Safeguarding the Power
Providing protection for some of the nation’s most valuable assets
- By Brittany Lauridsen
- Feb 01, 2016
You are on duty at a large power station when you hear a gunshot
coming from the South side of the facility. This shot triggers your
security systems sniper detection alarm. The camera quickly turns
its focus to the sniper’s location. Once the sniper’s location is
noted, the monitoring center calls local law enforcement with the
information and the threat is mitigated. Without a security system, detrimental
damage could have occurred, leaving thousands of people without power.
IMPORTANCE OF SECURITY IN THE UTILITY MARKET
Recent events have highlighted the necessity for security in order to reduce risks at
a utility facility. An increased threat level or higher probability of hostile actions
towards a facility’s assets, operations, or staff raises a financial risk for a utility
facility along with an increased risk to public safety. An integrated security solution
provides the means to manage potential risks by reducing them to acceptable
levels or removing them completely.
Security in the utility market is being used to provide protection for our nation’s
most valuable assets and to increase the overall detection, assessment, communication,
interdiction, and potentially, neutralization abilities of the utilities against
any threats posed to a critical facility. Common risks and threats include terroristic
activity and copper thefts. Protection is accomplished through a combination of
physical protection barriers, security technology, remote monitoring, manned security
and procedural changes.
To help minimize risk and threat levels of the valuable assets held in these facilities,
mandatory rules and regulations have been put into effect. Rules and regulations
may vary depending on facility and vertical including NERC/CIP compliance
standards, NRC Security Regulations and DHS CFATS. Many services are
offered by security firms to assist in meeting these compliance and regulation standards.
The best defense is a mixture of the following: risk and threat consulting,
man guarding, design and engineering, technology integration and implementation,
procedural development, training and system performance testing.
In addition to mandatory compliance and regulation standards, most utility
facilities strive to work with an experience security organization to put an effective
and reliable security system in place in fear of potential harm to employees and
personnel, a negative impact to the environment and disablement or disruption of
plant/system operations. By enhancing a facility’s security and defensive posture,
the security organization ensures that current threats are mitigated and increased
employee and public safety is accomplished. This type of protection also improves
the public’s perception in local communities around these utility facilities. This
type of investment shows that the utility is putting forth the effort to reduce the
risks to their community by eliminating potential targets for hostile actions.
DETERMINING THE BEST SOLUTION
Utility companies design their security systems around a threat/risk assessment and
regulatory compliance standards. The assessments lay the foundation for what risks
need to be addressed and evaluated to determine what level of security is required to
mitigate those risks while meeting or exceeding the regulatory standards.
Once assessments are completed, the utility company often works with a
systems integrator to design a plan for their facility moving forward based on criticality, accessibility, recoverability, vulnerability, effect and the ability to be
recognized. This plan is often used for corporate security standards across a
utility’s fleet. Standardization of solutions across a fleet provides efficiencies for
security operations for system monitoring, system training, maintenance and
spare inventory of replacement parts.
STEP-BY-STEP DEVELOPMENT
Every security organization has its own detailed implementation plan. An example
of a phased implementation approach when working with a customer to
find a customized solution is as follows:
- Conduct a risk/threat assessment
- Develop a design plan—choose technologies
- Review/test selected products
- Finalize systems/technologies in the design
- Deploy and install the system
- Train and create procedures and system performance testing
The first and most crucial step in this approach is to conduct a risk/threat
assessment. The assessment identifies current and past events that could pose a
threat to the company’s employees, assets, and operations. To complete this phase,
there is a close partnership that needs to be established between various organizations
to ensure that all of the essential information is gathered.
Once the proper information has been collected and the threat has been identified,
the chosen Systems Integrator develops conceptual designs, utilizing various
technologies to provide the adequate protective strategy and measures to mitigate
the threat. During this phase, cameras can be lifted to their potential locations and
screen shots will be taken, showing customers potential fields of view. Cameras are
then laid out on a geospatial map to show areas of coverage.
Before installation occurs of any of the chosen systems, quality assurance tests
are conducted to ensure the products meet the design specifications. All components
are tested according to the design, quality assurance and compliance standards.
After the systems pass the tests they are then finalized in the design space
and factory acceptance tested for system deployment. The system is then installed
into the specified facility and tested again using similar factory acceptance testing
criteria. The final stage of the phased implementation approach is accomplished
by providing training in security operations, IT, engineering, and maintenance,
through the creation of procedures and system performance testing.
UPGRADING AND INSTALLMENTS
As threat levels rise, facilities are increasing their defense by adding additional
rings of security, specifically walls and fences around the perimeter. In addition
to physical barriers placed around facility perimeters, many facilities are increasing
their defense strategies through technologies such as thermal cameras, video
analytics, and intrusion detection systems. The installation of these systems assists
utility facilities in providing increased exterior detection, assessment, communication,
and interdiction.
