The Protecting Utilities Lunch at ISC West this week, hosted by the SIA Utilities Advisory Board, brought together experts, solution providers and thought leaders who are working on the front lines of critical infrastructure protection. With both cyber and physical attacks on electric, water and public utilities increasing in prevalence, the panel looked at how the security industry is working hard to support its partners at critical infrastructure sites with powerful solutions that meet compliance demands and deter, detect and defeat bad actors.
Keynote Presentation
In the keynote presentation by Frank Dawson, director of Operations, Corporate Security, Southern Company, he provided real-world insights on the risks that utilities must mitigate and the standards they must meet. As someone who came from a background in law enforcement, Dawson started the conversation by pointing out that his original mindset and approach to security when he joined Southern Company was based off what he calls a paradigm specific to his role as a police officer but one that did not translate to the world of security.
“Shortly after I started, I realized that policing is different than security because with policing, you're reactive – something has already occurred, and you're called to the scene, whereas with security, you're trying to be proactive and protect assets,” he explains. “And that's a totally different mindset. So regardless of how much experience I had prior to coming to the company, that didn't really count if I kept that same approach in my new security role.”
In his time with the company, Dawson says he has learned how to leverage all the technology today – with the help of subject matter experts at his company, and by working with technology partners and groups like SIA – to maximize the potential of security as something that could be preventive rather than just responsive.
“One of the things that we have internally [at Southern Company] is called our Physical Security Technology Team,” he explains. “Inside of that team are SMEs, and these are subject matter experts who really understand their space. So, we have representation from IT, we have representation from a NERC-CIP, as well as each one of the operating company's representatives on there, because it may be something that's more specific to their needs.”
By bringing all these experts to the table, they can help each other work through the myriad challenges involved with securing these top critical infrastructure assets that are becoming more of a target by bad actors on both the physical and cyber-security space.
Panel Discussion
Following the keynote presentation, a panel discussion followed, featuring Dave Stolerow, National Business Manager, Security, Siemens, Phil Coppola, Business Development Director for Mobile Solutions, HID; Erick Reynolds, National Business Development Team Lead, Hanwha; and Vince Ricco, Senior Global Alliances Manager for Wasabi.
Asked what keeps them up at night, the panel touched on some areas that the industry struggles with when it comes to protecting utilities.
Stolerow, who works with the utilities and critical infrastructure companies and customers in developing modernized solutions for security, operations, and resilience planning, says much of his focus is on advising and helping to design for the best use of technology, which often includes integrations and long-term life cycle planning.
“When you think about where customers are struggling, everything that Frank talked about [in the keynote] is true – the overabundance of technology, AI, and all the new inputs coming in,” he notes. “So how do you manage all that data – how do you bring those points into actionable insights versus just noise? And when you look at the convergence of cyber and physical … and then you look at the vulnerability of a failure across access control allowing a threat on the cyber side, you also have compromised cyber that can disrupt physical systems.”
Coppola agrees, adding that there is still some progress needed when discussing the physical credential in the critical infrastructure/utility space, which “also needs to modernize to the same standards that cybersecurity is leveraging,” he asserts. “If you think about it today, if you try to access any business system inside of any of your networks, what do you have to do? Single sign-on, multi-factor authentication, and some sort of Microsoft or Google authenticator … because I need to know unequivocally that the person that's accessing this system is who they say they are. And then we bring somebody in, we hand them a piece of plastic that's never been upgraded nor is it upgradable, and then we let them go out into the field to service our system. This to me is the biggest risk and biggest vulnerability in the critical infrastructure space and legitimately does keep me up at night because it only takes one instance of social engineering for somebody to gain access to a card.”
About the Author
Paul Ragusa
Paul Ragusa is senior editor for Locksmith Ledger International, an Endeavor Business Media Security publication.