• United States



Director, Critical Infrastructure Protection Programs, North American Electric Reliability Corp. (NERC)

Security convergence in a utility environment

Oct 11, 20164 mins
Critical InfrastructureIT LeadershipIT Skills

It’s important that your physical and information security methods, procedures, and safeguards are not designed in isolation.

Whatever you call it, IT/OT/Physical convergence, a holistic security approach, or the integration of all security disciplines, the benefits far outweigh the negatives. Arguably, convergence can be defined as the integration of logical security, information security, operational security, physical security, and business continuity.

Considering the various facets of security threats (terrorism, identity theft, data breaches, insider threats, etc.) one side of the security spectrum simply cannot protect an organization to its greatest potential. While electric utilities in North America remain effective at addressing traditional threats such as severe weather, vegetation management and routine transmission disruptions, the evolving nature of physical, cyber and OT security is creating challenges that many companies are grappling with to ensure the resilience of their operations. An interconnected grid that incorporates computing, communications, markets and physical assets unfortunately presents potential attackers with previously unknown opportunities that require a holistic approach to security.

Bringing together different security silos into one combined organization can be a lot easier when a single executive sits at the top. When there’s a single point of contact, the CFO or COO can pick up the phone and speed-dial the CSO instead of having to pull out an org chart to figure out whom to call with a security question or concern. Converging or integrating IT and OT groups with the physical security group is one of the solutions that can help prioritize risk and create more comprehensive security business plans. Merged organizational charts are an effective and legitimate way to ensure cooperation and accountability in the event of security events.

While traditional security is about protecting the perimeter, a significant number of breaches are occurring due to internal threats. A disgruntled employee or a contractor that has not been fully vetted are already inside your organization and present a real threat. Someone having an engineering background who understands critical grid components could wreak havoc on a system, or even destroy equipment. It goes without saying, an employee with true insider knowledge of the electric transmission or distribution system can cause significant damage and system failure.

Organizations have begun to acknowledge the importance of detecting and preventing insider threats. Just as it is vital to have methods to detect external threats, it’s also important to protect your organizations assets and systems from unauthorized insider misuse or destruction.

Physical security networks and IT infrastructures have been running as separate networks in years past. Since video monitoring systems and access control systems started using the TCP/IP open network, however, IT is being applied to the realm of physical security more often. Access control, such as card and biometric recognition, along with visitor management programs, all use an IT platform. Similarly, video management technologies (cameras, thermal observation units) gunshot detection, and intrusion alarms use related IT systems.

Once integrated, departments collaborate to ensure physical access to buildings is linked closely with logical access to computers and network resources. Similarly, actions to revoke an employee’s physical access can be used to trigger automated network denial on the logical side – ensuring both departments are consistently on the same page when it comes to enterprise security.

The ability to systematically collect and analyze threat data and to accurately report the current security condition is critical in the face of emergent hostile attacks, and enables utility security professionals to detect threats and maintain situational awareness. A utility’s security operations center (SOC), which relies on cameras, perimeter intrusion detection, and motion activated alarms depend on IT infrastructure for success. Likewise, a company’s cyber infrastructure, NERC CIP program, and industrial control systems rely on physical security mitigation measures to keep systems inaccessible to physical threats. It only makes sense that today’s utility encourage merged security programs.

Security convergence requires leadership and political will because the reality is that data breaches, copper theft and physical damage to substations are going to continue to occur, and corporations need to measure these risk factors. The changing security threat landscape and the need to make risk-based decisions dictate an integrated approach to security management. The era of security silos is vanishing, and those companies that can get past the nostalgia of organizational security independence will be the survivors.


Brian Harrell is a nationally recognized expert on critical infrastructure protection, continuity of operations, and cybersecurity risk management. Harrell is the President and Chief Security Officer at The Cutlass Security Group, where he provides critical infrastructure companies with consultation on risk mitigation, protective measures, and compliance guidance. In his current role, he has been instrumental in providing strategic counsel and thought leadership for the security and resilience of the power grid and has helped companies identify and understand emerging threats. Advising corporations throughout North America, Harrell has worked to increase physical and cybersecurity mitigation measures designed to deter, detect, and defend critical systems. Harrell is also a Senior Fellow at The George Washington University, Center for Cyber and Homeland Security (CCHS) where he serves as an expert on infrastructure protection and cybersecurity policy initiatives.

Prior to starting his own firm, Harrell was the Director of the North American Electric Reliability Corporation’s (NERC) Electricity Information Sharing and Analysis Center (E-ISAC) and was charged with leading NERC’s efforts to provide timely threat information to over 1900 bulk power system owners, operators, and government stakeholders. During his time at NERC, Harrell was also the Director of Critical Infrastructure Protection Programs, where he led the creation of the Grid Security Exercise, provided leadership to Critical Infrastructure Protection (CIP) staff, and initiated security training and outreach designed to help utilities “harden” their infrastructure from attack.

Prior to coming to the electricity sector, Harrell was a program manager with the Infrastructure Security Compliance Division at the U.S. Department of Homeland Security (DHS) where he specialized in securing high risk chemical facilities and providing compliance guidance for the Chemical Facility Anti-Terrorism Standards (CFATS). For nearly a decade of world-wide service, Harrell served in the US Marine Corps as an Infantryman and Anti-Terrorism and Force Protection Instructor, where he conducted threat and vulnerability assessments for Department of Defense installations.

Harrell has received many accolades for his work in critical infrastructure protection and power grid security, including awards from Security Magazine, CSO, AFCEA and GovSec. Harrell maintains the Certified Protection Professional (CPP) certification and holds a bachelor’s degree from Hawaii Pacific University, a master of education degree from Central Michigan University, and a master of homeland security degree from Pennsylvania State University.

The opinions expressed in this blog are those of Brian Harrell and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.