On any given Sunday, Jeff Triplette dons a "zebra suit" to work as a referee in the National Football League. But keeping 350-pound linemen under control is easy compared with his day job: Triplette also serves as vice-president for risk management at Duke Energy Corp. (DUK). The Charlotte (N.C.) energy giant owns and operates dozens of power plants in the U.S., Canada, Mexico, and Asia -- including three nuclear plants in the Carolinas. In the U.S., Duke's natural-gas operations include more than 18,200 miles of pipelines and 250 billion cubic feet of storage capacity. Triplette's task is to ensure that such juicy targets -- as well as Duke Energy's 25,000 employees -- stay safe and sound.
He had to think about all these things before September 11, 2001. But he has to think about them a lot harder since, as fears have grown that terrorists might one day target the nation's energy and transportation infrastructure. Duke already is spending a modest (considering its $18 billion in annual revenue) $5 million to $6 million per year on such things as improved security for its computer systems, more guards at certain facilities, and a new crisis control center for the entire company.
Triplette has also installed risk-assessment software that helps Duke discover what areas require extra attention and upgrading. "We've put systems in place to make sure we can protect the facilities and the public," Triplette says. "I'm not going to say that it's fail-safe. But we have taken every measure that's reasonably possible to deal with these situations."
TARGETED SPENDING. Duke's approach is about par for the course in protecting so-called critical infrastructure against the threat of terrorist attack. Across a wide range of industries, from telecom to state and municipal water systems to power plants, pipelines, and chemical plants, companies have reacted to September 11 with measured steps aimed at maximizing the amount of extra security they get for the money they spend. "We don't have the resources to protect every potential target or eliminate every potential vulnerability," says K. Jack Riley, director of the public-safety program at think tank RAND Corp. "So we need to use our resources on the things that pose the greatest risk and the targets that are the most vulnerable."
By and large, this has meant a lot of old-fashioned legwork, heaps of new cooperation between government agencies and the private sector, and a helping of new technology. Many details of infrastructure protection are classified. However, most analysts believe that America's critical infrastructure is safer to some degree than before the September 11 attacks on New York and Washington, if only because managers are thinking about how to protect it.
Take the telecom sector. To some degree, big phone carriers have beefed up cyber and physical security. Some have even taken extraordinary steps. "They've buried data centers that were previously exposed to make them less susceptible to attack," says Jeff Goldthorp, chief of the network technology division at the Federal Communications Commission's office of engineering. The biggest advocate of change, Goldthorp says, has been a semi-obscure industry body called the Network Reliability & Interoperability Council, or NRIC.
SMOOTHER HANDOFFS. After a series of phone network outages 10 years ago, a group of carriers that included AT&T (T) and Verizon (VZ) formed NRIC. Ever since, they've met periodically to address telecom issues that are best tackled as a group -- such as how to keep service running after a natural disaster. Post-9/11, the 50-member group switched its focus to terrorist attacks and homeland security.
Some of what NRIC has done since then is a no-brainer. The group codified "best practices" for securing cyber assets and physical networks. Best practices means basic standards -- such as steps to ensure that multiple layers of cyber defense protect key data systems. The group also created a streamlined process to allow for network handoffs in case of an emergency.
"Say that something bad happens to a Verizon network, and another carrier can handle the emergency traffic. Now we have a mechanism in place to make that happen much faster and more smoothly," explains Pam Stegora Axberg, a vice-president for network operations at Qwest (Q) and chairperson of the NRIC steering committee. Before, lawyers had to draw up contracts to implement sharing of facilities in case of a disaster.
"ROBUST THREAT." Other pieces of the nation's infrastructure also are getting more scrutiny. The Nuclear Regulatory Commission, which oversees U.S. nuclear power plants, is in the process of putting together more realistic and more regular drills for plant security guards, who have been given better weapons. It's also doing new studies on the survivability of nuclear plants in case of aerial assaults. "It's a more robust threat threshold than existed prior to September 11," says Roy Zimmerman, deputy director of the NRC's Office of Nuclear Reactor Regulation.
Funding has also trickled into agencies that need it the most. The NRC got an extra $30 million in fiscal 2002 to help offset the cost of better security training and testing. The Environmental Protection Agency received $80 million last year and $150 million this year to help enhance homeland security.
Of course, critics continue to argue that the U.S. is spending too little on infrastructure safety -- and that the White House has created too many unfunded mandates that states, cities, and the newly created Homeland Security Dept. must figure out how to fulfill despite a lack of money to do so. They also worry that the mammoth Homeland Security Dept. has too little money to achieve its goals.
PUSHING BACK. Steve Flynn, a senior fellow at the Council on Foreign Relations and an expert in transportation security, points to the Transportation Safety Agency, which he claims received $800 million less than it was promised in 2003. "There are barely the resources to keep the aviation side afloat," he says. "So the TSA has had a difficult time moving into trucks and rail." Moreover, he complains, "virtually all of the money [Homeland Security] is receiving is for operations. It isn't to address any of the serious infrastructure problems the transportation industries face."
Some industries have resisted basic security measures that legislators have tried to make law. The chemical industry has fought against stepped-up security testing at its facilities and inspection regimes to better determine whether they're fulfilling existing mandates. U.S. airlines have also fought efforts to get them to match each bag loaded into the hold on domestic flights to a passenger sitting on the plane. And the White House has proposed a national cyber-security policy that corporate technology experts worry is too modest.
Still, it's clear that government agencies and companies that operate power plants, dams, ports, and planes all are now thinking about where the next 9/11 could occur -- and how to prepare for it. That mindset bodes well for the security of the nation's infrastructure.
By Alex Salkever