Energy and utility providers face unique challenges when it comes to the protection of high value assets. Data centers can store servers in purpose-built facilities and tightly control access. Meanwhile, banks and casinos can lock away money in secure vaults that are guarded around the clock and almost impossible to penetrate. Yet, much of our energy infrastructure is public-facing, unmanned and remote.
Behind the scenes huge numbers of employees and external contractors require access to energy and utility infrastructure to be able to monitor, protect and maintain the likes of electricity substations, pumping stations and broadband cabinets. The greatest cyber vulnerabilities therefore arise not in the online world but in the physical realm.
The management and oversight of who has access and when is a vital consideration. And with the ongoing convergence of physical and cybersecurity, it’s one that will only grow in importance over time. It’s why analogue approaches to access control, key management and physical security operations no longer work.
Shoring up physical security
By their very nature, energy and utility providers must operate across wide geographies. Naturally, this means organizations have difficulty maintaining oversight into operations. For example, many outsource asset maintenance to third parties, requiring them to look after valuable equipment, often located far from the main facility. However, this approach often leaves no audit trail of who has looked at what equipment, and few can prove the work has actually been completed. What’s more, physical locks are often used to secure these kinds of infrastructure, but this offers no form of access control or digital records.
Furthermore, physical keys also present logistical complexities, as the master key is usually stored at head office, requiring those who need access to pick it up and return it afterwards – adding travel time to billing. The alternative, cutting multiple keys, increases risk, as just one rogue employee could cause untold damage that could be very difficult to discover, investigate or prove.
For this reason, it’s time to digitize the security of energy infrastructure. With wireless locks and the appropriate security platform there is no reason why access to vital unmanned assets shouldn’t be controlled and granted in just the same way it is to a centralized facility such as a head office, data center or bank. Intelligent digital keys allow organizations to automatically grant access to any kind of facility or cabinet based on an employee’s role, work schedule and requirements.
Furthermore, external contractors can be granted access in real-time upon reaching the site. In each case this automatically provides evidence of the site visit, and an accurate log of how long it lasted – which streamlines the billing process, and more importantly, ensures an audit trail. Access control has long been a key requirement to manage the entryways of buildings, but now it needs to be translated into all critical national infrastructure in all its forms.
Addressing cyber risks
Given the abundance of legacy infrastructure in the energy sector, digitization has, rightly, become a top priority for many energy companies. While it offers an array of operational advantages, a greater level of interconnectedness does create new cybersecurity considerations. What’s more, the severity of these attacks will likely only increase with the advent of new technologies, such as 5G, so it’s vital that organizations establish comprehensive security strategies before we reach the next wave of innovation.
Hygiene factors such as changing default passwords, routinely installing security updates and managing access credentials go a long way to ensuring new functionalities do not come at the expense of greater cyber risk. It’s certainly worth the trade-off given that the old analogue approach offers so little protection against cyber and physical attacks caused by individuals having an inappropriate level of access to physical infrastructure through limited visibility and oversight.
Balancing digitization and security
To address the unique geographic and organizational gaps in their networks and visibility, energy companies must make security a central pillar of operations. This will ensure any holes in defenses are filled, while increasing the speed of detection, reaction, and response. Similarly, it’s vital that organizations ensure their drive towards digitization is carried out in conjunction with advancing security practices. Increased connectivity and more smart devices present an attractive opportunity for criminals, and organizations must have adequate defenses in place to stop them.
While the vulnerabilities posed by unsecured unmanned infrastructure may seem like a complex challenge, the first step is relatively simple. Using a unified security platform and wireless locks, it is possible to instantly revolutionize the way that access to remote infrastructure is granted, verified and audited, instantly introducing a higher standard of resilience, accountability and visibility across operations.
Steve Green is RSM at Genetec. Genetec Inc. is an innovative technology company with a broad solutions portfolio that encompasses security, intelligence, and operations. Genetec develops cloud-based solutions and services designed to improve security, and contribute new levels of operational intelligence for governments, utilities, critical national infrastructure, enterprises, and the communities in which we live.
For further information please visit: www.genetec.com