Adopt 'security impact review,' law firm tells energy industry

Nov. 9, 2001
Given the concern about security of the US energy infrastructure, companies should consider adopting security impact reviews that would be similar to environmental impact statements, a Houston law firm said. The recommendation and others were part of a new report by Bracewell & Patterson on possible threats to the industry.

By the OGJ Online Staff

HOUSTON, Nov. 9 -- Given the concern about security of the US energy infrastructure, companies should consider adopting security impact reviews that would be similar to environmental impact statements, a Houston law firm said.

Companies should adopt such a model voluntarily to help weigh security ramifications of key business decisions rather than waiting for the US Congress to impose a system, the counterterrorism, public, and corporate security law group of Bracewell & Patterson LLP said.

The recommendation and others were part of a new report by the law firm on possible threats to the industry.

Despite security upgrades, the country is still vulnerable at many points along the energy chain. But some efforts at improvement have resulted in unintended consequences, the report said.

Some states have quit issuing new drivers' licenses to haul hazardous materials because they don't have systems in place to carry out federal antiterrorism legislation that requires criminal background checks of hazardous material drivers. The result could be serious short-term consequences for shipments of propane, oil, and gas, according to the report.

On the other hand, the law firm said there are indications some segments of the industry are returning to preSept. 11 "normalcy, if not outright complacency." Maritime patrols off the Indian Point 2 nuclear plant have ended, it said, even though nuclear power plants and spent fuel are especially attractive targets.

The National Guard has been deployed to guard nuclear plants in some states, but in 2000 and 2001 the Nuclear Regulatory Commission's Operational Response Evaluation documented six major security lapses. With a 2001 budget of just $130,000, Bracewell & Patterson called the NRC evaluation program "woefully underfunded."

Most energy infrastructure could be repaired if damaged by a terrorist attack, but some components are at greater risk and could result in serious harm to the country, the report concluded. Terrorists could cripple the US energy distribution system if they launched a coordinated attack against major pipelines, but the risk for most stretches of the system is low, it said.

Likewise, the electric transmission system, with important exceptions, is not a significant terrorist target. Bottlenecks such as California's often overloaded Path 15, which carries power to and from the US Northwest are "extremely vulnerable, prime targets," according to the report. Likewise, the primary transmission line linking Minneapolis and Chicago through Central Wisconsin is frequently overwhelmed and, if attacked, could black out a large segment of the country.

Depending on the fuel electric power plants use, they could be at "great risk" because the plants are usually located near urban areas and because they could produce a serious blast or chemical plume, according to the report. The US government has closed traffic lanes and otherwise limited access to many federal dams and hydroelectric plants, which the reports called a special case.

Not only do these massive dams offer the potential of disrupting power generation, they also expose people downstream to potential flooding and most are lightly guarded. The design of the facilities, coupled with security aimed at vandals and thieves, not sophisticated terrorists, "leaves many of these plants vulnerable," said Bracewell & Patterson.

Long distance terrorism
Under the current threat scenario, the report said a terrorist operating out of the Mideast could take entire power grids off line or disrupt a refinery with almost no threat to his physical security and little chance of detection. Experts have raised serious concerns that widespread use of supervisory control and data acquisition (SCADA) systems could make the energy industry vulnerable to cyberterrorism, Bracewell & Patterson said.

US companies have detected efforts to break into these systems. In response, the Electric Power Research Institute and the Department of Energy have begun a joint program to assess the California Independent System Operator's vulnerability, according to the report.

With so much at stake, the report concluded the private sector doesn't have the wherewithal or the experience to take complete responsibility for ensuring the security of all energy infrastructure that is potentially at risk to terrorism. It advocated an increase in the Department of Energy's critical infrastructure security budget.

In fiscal 2001, the DOE's security budget totaled $45.3 million but $32.3 million was targeted at protecting federal facilities. Only $13 million was targeted to assisting the private energy sector with just $1.7 million intended for system protection and $600,000 budgeted to monitor intrusions and responses.

"No one can reasonably expect any one company or set of companies to secure a major US port or guard a nuclear facility from an air assault," it said. "Nor can we expect these private actors to be able to build the necessary infrastructure redundancies into the system without the active support of the government."

The law firm also advocated addressing the "looming liability" that can potentially subject companies to new claims. Noting many energy companies are already experiencing difficulties obtaining insurance, it said "steps need to be taken to ensure the insurance industry can and will continue to provide the necessary coverage."