Channel: Iberdrola Corporate Blog

Setting Worldwide Standards for Corporate Security in the Energy Industry


* Author: Keri Glitch *

Did you know that the U.S. energy industry had the greatest number of reported security threats last year? According to the National Cybersecurity and Communications Integration Center (NCCIC), a 24×7 cyber situational awareness, incident response and management center for the U.S. federal government, the energy industry was the target of 56 percent of all reported attacks in 2013, up from 41 percent in 2012. As the level of cyber and physical security threats continues to rise, companies like Iberdrola USA are taking innovative approaches to mitigate financial, operational, reputational, and compliance risks.

Integrated approach to risk mitigation, protection, and response

Our operations cover nearly 3 million natural gas and electricity customers, 60 renewable energy projects from coast to coast, and we have an energy presence in 24 states. A company of this scale and complexity requires a significant system of corporate security features to secure its people and assets. As Chief Security Officer reporting directly to the CEO, I head a team with the responsibility to ensure that our 5,000 U.S. employees as well as our operations across the country are safe.


Because of the rise in threats over recent years, and the U.S. Executive Order and Presidential Directive to protect critical infrastructure in 2013, Iberdrola USA made the strategic decision to unify all security and compliance functions under one team. This included elevating the reporting structure directly to the Chief Executive Officer. Additionally, we integrated cyber and physical security teams in order to identify and mitigate security threats across all assets. My integrated team provides support to all business units for a unified corporate security group.

Another requirement of our corporate security is the strict adherence to regulations and standards set by the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC). These U.S. agencies set standards for reliability, critical infrastructure protection (also known as CIP), and additional protection for cyber-assets associated with transmission substations, generation and energy control systems. To ensure adherence, we’ve designated a team to regularly monitor the evolution of the standards and complete all required reporting. Serious penalties can result from violations—ranging from $1,000 to $1 million, per penalty, per day! However, the potential risks to people and critical infrastructure are of far greater concern.

Our holistic approach ensures Iberdrola can work securely anywhere in the world. We guide our business partners to secure their assets through a risk-based approach, mitigating business risks with centralized, strategic governance and oversight. We employ a unified incident response and threat management approach for cyber and physical assets, while managing NERC compliance. Furthermore, we have instilled in our company’s culture an individual responsibility for employees to report known or suspected violations of applicable laws and regulations, or any departure from the company’s policies and code of ethics.

Innovative solutions for protecting people and assets

In accordance with the physical security requirements from the regulating agencies and the Iberdrola global standard, we put together a physical security plan with long-term efficiencies based on best practices learned from our colleagues. Starting in 2012, standardization of access control and video surveillance began at sites in the U.S., the U.K., and Brazil.


In April of this year, the physical security team began reviewing options to accelerate deployment of these systems. Our array of security components ranges from a simple lock and key or card access to video surveillance and analytics, thermal cameras, and physical hardening elements. Each site needed its own configuration of these components based on the level of risk, but the modular nature makes them scalable and ready to combine to create individual, customized systems for each location or facility.

We began with a review of all our physical sites, including general offices, data centers, walk-in customer payment centers, critical energy control centers, and substation sites. Using risk-based characterization criteria, we categorized each site and developed a “deployment standards matrix” to define specific security components appropriate for each location. For example, we now had the means of differentiating a tier-one site like an energy control center, which may require all of the security offerings in our system, versus an unoccupied storage facility listed as a tier four, requiring significantly less security.

Because threats against the energy industry come in many forms, from equipment failures to natural disasters and even criminal attacks, Iberdrola set out to create a best-in-class system for physical security. Our integrated system meets or exceeds all government mandates for the industry through a web of protective technology woven together by our leading-edge partners. We focus on strengthening reliability and efficiency for our customers while providing the highest level of employee safety and asset protection available.

Author: Keri Glitch 

Bio: vice president cyber and physical security – Iberdrola USA.

