Managing and Protecting Infrastructure Assets

The events of September 11^th focused renewed attention on protection of our nation’s critical infrastructure. Utilities across the nation have an increased awareness of risks and are recognizing the potential vulnerability of their physical assets, and also the assets embodied in their employees, their knowledge base, their information technology and their customers. Utilities must now grapple with the possibility that their infrastructure assets may be targets of direct physical threats — or serve as conduits for indirect physical threats. As the concern for protecting our nation’s infrastructure intensifies, each utility is being asked to reassess its ability to provide safe and reliable services to customers and communities as a whole. However, improvements to protection of utility assets must be performed with constraints of limited capital and operating budgets. Security threats from terrorist and related events are relatively new to the utility industry, so standard industry-wide protocols are just now being developed. Serious security practices have evolved in some discrete areas, such as high-risk government buildings, nuclear power plants, and airline terminals. Utility infrastructure physical assets are typically dispersed, so, standard approaches to security (developed for enterprises with highly centralized assets, such as nuclear weapons production facilities) are difficult to apply. Managers must then face a balancing act between demands for security and the resources needed to enact and finance those actions. This paper describes the Vulnerability Self Assessment (VSAT™) methodology and software that provides a structured, cost-effective approach for utilities to assess their vulnerabilities and to establish a risk-based methodology for making necessary changes. The VSAT™ methodology groups utility assets into the classes of People (utility staff), Physical Plant, Knowledge Base, Information Technology Platform, and Customers. The methodology and software are flexible, customizable, and user friendly. VSAT™ software is equally applicable to deliberately caused or natural disasters. In addition to a library of prototypical assets, included in the software application are threat and countermeasure libraries. As users proceed through self-assessments, VSAT™ automatically documents the analysis process during each step. VSAT™ helps users identify critical asset(s) and potential single points of failure (SPFs). The VSAT™ process culminates in a series of risk-reduction-cost reports that presents findings in clear and concise ways. This is important, because the goal is business continuity and, at the end of the day, VSAT™ provides solutions that enable utilities to mitigate risks of business interruptions at least cost.