Securing a facility tends to start from the outside, working inward. It is crucial
to have a secure perimeter in order to protect the assets inside. In order to enhance
facilities physical security systems and defense-in-depth, utility facilities are implementing
visitor/identity management systems, outward looking thermal camera
systems, radar, intrusion detection, gunshot detection, access control systems as
well as PA systems and lighting.
Often times utility facilities will have security systems already in place, but they
are no longer meeting compliance regulations or are simply no longer working
for the task at hand. The most common system upgrades facilities are seeking assistance
with are intrusion detection systems, video management systems, access
control systems, PSIM and cyber security systems.
SECURITY CHALLENGES
In today’s world, there are greater risks
than ever before. Security organizations
are capable of providing the most
cutting-edge and in-depth solutions
on the market but, like most organizations,
utility facilities are faced with
the challenge of budget constraints
and lack of resources. To offset budget
challenges, Utility Facilities can work
with multiple divisions within a facility
including Security, IT, Operations,
Project Development, and many more
to provide a multi-departmental work/
budget share. Enhanced security technology
and systems not only increase
security countermeasures, but can also
provide upgraded IT infrastructure and
operational enhancements for the facility.
By linking the multiple company
divisions, a facility can strategically
upgrade in a single project, rather than
multiple capital expenditures. This creates
a “win-win” strategy for the entire
organization.
Another challenge facilities face is
a lack of understanding government
regulation requirements Compliance
standards and regulation requirements
can have some fuzzy areas and it can
be hard to gauge if a particular rule
applies. Teaming up with a seasoned
security integration team or organization
can be greatly beneficial. Their
knowledge and experience from previous
projects can clear up blurred areas
and help mitigate the chance of misinterpreting
any regulatory requirements.
A NEED FOR INCREASED SECURITY–
REAL-WORLD EXAMPLE
The energy sector’s significance is undeniable
to enhancing the connectivity,
function, and advancement of today’s
modern world. Energy infrastructures
are crucial to maintaining the basic
operations and safety of citizens in
today’s societies. When faced with the
reality of attacks and the potential
for widespread disruption or termination
of energy services for hundreds of
thousands of people, the need to secure
these facilities with multi-layered protections
and lines of defense is drastically
elevated.
This held true for a world leading
energy and utility company. Considering
their broad range of services and
number of customers spread across the
country, the organization required a
comprehensive, multi-layered integrated
physical security system that would
not only provide robust protection for
its services, but would meet all present
and future government mandates
set for the energy and utility industry.
Their customers rely on the power they
provide, so physical security is crucial.
They sought the assistance of an
experienced integrator to design and
implement the necessary upgrades required
to meet NERC CIP regulatory
standards under CIP Version 5 for compliance.
Although their current system
was working, they were aiming to increase
detection and enhance response
time by upgrading technologies and
including thermal cameras. There was
also a necessary shift from the DVR platform to an NVR solution. The
project began with upgrading the existing
access control systems and closed
circuit television systems, with plans to
create a single, centrally monitored and
administered electronic access control
system and video management system
across service territories.
The resulting system designed and
engineered by their chosen integrator
is focused on strengthening reliability
and efficiencies for customers, providing
the highest level of employee safety
and asset protection and maintaining
both companies’ commitment to
leading-edge defense technologies and
services. Within the total integrated
solution, each platform is designed to
manage risks, protect people and valuable
assets, reduce costs, and optimize
the security process, should there ever
been a disaster or attack on any critical
structures or facilities.
In partnership with their integrator,
this energy/utility company is poised to
set a new global standard of innovation,
increasingly responsive protocols,
improved capabilities and operations
in the energy and utility industry. Supported
by the flexible, powerful, multilayered
integrated security platform,
they can face the increasingly high-risk
future of the energy industry with confidence,
remaining committed to quality,
uninterrupted services.
LOOKING TO THE FUTURE
As technology changes on an almost
daily basis, so does the threat. To ensure
a facility is providing an ample level of
protection to negate these ever changing
threats, the security organization must
constantly reassess it security plan.
In the past, the traditional concern
existed around the physical perimeter.
There are ongoing physical protection
system upgrades to meet various compliance
standards and each utility is
implementing the most up-to-date technology
to deter, detect, and delay the
various threats. As mentioned earlier,
these technologies include gunshot detection
systems, acoustic sensors, thermal
cameras with analytic detection envelops
and geospatial mapping systems.
Today the threat of a cyber-attack is
just as real and dangerous as those in
the physical security realm. Utilities are
implementing traditional security measures,
leveraging new technology, and
most importantly treating their digital
infrastructure as an integral part of their
protection strategy. At the same time the
digital assets and technology that drive
the physical security systems are being
incorporated into the overall IT management
with domain integration, antimalware,
hardening, and centralized logging
becoming common place. System
manufacturers are responding to these
changes. Where a security appliance
was previously treated as a “black box,”
now it offers support for anti-malware,
firewalls and other
technologies.
This article originally appeared in the February 2016 issue of Security Today.