Where to start planning for substation and distribution site security
The countdown has begun for the electric utility substation and distribution site. The standards for physical and cybersecurity for U.S. substation and distribution sites will officially move from CIP Version 3 to CIP Version 5 on April 1, 2016. CIP (Critical Infrastructure Protection) levels, as established by the North American Energy Reliability Corporation (NERC), will tighten and utilities need to be ready. But where do you start planning for substation and distribution site security?
April 2016 will be a turning point for "radical change" in the utility industry according to Lila Kee, a participant in the NIST-NCCOE Energy Sector Identity and Access Management Use Case Consortium, which assists utility groups in implementing National Institute of Standards and Technology and NERC CIP standards for identity and access management as part of her job at GlobalSign, a cybersecurity consulting partner to the utility industry.
To get substation and distribution sites ready for the new security standards will require a more robust electronic perimeter and physical security, according to Kee. This will require a framework for identity access. For example, as Kee noted, "NCCOE published use cases involving technicians requiring secure physical and remote access and authorization to perform certain work orders on given substation systems." This National Cybersecurity Center of Excellence (NCCOE) framework is based on a "least privileged" method that only authorizes the tech for a particular period.
With physical security, the items under consideration for substation and distribution sites run the gamut, according to Morgan Tucker, security manager, Accenture, Utility Cyber Security Practice.
"Everything starts with a threat assessment," Tucker said. "What's the posture of your site?"
After the incident of sabotage in April 2013 at Pacific Gas and Electric's Metcalf substation in San Jose, Calif., the Department of Homeland Security (DHS) adopted the point of view that substations are the weak link in the national power grid, according to Tucker.
"The Metcalf incident---someone shot at the substation with a Bushmaster rifle," he said. If people are shooting transformers, you have to question the purpose. Are they targeting the power grid? Testing police response time or just simply out for target practice?
Whatever the reasons that troublemakers have for damaging substations, it highlights the need for security preparation. And that requires you to look at the risk profile in a substation.
"In the past, substations were padlocked and had a master log but had no security," said Dave Karsch, senior global security consultant, physical security with Honeywell Security. "People are looking at remediation including no-cut fence and an early warning system. You have to make sure you get as much early warning as possible to deter the intruder."
Karsch went on to add that utilities need systems outside the fence for proactive early warning of a possible incident. Some experts say that substation sites should now have cameras pointing outward to deter vandals from coming in as well as inward to detect them if they do decide to intrude.
After the Metcalf incident, NERC decided on the new standard. To comply, you need to be able to deter, detect, delay and respond to security threats, according to William E. Reiter II, vice president, security operations, Telgian Risk Solutions. However, no one tells you how, he said, and "You have a lot of options."
Whatever options are selected, an unaffiliated third party must sign off on the plan and put in writing that they agree or disagree with the plan to deter.
Since Metcalf, the system really hardened, according to Reiter. The threat assessment of a substation began to be based on who its customers are. If they include hospitals or government facilities, those substations rise in importance.
To reinforce the need for proper physical security at substations, the federal government has instituted fines of $10,000 per incident per person of people intruding a site and not being properly signed into the site's security log. And agents are on the ground to verify site physical security.
"The U.S. government developed a program to field test compliance and issue violations along with stiff monetary penalties," said Samantha Boles, president and COO, Automated Security IS. "You have to control access---exactly what it says---control access to the facility. Alarms, gates and fencing and security guards are all part of this category."
When NERC made its petition to the Federal Energy Regulatory Commission for CIP Version 5 in 2013, it wrote that the administration and Capitol Hill know that cyber threats will only increase, with President Barack Obama declaring cyber threats "one of the most serious economic and national security challenges we face as a nation."
Even as cybersecurity takes a higher profile, it cannot be considered in isolation.
"The idea of physical and cyber being separate is an old idea," said Ray Cavanagh, a member of the Physical Security Council of ASIS, an international organization for security professionals. "There is no demarcation between cyber and physical security. In general, customers like the concept of not creating different buckets of security. Even if it's physical or cybersecurity, you might be able to have one person handle both."
Since 2013, the cybersecurity stakes have only grown higher for the utility industry. Substation and distribution site assets have to be assessed and properly categorized as CIP Version 5 takes effect.
"Cybersecurity perimeters are being redefined and expanded and additional network segmentation is being implemented to isolate the new functional components," said Nick Streaker, senior ICS threat specialist, TSC Advantage, a risk consultancy. "From a physical security perspective, utilities must implement biometric readers and access control badges for more stringent control of unauthorized physical access prevention and detection. From a cybersecurity perspective, firewalls and data diodes establish security perimeters and enclaves, while encryption protects sensitive data backups and storage."
Overall, as can be deduced from the NERC petition, CIP Version 5 is designed to address the deficiencies of CIP Versions 1 through 3. It follows a general theme of identifying assets. CIP Version 5 helps identify gaps of compliance based on high, medium and low impact. It provides guidance on level of control: high for network controls, medium for large substations, low for local substations. The low-level impact assessment is new.
However, in the end, no amount of security can make up for the deficiencies in human nature.
"Everyone thinks about cybersecurity," Cavanagh said. "But what if you can call in and say, `I'm Joe Schmoe from Sheboygan' and ask people for help with a password? What if you can call and get a password from someone who doesn't know you from Adam? A greater amount of personal security will create trust."
Derek Handova is a veteran journalist and content marketer writing on various B2B vertical beats. He started as associate editor of Micro Publishing News covering the desktop publishing space. He can be reached at email@example.com.
No discussions yet. Start a discussion below.