Security Management at Capital Power
Ross Johnson, CPP, Senior Manager, Security & Contingency Planning
Capital Power
Capital Power (CPX:TSX) is a growth-oriented North American power producer headquartered in Edmonton, Alberta. The company develops, acquires, operates and optimizes power generation from a variety of energy sources.
Capital Power owns more than 3,600 megawatts of power generation capacity at 15 facilities* across North America.
An additional 595 megawatts of owned generation capacity (including the Shepard Energy Centre) is under construction or in advanced development.
*As of December 2012. Excludes the 5-MW Clover Bar Landfill Gas plant.
Capital Power Generation Portfolio*
*Excludes the 5-MW Clover Bar Landfill Gas plant
Security & Contingency Planning
Senior Manager, Security & Contingency Planning
• Senior Advisor, Physical Security
• Forensic Investigations Specialist
• Senior Advisor, Contingency Planning (20%)
• Security Administrator
• Security Guard Force (11 people)
Security Management Program Elements
1. Security Management Program
2. Security Risk Management
3. Information Security Management
4. Personnel Security
5. Physical Security
6. Security Incident Management
7. Contingency Planning
8. Threat Response Planning
9. Evaluation & Review
10. Continuous Improvement
Security Management Program
Vision Statement
To assist the Corporation in maintaining a competitive advantage by providing successful, innovative, and cost-effective security and contingency planning solutions to ensure the protection of our people, assets, and reputation.
Mission Statement
To protect the Corporation’s people, assets and reputation through leadership, technology, and innovation while building an environment that enables the business through consultation, cooperation, honesty and integrity.
How We Will Achieve Our Vision
All solutions produced by Capital Power Security & Contingency Planning will be tested against three questions:
1. Does it meet the security and cost requirements as agreed in advance with the stakeholders?
2. Does it meet the security requirement with the minimum expenditure of money and resources?
3. Does it meet the security requirement with the minimum use of manpower?
A project is not complete until we can answer ‘yes’ to all three questions.
Security Risk Management
• Threat Intelligence
• Public Safety Canada
• Natural Resources Canada
• DHS
• ES-ISAC
• Industry
• Security assessments
• Facility Risk Profile
• Monthly evaluation
• Corporate Hazard Event Risk Profile
• Monthly evaluation
Information Security Management
• Classification and labelling
• Handling
• Training
• Incident reporting and investigation
• Audit, compliance, and disaster recovery
Personnel Security
• Access control
• Employee terminations
• Fraud prevention program
• Governance
• Risk assessment
• Prevention
• Detection
• Investigation & corrective action
• Security awareness
Physical Security
• Minimum physical security guidelines
• Vehicle searches
• Signage standards
• Chain-link fencing standards
• CCTV cameras
• Copper theft prevention
• Guard force management
Facility Type
Access Control
Fence with Top Guard
Fenceline Intrusion Detection
CCTV/Lighting
Electronic Card Access
Interior Intrusion Detection
Locked Fence
Gates with CCTV
Locked Exterior Access Doors
Visitor Management
Background Checks for all Unescorted Personnel
Signage
Critical Asset
Manned Power Plant ● ● ● ● ● During Silent Hours ● ● ●
Unmanned Power Plant ● ● ● ● ● ● ● ● ● ●
Control Room ● ● ● ● ● ●
PEECC ● ● ● ● ● ● ●
Switchyard ● ● ● ● ● ● ● ● ●
Non-Critical Asset
Thermal Power Plant ● ● See Note 1. ● During Silent Hours ● ● ●
Wind Facility ● ● ● ● ●
Solar Facility ● ● ● ● ●
Control Room ● ● ● ● ●
PEECC Optional ● ● ●
Switchyard ● ● ● ● ●
Office Building/Data Centre ● ● ● ● ● ●
Construction Site ● ● ● ● ●
Facility Type
Guards: Fixed Post, Mobile Patrols, SafeWalk Program, Security Shuttle
Regulatory Requirements: NERC/ARS CIP-001, NERC/ARS CIP-002 to CIP-009
Critical Asset
Manned Power Plant ● ● ● ●
Unmanned Power Plant ● ● ●
Control Room ● ● ● ●
PEECC ● ● ●
Switchyard ● ● ●
Non-Critical Asset
Control Room ● ●
PEECC ●
Thermal Power Plant ● ●
Switchyard ● ●
