A holistic security program is needed for energy and utility systems

In the US and even globally there is an increasing emphasis on improving the cyber security of the systems and components controlling such things as electric substations, control centers, gas pipelines, and the associated Supervisory Control and Data Acquisition (SCADA) systems. As an active observer of this industry for many years I can say that the cyber security of these systems is improving; however, there is a new gap or omission brewing.

We are often asked to perform security assessments for energy and utility companies. As we do work at some customer sites we are continuing to note that the emphasis on cyber is certainly in place; however, the physical security of the infrastructure is being ignored. What we are concluding is a holistic security program is missing at some of these companies.

What do I mean by holistic? Essentially holistic security is concerned with the whole security environment in an organization rather than simply focusing on single elements such as cyber, physical, administrative or technical security. In other words, security is viewed as a collection of interconnected and coordinated functions to protect assets and maintain reliability.

Why is the holistic emphasis missing?

The history of security for energy and utility enterprises has primarily been focused on “guns, gates and guards” until around 2008. Overall the security focus was really a military of police mindset. Cyber was very rarely considered. After 2008, in the United States and North America, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards were published and enforcement began with emphasis on protection of critical cyber assets that are important to the reliability of the bulk electric system. The enforcement included inspections and fines for non-compliance. A new emphasis on cyber security emerged; and as a result physical security was placed in a lower echelon.

The observation we offer is based on our own experiences in the field. For instance, we see the singular focus on cyber at various global utilities we inspect. We have seen examples of where physical security is in decline and not being address at substations and generation facilities, including:

External doors and locks are not adequately protected. There are gaps between the doors and door frames and the lock assemblies are not protected with simple metal plates. In several cases we’ve been able to open doors with simple plastic credit cards and gain access to critical cyber assets and copper.
Door hinges are on the outside of the door frame. Because of this practice it would be easy to unscrew the hinges then simply lift the door out of the frame.
Control building perimeters have unprotected windows in doors and walls. We’ve seen windows in doors that could simply be broken physically and then the door opened by reaching inside through the window break.

Large ventilation panels/louvers are unprotected and can allow a person to remove the ventilation screen and then step into the building. The panels are also fastened from the outside and just like the hinge example above can allow for external removal of the screen – which, by the way, is usually not alarmed.

External wireways entering the buildings are not adequately protected and a smaller individual could gain access inside the building by crawling along the wireway.

So, what should an enterprise do? Here are some key suggestions:

Recognize that security is more than “compliance.” And with today’s focus on NERC CIPs in North America don’t forget the physical security practices that need to be done separate from simply complying.

Consider other security resources and references to help sustain a “holistic” security program. For example consider using the ISO27001/2 and ASIS International standards to cover cyber and physical security practices.

Avoid a mentality of “no fines” when wondering what security to emphasize. In other words, if you focus on NERC CIPs and cyber security to avoid fines from the regulators you can miss practical physical security requirements that are needed to protect your assets.

Integrate and include physical security management along with cyber security management. Avoid separating and segregating your security leadership in a way that does not allow for coordinated physical and cyber security outcomes.

Recognize that attackers – both cyber and physical – are not worried about whether you follow the NERC CIP or ASIS or ISO27001/2 rules or not. They want the copper, they want to cause damage, and they want to turn systems off.

In conclusion, the key point is to think about the entire security environment you need to implement. Be coordinated and use a holistic approach to protect both your physical and cyber assets.

(This is the third in a series of opinion pieces written for Asian Power by Ernie. His last article on Assumption of Breach was very actively read.)

Ernie Hayden, CISSP CEH, Managing Principal, Verizon Business