Interview with Michael Schmidt, Head of Company Security, RWE Aktiengesellschaft Essen
RWE is one of the five leading electricity and gas suppliers in Europe. The concern is active in power generation, energy trade as well as the transport and sale of electricity and gas. Over 70,000 employees supply more than 16 million customers with electricity and around 8 million customers with gas. In the 2010 business year, RWE achieved a turnover of around € 53 billion. Our scientific editor Heiner Jerofsky spoke with the Head of Company Security, Michael Schmidt, about the importance of his area of responsibility as well as about security objectives and strategies, and his personal opinion of the situation.
Could you explain the Company Security division to our readers, its prime tasks and role within the worldwide concern?
Michael Schmidt: The spectrum of company security is broad. Starting with a risk analysis, we take on responsibility for strategic aspects like object protection, event protection, personal and information protection, but also travel security, forensics and cyberforensics, crisis management, Business Continuity management and Security Regulatory Affairs belong to the essential tasks of company security. The strategy provides the framework and the guidelines and builds the corresponding processes. Security compliance audits then close the control loop. The company security is established within RWE, and its importance has been confirmed many times in previous years. The responsibilities mentioned before were discussed together with the various companies within the concern, and interfaces and reporting channels with the Security Division agreed upon. Company Security is always there operatively, for example, for forensics, emergency exercises and individual subjects (such as evacuation of the DEA employees in North Africa) when multiple concern companies are affected or if there is an unusual situation. Through the speed of modern-day communications (internet, Twitter etc.) we have found that the big problems or questions always land at group headquarters. The Company Security division is located in the Group Center of RWE AG, and I report from there to the Personnel Director.
The Corporate Governance of RWE dictates that I am also technically responsible within a specified framework for the subject within the group companies. Company Security - as a higher-ranking, controlling organizational unit - consists of experts for the various areas of expertise. There is one ‘single point of contact’ Security Manager in each group company who looks after the operative implementation. Besides that there is a ‘Security Services’ division within RWE Service GmbH in which the operative services are bundled. I am also joint divisional Head in order to guarantee uniform management. That means: "What I strategically plan, I must also operatively implement". With this degree of realization in this way we get close to the so-called Business Enabler.
How complex are the security requirements of an energy provider in fact?
Michael Schmidt: If you just consider electricity as something natural that comes out of the socket then power supply looks very simple. If you look behind the scenes, however, you see very complex, partially inter-networked structures. From the security point of view, there are central administration buildings with many employees and decision-makers. There are technical control centers and also ‘trading floors’. On the generation side there is a portfolio of large fossil power stations that are permanently manned and smaller installations, such as those for renewable energy sources, where as a rule there are no employees on site. In front of the large fossil power stations are the supply lines of the energy carriers or, in the case of RWE, our own coal mining. RWE operates the only crude oil drilling and pumping rig in Germany. By comparison, the distribution of electricity demands a completely decentralized structure. There are only very few permanently manned locations, a multiplicity of switching stations at different voltages (transformer stations, local network stations etc.) and lots of lines and masts in between them. I could continue the list indefinitely and would not even start to relate our activities abroad. The message here is: you have to understand the physical and commercial sides of the business and set priorities on the basis of an integrated total security concept, otherwise there is a real danger that you end up just spinning your wheels.
What particular objectives and strategies do you and your employees follow primarily and how high is the damage for your concern that arises from criminal activity?
Michael Schmidt: We have defined six significant strategic measures:
- Security framework: finalizing guidelines, structures and processes.
- Object protection: clustering of objects according to minimum standards, an inventory of the current situation, identifying target vs. actual deviations, (re)equipping of objects according to priorities, setting technical standards and introducing standards into the purchasing processes.
- Information protection: establishing media and technology-wide information protection. Company security took over strategic IT security from the IT division over two years ago and the merger has paid off.
- Crisis management: improvement of organization, equipment, interfaces and exercise situations. The evacuation of employees in North Africa at the beginning of the year showed how important a functional crisis management team can be.
- Travel security: here the company security division is needed as the point of contact. The processes have been so automated in the meantime that we are alerted immediately of planned trips to regions or countries that are considered critical and we can initiate any necessary measures.