Wind Facility ● ●
Solar Facility ● ●
Office Building/Data Centre
Guards may be used if deemed necessary because of local security conditions – Capital Power Security will assist with assessment
Construction Site ●
Security Incident Management
• Incident reporting
• Investigations
• Workplace violence incident management
Contingency Planning
• Business Continuity Management
• Emergency Response Program
• Crisis Management Planning
Threat Response Planning
• Threat and vulnerability assessment
• Security measures
• Observation plan
• Random security measures
• Response plan
• Communications
• Training and review
Our Next Challenge
Our next challenge is the transition to an enterprise security model, integrating physical, cyber, and industrial control system security
David Godfrey, Security & Facilities Manager
Texas Municipal Power Agency
Texas Municipal Power Agency (TMPA) is a joint action agency created in 1975 by the Texas Legislature to provide reliable electric power in an economically competitive and efficient manner to its four Member Cities.
TMPA owns 470 megawatts of power generation and 11 substations all within the ERCOT region.
Combined, TMPA owns over 18,800 acres of land, including a reservoir which is open to the public.
Security & Facilities
As in most small organizations, the Security & Facilities Manager wears a multitude of hats:
• Physical Security Manager
• Facilities Manager
• Parks & Recreation Manager
• Public Relations Manager
• Communications Manager
• Special Projects Manager
Security Management Elements
1. Physical Security Management
• Generation
• Transmission
• Park
• All other land holdings
2. Security Risk Management
3. Personnel Security
4. Incident Management
5. Threat Response
6. Security Training
Security Management Goals
• To provide a safe and secure workplace for our employees – People come First.
and
• To protect TMPA’s assets and reputation by assessing all agency assets and providing appropriate security measures that are reliable, effective, and economical.
Security Risk Management
• Threat Intelligence
• Joint Terrorism Task Force (JTTF)
• Local Law Enforcement
• Texas Fusion Center
• DHS
• ERCOT
• ES-ISAC
• Our Employees
• Physical Threat Vulnerability Assessment (TVA)
• Annual and Spot Check Security Evaluations
Personnel Security
• Access Control
• CCTV
• Fraud prevention
• Governance
• Anonymous Hotline
• Prevention
• Investigation & corrective actions up to and including termination
• Security awareness
Physical Security
• Security Policies and Procedures
• Access Control
• CCTV
• Chain-link Fence Standard
• Signage
• Fence Detection Systems
• Law Enforcement Patrol
Security Training
• Yearly Emergency Coordination Exercise (which always includes a security component)
• Periodic security reminders to employees (piggybacking, vigilance, reporting)
• State and Federal Law Enforcement Exercises
• Local Law Enforcement Exercises
• Local Fire Department Exercises
QUESTIONS?
April 16, 2014
VP Western Division of G4S Secure Solutions regional conference
Tri-State’s mission is to provide reliable, cost-based electric energy to our member systems consistent with cooperative principles
Tri-State Generation and Transmission Association is a wholesale power supplier owned by 44 electric cooperatives and public power districts
Serving a population of approximately 1.5 million people
Tri-State wholly or partially owns, or has power purchase agreements, for a number of generating facilities located throughout its four-state service territory
Transmission system
Tri-State owns, operates and maintains a 5,213-mile high-voltage transmission network throughout four states
359 delivery points
250,000-square-mile service territory
Employees
Tri-State employs nearly 1,600 people at offices, power plants and field locations throughout the region
Enterprise security mission
We will be the enterprise-wide resource for Tri-State regarding the protection of people, information, and assets. We will partner with key personnel to plan, deploy, and maintain programs that promote a customer-oriented, results driven security culture to support compliance while promoting a safe and secure work environment.
