Crucial To Deployment

Ethernet switch technology plays key role in NERC CIP perimeter security requirements

Common sense—and the North American Electric Reliability Council’s cyber security standards (NERC CIP) for North America—suggests that security in power stations is of utmost importance. With the growth of IP-based network applications throughout the power industry, power plants have increased their ability to control and monitor both central utility operations and remote installations. NERC identifies security concerns and lists out a set of requirements for minimum security in the industry.

Physical security, as defined by NERC CIP, has an IP component to it. The standards-based flexibility of IP-compatible products provides the bestknown solution for the security and surveillance of power plants.

At one nuclear power plant, thermal imaging infrared cameras are installed around the physical perimeter of the facility to provide state-of-the-art threat detection and assessment capability. The plant is protected by a FLIR thermal fence, which provides a full-integrated perimeter alert system.

The perimeter protection solution incorporates both thermal security cameras and the FLIR sensors manager control and management software to create a full virtual fence solution, capable of protecting critical infrastructure sites.

Underlying Network Support

In order to connect the virtual fence with staff in the plant and at central operations, Ethernet switches that can operate reliably under the harsh conditions at the plant were required. Because the perimeter security is integrated with a single ring-based network within the facility, which is required to securely manage a variety of functions, the switches need a variety of port types to support various equipment requirements.

Externally located switches that connect to components of the thermal fence needed to be hardened to withstand harsh temperatures (-40 to 85 degrees C). In addition, they needed to be outfitted with sealed cases that would protect against rain, dirt and other contaminants. While some designers attempt to use commercial switches with elaborate protection schemes or dramatically reduced MTBF expectations, industrially hardened switches—in this case, Magnum 6K field switches—solve the problem with a sealed, convectioncooled model that features an advanced thermal design that allows the case to serve as a heat sink.

Magnum switches offer unique portconfiguration capabilities that provide the highest level of flexibility in specifying port types. The outdoor units are specified with a number of managed PoE ports that enable both data and power to run over a single cable to support the cameras.

Video Data Management

Managing a high volume of security data from the videos requires sophisticated data management capabilities, such as IGMP Snooping and IGMP-L2, because of the high bandwidth requirements of a video surveillance system. For efficiency, it is important to develop a way to selectively manage IP video multicast traffic. The common approach uses the standard Internet Group Management Protocol (IGMP), which requires routers in addition to switches. GarrettCom’s IGMP-L2 is a switchbased system that simplifies the network and eliminates wasted bandwidth consumption while still permitting large numbers of multicast data streams to be efficiently handled with video feeds delivered to suit each viewing user’s needs.

Ring Topology

The switches are organized into interlocking ring configurations that provide rapid fault recovery to meet the plant’s needs for highest reliability. The switches offer fast link recovery using RSTP-2004.

The network topology requires a full range of fiber and copper port options, as well as a variety of bandwidths. Switch capabilities range from server room switches with up to 32 ports and gigabit bandwidth support for fiber backbones to smaller field switches that can support connectivity to the security system components and intelligent electronic devices (IED) within the plant. VLANs are used to provide secure communication tunnels. Secure switch management software can provide an extra level of reliability including functionality, such as SSH and SSL access, Secure FTP connections for large file transfers, software downloads, configuration files, scripts, support for up to 256 VLANs, Modbus protocol support over TCP/IP, TACACS and RADIUS server authentication, and the ability to have external events (Syslog) put into the switch’s Event Log to correlate with local security events.

The use of IP for power utility perimeter security—and, in fact, for all utility networking—adds a new level of flexibility and bandwidth. Although there is concern among some in the industry that IP provides a new level of risk of cyber attack, it is clear that even NERC recognizes that the benefits of the increased functionality outweigh the concerns. Careful and insightful development of security infrastructure can provide security systems that are not only effective today but are futureproof and scalable to meet future needs.

This article originally appeared in the March 2012 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3