Canadian and Mexican grids, those systems must likewise be analyzed and their hardening plans coordinated with those of the United States. The defense and national security communities in the country have developed tools for vulnerability analysis of physical sites and have used them extensively for over 20 years. Recently, there has been some success in transferring these tools to parts of the energy infrastructure. They should be made available to the rest of the electric power industry. By applying these analytical tools to all critical grid components, the systems approach to electric power security would identify key vulnerabilities in a facility and determine the relative value of possible security-upgrade options. These tools should include methods that help define appropriate use of (1) surveillance of critical sites and equipment, (2) hardening selected sites, (3) barriers to prevent intrusion, and (4) masking of selected equipment.
Recommendation 6.2: The electric power industry (as well as the oil and natural gas industries, discussed later in this chapter) should undertake near-term studies to identify vulnerabilities to physical attack on equipment and controls. These studies should include connected Canadian and Mexican assets. The tools for analysis of vulnerabilities used in the defense community should be transferred to the energy operators for these studies, along with adequate training in their application.
For the nation as a whole, the identification of vulnerabilities requires sophisticated models and simulations of the infrastructure. Because these efforts will require a great deal of information (most of it not easily available to any one individual player) on such issues as threats and interdependencies, some infrastructural segments have started establishing information sharing and analysis centers. This is largely an ad hoc phenomenon, which should be placed on an organized, rational basis. In so doing, sensitive data on equipment, its location, and its vulnerability will have to be examined and protected from those lacking a need to know, necessitating an information classification system. This issue is germane to the oil and natural gas sectors as well.
Recommendation 6.3: Action should be taken to facilitate information sharing between energy sector components. Specifically, the government needs to adjust its policies in order to allow a reasonable balance between the industry’s access to information on vulnerabilities and threat scenarios, on the one hand, and the protection of such information to ensure national security, on the other. In addition, industry’s concerns about antitrust and liability issues, as well as freedom-of-information (FOIA) risks, need to be addressed. Government support for energy sector information sharing and analysis centers is essential. Also, the security classification system for information must be reviewed, and modified accordingly, in light of the new terrorist threats.