Security convergence in a utility environment

Whatever you call it, IT/OT/Physical convergence, a holistic security approach, or the integration of all security disciplines, the benefits far outweigh the negatives. Arguably, convergence can be defined as the integration of logical security, information security, operational security, physical security, and business continuity.

Considering the various facets of security threats (terrorism, identity theft, data breaches, insider threats, etc.) one side of the security spectrum simply cannot protect an organization to its greatest potential. While electric utilities in North America remain effective at addressing traditional threats such as severe weather, vegetation management and routine transmission disruptions, the evolving nature of physical, cyber and OT security is creating challenges that many companies are grappling with to ensure the resilience of their operations. An interconnected grid that incorporates computing, communications, markets and physical assets unfortunately presents potential attackers with previously unknown opportunities that require a holistic approach to security.

Bringing together different security silos into one combined organization can be a lot easier when a single executive sits at the top. When there’s a single point of contact, the CFO or COO can pick up the phone and speed-dial the CSO instead of having to pull out an org chart to figure out whom to call with a security question or concern. Converging or integrating IT and OT groups with the physical security group is one of the solutions that can help prioritize risk and create more comprehensive security business plans. Merged organizational charts are an effective and legitimate way to ensure cooperation and accountability in the event of security events.

While traditional security is about protecting the perimeter, a significant number of breaches are occurring due to internal threats. A disgruntled employee or a contractor that has not been fully vetted are already inside your organization and present a real threat. Someone having an engineering background who understands critical grid components could wreak havoc on a system, or even destroy equipment. It goes without saying, an employee with true insider knowledge of the electric transmission or distribution system can cause significant damage and system failure.

Organizations have begun to acknowledge the importance of detecting and preventing insider threats. Just as it is vital to have methods to detect external threats, it’s also important to protect your organizations assets and systems from unauthorized insider misuse or destruction.

Physical security networks and IT infrastructures have been running as separate networks in years past. Since video monitoring systems and access control systems started using the TCP/IP open network, however, IT is being applied to the realm of physical security more often. Access control, such as card and biometric recognition, along with visitor management programs, all use an IT platform. Similarly, video management technologies (cameras, thermal observation units) gunshot detection, and intrusion alarms use related IT systems.

Once integrated, departments collaborate to ensure physical access to buildings is linked closely with logical access to computers and network resources. Similarly, actions to revoke an employee’s physical access can be used to trigger automated network denial on the logical side – ensuring both departments are consistently on the same page when it comes to enterprise security.

The ability to systematically collect and analyze threat data and to accurately report the current security condition is critical in the face of emergent hostile attacks, and enables utility security professionals to detect threats and maintain situational awareness. A utility’s security operations center (SOC), which relies on cameras, perimeter intrusion detection, and motion activated alarms depend on IT infrastructure for success. Likewise, a company’s cyber infrastructure, NERC CIP program, and industrial control systems rely on physical security mitigation measures to keep systems inaccessible to physical threats. It only makes sense that today’s utility encourage merged security programs.

Security convergence requires leadership and political will because the reality is that data breaches, copper theft and physical damage to substations are going to continue to occur, and corporations need to measure these risk factors. The changing security threat landscape and the need to make risk-based decisions dictate an integrated approach to security management. The era of security silos is vanishing, and those companies that can get past the nostalgia of organizational security independence will be the survivors.