- Creation of security awareness: after establishing them with company management, we are now trying to anchor security matters more with the employees. The recently completed reworking of our Intranet to a security portal is just the first step in this.
To answer the second part of your question: our company-wide reporting channel system for suspicious activity is now running into the third year and is becoming ever better accepted. Here the forensics division works hand-in-hand with the authorities. Current weak spots are the theft of materials, copper theft above all, spurred on by the price rise in recent years. The swaying of public opinion against the ‘atomic concerns’ has also led to an increase in crime, such as damage to our property, but in individual cases also directed at our employees. Energy suppliers continue to be a hot discussion topic and a target of the extreme political left-wing.
According to security experts, energy suppliers must fulfill particularly high standards for the protection of their employees and systems. Attacks and interruptions to the gas or electricity supply have a significant effect on the whole population, commerce and our prosperity. Could you give our readers a broad overview of your security concept?
Michael Schmidt: You are talking about the subject of critical infrastructure. There are various activities at a political level regarding this and, together with the other large suppliers, we are in contact with the politicians. We work in various committees together and orientate ourselves internally toward recommendations such as the ‘Basic protection concept’. What I view critically, however, is the development of ‘horror scenarios’, in particular with supposed terrorist activities, with the demand that the energy suppliers should now please preventatively configure the entire system to be ‘absolutely safe against all external influences’. Such a networked structure cannot be completely secured; much more to the point is the securing of important switching centers and the provision of recovery capacity. A secure energy supply has always been a legally stipulated task in our industry. Further, corresponding recovery capacity of material and employees has been and is maintained. Whether the components then fail because of an attack or for technical reasons is secondary for the downstream processes of technical recovery. As Security, we assist by providing increased protection of the switching points and systems as well as the protection of materials. Add to this our contribution to crisis management and business continuity management. We are currently looking more closely at possible threats through the networking of telecommunications systems. The discussion about critical infrastructure also highlights the conflict between competitive demands and those of security. If the state requires a higher level of protection, for example through risk scenarios, than the analysis of the suppliers envisages, then the question must be answered of who carries the additional cost. This applies particularly to sections of the networks where the incentive legislation commits the network operators to achieve efficiency targets and improvements. The politico-economic objective is the reduction of transit charges.
Security is a flexible term and is always achieved when nothing happens. The effort associated with preventative measures is therefore difficult to justify, as long as no large losses occur. Could you explain your security philosophy to our readers and also how you manage the balancing act between effective protection measures and affordable costs?
Michael Schmidt: I cannot confirm a sudden crisis either for RWE or during my time at Deutsche Post World Net. Here, as there, there is definite recognition by the entire Board of Management of the need for functional security to protect employees and materials as well as immaterial assets. Naturally there are conflicts over the distribution of internal resources that you have to deal with. To survive here it is always necessary to get a picture of the type and scale of fraudulent activity. One really needs ‘real time information’ and, to be taken seriously, one cannot draw on global threat scenarios. One also needs the same transparency with regard to the resources and investments for security. The necessity, synergy potential, bundling effect, technology or personnel requirement as well as make-or-buy decisions must be permanently questioned. Benchmarking and market comparisons should not be foreign to a security division. RWE is currently in the situation that the most varied solutions are being used in the very historically developed constitution, in particular in object protection. But through centralized Company Security, that has only existed in this form for a few years, we are able today to drive standardization forward together with the group companies. In this way it is possible to improve the level of protection and also the cost situation. Naturally these are trade-off options that at some point will reach their end.
The atomic power stations, right up until their demolition, all other power stations and systems but also the electricity and gas networks must be well protected against terrorist and criminal attacks. How do the security personnel operate and what particular qualifications do you demand from your security personnel in such important positions?
Michael Schmidt: Nuclear legislation applies to the atomic power stations and the state monitoring authorities have very explicit requirements here. It is incidentally a very competent and beneficial security partnership in which we discuss the subject, and not just since the events of 11 September. With electricity and gas networks there are ‘interstates’, ‘highways’, ‘urban’ and ‘rural’ roads. RWE has not operated gas ‘interstates’ in Germany, and together with our ex-subsidiary Thyssengas went the ‘highways’. The electricity ‘interstates’ are grouped with Amprion, in which RWE holds a 25.1 percent stake. We also don’t lose the subject of security from our focus here either.
