gridBy Mike Reicher
mike.reicher@langnews.com,@mreicher on Twitter
The Los Angeles Department of Water and Power, the nation’s largest municipal electricity utility, neglected to make fundamental security fixes at its critical power facilities, according to City Hall consultants who recently followed up on 9/11-era recommendations.
Nearly 15 years later, they found basic recommendations ignored and that the problems remained, an assessment obtained by this news organization revealed.
The critical transmission center had no working security cameras or alarms on its doors. Delivery trucks could enter without inspection or documentation at another major power hub. Weeds, brush and trees were so overgrown at one generating station that saboteurs could hide without detection.
“While significant security improvements have been made since 2001, Navigant found that site personnel are concerned for their safety as they have had security breaches in the past, including confrontation with unauthorized individuals.”
— Los Angeles-based Navigant Consulting

With transmission facilities spanning five states and 3,507 miles, the DWP supplies electricity to more than 1.4 million customers.
If sophisticated intruders breached a major power hub, they could cripple the local economy and daily life by cutting off power to transportation systems, home refrigerators, military installations and other key facilities.
The agency’s lapses highlight how the nation’s utility industry has been slow to improve security, experts say — a topic that gained renewed attention after the recent San Bernardino terror attack.
City officials, consultants and DWP observers blame the agency’s decentralized governance and management for the failure to address the security gaps. Until those systemic issues are fixed, they say, vulnerabilities will persist.
“Security should be our primary focus,” said Councilman Felipe Fuentes, who chairs the Energy and Environment Committee, “but all of this underscores our need to fortify the governance structure of the utility.”

Every five years, City Hall hires outside consultants to analyze the sprawling DWP, with its roughly 9,000 employees. They make recommendations on topics from security to customer service. Los Angeles-based Navigant Consulting conducted the 2015 “Industrial, Economic and Administrative Survey,” which was publicly released by Controller Ron Galperin in December.
Officials redacted the section that describes the specific security shortcomings, but this news organization obtained an unredacted copy.
“Navigant onsite staff did not observe any cameras in working order or intrusion detection on the perimeter fencing or access points,” the authors wrote about a transmission facility that manages power for millions of homes. “While significant security improvements have been made since 2001, Navigant found that site personnel are concerned for their safety as they have had security breaches in the past, including confrontation with unauthorized individuals.”
The 2001 “Security and Terrorism Threat Assessment” found no intrusion alarms on any exterior building doors at the facility, according to Navigant.
Federal regulators require major transmission facilities to have “physical access control systems” with electronic doors that alert operators when breached, according to Kevin Carey, a physical security specialist at Grid Subject Matter Experts, which advises major utilities. Surveillance cameras, while not required by law, are considered a best practice in the industry, he said.
“The government is concerned about the absolute protection of these assets,” Carey said. “The risk could be a power outage, though it would have to be someone with really technical capabilities to make any changes to that system.”
Navigant chose to inspect these facilities because of “their criticality to the department’s day-today operations,” according to the report.
At one major power distribution center, the consultants found that employees weren’t inspecting delivery trucks nor logging the names of the drivers, despite security experts making those and other recommendations in 2001. Carey said that federal regulators typically require major distribution centers to log deliveries.
Some gaps fixed
The DWP declined to make available Patrick Findley, the director of the Security Services Division, for an interview. In a written statement, department officials said some of the gaps identified by Navigant have been fixed, or are in the process of being fixed. Others “were not recommended or rated much lower priority by law enforcement and our security team,” the statement said.
“All of LADWP’s critical water and power facilities have been fully reviewed and inspected by local and regional law enforcement experts in threat assessment and counterterrorism,” the statement said. “Through these efforts significant steps have been taken to harden and protect both water and power facilities.”
Utility officials said that the DWP complies with standards set by the North American Electric Reliability Corp. and is undergoing a new federally mandated security review.
After 9/11, utilities took security more seriously. The federal government approved critical infrastructure protection standards in 2008, after a lengthy regulatory process. Typically, utilities strive to comply with those standards and make any additional security improvements as they can afford them, Carey said. Sometimes, the pace is slow.
“W hy ha sn’t this all been done? The electrical utility industry is vast. It’s huge,” he said. “These security measures are rolling out at a pace the utility industry can handle.”
Who’s accountable?
At the DWP, the problems can be traced to management, which doesn’t have clear procedures to ensure security fixes are actually made, the Navigant consultants found. While the central security division can instruct the power managers to make improvements, the responsibility to act rests with the individual facility managers. Ultimately, nobody is held accountable.

If you enjoyed this post, please consider leaving a comment or subscribing to the RSS feed to have future articles delivered to your feed reader.
 

Leave a Reply

Your email address will not be published. Required fields are marked *