By Greg Kemper
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) includes the Energy & Utilities sector on its list of 16 critical infrastructure sectors that are so vital that any incapacitation or destruction would have a debilitating effect on the country. And U.S. Presidential Policy Directive 21 identifies the sector as uniquely critical because it provides an enabling function across all infrastructure sectors. Countries around the world recognize the importance of protecting critical infrastructure and invest heavily to secure its continued operation.
Major transformation in the sector, including a shift toward renewable energy and toward a digital distribution model that has engendered new cybersecurity risks and regulations, increases the complexity of security. To keep pace with the landscape, utilities and providers need to evolve their security approaches accordingly. Unifying physical security systems (video monitoring, access control, and license plate recognition) with evidence management, intrusion, and decision management systems can help organizations harden critical infrastructure, foster a safer work environment, and stay ahead of regulatory changes.
The move toward renewable energy
As governments set clean energy targets for the future, the sector is having to provide solutions on an external timeline. To meet these goals, the sector is seeing an increase in mergers and acquisitions (M&A). Cross-border investments in renewable energy, combined with a convergence of oil, gas, and power utilities, mean that M&A are happening on a wide scale. At the same time, the sector is also moving from an analog, scale-driven, centralized energy model to a digital and distributed model. An unintended result of this transformation has been a rise in security-related challenges. Industry leaders are looking to standardize and centralize their solutions as they inherit legacy systems that were intended to perform in isolation. They’re asking themselves how they can secure a growing number of assets across a dispersed and expanding territory.
Cybersecurity risks and new regulations
Cyberattacks from sophisticated hacker groups are on the rise in virtually all arenas. As critical infrastructure, the Energy & Utilities sector is especially vulnerable. Leaders must now align their physical and cybersecurity networks to protect their businesses from evolving threats, and to meet the new regulations governments and other bodies are implementing to protect critical infrastructure. To keep pace, Energy & Utilities organizations need to modernize their security technology, updating it not only to meet current and future needs, but also to go beyond securing people and assets by helping to simplify compliance, increase cybersecurity, and improve operations.
The power of unification
Operational downtime can have a far-reaching and potentially catastrophic impact on other critical infrastructure, and it can cost millions. Keeping a country running smoothly requires having compliance, security, and operations working in unison. Energy & Utilities organizations need a portfolio of unified security solutions that are designed with critical infrastructure owners in mind. They should select options that offer more automation and greater insights into their operations. A unified security platform should bring together video monitoring, access control, and license plate recognition with evidence management, intrusion, and decision management.
Helping to simplify the compliance process
The North American Electric Reliability Corporation (NERC) ensures the reliability of bulk power systems by developing, monitoring, and enforcing a variety of industry-specific standards, including those for cyber and physical security. One of NERC’s main physical security requirements is that Energy & Utilities organizations must record all access control activities, maintain logs for authorized access, and monitor critical facilities for unauthorized access 24/7. In the event of an access breach, NERC stipulates that organizations must investigate and categorize the alarm incident and implement the appropriate response plan within 15 minutes. Verification of the alarm details as well as the response must be documented and are subject to an audit and review by the NERC Regional Entity. Regulatory penalties can cost up to $1 million per day per violation.
A unified security system enables organizations to optimize evidence reporting, making it easier to comply with regulations. With a modern digital evidence management system they can securely collect, manage, and share digital evidence from different sites. They can move away from burning DVDs to automating the sharing of digital evidence with internal and external auditors as well as regulators and law enforcement. At the same time, a collaborative decision management system allows organizations to digitize their Standard Operating Procedures (SOP). Creating digitized SOPs helps guide personnel in their response to events by predefining a wide variety of criteria. This ensures compliance across a distributed organization, including when exporting and sharing workflow diagrams and incident reports with auditors.
Strong cybersecurity is key
The rise in cyberattacks has changed the risk scenario from ‘if’ it may happen to ‘when.’ Modern physical security devices and systems are increasingly interconnected, which helps keep people and organizations secure, but increases the risks of criminal cyber activity. Greater connectivity of systems over the internet means that a vulnerable device can become a gateway to an organization’s data and sensitive information. A poorly protected camera, unencrypted communication between a server and client application, or out-of-date firmware all have the potential to be exploited by cybercriminals. Security systems can no longer focus solely on physical threats. Organizations must choose hardened solutions that also work to protect all other systems and information connected to the network against criminal cyber activity.
Because no single approach is enough, any solution deployed within the Energy & Utilities sector must include multiple layers of defense. Solutions must use strong encryption, authentication, and authorization protocols to protect data captured for management, analysis, and storage.