Electric grid security standard creates opportunity and confusion
20 July, 2015
category: Corporate, Government
Where cyber and physical meet
On the physical security side, D’Agostino says few companies have taken a proactive approach to the threat of attack. Most companies are interested in addressing only the failures of a security audit, he says, because then significant penalties can come into play.
“That’s the sorry security story everywhere. Even with everything that’s going on, no one really invests in this stuff unless they have to,” he says. Regulations, however, could force their hand.
D’Agostino believes the new standard will drive up the demand for physical security vendors. However, he contends that the cyber security aspects of physical security systems are where the possibilities exist for vendors to make their offerings stand out. “It’s not physical security alone, but the cyber-physical combination where the industry has a real opportunity,” he says.
The cyber security aspects of physical security systems are where D’Agostino spends most of his time helping customers. He says that vendors shouldn’t focus too closely on what’s in CIP-014, but instead take a more general look at what’s going on in the world of critical infrastructure protection. Almost all of the other NERC CIP standards emphasize cyber security. “If you only focus on the new physical security piece of this, you’re not really looking in the right place,” he says.
The physical security requirement is new and evolving, and doesn’t contain a tremendous amount of detail, which would drive features for vendors to explore, D’Agostino says. “I would be very surprised if there is a vendor in the marketplace who can make the claim that they’ve got some unique capability that sets them apart from others to better address NERC CIP-014,” he says.
During a webcast with the Security Industry Association, Brian Harrell, director of operations for NERC’s Electricity Sector Information Sharing and Analysis Center, noted that physical security in the industry is not a completely new idea.
NERC previously published guidance for developing physical security plans through its CIP committee and held training exercises in 2011 and 2013 that simulated breaches at power plants where attackers used improvised explosive devices. “The physical security piece in this industry is not new,” he says.
Market opportunities
SightLogix president John Romanowich believes the new requirements could provide opportunities for companies like his. The company focuses on physical security through intelligent video surveillance.
Electric grid security was one of the main applications that led to the company’s creation nearly 11 years ago. “I’ve been at many a conference where people feared the cascading consequence of the grid going down. And I think that the event out west – the Metcalf substation attack – made it much more alive in the minds of Congress and other stakeholders,” Romanowich says.
One of the things companies like SightLogix appreciate about the new standard is that it’s a lot easier for utilities to convince their state or municipal governing bodies to raise customer rates when a law mandates a security change. These kinds of upgrades will require regulatory approval before utilities can invest in them. “The mandate is going to drive the funding, which is kind of exciting,” Romanowich says.
Romanowich believes the new standard could bring physical security more in line with his company’s business model. SightLogix offers thermal cameras that use GPS-based video analytics. A single sensor can cover an area the size of a football field or larger, and the cameras can capture video down a facility’s fence line or throughout the entire substation.
The Metcalf station had only a monitoring camera in place, which Romanowich says brought to light the need for better detection and prevention. “There’s this misunderstanding that if I have cameras, I have security. You do have security, but it’s forensic security. You’re going to have a video of someone doing something bad the day after it happened. So without detection, you don’t have security,” he says.
D’Agostino believes utility companies will be calling on vendors to help them understand how all of the different security pieces fit together, and he’s been seeing utilities seek out help. “That’s where a security professional can add a lot of value,” he says. “But it requires an investment and it’s not necessarily the case that you get a big return on that investment.”
The new standard doesn’t require transmission owners and operators to do much other than have a security plan, which includes a risk assessment, some countermeasures and documentation, D’Agostino says. Auditors will look at how a facility does its risk assessment, whether that assessment is valid, what level of risk it rates itself at, and then whether the facility did things that were appropriate for the level of risk involved. “So this is Compliance 101 stuff, quite honestly,” he says.