Utilities are an important element of critical infrastructure and, as such, must be protected to ensure that the daily lives of millions of people continue without disruption. Protecting utilities presents a unique range of challenges, whether one considers the electrical grid or telecommunications networks, the local water supply or oil and gas lines. Security technologies contribute to protecting these diverse components, but it’s not an easy job. We asked this week’s Expert Panel Roundtable: What are the security challenges of protecting utilities?
From the perspective of physical security, utility companies face a distinct set of challenges. As part of a city's critical infrastructure, we must protect and manage them to a level of detail not required in other industries. They keep us safe, warm, hydrated and the lights on. I think their biggest threat is terrorism, natural disasters or accidents as the safety of the public is at risk, the impacts far-reaching. Therefore, the biggest challenge would be ensuring that staff have completed the work assignments necessary to reduce the risk or impact of an incident as there are so many moving parts. To manage this risk, operations invest in inspections and audits to proactively identify and reduce the risk of an incident. Unfortunately, this means companies are dependent on historical data to measure and manage their exposure to risk. A real-time view of physical operations would dramatically reduce the risk.
Utilities require a unique approach when it comes to security, since critical infrastructures such as pipelines, electrical grids and telecommunication networks require the highest degree of uptime. Threats can come from outside (or internal) agents, natural disasters, aged or damaged equipment, even operator fatigue. Regulatory compliance adds an additional layer of rules and risk that requires security to be looked at through a holistic company-wide lens. Additionally, these critical infrastructures are geographically expansive with security concerns covering multiple counties, states and even countries. A well-designed control room and security plan can help monitor the myriad of data points generated by the operational and security environments. By aggregating and visualising this data in an intelligible, digestible format, security stakeholders can quickly assess and respond to those threats and mitigate enormous potential damage.
From theft and unauthorised perimeter intrusions, to potential terrorist activities, utilities must actively prepare for, monitor and respond to a wide range of security events often over vast areas, and in varied weather conditions. And while utilities have always faced threats to their physical infrastructure, threats from cyber-attackers are on the rise. Managing access control rights to ensure that employees, contractors and visitors only have access to authorised areas, while ensuring compliance with strict industry regulations only adds to the complexity. To meet all these challenges, utilities are adopting cybersecure, unified security systems, where video surveillance, access control, license plate recognition, and visitor and identity management can work together with other sensors such as perimeter detection, intrusion, and communications. When all physical security components are managed by the same platform, security personnel have access to a dynamic operating picture of incidents in real-time.
Utilities are not just a business concern; they are a vital part of the national infrastructure and their security is of upmost importance. Both physical, and increasingly cyber-related attacks, are proving to be considerable threats to the security of these vital services. Water, mobile telecoms and solar/wind farms are all examples of networks that are often located outside built-up or secure areas and can be targeted by criminals or other nefarious groups. If an attack takes place, you need to ensure security teams can respond in a timely manner, even in the most remote locations. Equally, false alarms can cause a headache, so excellent remote monitoring and robust engineering of these systems are essential. Another aspect that sometimes gets overlooked is the data element of utilities – the organisations that run these have vast amounts of personal data (including financial) which on an unsecured network could be rich pickings for criminals.
Utilities need a high level of protection at all times as any damage to these services can cause disruption, loss of revenues and loss of life. As such, utilities are especially prone to vehicle attacks. Thus, they need vehicle access control system protection. A favored barricade for utility properties, because of their many remote locations, is a very high-security, shallow-foundation barrier that incorporates a special locking system that prevents terrorists from disabling or dismantling it. The harder a terrorist works at attempting to immobilize this barrier to get a vehicle through, the tighter the unit actually locks up. In such locations, it is kept in the “up” position. The barrier is set in a foundation only 46 cm deep yet will survive and operate after a 5.4 million foot-pound impact. That’s equivalent to a 29,484 kg truck hitting it at 80 kph, protecting against a “second hit” risk.
Utilities face many security challenges including a need to protect geographically dispersed, often unmanned sites. Utilities have long used mechanical keys and combination locks, which provide little security, as keys can be lost or stolen, and combination codes are often shared. A better solution utilises a Bluetooth locking device such as a padlock or lock controller that can only be unlocked with a secure mobile credential on an employee or vendor smartphone. The system can operate even in areas lacking cellular coverage, and all communications between the phone and lock are encrypted. Security is enhanced because mobile keys can’t be shared, and the credential can be revoked or granted anytime by system administrators. Phone biometrics and assigned PIN codes provide another layer of security. System administrators can access a real-time activity log, ensuring job accountability. Additionally, the system can produce audit trails to assist in regulatory compliance.
