NERC Training/CIPC Webinar - Physical...

Security Management at Capital Power

Ross Johnson, CPP
Senior Manager, Security & Contingency Planning

Capital Power

Capital Power (CPX:TSX) is a growth-oriented North American power producer headquartered in Edmonton, Alberta. The company develops, acquires, operates and optimizes power generation from a variety of energy sources.

Capital Power owns more than 3,600 megawatts of power generation capacity at 15 facilities* across North America.

An additional 595 megawatts of owned generation capacity (including the Shepard Energy Centre) is under construction or in advanced development.

*As of December 2012. Excludes the 5-MW Clover Bar Landfill Gas plant.

Capital Power Generation Portfolio*

*Excludes the 5-MW Clover Bar Landfill Gas plant

Security & Contingency Planning

Senior Manager, Security & Contingency Planning

• Senior Advisor, Physical Security
• Forensic Investigations Specialist
• Senior Advisor, Contingency Planning (20%)
• Security Administrator
• Security Guard Force (11 people)

Security Management Program Elements

1. Security Management Program
2. Security Risk Management
3. Information Security Management
4. Personnel Security
5. Physical Security
6. Security Incident Management
7. Contingency Planning
8. Threat Response Planning
9. Evaluation & Review
10. Continuous Improvement

Security Management Program

Vision Statement

To assist the Corporation in maintaining a competitive advantage by providing successful, innovative, and cost-effective security and contingency planning solutions to ensure the protection of our people, assets, and reputation.

Mission Statement

To protect the Corporation’s people, assets and reputation through leadership, technology, and innovation while building an environment that enables the business through consultation, cooperation, honesty and integrity.

How We Will Achieve Our Vision

All solutions produced by Capital Power Security & Contingency Planning will be tested against three questions:

1. Does it meet the security and cost requirements as agreed in advance with the stakeholders?

2. Does it meet the security requirement with the minimum expenditure of money and resources?

3. Does it meet the security requirement with the minimum use of manpower?

A project is not complete until we can answer ‘yes’ to all three questions.

Security Risk Management

• Threat Intelligence
• Public Safety Canada
• Natural Resources Canada
• DHS
• ES-ISAC
• Industry
• Security assessments
• Facility Risk Profile
• Monthly evaluation
• Corporate Hazard Event Risk Profile
• Monthly evaluation

Information Security Management

• Classification and labelling
• Handling
• Training
• Incident reporting and investigation
• Audit, compliance, and disaster recovery

Personnel Security

• Access control
• Employee terminations
• Fraud prevention program
• Governance
• Risk assessment
• Prevention
• Detection
• Investigation & corrective action
• Security awareness

Physical Security

• Minimum physical security guidelines
• Vehicle searches
• Signage standards
• Chain-link fencing standards
• CCTV cameras
• Copper theft prevention
• Guard force management

Facility Type / Access Control

Columns: Fence with Top Guard; Fenceline Intrusion Detection; CCTV/Lighting; Electronic Card Access; Interior Intrusion Detection; Locked Fence Gates with CCTV; Locked Exterior Access Doors; Visitor Management; Background Checks for all Unescorted Personnel; Signage

Marks per row, in column order (empty cells are not shown):

Critical Asset

Manned Power Plant: ● ● ● ● ● During Silent Hours ● ● ●
Unmanned Power Plant: ● ● ● ● ● ● ● ● ● ●
Control Room: ● ● ● ● ● ●
PEECC: ● ● ● ● ● ● ●
Switchyard: ● ● ● ● ● ● ● ● ●

Non-Critical Asset

Thermal Power Plant: ● ● See Note 1. ● During Silent Hours ● ● ●
Wind Facility: ● ● ● ● ●
Solar Facility: ● ● ● ● ●
Control Room: ● ● ● ● ●
PEECC: Optional ● ● ●
Switchyard: ● ● ● ● ●
Office Building/Data Centre: ● ● ● ● ● ●
Construction Site: ● ● ● ● ●

Facility Type / Guards / Regulatory Requirements

Columns (Guards): Fixed Post; Mobile Patrols; SafeWalk Program; Security Shuttle
Columns (Regulatory Requirements): NERC/ARS CIP-001; NERC/ARS CIP-002 to CIP-009

