Crucial To Deployment

Ethernet switch technology plays key role in NERC CIP perimeter security requirements

Common sense—and the North American Electric Reliability Council’s cyber security standards (NERC CIP) for North America—suggests that security in power stations is of utmost importance. With the growth of IP-based network applications throughout the power industry, power plants have increased their ability to control and monitor both central utility operations and remote installations. NERC identifies security concerns and lists out a set of requirements for minimum security in the industry.

Physical security, as defined by NERC CIP, has an IP component to it. The standards-based flexibility of IP-compatible products provides the bestknown solution for the security and surveillance of power plants.

At one nuclear power plant, thermal imaging infrared cameras are installed around the physical perimeter of the facility to provide state-of-the-art threat detection and assessment capability. The plant is protected by a FLIR thermal fence, which provides a full-integrated perimeter alert system.

The perimeter protection solution incorporates both thermal security cameras and the FLIR sensors manager control and management software to create a full virtual fence solution, capable of protecting critical infrastructure sites.

Underlying Network Support

In order to connect the virtual fence with staff in the plant and at central operations, Ethernet switches that can operate reliably under the harsh conditions at the plant were required. Because the perimeter security is integrated with a single ring-based network within the facility, which is required to securely manage a variety of functions, the switches need a variety of port types to support various equipment requirements.

Externally located switches that connect to components of the thermal fence needed to be hardened to withstand harsh temperatures (-40 to 85 degrees C). In addition, they needed to be outfitted with sealed cases that would protect against rain, dirt and other contaminants. While some designers attempt to use commercial switches with elaborate protection schemes or dramatically reduced MTBF expectations, industrially hardened switches—in this case, Magnum 6K field switches—solve the problem with a sealed, convectioncooled model that features an advanced thermal design that allows the case to serve as a heat sink.

Magnum switches offer unique portconfiguration capabilities that provide the highest level of flexibility in specifying port types. The outdoor units are specified with a number of managed PoE ports that enable both data and power to run over a single cable to support the cameras.

Video Data Management

Managing a high volume of security data from the videos requires sophisticated data management capabilities, such as IGMP Snooping and IGMP-L2, because of the high bandwidth requirements of a video surveillance system. For efficiency, it is important to develop a way to selectively manage IP video multicast traffic. The common approach uses the standard Internet Group Management Protocol (IGMP), which requires routers in addition to switches. GarrettCom’s IGMP-L2 is a switchbased system that simplifies the network and eliminates wasted bandwidth consumption while still permitting large numbers of multicast data streams to be efficiently handled with video feeds delivered to suit each viewing user’s needs.

Ring Topology

The switches are organized into interlocking ring configurations that provide rapid fault recovery to meet the plant’s needs for highest reliability. The switches offer fast link recovery using RSTP-2004.

The network topology requires a full range of fiber and copper port options, as well as a variety of bandwidths. Switch capabilities range from server room switches with up to 32 ports and gigabit bandwidth support for fiber backbones to smaller field switches that can support connectivity to the security system components and intelligent electronic devices (IED) within the plant. VLANs are used to provide secure communication tunnels. Secure switch management software can provide an extra level of reliability including functionality, such as SSH and SSL access, Secure FTP connections for large file transfers, software downloads, configuration files, scripts, support for up to 256 VLANs, Modbus protocol support over TCP/IP, TACACS and RADIUS server authentication, and the ability to have external events (Syslog) put into the switch’s Event Log to correlate with local security events.

The use of IP for power utility perimeter security—and, in fact, for all utility networking—adds a new level of flexibility and bandwidth. Although there is concern among some in the industry that IP provides a new level of risk of cyber attack, it is clear that even NERC recognizes that the benefits of the increased functionality outweigh the concerns. Careful and insightful development of security infrastructure can provide security systems that are not only effective today but are futureproof and scalable to meet future needs.

This article originally appeared in the March 2012 issue of Security Today.

Featured

  • Pragmatism, Productivity, and the Push for Accountability in 2025-2026

    Every year, the security industry debates whether artificial intelligence is a disruption, an enabler, or a distraction. By 2025, that conversation matured, where AI became a working dimension in physical identity and access management (PIAM) programs. Observations from 2025 highlight this turning point in AI’s role in access control and define how security leaders are being distinguished based on how they apply it. Read Now

  • Report: Cyber Attackers Continue to Turn to AI-Based Tools to Avoid Detection

    Comcast Business recently released its 2025 Cybersecurity Threat Report, a comprehensive analysis of 34.6 billion cybersecurity events detected between June 1,2024 and May 31, 2025. Now in its third year, the report offers business leaders a unique perspective into the evolving threat landscape and provides actionable insights to help organizations strengthen their defenses and align cybersecurity with business risk. Read Now

  • Axis Communications Creates AI-powered Video Surveillance Orchestra

    What if cameras could not only see the world, but interpret it—and respond like orchestra musicians reading sheet music: instantly, precisely, and in perfect harmony? That’s what global network technology leader Axis Communications set to find out. Read Now

  • Just as Expected

    GSX produced a wonderful tradeshow earlier this week. Monday was surprisingly strong in the morning, and the afternoon wasn’t bad at all. That’s Monday’s results and asking attendees to travel on Sunday. Just a quick hint, no one wants to give up their weekend to travel and set up an exhibit booth. I’m just saying. Read Now

    • Industry Events
    • GSX
  • NOLA: The Crescent City

    Twenty years later we finds ourselves in New Orleans. Twenty years ago the aftermath of Hurricane Katrina forced exhibitors and attendees to look elsewhere for tradeshow floor space. Read Now

    • Industry Events
    • GSX

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.