Posted on 16th Jan 2020
We live in an era of boundless innovation, but times have never been more precarious when it comes to security. News of hacks and high-profile data breaches are all too common. According to a Cybersecurity Ventures report, cybercrime is projected to cause more than $6 trillion in damages by 2021 — a number that could swell drastically given the fact that as little as 10 percent of cybercrime is actually reported.
The evolving threatscape isn’t limited to cybersecurity, either. Physical security is a mounting concern, driven by such factors as the precipitous rise in gun violence, the emergence of consumer aerial surveillance drones, and the growing number of new attack vectors created by technologies like the Industrial Internet of Things (IIoT). The global physical security market was pegged at approximately $157 billion in 2018, with expected growth of 9.4 percent by 2025.
For energy utilities, the need for clamped down physical and digital security is uniquely important. The Department of Homeland Security regards the energy sector as one of the most critical infrastructure sectors “whose assets, systems, and networks, whether physical or virtual, are considered so vital…that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
As surging demand forces the energy sector to continue rapidly expanding, operators must take a more proactive stance in safeguarding their facilities – digitally and physically.
Cybersecurity
Energy utilities have become overwhelmingly digital. From access control panels to video surveillance and intrusion detection systems, a substantial portion of power plant infrastructure today can be remotely managed thanks to the emergence of IIoT. Data collected and shared across the various security components thanks to advanced analytics can help utility operators understand real-time operating conditions, historical performance and maintenance requirements, enabling faster and more informed decision making.
But that convenience must be balanced with responsible security management. For many utility companies, the only way to gain meaningful visibility across potentially hundreds of sites is to embrace an integrated single pane of glass monitoring. Integration involves a layered approach to security that encompasses both process and system technology, making systems easier to use and maintain which allows facility managers to focus on other critical operations in the plant. It not only provides a unified window into geographically disparate assets, but also makes it more efficient and cost-effective to maintain software and firmware updates.
A smartly integrated security system is also key for regulatory compliance. The regulatory landscape is becoming more complex as countries continue to pass legislation such as GDPR. By aggregating access control and security data onto a single system, utility operators can more easily demonstrate that their facilities are up to code. With penalties that can quickly spiral into the millions, compliance will only become a more pivotal concern for utilities moving forward.
Physical security
While cyber threats tend to dominate headlines because of their scale, physical security nonetheless remains a pressing need. In this age of remotely-accessible anything and cloud-enabled everything, it’s important to bear in mind that not all security vulnerabilities are external in nature. Without stringent access control policies, an employee can easily introduce malware to the network just by plugging in an infected USB drive. What’s worse, the employee could well be an unwitting accomplice, merely the hapless victim of a skillful hacker. Organizations must remain vigilant in guarding against insider threats and educate their employees on how to avoid being compromised.
Beyond traditional power generation plants, physical security is just as important for renewable energy facilities as well. As the industry shifts toward renewables, the sheer size of a typical solar or wind farm as well as its often remote locations present an immense challenge for renewable energy utilities where standard perimeter protections like high security fencing isn’t always cost efficient.
In fact, the most critical element to fortifying such an enormous perimeter is a monitored security system comprising video surveillance, access control and intrusion technologies with analytic capabilities that can discern between real threats and innocuous events to avoid costly and unnecessary shutdowns. For a PIR detector, there’s little difference between an intruder and a stray ball going over a fence.
Utilities today must also contend with a much wider range of threats than they are accustomed to. It’s no longer just about guarding against intruders on foot; aerial threats must be considered too. Some pioneers in the energy sector have begun incorporating drone technology into their perimeter defense, both as a first-response system as well as a countermeasure to unauthorized drones.
As threats and security technologies evolve, it’ll be important to work with an expert security partner to design an integrated system that is reliable, efficient and prevents downtime.
Moving forward
For many energy companies, there’s no bigger threat than the unknown. When an operator decides to upgrade an existing system or install a new one, the first step should always be to conduct a comprehensive audit process with a security partner. By studying how each individual utility facility operates – taking into account the amount of power it generates – your security partner can pinpoint the facility’s exact security needs and identify opportunities for better processes while ensuring compliance regulations are met. Moreover, while every installation can borrow something from best practices, a security solution should be fully customized.
Perhaps the most common obstacle facing organizations in their journey toward a modernized, integrated security model is the breaking down of longstanding internal team silos. All too often, the IT department is simply unwilling or uninterested in dealing with the security department. That may have been a tenable position in the past; but in order to adequately respond to today’s threats, these groups must come together and work as a team. Even the HR department has a role to play in safeguarding access to vital data and resources.
The energy industry is currently in the midst of one of the fastest growth periods in decades that is driving a greater need for an integrated security system that considers both digital and physical protection. As demand continues to climb, utility operators can no longer wait for something to go wrong before investing in stronger security. The power is, quite literally, in their hands.
About the author: Dave Karsch is the director of regulated markets, Honeywell Commercial Security. He has been with Honeywell for more than a decade, managing security programs to stay ahead of today’s current and next-gen products, and designing solutions for top clients to meet their security and business needs. Specifically, Karsch works to help utility companies understand and fulfill all NERC/CIP compliance issues, and possesses a deep knowledge of CIP-014, which will be discussed in this presentation. He coordinates webinars and presentations to educate the field on these topics, and is active in programs directly with NERC and EPRI.