With a sound policy in hand, utilities can ensure that they provide appropriate access to their various facilities.
Perhaps no other industry has access control challenges as diverse as those utilities face. Challenges range from protecting downtown administrative facilities to securing remote electric generating stations and massive dams. To meet these challenges, a utility security manager must first establish sound corporate policies. Management at the Salt River Project (SRP), a water and electricity utility with which the author is associated, took a critical step in establishing a meaningful security policy in late 1998 by initiating a study to assess the vulnerability of its infrastructure. SRP found that the methods employed to ensure physical security (electronic access control and contract security) were adequate; however, the company's employees, both in the security services department and in the general population, needed a more structured policy so that individual access problems could be addressed. For example, there were problems with employees' use of ID cards, the movement of visitors and vendors, and variation in security practices among facilities.
SRP crafted a facility security policy that communicated executive management's policies to the employee population. Specifically, SRP made it a requirement for all facilities to use ID badges and for all employees to wear these badges at all times. SRP established another policy that required visitors and vendors to be escorted at all times by employees, as opposed to roaming free through the facilities. A final policy standardized security procedures used by the various facilities.
The following overview examines utility security issues as they apply to the industry at large, with examples of how SRP has addressed these concerns at its own facilities.
The utility security manager must coordinate protection for three types of facilities: administrative facilities; operational facilities, which include generation, service, and transmission facilities; and distribution facilities used to provide the product to the end user.
Administrative. Administrative buildings must be protected because they usually house such support divisions as executive offices, financial centers, data systems centers, human resources, and customer service centers. Factors in the security equation include whether the corporation occupies one building or several, whether the building is shared by multiple tenants, whether multiple buildings are occupied in a campus setting, and whether there are parking lot or parking structure problems.
Customers should always be separated from the work force for various reasons, including the prevention of workplace violence and espionage. For that reason, access control administration becomes much easier if administrative business units are physically segregated into two groups, as is done at SRP. Employees who regularly deal with customers and visitors should occupy one area of the facility, with all other staff occupying other areas.
SRP makes sure that areas of a facility that customers and visitors regularly occupy have public entrances, so that those customers and visitors needn't move through production areas to reach the customer service department. Alternatively, all departments with customer contact might be placed in a separate building.
Access to the other areas of the administrative function must also be considered. Many specialized areas such as executive offices, computer rooms, communication rooms, money handling areas, and specialized marketing offices present special challenges. Access privileges should be given only to individuals who work in those offices.
Most security managers understand why access should be restricted in executive areas, computer rooms, and cash vaults, but less obvious areas such as marketing offices deserve consideration as well. …