Getting Smart with Padlocks

The one constant facing utility operators every day is the real possibility of a physical threat forcing a disruption of operations at their facilities. Given the nature of today’s world, I’m not sure if those fears will ever dissipate. But I do know that with improved technology and increased collaboration, there are some practical solutions available to help power, water and pipeline operators address real security and compliance challenges.

For decades the industry has relied on traditional keyed mechanical, high-security padlocks to protect power stations, substations, high-voltage equipment and cabling across rural areas. While we need to tightly control who can access critical sites, we also want the process for authorized personnel to be quick and easy.

As long as padlocks have been around, managing the distribution of keys, tracking lost keys and key control itself have long been a vexing problem. That is where high-security electromechanical locking solutions offer a versatile way to enhance security and improve access control for utilities. Here’s why.

A Hybrid and Cost-Effective Solution to Meet Regulations and Standards
While keyed mechanical padlocks will always have their place, digital technology has opened new ways to enhance security. That’s true for something as basic as a padlock. To meet the challenges operators face, there are electromechanical locks with a digital key that can be accessed and updated via a mobile app. The app itself provides flexible access and the ability to manage user rights, no matter where you are.

That’s why new industry compliance requirements set forth by the North American Electric Reliability Corp. (NERC) obligate utilities with critical assets to address physical security risks and vulnerabilities. They can do this by taking steps or demonstrating they have.

NERC’s Critical Infrastructure Protection (CIP) standards today require all electric utilities to have a physical security plan and program in place to monitor and manage physical access to protect critical infrastructure. This includes maintaining records of entry—with date and time-–for each individual with authorized, unescorted or unauthorized access to physical access points.

OSHA requires gates be locked to ensure no unauthorized person gains access or gets injured in a substation. Traditionally, utilities have secured their fencing and gates with a padlock and chain, and they continued to do so because of the sheer volume of assets in the field that needed to be secured. In many cases, a facility manager might have a drawer full of keys and could give them to anyone they wanted. Before the NERC standards mandated it, there was no centralized logging or documentation process.

NERC CIP standards that were adopted changed this, requiring utilities to define operational or procedural controls and restrict physical access at its sites. For authorized individuals who needed physical access to critical infrastructure or physical security perimeters, this required the utility to do several things.

They had to implement a minimum of one physical access control system, although two or more are recommended. They had to monitor unauthorized access through all physical access points, plus maintain detailed entry records each time an individual had authorized, unescorted or unauthorized access to physical access points. An alarm or alert had to be issued within 15 minutes if unauthorized access took place, and they were also required to maintain physical access logs capturing the date and time of an individual’s access for a minimum of 90 days.

To meet compliance, one utility combined weatherproof padlocks with an electromechanical access control system that can be administered remotely. They did so after taking into account all the keys they had in the drawer, realizing some had either been lost or stolen over the years. Since everyone in the region was keyed the same, this presented a huge security risk across their network.

For one utility that I worked with, they developed a strategic plan that met or exceeded the NERC CIP guidelines. It required their managers in the field to manage access rights and set an implementation schedule to secure thousands of locking points. They had to do so because it involved facilities in several states.

With their new system in place, they were now able to re-sync keys on a regular basis remotely. When a key is lost or stolen, it can be deactivated. Keys that are not re-synced in a specific time period will not work. And security administrators now have the convenience to issue keys anytime from a central location in an organized and documented manner.

Another improvement is the audit trail capability. Managers can now learn who the keys are assigned to and who has gained access to a facility with a date and time stamp. This is invaluable to maintaining compliance. NERC audits security once every three years and can audit the operator any other time at their discretion. If a problem in auditing is reported, the utility can be fined. If an auditing problem is not reported but discovered later, it could lead to an even larger penalty.

When weighing new locking solutions, you should consider how the efficiency of a hybrid, high-security mechanical-electromechanical access management program can greatly impact your security preparedness and compliance. It’s a critical point to think about when looking at those future and likely stronger NERC CIP security guidelines to come.

Down the road, these locking and access management solutions offer handsome returns over the years. You can streamline personnel and contractor access management efficiency, improve situational awareness and operation resiliency, and have an uninterrupted flow of electricity while minimizing costs in daily operations.

About the Author 
Jerry Burhans is the managing director of ALCEA, a security solutions provider and the brand formerly known as ASSA ABLOY Global Solutions–Critical Infrastructure. His team is dedicated to safeguarding vital infrastructure worldwide so industries and people can function without interruptions. Based in Irving, Texas, he welcomes the opportunity to discuss your security challenges. Contact him via email at jerry.burhans@assaabloy.com.