Change of Plans: What ECs Need to Know About Critical Infrastructure Protection

By Deborah L. O’Mara | Jun 15, 2019
Hacker Digital Security Image Credit: Shutterstock / Brovkin / Tony Studio / Igorstevanovic

As additional regulations, standards and laws continue to proliferate in the critical infrastructure landscape, keeping up with the rules and regulations and specifying the right technology is imperative for electrical contractors in this field.

Critical infrastructure, according to the Department of Homeland Security (DHS), is defined as “assets, systems and networks, whether physical or virtual, considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

DHS outlined 16 critical infrastructure sectors under Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Protection and Resilience. Those sectors include: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials and waste; transportation systems; and water and wastewater systems.

PPD-21’s premise is that the federal government has to work with public and private partners to strengthen the security and resilience of its critical infrastructure against both physical and cyber threats.

Cyber-crime takes center stage

On Nov. 16, 2018, President Trump signed into law the Cybersecurity and Infrastructure Security Agency (CISA) Act of 2018, which elevates the mission of the DHS’s National Protection and Programs Directorate. This law identifies and assesses potential risk for the critical infrastructure sectors. CISA coordinates security and resilience efforts and provides technical assistance to infrastructure owners and operators. It also folds in comprehensive cyber protection through CISA’s National Cybersecurity and Communications Integration Center, including cyber situational awareness, analysis, incident response and cyber defense capabilities.

With cyber threats proliferating, the objectives of critical infrastructure protection (CIP) have changed, said Stuart Tucker, vice president of Enterprise Solutions, AMAG Technology, Philadelphia.

“The target has moved, and there has been a change in focus as the government looks at what can be done differently,” he said. “Ten years ago, the focus was on the physical threat for a facility, whereas today the biggest threat is operational, where bad people or actors try to take a physical infrastructure out in a way that has a cascading effect. If someone blows out a water system or knocks out an electrical grid, there’s a widespread effect on more people.”

Tucker said, in the energy space, CIP is detailed by the North American Electric Reliability Corp. (NERC), a not-for-profit international regulatory authority with the mission to effectively and efficiently reduce risks to the reliability and security of the power grid.

In April 2013, an orchestrated assault was carried out on Pacific Gas and Electric Co.’s Metcalf Transmission Substation in Coyote, Calif., near San Jose. Gunmen fired on 17 electrical transformers and caused more than $15 million worth of equipment damage, but it had little impact on the station’s electrical power supply. This attack resulted in the CIP 0-14 NERC standards for physical security, designed to identify and protect transmission stations and transmission substations and their associated primary control centers.

“Critical infrastructure protection is constantly evolving,” Tucker said. “Cyber is a now a big part of these regulations and equally important as physical security. There is never a time when ‘good enough is good enough.’ The threats will continue to change, and there will be different ways to protect these facilities.”

Sophisticated technology is providing integrated solutions, ranging from thermal imaging cameras, physical access control and biometrics, intelligent sensors, analytics, radar and drones.

Burns & McDonnell, an engineering, architecture, construction, environmental and consulting solutions firm based in Kansas City, Mo., specializes in the utility sector. Because the definition and scope of potential critical infrastructure targets have expanded with new threats and risks, it now takes into consideration customers and clients as well as the primary target, according to Terry Harless, Senior Technical Consultant, Business & Technology Solutions, Burns & McDonnell.

Harless is also following the America’s Water Infrastructure Act of 2018: Risk Assessments and Emergency Response Plans, which requires community drinking water systems serving more than 3,300 people to develop or update risk assessments and emergency response plans (ERPs). The components the risk assessments and ERPs must address, and establishes deadlines for water systems to certify to EPA the completion of the risk assessment and ERP.

Harless constantly vets and tests solutions designed to meet the specifics of the critical infrastructure markets and utility customers to determine potential customer implementation.

“There are quite a few new technologies being used in this sector. Solutions that are advancing include video analytics in thermal cameras, which can now identify objects approaching the site and determine if it’s an animal, person or simply an inanimate object or something blowing in the wind. Ground-based radar is becoming advanced and gives operators or security personnel a valid assessment of what’s approaching, even at the farthest reaches of the perimeter. The drone is also becoming sophisticated, and while utilities are still a bit leery of the technology, some clients are monitoring drones to understand how many are flying over their facility.”

Drone activity can be monitored by RF signals, radar and sound.

In access control, biometrics and digital certificates are authenticating and verifying identities beyond simply acknowledging the person carrying a credential or card. Perimeter sensors recognize something moving and gauge the object’s speed and direction.

Do your homework

“Electrical contractors need to read up on and know all the regulations,” Harless said. “Many are installing cameras and running conduit and cabling but are not doing the programming or the ‘smarts.’ Definitely read up on the regulations and pursue manufacturer training to become certified on systems. It’s important to hire the right people with the expertise on the system as well as those well-versed in software and programming.”

Stuart Tucker of AMAG Technology said, to be successful in the critical infrastructure market, ECs need a team member who understands the requirements—a subject matter expert who can discuss the impact of standards and requirements as it applies to the client.

“You need to understand a variety of standards, regulations, directives and initiatives, and read up on best practices from [the National Institute of Standards and Technology] as well as related standards such as Personal Identity Verification Federal Information Processing Standard 201. Those regulations are also constantly changing, so you need expertise in all the specific areas you would like to play in.”

Tucker advises ECs to partner with manufacturers and technology providers who themselves are experts and have a stake in critical infrastructure protection.

“These days, prospects and customers don’t simply want boxes. They want someone to advise them on what they should do. When you can provide that kind of service and expertise it puts you in the position of holding a competitive advantage.”

About The Author

O’MARA writes about security, life safety and systems integration and is managing director of DLO Communications. She can be reached at [email protected] or 773.414.3573.





featured Video


New from Lutron: Lumaris tape light

Want an easier way to do tunable white tape light?


Related Articles