community relations or your community investment and security,” says Aidan Davy, a program director for socio-economic contribution for the London-based International Council on Mining & Metals (ICMM), an industry group that counts Newmont among its members.</p><p>Davy attributes the change to the influence of the Voluntary Principles on Security and Human Rights, an initiative of private companies, governments, and nongovernmental organizations (NGOs) that is intended to provide guidance to extractive companies on how they can maintain the safety and security of operations while ensuring respect for human rights.</p><p>The Voluntary Principles, as they are commonly called, were established in 2000 and primarily address three issues: risk assessment, engaging with public security forces, and interacting with private security forces. For each of these issues, the Voluntary Principles provide several guidelines. Signatory organizations commit to abiding by the principles and submit annual reports on their activities.</p><p>Extractive companies have historically taken a silo approach to security and community relations, Davy says, but the Voluntary Principles have led to a more synergistic approach. 
“Instead of taking the view of conventional security that our role is to protect our people and our assets in that order and [that] people outside the fence line or communities may represent a threat to either people or assets, the Voluntary Principles take the view that in legitimately providing security for people and assets, there is a genuine risk that you might compromise the safety, security, and wellbeing of people outside the fence line,” he explains.</p><p>That shift in perspective, he says, has helped companies realize the importance of aligning what they are doing in the security space to what they are doing in the community relations space. “That has had a profound influence, I would say, in terms of sensitizing people to the idea that these matters are closely related,” he says. </p><p>Slow Going<br>Davy admits that there is some public dissatisfaction about the lack of progress in implementation of the Voluntary Principles. “That absolutely is not the fault of companies exclusively,” he says. “I think it’s because, at its heart, the Voluntary Principles rely on a tripartite model of government, civil society, and company collective engagement and collaboration, and at times, I think they’ve failed to move this thing forward in a way that’s been collaborative.”</p><p>Indeed, one of the biggest challenges, according to Langston, is enforcing human rights in a foreign country and in remote areas. “The real challenge is that [we are] a private company, a foreign private company, [so] sometimes if it’s not approached delicately, government institutions can feel that you’re treading into their area of governing,” Langston says.</p><p>Davy says implementation guidance of the Voluntary Principles has also been lacking. “What’s been missing is practical guidance that will help people really move forward with implementation,” he says. 
An implementation guidance tool is currently being created by a coalition that includes the Voluntary Principles Secretariat, ICMM, the International Finance Corporation, the International Committee of the Red Cross, and the International Petroleum Industry Environmental Conservation Association (IPIECA). The guide should be available within a year, Davy says.</p><p>Newmont was one of the first companies to sign on to the Voluntary Principles, in 2001. But Oxfam America, an NGO participant in the Voluntary Principles, lodged a complaint against the mining company in 2007 with the initiative’s Secretariat. That complaint was in response not only to the protests in 2006 and the death of farmer Isidro Llanos Chavarria but also to allegations later that year of illegal wiretapping, surveillance, and death threats by a private security company employed by Newmont against a prominent human rights activist and outspoken critic of the company.</p><p>Newmont and Oxfam America subsequently agreed to a comprehensive third-party review of Yanacocha’s security management and practices. The review consisted of interviews with company executives, Peruvian National Police authorities, representatives from two of the three security companies hired by Yanacocha, NGO personnel, and community leaders.</p><p>A summary of the review of Yanacocha’s security and human rights procedures was released publicly last summer. “The total review identified areas of strong performance as well as the processes that they felt Yanacocha could improve upon,” says Langston. 
Newmont and Yanacocha analyzed the review and then developed a plan of action to implement the report’s recommendations for a new approach to security and human rights.</p><p>New Action Plan<br>The plan of action that came out of the review included short-term objectives that would be implemented by the end of 2009, medium-term objectives that would be implemented by the end of 2010, and long-term objectives that would be done in 2011. In terms of implementing recommendations for the Yanacocha site, Langston, as regional security director, is responsible for ensuring that they are completed in the timeframe set by the committee.</p><p>One example of a short-term objective is the creation of a Risk Assessment and Conflict Resolution Office. Langston says the company had a similar office before but it was not as effective as it could have been. One problem was that it only addressed complaints filed directly with the office. For instance, if an allegation appeared in the media, it was not considered a legitimate complaint.</p><p>“Well, you have to be reasonable,” Langston says. “If it’s floating around in the media, you better address it as a complaint.” Now the office considers all allegations no matter how they get word of them. “One of our employees can say he heard something in a store, and that would be investigated,” Langston adds.</p><p>Investigations. Yanacocha now investigates all use-of-force incidents. “Anytime any of our security people have an incident, whether it’s with an employee or a contractor or a community member, that is reported and treated just as if it is an allegation so we can determine whether the force used was reasonable or not,” Langston says.</p><p>All such reports undergo a new process of evaluation as well. If the risk level is classified as low, the incident is evaluated by a human rights and security investigation committee, which includes the site security manager as well as representatives from legal and operations. 
