Like the double helix of a DNA molecule, the cyber and physical security environments of a power-generating facility are, of necessity, intertwined. Cyber security cannot effectively exist without physical security, nor can physical security be effective without cyber controls. Most casual observers view these two domains as discrete or even siloed. However, it’s critical the two programs be integrated in the current security landscape.
To understand the urgency of this, we need to look at the ground rules. The power industry is regulated to protect any asset that ultimately affects the reliability of the Bulk Electric System (BES). One asset connects to another, a group of assets forms a system, and the aggregated systems enable a utility to generate and transmit electrical power. The goal is to figure out which assets or groups of assets need to be protected, how much risk there is of losing them, and the probable impact of their loss.
So we build two security “boxes” — one logical, one physical — that we call the Electronic Security Perimeter (ESP) and the Physical Security Perimeter (PSP). The ESP requires physical security to protect the critical cyber assets, and the PSP, in turn, requires electronic security to protect these same assets.
The U.S. Department of Homeland Security has identified 16 critical infrastructure sectors in the U.S. Of these, the energy sector comprises three interrelated segments: electricity, petroleum and natural gas. Virtually all of the other sectors rely on electric power, and while some power generators have extensive experience with infrastructure protection, others are having to radically change their approach to enterprise security.
The North American Electric Reliability Corp. (NERC) Critical Infrastructure Protection (CIP) standards dictate physical security from a cyber security perspective. Specifically, the new CIP-014 standard addresses the enhancement of security measures for the most critical BES transmission assets, thereby reducing overall vulnerability to physical attacks.
As an energy sector supplier, your organization can make itself less vulnerable to security breaches by taking a few timely measures:
1. Develop a cyber security policy that outlines your strategy for protecting the cyber assets used to perform each specific critical function.
2. Determine which cyber assets enable your critical functions and group them into critical cyber systems. These systems need to be protected both logically and physically.
3. Diagram each cyber asset to determine its logical mapping to the other devices within the critical cyber system and identify each access point into the system. These ESP access points are the gates to the castle.
4. Diagram the physical security measures that protect the physical locations of the logical layout you drew for the critical cyber systems. If an intruder can gain physical access to a cyber asset, you can assume it will be compromised.
5. Procure, install and configure hardware and software that enable the physical security system to use cyber security to identify, alert, report and escalate any activity that appears inappropriate.
6. Implement cyber security tools that can turn massive security data into management information that enables sound decisions.
7. Hire and dedicate trained cyber professionals to interpret and take action on this management information. Spend the money and enable the people necessary to create accountability for identifying and mitigating risks.
8. Create metrics to assess the effectiveness of your measures. Monitor, manage and mitigate security risks.
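Steps 3 through 5 above come together when the physical and logical records are actually correlated. The following is an added example, not code from the original article or from NAES: it maps each critical cyber asset to the PSP that houses it (the diagrams from steps 3 and 4) and flags local console logins for which the badge log shows no matching entry into that PSP (the alerting from step 5). Asset names, PSP names, people and events are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed mapping: which Physical Security Perimeter houses each ESP asset
ASSET_PSP = {"hmi-01": "PSP-ControlRoom",
             "plc-gw-02": "PSP-ControlRoom",
             "hist-03": "PSP-ServerRoom"}

@dataclass
class BadgeEvent:          # one record from the physical access control system
    ts: datetime
    person: str
    psp: str
    action: str            # "entry" or "exit"

@dataclass
class LoginEvent:          # one record from the cyber asset's authentication log
    ts: datetime
    user: str
    asset: str
    method: str            # "console" (local) or "remote" (via an ESP access point)

def present_in_psp(badge_events, person, psp, at):
    """True if the badge log places `person` inside `psp` at time `at`."""
    inside = False
    for e in sorted(badge_events, key=lambda e: e.ts):
        if e.ts > at:
            break
        if e.person == person and e.psp == psp:
            inside = (e.action == "entry")   # last entry/exit before `at` wins
    return inside

def correlate(badge_events, login_events):
    """Flag console logins whose user never badged into the asset's PSP,
    plus logins on assets missing from the PSP diagram (a mapping gap)."""
    findings = []
    for l in login_events:
        if l.method != "console":
            continue
        psp = ASSET_PSP.get(l.asset)
        if psp is None:
            findings.append((l.asset, l.user, "asset not mapped to any PSP"))
        elif not present_in_psp(badge_events, l.user, psp, l.ts):
            findings.append((l.asset, l.user, f"no badge entry into {psp}"))
    return findings

def sample_findings():
    """Run the rule over constructed badge and login records."""
    t = lambda hm: datetime(2024, 1, 15, *map(int, hm.split(":")))
    badges = [BadgeEvent(t("08:00"), "alice", "PSP-ControlRoom", "entry"),
              BadgeEvent(t("09:00"), "alice", "PSP-ControlRoom", "exit"),
              BadgeEvent(t("08:30"), "bob", "PSP-ServerRoom", "entry")]
    logins = [LoginEvent(t("08:15"), "alice", "hmi-01", "console"),   # ok
              LoginEvent(t("09:30"), "alice", "hmi-01", "console"),   # after exit
              LoginEvent(t("08:45"), "bob", "hist-03", "console"),    # ok
              LoginEvent(t("08:50"), "carol", "plc-gw-02", "console"), # never badged
              LoginEvent(t("08:55"), "dave", "rtu-99", "console")]    # unmapped asset
    return correlate(badges, logins)
```

A real deployment would read both feeds from the physical access system and the asset logs; the point is that neither feed alone can raise these three findings.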
Poorly planned security measures can result in hard-learned lessons. While the concept of an integrated cyber and physical security system is fairly simple, a short-sighted implementation can increase risk and generate needless expense.
For more information, visit www.naes.com or call (425) 961-4700.