Robert "RJ" Hope
Abraham Maslow's "law of the instrument" says: If the tool you have is a hammer, then everything looks like a nail. To avoid the pitfall Maslow describes, let’s remember that the nature of a threat profile should decide the choice of security equipment, not the availability of that equipment. When we hear about a school shooting, for example, some of us immediately think “they should have had a camera system?” The ones thinking that probably sell camera systems. Although we are in the business of selling equipment, let’s also focus on solving problems and making customers safer. Obviously, manufacturers need to sell more products, and integrators want to install as many systems as they can. But meeting the customer’s needs should not be lost amid our zealous sales efforts. In the end, the onus is on the customer to analyse security threats and decide what measures can be used to mitigate those threats. Buying new equipment should not be the default response. Rather, it should be among the possible solutions chosen after a systematic assessment of threats and risk. Equipment by itself doesn’t provide security. End users often turn to consultants and A&E firms for guidance. There is real value in an impartial view from someone who has no vested interest in what technology a customer buys, says R.J. Hope, department manager, global security services for Burns & McDonnell, an A&E firm. In contrast, even the most honest integrators have a vested interest in how many cameras the customer buys. “The approach we take is to understand what got us here,” says Hope. “If you just focus on an incident in the parking lot, technology won’t solve that, although it might provide evidence. So we look at ways to control access to the parking lot. The camera is just part of the solution. Our needs [for technology] go where the client takes us.” The role of technology should be seen as a force multiplier rather than a replacement for personnel. “Clients need to be better educated about what they need,” says Hope. “Clients say ‘I need a camera in this corner to protect this room,’ but cameras can’t protect anything. Without policies and procedures, cameras are ornaments.” The value of our industry’s products and systems are highest when they best serve the customer’s needs.
Helping utility companies meet the new CIP-14 standard is an urgent new challenge On April 16, 2013, snipers fired for 19 minutes on PG&E Corp.'s Metcalf electric power transmission station near San Diego, California, knocking out 17 giant transformers that supply electricity to Silicon Valley. At least 100 rounds were fired from at least one high-powered rifle. The power grid was rerouted to avoid a blackout, but it took 27 days to make repairs and get the substation back up and running. The incident got the attention of regulators and security professionals in the utility industry. There are some theories the incident was a dress rehearsal for a terrorist attack. To address such risks, the North American Electric Reliability Corporation (NERC) has adopted reliability standards to minimize the security risks and vulnerabilities related to the reliable operation of the nation’s bulk power systems. The standard will guide owners and operators of such facilities to develop, validate and implement plans to protect against physical attacks that might compromise the operability or recovery of such facilities. The NERC Board of Trustees adopted the related CIP-014-1 standard at its May 13, 2014, meeting and will submit the standard to the Federal Energy Regulatory Commission (FERC). Adopting New CIP-14 Standard - Challenge Helping utility companies meet the new CIP-14 standard is an urgent new challenge – and opportunity – for the physical security marketplace, especially for suppliers of perimeter security technologies that could provide early warning of an attack on a remote transmission site. “I have seven or eight teams working on it right now,” says R.J. Hope, department manager, global security services for Burns & McDonnell, an A&E firm. Protecting remote, unmanned locations particularly lends itself to a technology solution, he says. Historically such sites have relied on fence-based systems, but the systems tend to generate false alarms when the wind blows debris or a deer walks by. Even a 1 percent false alarm rate can be too high if an operator is monitoring 1,000 different substations. A promising technology Hope sees is ground-based radar, which can expand the range of perimeter security systems even beyond a fence or other barrier and let operators know “the bad guy is coming as soon as possible.” One company that supplies such systems is SpotterRF, which specializes in small-size, low-power systems for use in wide area ground surveillance. One SpotterRF product has a range of 1,200 meters and covers an area of more than 940,000 square meters (233 acres). Ground-based radar could be combined with video systems. The new CIP-14 standard is an opportunity for the physical security marketplace, especially for suppliers of perimeter security technologies that could provide early warning of an attack on a remote transmission site In addition to early detection, systems are needed that reduce the amount of data flowing into a main hub room. Other critical data – such as SCADA alarms, system performance feedback, etc. -- cannot be compromised by bandwidth-hogging video. Recording video remotely and backing it up during slower off-hours can help address the problem. Impact Of CIP -14 Standard On Security Industry The expected impact of the new utility standard follows a familiar pattern in the security market – security spending is generally precipitated either by a regulation, such as CIP-14, or by an event. For example, a company might look for new security if someone were hurt in a parking lot or if there were a large internal theft ring. Another example of how regulations can increase security spending was the impact on the chemical marketplace of the Department of Homeland Security’s Chemical Facility Anti-Terrorism Standards (CFATS). Spending related to CFATS compliance peaked around 2010 or 2011. The push for compliance with CFATS has now largely come and gone, says Hope. Companies are now mostly compliant with the regulation’s 18 risk-based performance standards aimed at facilities that “present high levels of security risk” based on the chemicals they manufacture, store and/or distribute. Burns & McDonnell has consulted with dozens of clients in recent years that handle one or more of the 300-plus “chemicals of interest” on the CFATS list, including common substances like hydrogen peroxide and acetone used in manufacturing processes, says Hope. Impact Of CFATS Regulation On Security Equipment The lagging impact of CFATS regulation on the security equipment marketplace might come from companies whose business changes to include a CFATS-targeted chemical or to increase an amount they handle, thus making them subject to CFATS’s risk requirements. Also, the paperwork burden of documenting CFATS compliance continues to take a toll on end users, especially among chemical distributors whose mix of chemicals changes significantly and often, based on client demand. Many chemical distributors have hired new employees just to handle Department of Homeland Security (DHS) compliance, says Hope. Although CFATS’s “risk-based standards” did not specify use of any certain equipment, many end users looked to equipment solutions as a tool to achieve CFATS requirements of surveillance, access control and measures to “deter, detect and delay.” CFATS demonstrated the power of regulatory compliance to drive security purchases, and now NERC’s CIP-14 standard is poised to have a similar impact on the U.S. utility sector.