SD&I went to industry leaders to discuss the intricacies of securing critical infrastructures, including power grids, utilities and other sensitive facilities. Here’s what they had to say about pressing infrastructure issues and how they address those with specific technologies.

What are some of the concerns regarding security at critical infrastructure locations—power grids, water treatment facilities, utilities and data centers, for example?
Mike Taylor, senior director of Business  Development, AMAG Technology, Torrance, Calif.: The concerns are many and they are different for each site.  With the very real possibility of a terrorist attack on these sites, we have started to spend more time looking at their vulnerabilities. For years the U.S. has focused on theft and vandalism. We must guard against cyber attacks on data storage sites, disruptions to our critical power grids and even protect against someone poisoning our water supplies. Our focus has changed forever.

Bill Newill, president, Baran Access Solutions, Mission Viejo, Calif.: There has been an increased level of security implemented and often mandated for these facilities over the past seven years. Concerns include whether or not the security requirements are stringent enough to make a difference. Do these critical locations have flexibility in determining which technologies will best protect their facilities and can they take advantage of a ‘mix’ of technologies that will accomplish their security goals while meeting the necessary budgets to complete each project? That’s what we need to know right off the bat.

Lee Cravines, CEO, GCT Systems, Concord, Calif.: Some of my concerns are the errors made by the people responsible for monitoring security systems. In other words, the personnel who are monitoring the systems that are designed to protect high-security platforms must perform their duties well. Security systems are only as good as the security personnel who control them. Human error is the biggest threat to the success of any security system.

Bill Scott, manager, Business Development, Gallagher Security Management Systems, Sanford, Fla.: Most electric and water utilities share the same problems at their main stations as well as at their remote sites such as the need to integrate perimeter security, gate access/security, building access control, building security, IT facility and cyber security. Installing these systems requires the ability to get the data from the network of remote sites back to a central location where all sites can be monitored. Government regulations are already being implemented to require these capabilities, with serious financial penalties if incidents occur and approved security systems are not in place.

Tom Turner, vice president of Marketing, Q1 Labs Inc., Waltham, Mass.:Of paramount concern is visibility into the network and security infrastructure that surrounds bulk power systems and SCADA networks.  Visibility means the ability to monitor and correlate all information that is pertinent to the systems themselves, the networks they run on and the security devices that are in place to protect them. There is concern with threats that range from malicious to targeted penetration attacks by terrorist organizations. They are also faced with CIP and NERC compliance deadlines, so utilities need threat management and compliance validation solutions in place.

What are some technologies integrators are using to protect sensitive facilities?
Taylor: Integrators are doing a better job integrating technologies. Over the past few years there is a new level of systems integrator deploying the newest in edge technology, intelligent access control systems and video analytics into building security networks for applications to run on.
Newill: Biometrics has made some great strides in being much more widely accepted and installed as a key part of a sensitive security programs. Variations to the old standard fingerprint and handprint solutions, as well as vastly improved facial recognition software programs, have become particularly useful to security plan designers. Explosives detection has also made great advances recently and is being used in many new unexpected applications. Credentialing has improved dramatically after implementation of HSPD-12 and the FIPS-201 program.
Cravines: IP capabilities have helped minimize the threat to sensitive facilities. However, there is no simple security solution in today’s growing need for security.  One needs to ensure that all systems are customized to its own environment. The way we approach this is to find out what our customers’ concerns are and build a customized system to meet their needs.
Scott:  Integrators should be working with utilities in planning for future regulations and security challenges.
Turner: To meet NERC and CIP directives and to improve their threat detection capabilities, integrators are starting to deploy products that collect and correlate information from the network, security devices, systems and applications in a central location.
Are you getting involved in the IT programming/software side of the solution?
Taylor:We are dealing with the IT departments for our customers and over 90 percent of our solutions ride on a customer network or a custom-designed security-only network at the customer’s site. Many of our customers have sites all over the world.  These sites require a strong network team and knowledge base.
Scott:Gallagher provides software solutions to meet a wide variety of current and future utility operator requirements. In addition to a full-featured access control and security monitoring software package, we offer integrated visitor and contractor management, drug and alcohol testing controls, emergency management solutions, etc.
Turner: As a security software manufacturer, Q1 Labs is working with the IT security departments of regional utilities, water authorities, Independent Systems Operators (ISO) and energy companies.
Looking ahead, what are emerging trends in protecting these and other types of sensitive facilities, including DHS and others?
Taylor: Many new trends are still evolving. What we are seeing is a higher level push from the government to secure not only their sites, but the information used at each site and the transactions created at these sites. The increase of government requirements such as FIPS 201, HSPD 12, TWIC and others are only the start of security in the post 9/11 world.
Newill:Since many of these sensitive facilities already benefit from advanced systems to protect their critical role, I have to mention a greatly over-used term, “convergence.” It has become obvious that our security systems today must be converged (using a high-level of integration) with existing, new and vastly more complex systems. It will usually require a team of experts to implement convergence of complex systems solutions using existing technology to operate in these types of environments.
Scott: The ability to integrate all types of plant and remote site security systems into one consolidated package is just becoming possible. Providing higher levels of security, ease of operation, improved monitoring capabilities and improved levels of service and support will be expanded in the future through increased IP based capability. Also, improved wireless integration and new software packages designed to meet future regulations are emerging trends.
Turner: The integration of different sets of surveillance data in order to catch complex and surreptitious attacks is an emerging trend. Also evolving are specific SCADA signature sets in network IPS.