Enterprise security responsibilities
Security force management
Investigations
Compliance with Tri-State’s NERC cyber security standards program
Compliance with Tri-State’s DHS chemical facility anti-terrorism standards program
Electronic security systems management
Federal agency and law enforcement liaison
Electronic security systems installation
Security vulnerability assessments
Security force management
37 armed G4S CPO officers in 5 locations
Headquarters
Lobby entry
SOC
Area vehicle patrol
3 generation facilities
1 coal mine
1 G4S program manager
Recurring training & testing
Investigations
Type of Investigation / Department/Position Responsible
Assaults & Crimes against persons: Employee/Employee EMPLOYEE SERVICES
Assaults & Crimes against persons: Outside Party/Contractor ENTERPRISE SECURITY
Check Fraud CASH MANAGEMENT
Copyright / Proprietary Information LEGAL or OUTSIDE LEGAL HELP
Disciplinary Investigations for Misconduct EMPLOYEE SERVICES
Due Diligence BUSINESS UNIT LEADING ACQUISITION
EEOC (Equal Employment Opportunity Commission) EMPLOYEE SERVICES
Employee Misconduct EMPLOYEE SERVICES
Environmental Incidents ENVIRONMENTAL
Internet/Email Misuse IT OPERATIONS
Inventory Discrepancies/Unexplained Shrinkage: Inventory INVENTORY CONTROL MANAGER
Inventory Discrepancies/Unexplained Shrinkage: IT ENTERPRISE SECURITY
Mechanical Failures PLANT MANAGERS
Misuse or Abuse of Computer or IT Systems IT OPERATIONS
OSHA Complaint CORPORATE SAFETY
Outages or Switching Errors RELIABILITY COMPLIANCE, TRANSMISSION SYSTEM OPERATIONS
Personnel Security and Background ENTERPRISE SECURITY and EMPLOYEE SERVICES
Regulatory Compliance CORP. SAFETY, EMPLOYEE SERVICES, ENVIRONMENTAL, LAND RIGHTS, FINANCIAL SERVICES, RELIABILITY COMPLIANCE
Sabotage: Cyber IT OPERATIONS
Sabotage: Employee EMPLOYEE SERVICES
Sabotage: Generation or Production ENTERPRISE SECURITY
Sabotage: Reliability RELIABILITY COMPLIANCE
Safety Related Accident CORPORATE SAFETY
Substance Abuse/Fitness for Duty EMPLOYEE SERVICES
Theft: Computer/Laptop ENTERPRISE SECURITY
Theft: Inventory INVENTORY CONTROL MANAGER
Theft: Tri-State Property (by EXTERNAL party) ENTERPRISE SECURITY
Theft: Tri-State Property (by INTERNAL party) EMPLOYEE SERVICES
Travel & P-Card Misuse EMPLOYEE SERVICES
Workers Comp 3rd PARTY HIRED BY TSGT
Compliance
Compliance with Tri-State’s NERC cyber security standards & DHS chemical facility anti-terrorism standards programs
Evolving requirements
Documentation
Audits
Initial & ongoing expense
Enterprise-wide awareness
Electronic security systems management
Access Control
Johnson Controls P2000 system
350+ readers in 30+ facilities
Surveillance
ONSSI Ocularis VMS
300+ cameras in 20+ facilities
Axis & VideoIQ – 100% digital IP
Transitioning legacy equipment to Axis 5MP IP
Security operations center
Yearly capital improvements – 20 per year
Security systems technician on staff
Federal agency and law enforcement liaison
Participation locally in:
InfraGard
ASIS
UASI
Quarterly regional contact:
FBI
DHS
State homeland security
Local county sheriff
Local police
Security vulnerability assessments
Recurring written assessments
3 years for priority assets
HQ, BCC & Hangar
Larger power plants
Regional service centers
5 years for others
CT generation facilities
Small service centers
Brief results & recommendations to management
Challenges
Government regulation
NERC CIP
CFATS
Metal theft
Safe and secure environment with budget constraints
Security officer training
Security culture and awareness within business units
Preparing for electric utility security in 2020 and beyond