A great deal of technical effort is required to protect all the systems. Which technologies for control centers, perimeter protection, access control and video surveillance have in your opinion proven themselves in practice for a concern of your size?
Michael Schmidt: I would not like to talk here about individual technological aspects; that would go too far in this context. In general we lay down the specifications for, amongst others, alarm systems, video and access control systems for company security by putting the products into the electronic buyer’s catalog. The companies within the concern then use this service and we thereby ensure the compatibility of the security systems that are used. One major recent aspect was the further development of the Service Card, the RWE employee ID card. The chip-based version that we used before had some weak points and was hacked so a concept for a new development on the basis of best practice had to be generated immediately. The resultant White Paper, that was published in trade magazines and also issued at various conferences, initiated new developments from the manufacturers in the direction of the requirements we described. RWE developed the necessary software together with another DAX company. As a result, we intend to establish the approach as a standard of the International Organization for Standardization (ISO). It’s quite a novelty that a customer shows the way to his suppliers! Of course, we’re always open to technical improvements such as thermal cameras, biometric systems or drones that we sometimes use or want to use. But despite a love of security technology, we mustn’t lose sight of the overall process. The video camera alone doesn’t improve the level of protection, leaving the pure deterrent factor aside. Behind the camera there is a whole chain of effects, starting with the connection back to a constantly manned location, the correct recognition and evaluation of events up to appropriate intervention and restoration to the original state. We have to keep the whole thing in mind and we need trained security staff for that.
Supply companies are moving in a rapidly changing market. As well as the opportunities, risks must also increasingly be taken into account because the security situation changes daily and can very quickly become a dangerous company crisis. What fundamental measures have you taken in crisis management to be able to react to such critical developments and have your plans and approaches changed since the atomic accident in Japan?
Michael Schmidt: Our concept is built on stability and reliability. Our motto "Act, don’t react" bans any form of impulsive moves to the past. The atomic accident in Japan has led to a whole palette of measures like no other event. As you know, there were some ‘stress tests’ afterwards that also included security checks. Apart from that, we never rest on our laurels and we successively improve our crisis management. So we work together with federal offices, in security partnerships, through dialog in security associations, with exercises like Lükex. We have gained valuable knowledge through the evacuation of our employees from Egypt and Libya. One of the next challenges will be re-entry into Libya, when the situation there is more stable.
Our readers are experts, users and manufacturers from all industries and many locations who try to solve security problems using organization, technology and personnel. How do you manage to continuously evaluate the specific situation and endangerment of individual installations and what are the current main security priorities?
Michael Schmidt: Because of the large number of objects, the clusters and the corresponding security requirements are well defined. The most important element was to anchor the budget for the security aspects into the currently running processes. Everyone will always sympathize with recommendations to improve security, but what is the use of that if no money is there. Apart from that, we have a specialist department that comprehensively and competently handles the subject of security equipment. The team watch the market very closely and are therefore always up-to-date. Together with the evaluation group in my division, we always have our ears to the ground for situation and danger analyses and can promptly recognize and solve any security issues.
The cooperation with various different government security agencies is both necessary and important for many objects and tasks. How important are information, assessments and situation appraisals from these sources and what information and specialists do you include in each relevant regional situation appraisal?
Michael Schmidt: Very important! We generally carry out our own regular open-source analysis; for this we draw in particular on the know-how of the Security Managers of all RWE group companies and that of the government agencies and associations (ASW, VSW, ACFE, ASIS, BDI AFS, BKA GP Initiative etc). With regard to travel security we use the resources of a provider of country analyses.
How do you consider the general security situation for such large companies in Europe and worldwide to be?
Michael Schmidt: The general security situation is getting more difficult internationally. Energy supply has, apart from just the market requirements, ever more national and social components. The provision of inexpensive energy is a highly critical matter for the stability of many countries. Of course, this criticality is known by those that want to undermine some state regimes and thereby the internationally active energy suppliers inevitably drop into focus. Added to that comes the problem of internationally organized crime while state security structures are not being globalized. My personal wish is therefore the energetic construction of security authorities that operate at a European and international level. For Germany, however, I can only praise the approach of the security authorities to industry. We are on the right path here.