Are You Prepared for the Next Attack?

Written by Darin Dillon on February 29, 2024. Posted in C-Suite Perspective.

Do you believe the energy sector has become a critical watchpoint because of its unprecedented constant attacks? You’re not the only one. More than 700 documented attacks from 2010 to 2020, ranging from cyber to physical to natural hazards, serve as real-life reminders that leaders in the utility space must remain focused on how best to protect our most vital assets, including information technology (IT), operational technology (OT) and SCADA systems for process automation.

Do you recall the horrific physical attack in 2013 on California’s critical infrastructure that exposed the extreme vulnerability of our grid system? A government report leaked to the Wall Street Journal in March 2014 stated, “The U.S. could suffer a coast-to-coast blackout if saboteurs knocked out just nine of the country’s 55,000 electric transmission substations.”

What would a coast-to-coast blackout look like? Imagine no electricity for weeks or months—no fuel, water, food, healthcare or money access. Ultimately, civil unrest and rioting would be the common denominators because the electric grid is today’s foundation for ensuring stable communities. Simply stated, we don’t know how to live without electricity.

You may be surprised to learn that the electric utility industry is the most highly regulated in its operations and security compared to all other industries. With over 20,000 regulations faced by electric power generation, transmission and distribution entities, compliance is an arduous task as these regulations focus on business interruption, supply chain management, natural catastrophes, cyber incidents, fires, explosions and climate change.

Much of the grid was constructed decades ago with security measures not factored into the original designs. What’s the impact? Today we are experiencing vast expansion in the methods to secure these assets against both cyber and physical attacks. With the evolving awareness of the critical need to secure our energy sector, authority was given to the North American Electric Reliability Corp. (NERC) to step in as the enforcement arm.

NERC’s mission is “to assure the effective and efficient reduction of risks to the reliability and security of the grid.” Since its founding, NERC has evaluated which sites are of greatest concern via Critical Infrastructure Protection (CIP) regulations, which outline how government and private sector participants in the critical infrastructure community work together to manage risks and achieve security through resilience.
Critical infrastructure not only needs to find effective systems to be compliant with current NERC CIP regulations, but the most advanced companies also need to build versatility into their infrastructure to grow with changing regulations and other yet-to-be discovered threats. Currently, there are a variety of software solutions available for automating compliance for NERC CIP audits. Some specific physical access control systems are designed with the ability to produce a variety of reports through scripts that address the complexities of NERC CIP audits. The benefit of these tailored systems is not only the peace of mind of knowing at any given time whether one is in compliance, but additionally, having the right system can save countless hours of preparation for an audit.

When selecting the right physical access control system, one should have working knowledge of the CIP regulatory requirements and industry best practices. The best design approach would be to select components that are open, proven, scalable and best of breed.

Open Architecture – Select solution providers allowing multiple options for hardware/software (i.e., being an open platform and possessing an open API), as this will provide protection of current and future investments in technologies.
Proven Products – Seek proven solutions and components that have an established history in the marketplace to ensure efficient plus reliable long-term use of all implemented solutions.
Fully Scalable – Select a scalable system that enables growth to an unlimited number of end-point devices, such as readers, cameras, inputs and outputs.
Best of Breed – Many manufacturers claim they do it all, but rarely does any entity do all things well. Selecting best-of-breed components/solutions and integrating necessary solutions drive toward a more positive end-user experience for system operations

Leaders in the utility industry have a responsibility not just to the companies they work for but to the communities they serve to ensure the continuity of the grid’s performance. Our lives revolve around access to the pulse of electrons; therefore, securing the grid should be a top priority for anyone who has influence over its operation. It’s not just about meeting regulations but also about taking the extra step in designing the most secure infrastructure possible.

About the Author: Darin R. Dillon, CPP, is the senior director of energy at LenelS2 (www.lenels2.com). He is a leading security integration advisor to the energy, chemical and critical infrastructure industries with a focus on optimizing performance, mitigating security risk and improving organizational resiliency in the security ecosystem. Reach him at darin.dillon@carrier.com.

MARCH-APRIL 2024

Featured

Darin Dillon

Darin R. Dillon, CPP, is the senior director of energy at LenelS2 (www.lenels2.com). He is a leading security integration advisor to the energy, chemical and critical infrastructure industries with a focus on optimizing performance, mitigating security risk and improving organizational resiliency in the security ecosystem. Reach him at darin.dillon@carrier.com.