Public utilities and their associated infrastructure are some of the most high-value targets for terrorists and criminals alike. From 1970 onward, numerous documented attacks have been against both utility physical infrastructure and network systems in the United States. That doesn't even begin to consider the effects of natural disasters on these exact vulnerable locations. It should be no surprise that governments have started to mandate certain steps to protect public utility infrastructure across the board.
Regulatory Steps
Protecting the electric, gas, and water system components ensures that these necessary lifelines become more resilient from the many threats they face. Whether it is the terrorism threat we mentioned just above, solar storms, or even wildfires that threaten these critical infrastructure networks, a loss of services can devastate the area. While it is impossible to secure every segment of these systems entirely, it is likely to harden the targets and provide them with better security.
America's Water Infrastructure Act of 2018 requires any public water utility serving an area of 3,300 or more people to conduct risk assessments and prepare or revise an emergency response plan. In 2021, the U.S. Department of Energy took several steps to further secure the nation's electrical utilities from threats from foreign states and their agents.
Those are just two examples of recent efforts at the federal level to enhance security planning at our critical infrastructure locations. Numerous more targeted steps are also being taken at the state and local levels to adapt public utilities' security posture better. Third-party software security is also a major concern, as these utilities use vendors to supply control systems, monitor distribution, and even process payment. Ensuring appropriate cyber security is equally as important as the physical security steps that are being taken.
Security Enhancements
Looking at some of the most recent advancements in security technology, we've compiled a list of the best ways to protect public utility infrastructure better. We've broken down our recommendations into two areas: physical security and cyber security.
Physical Security
The North American Electric Reliability Corporation sets regulatory standards for power system monitoring, compliance, and operational procedures. They mandate the development and implementation of physical security plans for all transmission stations, substations, and primary control centers. All phases of an electrical utility company are equally crucial regarding security, which goes for all public utility infrastructure.
Security Staff
While it would be ideal to have law enforcement or armed security present to guard each piece of electrical infrastructure or other utility, it simply could be more cost-effective and feasible with some of the remote locations of pipelines or transmission lines. Those resources are better placed at installations like power plants, electrical generating stations, or other centralized facilities with a greater number of personnel and equipment or a facility with a higher risk level for any number of reasons.
Surveillance Cameras
This may seem overly simplistic, but the benefits of a quality surveillance camera system far outweigh the costs. They serve a two-fold purpose; active monitoring of a surveillance system can provide early warning of a security incident at utility facilities, and after an incident has occurred, recorded and backed-up camera systems can provide investigative leads that can prove invaluable to a criminal or civil probe into the matter.
Integrating these camera systems with some of the access control methods we discuss can allow your monitoring staff to determine if a direct response or further actions are necessary. Even artificial intelligence programs can monitor your camera systems for you and push out notifications to selected staff when abnormal events occur. Some of these systems even harness machine learning to become accustomed to normal activity at the site and further reduce false alerts.
Access Control
Several access control techniques can be applied above and beyond the standard fencing and padlocked gates that are unfortunately too common at many locations. Fob access for any gated utility facility provides accountability and a log of who accessed the secured area and when. Microwave sensors can be placed to install invisible barriers that trip an alarm when the beam is broken. Sensors can also be installed on fences to detect cutting or climbing, and you can even have cables buried underground that can sense when that ground is crossed by something of a certain size or weight.
Drones and Other Advanced Technologies
For more remote locations, it's possible to patrol pipelines or transmission lines with drones. This can be accomplished from a distance and cover ground that could be exceedingly difficult or time-consuming for security personnel to get to or traverse. Drones could also be deployed in response to specific threats like wildfires or other conditions that may make it unsafe for utility personnel to observe the utility facilities directly.
Acoustic sensors can harness the same AI and machine learning capabilities referenced above to detect vehicular sounds, human voices, or even gunshots at utility facilities. Thermal sensors can be installed to detect humans or deployed as part of an anti-drone suite of upgrades. Some utilities are exempt from regulations prohibiting interference with drone activity as a matter of security, and a combination of cameras, thermal imaging, and jamming technology can force hostile drones to land or return to their previous flight path instead of continuing their activity.
Cyber Security
Physical security is essential, but with more and more of our critical infrastructure connected to the internet, cyber security is equally essential to protect public utility infrastructure. Just as U.S. agencies have mandated increased physical security, critical infrastructure protection is an international concern. German authorities lowered the threshold for adherence to the requirements of their IT Security Act 2.0 in 2021 after over 140 successful cyber attacks against water and electrical utilities took place in 2020. They want to ensure that even small utility companies protect themselves against cyber attackers.
Access Control
As we mentioned regarding physical sites, controlling who can access your facility is critical, especially when securing critical infrastructure. According to Proofpoint, 99% of all cyber attacks require human assistance. That assistance can be limited if your employees are only allowed access to the information and control systems they truly need to do their job.
Centralized password management, true identity authentication, multifactor authentication, and secure data storage must all be leveraged to ensure that your networks remain secure and access is only granted to trusted and authorized personnel. Privileged access management is a central tenet of the IT Security Act 2.0, and that is only possible by safeguarding the electronic identities of your employees.
Network Segmentation
As we just mentioned, privileged access management is a key tool that must be used to maintain the integrity of distribution systems. By separating the IT infrastructure from the technical components of control networks, you can ensure that only specific employees subject to other stringent login requirements can access those higher-security networks. This further limits the risk of compromise from third parties and enhances network cyber security.
Continuous Monitoring
Many vendors provide cloud services and other cyber security solutions that can apply to a public utility looking to secure their systems better and protect public utility infrastructure. Regardless of the software solution you turn to, you must continue actively monitoring the networks, applications, and systems in place. Install updates, patch vulnerabilities, and respond promptly to system alerts in accordance with your enterprise incident response plan.
At Venture Lynk Risk Management, we provide best-in-class enterprise risk management services. Our seasoned team members can evaluate, manage, and mitigate various challenging enterprise risks. Specializing in the high-risk fields of healthcare, financial services, government, public services, and more, our staff can supply a custom ERM solution for any situation you may be facing. Contact us to see what we can offer your enterprise today.