Incorporating Best Practices Into a Modernized Physical Security
Interview with David Grubbs, Director, Regulatory Affairs and Compliance at City of Garland, TX
As the Department of Homeland Security has reported, cyber security threats to the utility industry are increasing in number and sophistication. Because of this challenge, the North American Electric Reliability Corporation (NERC) is increasing the Critical Infrastructure Protection (CIP) regulatory requirements to ensure organizations and facilities are meeting basic standards in this area. Marcus Evans had the privilege to hear from David Grubbs before the upcoming Utility Cyber Security & CIP Compliance Conference, January 15-17, 2013 in Atlanta, GA. Below he shares with us his perspective on how CIP standards are affecting cyber security within electric utilities. The responses below strictly reflect the views and beliefs of David Grubbs, and not necessarily those of the City of Garland, TX.
What are some of the newer efforts being utilized to protect the physical assets of utilities?
David Grubbs: Electric utilities continue to improve both physical and cyber security efforts to counter known and unknown threats. In physical security, many upgraded security features have been added, including: card access at many locations, electronic padlocks that require the regular reauthorization of keys and can be set to ignore keys identified as lost, video monitoring, fence tamper detection and motion sensors. The most important aspect of improving security is properly training personnel and achieving a security mindset within the industry. The CIP Standards make a start at this, but only include personnel with access to the CIP Critical Cyber Assets.
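The electronic padlocks described above make two decisions at the lock itself: is this key still within its reauthorization period, and has it been reported lost? The following is an added illustration of that decision logic, not code from the interview, the City of Garland, or any padlock vendor; the key identifiers, site names, reauthorization period and the `Padlock` / `KeyCredential` types are all constructed for the example. It also computes the worst-case window during which a lost key remains usable before its authorization lapses, which is the quantity the reauthorization interval actually bounds.

```python
"""Offline electronic padlock credential check (constructed illustration).

A key carries a timestamp of its last reauthorization at a base station.
Each lock holds a list of key ids reported lost. The lock admits a key only
if it is not revoked, is scoped to this site, and was reauthorized recently.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical policy value: how often a key must be re-authorized.
REAUTH_PERIOD = timedelta(days=1)


@dataclass(frozen=True)
class KeyCredential:
    key_id: str
    holder: str
    last_authorized: datetime        # last re-authorization at a base station
    sites: frozenset[str]            # site identifiers this key may open


@dataclass
class Padlock:
    site: str
    revoked_keys: set[str] = field(default_factory=set)   # ids reported lost
    clock_skew: timedelta = timedelta(minutes=5)          # tolerated drift
    audit: list[tuple[datetime, str, bool, str]] = field(default_factory=list)

    def decide(self, key: KeyCredential, now: datetime) -> tuple[bool, str]:
        """Return (admit, reason) and record the attempt in the local audit log."""
        admit, reason = self._evaluate(key, now)
        self.audit.append((now, key.key_id, admit, reason))
        return admit, reason

    def _evaluate(self, key: KeyCredential, now: datetime) -> tuple[bool, str]:
        # Revocation is checked first: a lost key is ignored even if "fresh".
        if key.key_id in self.revoked_keys:
            return False, "key revoked (reported lost)"
        if self.site not in key.sites:
            return False, "key not authorized for this site"
        expires = key.last_authorized + REAUTH_PERIOD
        if now > expires + self.clock_skew:
            return False, "authorization expired; key must be re-authorized"
        return True, "open"


def exposure_window(key: KeyCredential, lost_at: datetime) -> timedelta:
    """Longest time a key lost at `lost_at` stays usable at a lock that has
    not yet received the revocation: until its current authorization lapses."""
    remaining = (key.last_authorized + REAUTH_PERIOD) - lost_at
    return max(timedelta(0), remaining)


if __name__ == "__main__":
    now = datetime(2013, 1, 15, 9, 0)           # constructed timestamp
    lock = Padlock(site="SUB-7", revoked_keys={"K-042"})
    tech = KeyCredential("K-100", "tech-a", now - timedelta(hours=6),
                         frozenset({"SUB-7"}))
    print(lock.decide(tech, now))                # (True, 'open')
    print(exposure_window(tech, lost_at=now))    # 18:00:00
```

The point the example makes explicit is that the reauthorization period, not the speed of reporting a loss, bounds the exposure of a lost key at locks that have no network connection to receive the revocation list.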
Can you elaborate on the benefits of applying CIP standards to non-critical assets?
DG: The CIP standards are a good starting point for any security system. They are, however, inadequate to fully protect any asset. Security is achieved by defense in depth. Much as an onion has numerous layers, good security systems should have numerous layers, of which the CIP standards are only a few. Frequently, the best defenses are those no one knows about. Unfortunately, at least through version 4, the CIP Standards are somewhat prescriptive. Many of the security aspects of a facility, and even which facilities have security, can be guessed because of the CIP standards. Beginning with version 5 of the CIP standards, the industry will have more flexibility to install the appropriate security for a facility rather than specific security practices.
Why should utilities consider organizational security to be just as important as safety?
DG: Security systems are inherently designed to keep the “bad guys” out. Excellent security systems can easily be defeated when someone inadvertently leaves a door open or invites the “bad guys” in. The most common ways of entering a system are by social engineering. Asking innocent-sounding questions, a hyperlink in an email that appears to be from your boss, or getting someone to plug in a USB drive or CD are the easiest ways to get into a secure system. A second source of lost information is a lost laptop or a USB drive that contains sensitive information.
The article from Intelligent Utility, http://www.intelligentutility.com/article/12/10/cyber-risk-conversation, explores the potential motivation behind cyber attacks aimed at utilities in the format of a hypothetical conversation between utility executives. If you had a chance to join the conversation, what comments/counterarguments would you give?
DG: I have had several very similar conversations with industry executives across North America. Different entities have differing risk profiles to the various threats identified in the discussion. Certain companies may be more of a target to certain organizations, such as environmental extremists, while others might be less so. There is some risk for all of these threats to each of us. Some organizations, because of their small size, might believe they are immune to such activities because no one knows they are there, and theorize that someone would not be interested in attacking them. By the same logic, an attacker might go after a smaller organization believing its security is less organized than at a larger entity and easier to penetrate, thus making a smaller entity a more attractive target. None of these is true in all circumstances, but all are potential considerations when designing a security system.
As someone who has attended marcus evans events in the past, what do you think attendees can take away from this conference?
DG: There are three primary takeaways from a marcus evans conference. First is the educational aspect. Attendees learn how other comparable companies are coping with the issues: from compliance, to security, to organizational structure, to budgeting. Second are the relationships you build with the speakers and fellow participants. Being able to discuss ideas with others, both during the conference and afterward, can give significant insight into issues. Third, and perhaps most important, it gives you a chance to break out of a rut and do something different. We are all guilty of continuing to do what we have been doing, and as long as nothing jolts us, we just keep on doing it. A conference such as this gives us the opportunity to review our own programs in the light of the best practices of others. It allows us to refocus on the needs of our organization and gives us a new enthusiasm for pursuing the ideas we developed at the seminar.
Mr. Grubbs joined the City of Garland in 2002 and has held numerous positions within the City. He is currently serving as the Director of Regulatory Affairs and Compliance, reporting directly to the Managing Director of the Electric Utility on Regulatory, Compliance and Transmission Planning Issues. Immediately prior to joining Garland, Mr. Grubbs worked as a consultant developing wind energy and compressed air energy storage generation units.