Marks per row, in column order (empty cells are not shown):

Critical Asset

Manned Power Plant: ● ● ● ●
Unmanned Power Plant: ● ● ●
Control Room: ● ● ● ●
PEECC: ● ● ●
Switchyard: ● ● ●

Non-Critical Asset

Control Room: ● ●
PEECC: ●
Thermal Power Plant: ● ●
Switchyard: ● ●
Wind Facility: ● ●
Solar Facility: ● ●
Office Building/Data Centre: Guards may be used if deemed necessary because of local security conditions – Capital Power Security will assist with assessment
Construction Site: ●

Security Incident Management

• Incident reporting
• Investigations
• Workplace violence incident management

Contingency Planning

• Business Continuity Management
• Emergency Response Program
• Crisis Management Planning

Threat Response Planning

• Threat and vulnerability assessment
• Security measures
• Observation plan
• Random security measures
• Response plan
• Communications
• Training and review

Our Next Challenge

Our next challenge is the transition to an enterprise security model, integrating physical, cyber, and industrial control system security

Questions?

Ross Johnson, [email protected] (780) 405-5542

David Godfrey
Security & Facilities Manager

Texas Municipal Power Agency

Texas Municipal Power Agency (TMPA) is a joint action agency created in 1975 by the Texas Legislature to provide reliable electric power in an economically competitive and efficient manner to its four Member Cities.

TMPA owns 470 megawatts of power generation and 11 substations, all within the ERCOT region.

Combined, TMPA owns over 18,800 acres of land, including a reservoir which is open to the public.

Security & Facilities

As in most small organizations, the Security & Facilities Manager wears a multitude of hats:

• Physical Security Manager
• Facilities Manager
• Parks & Recreation Manager
• Public Relations Manager
• Communications Manager
• Special Projects Manager

Security Management Elements

1. Physical Security Management
   • Generation
   • Transmission
   • Park
   • All other land holdings
2. Security Risk Management
3. Personnel Security
4. Incident Management
5. Threat Response
6. Security Training

Security Management Goals

• To provide a safe and secure workplace for our employees – People come First.

and

• To protect TMPA’s assets and reputation by assessing all agency assets and providing appropriate security measures that are reliable, effective, and economical.

Security Risk Management

• Threat Intelligence
• Joint Terrorism Task Force (JTTF)
• Local Law Enforcement
• Texas Fusion Center
• DHS
• ERCOT
• ES-ISAC
• Our Employees
• Physical Threat Vulnerability Assessment (TVA)
• Annual and Spot Check Security Evaluations

Personnel Security

• Access Control
• CCTV
• Fraud prevention
• Governance
• Anonymous Hotline
• Prevention
• Investigation & corrective actions up to and including termination
• Security awareness

Physical Security

• Security Policies and Procedures
• Access Control
• CCTV
• Chain-link Fence Standard
• Signage
• Fence Detection Systems
• Law Enforcement Patrol

Security Training

• Yearly Emergency Coordination Exercise (which always includes a security component)
• Periodic security reminders to employees (piggybacking, vigilance, reporting)
• State and Federal Law Enforcement Exercises
• Local Law Enforcement Exercises
• Local Fire Department Exercises

QUESTIONS?

April 16, 2014

VP Western Division of G4S Secure Solutions regional conference

Tri-State’s mission is to provide reliable, cost-based electric energy to our member systems consistent with cooperative principles

Tri-State Generation and Transmission Association is a wholesale power supplier owned by 44 electric cooperatives and public power districts

Serving a population of approximately 1.5 million people

Tri-State wholly or partially owns, or has power purchase agreements, for a number of generating facilities located throughout its four-state service territory

Transmission system

Tri-State owns, operates and maintains a 5,213-mile high-voltage transmission network throughout four states

359 delivery points

250,000-square-mile service territory

Employees

Tri-State employs nearly 1,600 people at offices, power plants and field locations throughout the region

Enterprise security mission

We will be the enterprise-wide resource for Tri-State regarding the protection of people, information, and assets. We will partner with key personnel to plan, deploy, and maintain programs that promote a customer-oriented, results driven security culture to support compliance while promoting a safe and secure work environment.

