The utilities industry has the rare challenge of being accountable both for its own security and for the public’s. The penalties for even a small lapse in compliance are severe, let alone an actual breach. And as recent announcements by NERC make clear we can only expect Critical Infrastructure Protection (CIP) standards to get more rigorous over time.
Security solutions using short range RFID wireless technology can simplify compliance efforts and improve the security posture of utilities in a variety of ways.
1) Managing Laptops and Transient Electronics
Recent high-profile data breaches have ratcheted up the public’s and NERC’s interest in ’cyber hygiene.’ Case in point, the $2.7 million fine handed out earlier in 2018 to a west coast electric utility for exposure of sensitive data by a contractor.
This need for increased data protection will pose a serious challenge for utilities as laptops and other mobile electronics have become even more integral to managing grid operations. It will require enhanced management over not only who has access to which devices, but in documenting who accessed which devices and when.
Electronic asset lockers automatically generate transaction logs customizable for NERC compliance reporting. You get complete records of who signed out which laptops and when they returned them. You can set time restrictions on specific devices so managers are notified if devices are not promptly returned at the end of a shift.
Asset transactions are made efficient using contactless RFID tags coded to each employee’s access needs, so productivity stays high. Advanced asset lockers even offer in-place charging so idle devices are always ready.
2) Fine Grain Access Control in Restricted Facilities
Access control in complex generation and distribution facilities means more than just controlling static perimeters. Access to certain infrastructure may be tied to background check status or active certifications, which change over time as personnel are reassigned or contractors are brought in.
Complex access control needs are best managed when an electronic access control system can integrate with a utility’s directory services system, the IT tools used for managing personnel and job types.
Instantly check which employees have up-to-date certifications or logged mandatory training. Enable or disable access just to relevant spaces. Using RFID access tags means these changes are updated in real-time so staff can always efficiently get where they need to go. And to be fully accountable to entity auditors you can export customized access reports as needed.
3) Managing Legacy Infrastructure
A lot of legacy infrastructure still in use was designed before current cybersecurity concerns arose, especially relays and reclosers. Many of these were designed to use shared passwords that are now too sensitive to store electronically. While these shared passwords are allowed in CIP standards, they require strict controls.
Add small form lockers to a modular electronic asset management system that can store paper records of your shared passwords. Enable double authentication for highly sensitive passwords to require a supervisor to be physically present for staff to sign them out. For rapid access during incident response asset lockers can be configured with an emergency override too.
4) High Volume Key Management
NERC is interested in requiring utilities to manage physical keys with the same rigor as electronic swipe cards. This could be a challenge for many utilities, especially larger ones accountable for thousands or evens tens of thousands of keys. Adding another layer of complexity is the fact that many of these keys are for meter rooms in customer spaces, like private residences or high rises.
Technicians will receive a work order referencing a particular key from these racks of thousands, grab the correct one—hopefully, and return it when the order is completed. This system is highly prone to human error.
Electronic key management systems automate all aspects of key control. They can be scaled to support any sized key set. The central management system is scalable as well, so you can test a deployment at certain sites and deploy across the rest of the organization as needed. There’s no need to do a single switch over, so you can maintain up time at all facilities.
For highly sensitive keys, like for control rooms or turbine facilities, RFID key exit systems can alert managers and security personnel when a key is ever taken outside your set perimeter.
5) Emergency Response & Preparedness
NERC has also begun pushing an All-Hazards approach to preparedness planning. But it can be difficult to design effective response plans that are flexible across a broad range of incident types. For example, the measures useful in response to a wildfire are going to be very different from those useful in the event of a terrorist attack.
Emergency muster systems provide real-time location data on staff during emergency situations, automatically recording the last known location of all tagged personnel. The system is designed to be accessed in the field by designated emergency response teams, and provides information on each individual not reported safe, including emergency contact information and detailed response checklists.
The electric utility industry is under increased pressure to tighten its security posture by both the public and regulators. The threats the industry faces will only continue to mount, but fortunately the number of available solutions is growing as well.
Contact Real Time Networks today to learn how key and asset security solutions can help ensure compliance with NERC and CIP standards.
About the Author
Shannon Arnold is the VP of Marketing and Strategic Partnerships at Real Time Networks.