The Western Area Power Administration’s (WAPA) service underpins the everyday commerce, public services, and lives of millions in the United States. It’s hard to overstate WAPA’s importance. The agency — a part of the US Department of Energy — markets and delivers hydro electricity to 15 central and western states.
By the numbers, WAPA is huge. It oversees $4 billion worth of infrastructure. It operates nearly 330 substations, manages 26 facilities, and serves nearly 680 wholesale power customers.
These responsibilities demand heavy security considerations. The Department of Homeland Security’s most recent Energy Sector-Specific Plan notes that “[t]he Energy Sector continues to face physical security risks, including attacks to the physical electric infrastructure,” and that evolving risks — including security — must be accounted for as “essential functions—including hospitals, water and wastewater systems, transportation, and telecommunication—depend on the reliable supply and delivery of electricity and other fuels to operate.” Indeed, one of the priorities in WAPA’s own strategic roadmap is to “strengthen its capabilities in physical security and cybersecurity.”
Despite this agreement on the importance of security, WAPA’s processes have been found wanting.
A 2003 audit by the Office of the Inspector General “noted that Western’s risk assessments were inadequate.” A 2010 follow up showed that WAPA “had not implemented physical security enhancements recommended in completed risk assessments,” and a 2016 follow-up report noted that WAPA still had not “[e]stablished adequate physical security measures and practices for its critical assets,” finding it had not consistently:
- “Established adequate physical security measures and practices for its critical assets”
- “Addressed physical security measures recommended in prior risk assessments”
- “Conducted performance testing to ensure that security measures for physical assets were performing as designed”
Critical infrastructure remained highly vulnerable.
It behooves security directors to take note of how such vulnerabilities remained in such a crucial organization. The following examination considers the audit’s account of the vulnerabilities along with potential solutions based on the first principles of security and change management.
Inadequate access control records
The audit follow up noted that existing processes “did not ensure that access to critical assets was adequately controlled.” In some cases, once perimeter keys were distributed, they weren’t tracked. There was no tool to provide insight into where a key went after it was given out. No paper log, no software. When someone left the organization, no log updates were made. It is safe to say that access control was spotty.
“[G]ate and door key listings were not updated and in some instances did not exist. Moreover, there was no process to ensure keys were returned upon the departure of an employee.”
The inability to perform access control audits or determine with certainty whether a key is in the appropriate hands at any given time leaves an enormous security hole.
How is it that such a significant security vulnerability could remain unaddressed for so long? That comes down to how authority was organized.
Fragmented authority and misaligned priorities
Legitimate attempts at physical security improvement were made at WAPA. The organization created the Office of Security and Emergency Management (OSEM), a central assessment office dedicated to conducting reviews and developing policy adjustments to enhance accountability and overall security. OSEM was geared up to support the creation of action plans that would correct the weaknesses noted earlier.
But there was a snag. OSEM had authority over the program. Regions had authority over prioritization, funding, and implementation. Unless there was agreement between OSEM and each of the regions, the risk that security issues – identified years before – would remain.
Doubt persisted. The report states that a WAPA official was “surprised by how little the regions had spent on physical security in the past,” and continued with the following pessimistic words:
“Based on Western’s history of not always implementing recommended physical security measures, as identified in this report and our prior report, we share this official’s concern that the regions may continue not to prioritize, implement, and fund needed physical security measures.”
How could this be prevented?
A reading of the report prompts three major questions:
- How can an organization maintain real-time knowledge of who has access?
- How can it dependably track keys after they’ve been distributed?
- How can it create alignment among different stakeholders who each have the ability to sink an initiative?
Since security is our sandbox, we’ve contemplated each of these questions from a first-principles perspective, and have worked to develop elegant solutions.
In the age of secure electronic logbooks and visitor management systems (VMS), there’s no reason to resort to paper logs or spreadsheets. The problems with such logs are myriad. The ability to perform an audit is arduous. There is no mechanism to ensure updates are made in real-time. There is a possibility that handwritten information is incomplete and overlooked.
A basic first step to improving this information collection is the creation of an easily searchable database that contains all relevant information about the keys. An electronic logbook with a VMS would enable convenient and thorough auditing for compliance. More advanced features may include the automated disabling of electronic keys when desired, and a suite of capabilities built in to manage and gain visibility of people who enter the premises.
When authority over assessment, funding, and implementation is split among multiple bodies, it’s critical to bridge differences in perspective, values, and judgment to avoid cracks in the security program. Solutions need to be designed with the motivations and concerns of each stakeholder in mind. It pays to understand the program from each person’s perspective. Successful implementation and adoption depends on a solution that solves the legitimate pain points for each group involved.
To promote adoption, it is key to remove as much friction from security processes as possible. If a software solution like a VMS is employed, ensuring that it has a well-designed user experience and that it integrates with other software tools that security personnel use every day will increase the probability of a successful implementation. If the vendor provides adoption services — processes designed to expedite and simplify change management — this will also improve the chances of its effective use.
A final word
Despite the power grid being among the most critical infrastructure elements in the United States, security vulnerabilities cropped up in WAPA regions. The reasons were classic: organizational misalignment along with ineffective or non-comprehensive processes.
Bringing these problems to light is the first step toward solving them. Learning vicariously through WAPA’s experience and implementing the appropriate tools to manage security, can avoid similar missteps at other organizations.