Enterprise security responsibilities

Security force management

Investigations

Compliance with Tri-State’s NERC cyber security standards program

Compliance with Tri-State’s DHS chemical facility anti-terrorism standards program

Electronic security systems management

Federal agency and law enforcement liaison

Electronic security systems installation

Security vulnerability assessments

Security force management

37 armed G4S CPO officers in 5 locations

Headquarters

Lobby entry

SOC

Area vehicle patrol

3 generation facilities

1 coal mine

1 G4S program manager

Recurring training & testing

Investigations

| Type of Investigation | Department/Position Responsible |
|---|---|
| Assaults & Crimes against persons: Employee/Employee | EMPLOYEE SERVICES |
| Assaults & Crimes against persons: Outside Party/Contractor | ENTERPRISE SECURITY |
| Check Fraud | CASH MANAGEMENT |
| Copyright / Proprietary Information | LEGAL or OUTSIDE LEGAL HELP |
| Disciplinary Investigations for Misconduct | EMPLOYEE SERVICE |
| Due Diligence | BUSINESS UNIT LEADING ACQUISITION |
| EEOC (Equal Employment Opportunity Commission) | EMPLOYEE SERVICES |
| Employee Misconduct | EMPLOYEE SERVICES |
| Environmental Incidents | ENVIRONMENTAL |
| Internet/Email Misuse | IT OPERATIONS |
| Inventory Discrepancies/Unexplained Shrinkage: Inventory | INVENTORY CONTROL MANAGER |
| Inventory Discrepancies/Unexplained Shrinkage: IT | ENTERPRISE SECURITY |
| Mechanical Failures | PLANT MANAGERS |
| Misuse or Abuse of Computer or IT Systems | IT OPERATIONS |
| OSHA Complaint | CORPORATE SAFETY |
| Outages or Switching Errors | RELIABILITY COMPLIANCE, TRANSMISSION SYSTEM OPERATIONS |
| Personnel Security and Background | ENTERPRISE SECURITY and EMPLOYEE SERVICES |
| Regulatory Compliance | CORP. SAFETY, EMPLOYEE SERVICES, ENVIRONMENTAL, LAND RIGHTS, FINANCIAL SERVICES, RELIABILITY COMPLIANCE |
| Sabotage: Cyber | IT OPERATIONS |
| Sabotage: Employee | EMPLOYEE SERVICES |
| Sabotage: Generation or Production | ENTERPRISE SECURITY |
| Sabotage: Reliability | RELIABILITY COMPLIANCE |
| Safety Related Accident | CORPORATE SAFETY |
| Substance Abuse/Fitness for Duty | EMPLOYEE SERVICES |
| Theft: Computer/Laptop | ENTERPRISE SECURITY |
| Theft: Inventory | INVENTORY CONTROL MANAGER |
| Theft: Tri-State Property (by EXTERNAL party) | ENTERPRISE SECURITY |
| Theft: Tri-State Property (by INTERNAL party) | EMPLOYEE SERVICES |
| Travel & P-Card Misuse | EMPLOYEE SERVICES |
| Workers Comp | 3rd PARTY HIRED BY TSGT |

Compliance

Compliance with Tri-State’s NERC cyber security standards & DHS chemical facility anti-terrorism standards programs

Evolving requirements

Documentation

Audits

Initial & ongoing expense

Enterprise-wide awareness

Electronic security systems management

Access Control

Johnson Controls P2000 system

350+ readers in 30+ facilities

Surveillance

ONSSI Ocularis VMS

300+ cameras in 20+ facilities

Axis & VideoIQ – 100% digital IP

Transitioning legacy equipment to Axis 5MP IP

Security operations center

Yearly capital improvements – 20 per year

Security systems technician on staff

Federal agency and law enforcement liaison

Participation locally in:

InfraGard

ASIS

UASI

Quarterly regional contact:

FBI

DHS

State homeland security

Local county sheriff

Local police

Security vulnerability assessments

Recurring written assessments

3 years for priority assets

HQ, BCC & Hangar

Larger power plants

Regional service centers

5 years for others

CT generation facilities

Small service centers

Brief results & recommendations to management

Challenges

Government regulation

NERC CIP

CFATS

Metal theft

Safe and secure environment with budget constraints

Security officer training

Security culture and awareness within business units

Preparing for electric utility security in 2020 and beyond
