Crucial To Deployment

Ethernet switch technology plays key role in NERC CIP perimeter security requirements

Common sense—and the North American Electric Reliability Council’s cyber security standards (NERC CIP) for North America—suggests that security in power stations is of utmost importance. With the growth of IP-based network applications throughout the power industry, power plants have increased their ability to control and monitor both central utility operations and remote installations. NERC identifies security concerns and lists out a set of requirements for minimum security in the industry.

Physical security, as defined by NERC CIP, has an IP component to it. The standards-based flexibility of IP-compatible products provides the bestknown solution for the security and surveillance of power plants.

At one nuclear power plant, thermal imaging infrared cameras are installed around the physical perimeter of the facility to provide state-of-the-art threat detection and assessment capability. The plant is protected by a FLIR thermal fence, which provides a full-integrated perimeter alert system.

The perimeter protection solution incorporates both thermal security cameras and the FLIR sensors manager control and management software to create a full virtual fence solution, capable of protecting critical infrastructure sites.

Underlying Network Support

In order to connect the virtual fence with staff in the plant and at central operations, Ethernet switches that can operate reliably under the harsh conditions at the plant were required. Because the perimeter security is integrated with a single ring-based network within the facility, which is required to securely manage a variety of functions, the switches need a variety of port types to support various equipment requirements.

Externally located switches that connect to components of the thermal fence needed to be hardened to withstand harsh temperatures (-40 to 85 degrees C). In addition, they needed to be outfitted with sealed cases that would protect against rain, dirt and other contaminants. While some designers attempt to use commercial switches with elaborate protection schemes or dramatically reduced MTBF expectations, industrially hardened switches—in this case, Magnum 6K field switches—solve the problem with a sealed, convectioncooled model that features an advanced thermal design that allows the case to serve as a heat sink.

Magnum switches offer unique portconfiguration capabilities that provide the highest level of flexibility in specifying port types. The outdoor units are specified with a number of managed PoE ports that enable both data and power to run over a single cable to support the cameras.

Video Data Management

Managing a high volume of security data from the videos requires sophisticated data management capabilities, such as IGMP Snooping and IGMP-L2, because of the high bandwidth requirements of a video surveillance system. For efficiency, it is important to develop a way to selectively manage IP video multicast traffic. The common approach uses the standard Internet Group Management Protocol (IGMP), which requires routers in addition to switches. GarrettCom’s IGMP-L2 is a switchbased system that simplifies the network and eliminates wasted bandwidth consumption while still permitting large numbers of multicast data streams to be efficiently handled with video feeds delivered to suit each viewing user’s needs.

Ring Topology

The switches are organized into interlocking ring configurations that provide rapid fault recovery to meet the plant’s needs for highest reliability. The switches offer fast link recovery using RSTP-2004.

The network topology requires a full range of fiber and copper port options, as well as a variety of bandwidths. Switch capabilities range from server room switches with up to 32 ports and gigabit bandwidth support for fiber backbones to smaller field switches that can support connectivity to the security system components and intelligent electronic devices (IED) within the plant. VLANs are used to provide secure communication tunnels. Secure switch management software can provide an extra level of reliability including functionality, such as SSH and SSL access, Secure FTP connections for large file transfers, software downloads, configuration files, scripts, support for up to 256 VLANs, Modbus protocol support over TCP/IP, TACACS and RADIUS server authentication, and the ability to have external events (Syslog) put into the switch’s Event Log to correlate with local security events.

The use of IP for power utility perimeter security—and, in fact, for all utility networking—adds a new level of flexibility and bandwidth. Although there is concern among some in the industry that IP provides a new level of risk of cyber attack, it is clear that even NERC recognizes that the benefits of the increased functionality outweigh the concerns. Careful and insightful development of security infrastructure can provide security systems that are not only effective today but are futureproof and scalable to meet future needs.

This article originally appeared in the March 2012 issue of Security Today.

Featured

  • Cloud Adoption Gives Way to Hybrid Deployments

    Cloud adoption is growing at an astonishing rate, with Gartner forecasting that worldwide public cloud end-user spending will approach $600 billion by the end of this year—an increase of more than 21% over 2022. McKinsey believes that number could eclipse $1 trillion by the end of the decade, further underscoring the industry’s exponential growth. Read Now

  • AI on the Edge

    Discussions about the merits (or misgivings) around AI (artificial intelligence) are everywhere. In fact, you’d be hard-pressed to find an article or product literature without mention of it in our industry. If you’re not using AI by now in some capacity, congratulations may be in order since most people are using it in some form daily even without realizing it. Read Now

  • Securing the Future

    In an increasingly turbulent world, chief security officers (CSOs) are facing a multitude of challenges that threaten the stability of businesses worldwide. Read Now

    • Guard Services
  • Security Entrances Move to Center Stage

    Most organizations want to show a friendly face to the public. In today’s world, however, the need to keep people safe and secure has become a prime directive when designing and building facilities of all kinds. Fortunately, there is no need to construct a fortress-like entry that provides that high level of security. Today’s secured entry solutions make it possible to create a welcoming, attractive look and feel at the entry without compromising security. It is for this reason that security entrances have moved to the mainstream. Read Now

Featured Cybersecurity

New Products

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3