Representatives from other relevant departments are also on the committee.</p><p>For instance, if an incident involves the community, someone from the social responsibility department is there; if an allegation concerns an employee or contractor, a human resources or contracts manager serves on the committee. They assess the allegation and determine whether it has merit.</p><p>If the allegation is deemed legitimate, the committee orders an investigation and picks an investigation team to report back with results and recommendations. The onsite committee must also keep the South American regional board, which mirrors the committee at the site level, informed.</p><p>If the risk level of a complaint is considered medium, the regional-level committee handles it, and if it is a high-risk complaint, corporate, which also has a similar body, investigates.</p><p>Working with police. Because police response time from Cajamarca, the nearest city, is so long, a contingent of police officers is stationed at the mine and rotated on a monthly basis. The company pays the police officers a daily stipend, provides lodging and meals, and makes a contribution to the police institution for their services, as stipulated in a formal memorandum of understanding (MOU).</p><p>In addition, the MOU has provisions for additional response to the mine area if an incident should occur. However, one of Yanacocha’s medium-term objectives is to work with the police to make this MOU more transparent. The police acknowledge on their Web site that they have an agreement with the mine, Langston says, but they do not publish the contents of the MOU, which is important information for the local community to have. </p><p>One of the long-term objectives is to expand the police training to the regional and national levels, but it will take time. “Obviously it’s the state’s responsibility to do this kind of stuff,” Langston says. 
But, “[i]f we can help them with a reasonable cost to the company, we’re going to do that.”</p><p>The comprehensive review also recommended equipping police forces with nonlethal weapons, Langston says. “We’re not so sure [as a] company that we want to get involved in providing that type of material, because it’s nonlethal, but it’s offensive in nature,” Langston says. Currently the company provides protective gear for police who are stationed at the mine site or who are responding to an incident. These items include helmets, shields, padding, and other riot response equipment.</p><p>Equipping police raises concerns beyond just the cost to the company, Langston says. There are also legal concerns. “We need to be very cognizant of the Foreign Corrupt Practices Act when we talk about equipping people,” he says. “We have to have some means of monitoring the use of that equipment.” </p><p>Another objective the company hopes to meet by the end of this year is the establishment of regular, formal meetings with public security partners, which include the national police as well as the military. Newmont’s security officials currently engage in formal, high-level meetings with these partners at least once a year, but the company is negotiating with Peru’s interior and defense ministries to set up a formal schedule that would include meeting twice a year at the ministry level and quarterly with generals at the regional level.</p><p>The purpose of the meetings is to assess collaboration and discuss ways to improve performance within the framework of the Voluntary Principles. Yanacocha’s security manager, Jose Antonio Rios Pita Diez, CPP, currently meets with local police on a weekly basis.</p><p>Human rights training. 
In 2008, in an effort to improve the company’s implementation of the Voluntary Principles even before the review was completed, Yanacocha launched two training programs designed to raise awareness among employees and contractors about the importance of respecting human rights. One program is basic training in human rights and provides an overview of relevant initiatives Newmont is involved with, such as the Voluntary Principles and the United Nations Global Compact. Each participant also receives a primer on human rights.</p><p>In the first year, 3,000 participants benefited from the program, including all of the security contractor personnel working for Yanacocha. The program continues on an annual basis.</p><p>The second training program launched the same year is training in the Voluntary Principles. This program targets the mine’s security staff, contractor personnel, and police assigned to the site. Training focuses on ways to ensure the safety of Yanacocha’s employees and operations while respecting human rights. </p><p>In the first year, the training was provided only to security and contractor supervisors and to public security officers assigned to provide support to the operation. In 2009, all security personnel received the training, which includes use-of-force instruction and a code of conduct for law enforcement officers. The training is being extended in 2010 to Newmont’s Conga project, which is also in Peru, and its Merian project in Suriname. </p><p>Community relations. Yanacocha’s security department has also launched a security-community integration program to improve relationships and trust between security personnel and local communities. As a part of the program, security personnel work with security contract personnel, the police, the military, and local businesses and organizations to plan one-day festivals in isolated communities in the mine’s area of influence. 
Some activities include music provided by the army or police bands, Andean folk dances, lunch prepared and served by security personnel, and social services, such as presentations on family planning, spousal abuse, and hygiene conducted by the police health unit.</p><p>The security department spearheads approximately one event per month, going to a different local village each time. Security personnel and their families attend. Not only do the events build trust between company and contract employees and the communities, but they also improve relations between the state law enforcement personnel and the local Indian communities, Langston says. </p><p>Yanacocha’s Diez says that it is important to venture into the community relations realm, even though others may consider it the work of an external affairs or social responsibility department.</p><p>“We are doing our work in a preventive way because if we have some problems in the road, the problem also will be for the security department and also for our company,” he says. “We are working in a preventive way in order to avoid these kinds of situations.”</p><p>On a regional level, Newmont is working with the Interior Ministry to assist and provide resources to the rondas campesinas, or rural peasant patrols, which have developed over centuries to provide security for their own rural communities. Each local community has its own ronda. Newmont provides them with minor equipment and gear that makes the ronda campesina stand out in the community, such as vests that say “Ronda” and identify the community; flashlights, boots, and some rain gear.</p><p>Results<br>The goal of these community outreach efforts at its simplest was—and is—to “put a face” on security. 
The hope was that if local residents got to know security personnel as people before there was an incident, then when those personnel showed up on the scene to respond to trouble, the locals might be disgruntled, but they would be “less likely to pick up a rock or a stick and start to assault the guard. And that’s exactly what we’re seeing,” says Langston.</p><p>He says that security personnel are met more cordially on the road and that they now have conversations with members of the communities. Both Langston and Diez say the efforts at Yanacocha are also showing some tangible results. For example, the company experienced 25 roadblocks in 2007 and only one last year. The company also tracks conflicts that involve physical force, and those incidents have dropped from 64 in 2007 to six in 2009.</p><p>Langston has noticed a growing awareness that community relations affect security and vice versa. “Used to be security was checking the lunchbox at the gate, and it’s much more than that now,” he says. “You have to go beyond the fence, and that takes a whole different mind-set and set of skills.”</p><p>Stephanie Berrong is an assistant editor at Security Management.<br></p>