RG&E on guard against security threats
RG&E and its sister utility in upstate New York are ahead of the game in terms of infrastructure and computer security, the companies say, though more improvements are in the works.
Rochester Gas and Electric Corp. and New York State Electric and Gas are continuing to install security cameras, some equipped with infrared or digital analytics, at substations and other key facilities.
The companies’ parent, Iberdrola USA, is organizing an internal group to coordinate its response to security threats, working with outside vendors to improve their cybersecurity and working with other companies to improve security on New York’s power grid.
The security enhancements come as the power generation and transmission industry in the United States is facing new security challenges. A story in USA Todayhighlights those challenges and says threats to electric-system physical installations and computer systems are more frequent than most people think.
As part of its report, USA Today published a list of 362 utility security incidents reported to federal authorities from 2011 and 2014.
Eleven of them were in New York, though none involved RG&E or NYSEG. The two companies have 1.25 million electric customers in service territories that stretch from one end of New York to the other.
RG&E, which distributes electricity in Monroe and six other nearby counties, has had several security incidents in recent years that weren’t reflected in the USA Today data.
In 2010, intruders stole a large amount of copper from a used transformer being kept behind a locked fence on the grounds of RG&E’s now-closed Russell Station power plant in Greece. The thieves, who have not been caught, caused an oil spill that contaminated a nearby waterway and necessitated an expensive cleanup.
A software consultant working for RG&E and NYSEG allowed “unauthorized parties” into the companies’ computer system in 2012, exposing customers’ personal information to misuse. There was no evidence any data was taken, though state regulators ordered security improvements.
In 2013, a former Iberdrola USA executive was arrested for breaking into her former employer’s computer system and discouraging people from applying for her old job.
The companies are continuing efforts to avoid incidents like those — or worse.
RG&E and NYSEG officials say they had already begun comprehensive upgrades to both computer and physical security before a significant event that set off alarm bells among utility executives nationwide — an April 2013 sniper attack on a substation in San Jose, California, that caused $15 million in damage.
No one was injured in the early-morning attack, but transformers were damaged and the substation knocked offline. The perpetrators have not been caught and their motive never disclosed, though some utility observers called it a terrorist attack.
That incident caused the Iberdrola USA companies, like others in their industry, to ramp up security measures even more. Iberdrola created an enhanced corporate security group and sped up plans to deploy sophisticated security systems such as infrared cameras and video analytics.
By early 2014, those systems already had helped prevent several hundred incidents at facilities owned by RG&E or NYSEG, spokesman Dan Hucko said. The incidents involved metal thieves or vandals, and were nothing like the California assault, he said a year ago. Iberdrola USA engaged a security consultant to review how key generation and transmission facilities can be better protected from strikes or incursions by terrorists, thieves or vandals.
The company also elevated its IT director, Keri Glitch, to vice president for security, a position with responsibility for guarding against both cyber and physical threats at all of Iberdrola USA’s sites, which include utilities in New York and New England and numerous wind farms and natural gas storage and transmission facilities nationwide.
Glitch was invited to attend the White House Summit on Cybersecurity and Consumer Protection, held at Stanford University in February.
The company moved up the timetable for installing updated security equipment at facilities operated by its three electric utilities — RG&E, NYSEG and Central Maine Power Co.
Iberdrola USA now has two security operations centers that monitor 120 locations using 650 employee ID-card readers, 1,000 cameras and 5,000 alarm points.
Some cameras capture infrared radiation, or heat, allowing them to see people or objects in the absence of visible light. The imaging equipment also can be set to alert operators if equipment such as a substation transformer begins to overheat.
Video camera imagery also is run through analytic software that detects unusual movements — a person walking along a substation fence, say, or a car stopped at the back wall of a building — then zooms in, tracks the movement and sends an alert to the security center.
Hucko said a year ago it had already proved its worth. “Since we’ve installed these advanced systems, we’ve detected and prevented more than 300 incidents in New York alone,” he said.