Using physical security to meet NERC cyber security standards

The North American Electric Reliability Corporation (NERC) ensures the reliability of the bulk power system in North America. As such, NERC develops, releases and maintains standards, one of which is the Critical Infrastructure Protection Cyber Security Standards which are designed to provide the necessary assurances of protection for the equipment that monitors and controls the generation and distribution of power through the grid in North America.

These cyber security standards recognize the operational demands for maintaining a reliable bulk electric system, and they address the security of the cyber assets which support critical reliability functions and processes. There is a very real threat to the power grid if these systems are compromised, and these cyber security standards are designed to help block unauthorized attempts to physically or logically access the critical power control and monitoring systems.

The NERC Critical Infrastructure Protection Cyber Security Standards are organized as standards CIP-002 through CIP-009. Presently the third revision of these standards is in place. A fourth revision will combine CIP-002 through CIP-009 into CIP-011 and will be enforced starting in late 2011.

As part of the security for those mission-critical power control systems, a physical access control system (PACS) can be used to secure the physical security perimeter and to control physical access to the equipment that defines the electronic security perimeter of the NERC-regulated facility. Additionally, the PACS must support the features necessary to facilitate a company's policies, procedures, and documentation requirements as defined in NERC's CIP standards.

The basic use of an access control system in the energy infrastructure environment is to prevent unescorted physical access to the facility's critical cyber assets. Enforcement of credential expiration and revocation is essential for cyber security compliance, but enforcing credential compliance is difficult to do and has been one of the top violations cited in the NERC spot checks. With a centrally managed PACS, the security team is able to produce reports on credentials, manage those credentials and maintaining accurate compliance. Those standard reports available from a PACS may also be used prove compliance when needed for quarterly regulation reviews.

Since the PACS is itself a cyber asset, it must meet the minimum standards for such a system including supporting unique logon credentials for each operator with a username and password. NERC requirements demand a strong password: one that is case sensitive, at least 6 characters long, and includes lower and uppercase, numeric, and special characters.

Additionally, NERC says that recovery plans must be established for critical cyber assets that follow conventional business continuity and disaster recovery practices. The system must be able to monitor operations such that a backup system can be deployed automatically or manually depending on the criticality of the system.

Finally, many of the electric power generation and distribution companies have facilities that are regulated to comply with the Transportation Worker Identification Credential (TWIC) program implemented by the Transportation Security Administration. The TWIC card is an electronically enabled (smart card) identity document, and TSA performs a background check before issuing the card to an individual. For firms and organizations that TWIC applies to, this will affect the choice of the access control system. In the case of TWIC compliance, security managers will need to select a PACS that can accommodate the extra fields needed for the credential ID number. A system that can handle the card can be used to associate the individual with their access privileges, thus eliminating the need to carry an additional credential.

While physical access control is a significant part of a security system to protect cyber assets as well as the entire facility, an integrated security management system will link in multiple physical security systems and efforts, including the following: the physical access control system, video surveillance, intrusion detection management, visitor management, security patrols, intercom and alarm management. As such, it would be recommended that NERC-regulated entities consider a security management system approach to a technology investment. By using a security management system approach, a single integrated system can be used for meeting several NERC Critical Infrastructure Protection Cyber Security Standards as well as to manage security across the facility.

About the author: Adam Shane is a product manager for AMAG Technology, and he tracks and researches government standards and regulations which affect the physical access control systems market.