Security Industry Association Director of Industry Relations Ron Hawkins recently delivered a presentation on critical infrastructure protection at the Energy, Utility & Environment Conference. Here is a condensed version of his remarks.
The risks and security challenges that utilities must manage have increased substantially in recent years. Electricity, obviously, has always been part of the national critical infrastructure, but as threats have evolved, the grid has become more of a target. National Security Agency Director Adm. Mike Rogers said last year, "It is only a matter of the when, not the if, we're going to see a nation-state, group, or actor engage in destructive behavior against critical infrastructure in the United States."
The threat has been most clearly seen in Ukraine, where Russian hackers launched multiple attacks against that country's electric grid that plunged portions of the nation, including the capital of Kiev, into darkness.
But it is not just a cyber-issue.
In 2013, gunmen took out 17 transformers at the Metcalf Transmission Substation near San Jose, Calif., in what appeared to be a professional job. Then-FERC Chairman Jon Wellinghoff described it as "the most significant incident of domestic terrorism involving the grid that has ever occurred." And last year, The Wall Street Journal reported on "dozens of break-ins … that show how, despite federal orders to secure the power grid, tens of thousands of substations are still vulnerable to saboteurs."
So, utilities, like other facilities, are fighting a two-front war, and weaknesses in either one can create vulnerabilities in the other. Insufficient physical protections can allow on-site access to computer systems, and inadequate cybersecurity can be exploited to manipulate networked physical defenses.
I would like to discuss four key aspects of security technology and how they relate to critical infrastructure protection—robotics; cloud, mobility and the Internet of Things; big data; and cybersecurity.
Security work can be tedious, and no person can maintain constant awareness for an entire shift. But a machine does not get tired or distracted or bored. So, we are now starting to see robots doing patrol duty, especially when the work is, as one member of the security industry put it, "dull, dirty or dangerous." They are intelligence-gathering devices that can collect and relay sights and sounds, rapidly read and process license plates, and even test the air for dangerous chemicals, all while adding a new level of deterrence.
Robotics can be deployed both on the ground and in the air, and unmanned aerial vehicle (UAV) technology, in particular, holds both promise and risk for critical infrastructure sites. On the positive side, drones can be equipped with cameras and sensors and used by security teams. The drone regulations announced by the FAA last year, though, are strict, limiting their use to line-of-sight, under 400 feet, during the day and not over people. These rules will likely evolve—waivers are already possible—and the standard use of automated drones beyond line-of-sight should not be too many years away.
But technology, of course, can be used for either good or bad. Many people in the energy sector have serious concerns about people flying drones over their sites, whether simply to see what is going on, to gain business intelligence or for more nefarious purposes. And countermeasures remain challenging. Geofencing can be defeated, and jamming a drone, using GPS spoofing, or shooting it down will probably result in legal ramifications. About the only thing that can be done, at this point, is to gather as much information as possible and try to locate the operator.
Those robots and drones will be connected to the Internet, and with more and more cameras, card readers, alarms and other equipment going online, security has become a component of the Internet of Things. As with drone technology, this can be very good, with Internet connections enabling such things as mobility and cloud storage.
Mobility makes data available anywhere, not just in a security operations center. This can improve the response times and effectiveness of security personnel. The cloud, meanwhile, in addition to providing a secure storage solution, allows facilities and enterprises to increase efficiency through building automation and to implement security-as-a-service.
With all of these devices tied into the Internet of Things and generating vast amounts of information, what, exactly, can be done with it? Big Data, when handled correctly, enables such things as video analytics and predictive analysis. Both technologies are still in their relatively early stages. But while they're not yet at the point that is depicted in some movies and TV shows, they can be, like other security technologies, a force multiplier. Even simple analytics, like line-crossing, are useful tools, and predictive analysis has the potential to connect disparate pieces of data to identify possible vulnerabilities and threats—especially insider threats.
However, just as drone technology can both create and solve security challenges, so, too, can the networking of security equipment. With everything online, a security system, if it is not deployed correctly, can be vulnerable to anybody with an Internet connection.
It is essential, then, that physical security and cybersecurity be brought together. U.S. Cyber Consequences Unit Director Scott Borg said, "As long as organizations treat their physical and cyber domains as separate, there is little hope of securing either one. The convergence of cyber and physical security has already occurred at the technical level. It is long overdue at the organizational level."
Without this collaboration, somebody, whether onsite or far away, might turn out the lights.