Entities within the utilities industry must be protected at all costs, as they are essential to a nation’s security, economy, environment, public health and safety. Any threat to compromise or disrupt these public, private and government organizations directly threatens the stability of a nation and its people. However, the industry faces numerous security challenges, including a wide range of threats, such as natural disasters, terrorism and criminal activity. It is also faced with rapidly expanding demands to respond immediately to incidents at remote or vast facilities, often with limited funding and skilled staff. Utilities that continually leverage a unified command and control platform for information collection and analysis are achieving greater situation management and are able to respond more effectively to incidents. It’s also important to recognise the significant regulatory requirements for utilities and the need for quick, efficient and comprehensive forensic investigation and reporting.
Like most, utilities face challenges in securing against both physical and cyber-threats. With regard to physical security, the challenges range from protecting the critical infrastructure and assets against terrorism and natural disaster, or even human error and mechanical failures. As well, there are a number of challenges in ensuring communications and data are protected against insider and external threat from hackers. While the use of technology plays a significant role in the tools that are used to mitigate risks and help address the challenges of being aware of what is happening in and around the utilities landscape, the human factor remains top of the list in making sure the technology is both implemented and used correctly in order to maximize the benefit through situation awareness and real-time response to an incident.
It is normal for us all to have high expectations when it comes to our utilities. Lights should always turn on when we flip the switch, clear water to run when we turn on the sink, and our smartphones always have a signal. For most Americans, these utilities are very reliable, and we expect them to work 100% of the time. Our utilities are part of our critical infrastructure, which means they need to maintain reliability for our lives to be uninterrupted. To protect this infrastructure multiple layers of defense are required. One important challenge is staying ahead of the cyber-threats and understanding the tactics, techniques, and procedures of threat actors. Implementation of cybersecurity best practices, training, testing of training, log management, and reporting on controls day in and day out are just a few examples of what it takes to stay ahead of cyber-threats.
Utilities encompass production, distribution and security around external threats and internal emergencies. Protecting utilities such as water, electricity, oil and gas, or communication means addressing all four of these areas. Production facility systems have to be aware of dangerous internal changes — overheating, over pressure, current spikes — or emergency events like explosions, leaks, and fires. From an external threat perspective, security systems have to secure a perimeter, secure sensitive locations and processes, and send alerts if a breach or suspicious behavior occurs. The utility distribution arena has different security needs. These facilities face internal threats including pipe leaks, power line damage, fires, as well as the external threats of sabotage or theft. Both product and distribution facilities need personnel mustering, evacuation and situational awareness across large areas in the event of an emergency. These measures have to locate, define and alert personnel to danger, providing information to get people to safety.
Utility substations typically face critical challenges ranging from theft, vandalism and the threat of terrorist events to compliance regulations from the National Electrical Reliability Commission (NERC) and Critical Infrastructure Protection (CIP) programme. Additionally, utility security leaders and their site managers face a daunting task of balancing compliance regulations, integration hurdles, and decisions on deploying technology––all while having to work within budget constraints. It is imperative that security vendors who pursue the utility vertical listen carefully to the voice of the customer. Helping to ease the pain of the budget constraint is an essential business best practice. FLIR has developed technology that marries radar and thermal pan-tilt cameras to cover more of the substation footprint for better efficiency. This is particularly effective in remote substation locations. Today’s advanced solutions for securing substations have also become more cost-effective while increasing in performance and overall value.
Utilities present unique challenges for security professionals. This can include compliance with specific standards such as the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) for electrical utilities. These standards specify how electrical utilities are to monitor access points, protect cyber-security assets and monitor the perimeter. Other utilities may have similar regulations with which to comply. Depending on the type of utility, the perimeters can be large and may be in remote areas where network bandwidth may be limited. Efficient codecs such as Wisestream II and H.265 can be used to transmit high quality images over 4G or LTE connections while minimising infrastructure costs. Thermal cameras provide excellent long-distance perimeter coverage, especially in low light conditions. Multi-sensor cameras cover larger areas using a single PoE connection. The ability for security systems to automatically hand-off positional data to long-range, vari-focal infrared PTZ cameras with auto-tracking can deliver usable video at distances of 1600 feet, even at 0 LUX.