How Vulnerable are U.S. Utilities?
Securing the electric power grid is a top priority for critical infrastructure protection in the United States. Historically, access control and surveillance at power grid facilities varied by type and location, primarily focusing on public safety and preventing vandalism or theft. More recently, federal agencies, Congress, and the utility industry have increased focus on the vulnerability of the power grid, especially the high-voltage transmission system, to terrorist attacks that could cause widespread, extended blackouts.
Until 2013, the emphasis was on power grid cybersecurity. However, a 2013 rifle attack on an electric transmission substation in Metcalf, CA, shifted attention to the physical security of critical power grid assets. Since 2014, security risks to the power grid have become a greater concern in the electric utility industry.
Whether threats come from terrorists, disgruntled former employees, or pranksters, unauthorized access and tampering at a utility facility can disrupt electrical power supply and utility operations. The Federal Energy Regulatory Commission (FERC) has mandated physical security standards for substations, citing the Metcalf attack and other incidents. In response, Congress passed legislation to strengthen power grid physical security and facilitate recovery from attacks.
Achieving and Maintaining Physical Security Regulatory Compliance
Today, NERC's Critical Infrastructure Protection (CIP) Standards mandate that all electric utilities implement a physical security plan and program to monitor and manage physical access, protecting critical infrastructure, cyber assets, and Bulk Electric System cyber systems.
To comply, utilities must define operational or procedural controls to restrict physical access. For authorized individuals requiring access to critical infrastructure or security perimeters, utilities should:
- Implement at least one physical access control system; two or more are recommended.
- Monitor unauthorized access through all physical access points.
- Maintain records (automated or manual) of entry, including time and date, for each individual with authorized, unescorted, or unauthorized access.
- Issue an alarm or alert upon unauthorized access.
- Keep physical access logs capturing the date and time of individual access.
Standard CIP-006 focuses on managing physical access to Bulk Electric System (BES) Cyber Systems to protect them from compromise. Standard CIP-014 requires identification and protection of Transmission stations and substations, and their associated primary control centers, whose failure could result in widespread instability or cascading within an Interconnection.
Role of Locking Systems in Critical Infrastructure
Utilities need to support resiliency strategies that assess, prevent, detect, and recover from events. This includes perimeter hardening, cybersecurity, communications, equipment redundancy, and protecting critical assets. Secure locks are indispensable tools for addressing complex security scenarios.
For internal use, locking devices on doors, elevators, machines, shutters, cabinets, and switchgears prevent unauthorized access. In critical infrastructure, locks must resist extreme temperatures, dust, toxic substances, fire, and explosions. For outdoor sites, locks must perform in challenging environments like ice, snow, and rain, securing gates, fences, doors, and key safes.
Critical infrastructure facilities often operate across large geographic areas with multiple remote locations and a high number of personnel needing access, including third-party contractors. Locking systems must accommodate these challenges.
A high-security locking system that combines electronic and mechanical security, providing an intelligent combination, is beneficial. Programmable keys are powered by batteries, energizing the lock cylinder upon insertion. Communication between the cylinder and key is encrypted. Programmable cylinders do not require wiring, ensuring fast installation and minimal on-site maintenance. An audio indication and LED indicators inform the user if the key has the necessary access rights.
Key management software and programming devices allow administrators to program, amend, or delete keys remotely and instantly. Keys can be assigned short authorization time windows to minimize risks from lost keys. Security managers can generate timestamped audit trails for any lock or key, tracing access workflows.
In Summary, Utilities are Looking for:
- Flexible access and key management for permanent staff, part-time staff, and third-party contractors.
- Interior and exterior locking points supporting doors, elevators, machines, windows, shutters, cupboards, cabinets, gates, fences, and switchgears.
- Global access to management software with minimum IT investment and support.
- Multiple administration possibilities with various roles (e.g., receptionist, security manager), requiring minimum administration time.
- Easy support for NERC CIP audits for physical security.
- Easy key and access management for different users and their requirements.
- Health and safety compliance, working with existing processes.
- Integration possibilities with HR systems, access control systems, and task management software.
Medeco Intelligent Key Systems are a Smart Business Decision
In response to NERC CIP Standards 006 compliance, utilities have deployed various solutions. CIP-014 is less prescriptive, leaving the specific security plan to the utility. Medeco offers solutions like the Medeco XT electronic locking system and the Medeco CLIQ electro-mechanical locking system, providing controlled access, accountability, physical security, and system management.
Medeco Intelligent Key Systems offer benefits similar to electronic access control systems but retrofit existing hardware without hardwiring, reducing installation time and cost. Medeco locks are built to high standards, offering strong protection against forced entry and tamperproof features in an attack-resistant design.
While some utilities opt for elaborate Electronic Access Control (EAC) systems, the major drawback is installation cost due to extensive hardwiring. Medeco Intelligent Key Systems are powered by electronic keys, requiring no hardwiring and continuing to function during power failures. Medeco XT Intelligent Keys use rechargeable batteries (1,800 openings per charge), and Medeco CLIQ Intelligent Keys use replaceable coin cell batteries (20,000 cycle life). These systems can be deployed in all interior and exterior climates.
Installation of a Medeco Intelligent Key system is straightforward: remove the old cylinder and install the new one, ensuring fast and efficient deployment for CIP Standards compliance.
Medeco CLIQ and Medeco XT are the two main systems offered.
Trusted Security for Critical Infrastructure
Medeco Intelligent Key Systems offer the following benefits:
- Key Management and Access Control: Respond quickly to security threats, lost keys, or personnel changes with expiring key validation and remote programming. One key can access doors, cabinets, gates, and outdoor areas. Flexible access, electronic scheduling, and key management ensure the right person is in the right location at the right time. Administrators have freedom to manage the system anytime, anywhere.
- Access Control for Mobile Workforce: Bluetooth connectivity with iOS or Android mobile phones allows users to update keys (access rights) wirelessly, anywhere, anytime.
- Audit Accountability: Audit information recorded in both the lock and key provides a time-and-date stamped record of every event, including authorized accesses and unauthorized attempts. The CLIQ system offers customized software integration possibilities via an XML/SOAP Web Services interface.
- Physical Security: Medeco XT and CLIQ systems add intelligent features without compromising physical security. Attack-resistant design and tamper-proof features provide strong protection against forced entry.
- Reduce Costs: Cost-effective solutions eliminate the need for administrators to update keys or replace batteries. Reduced operational costs stem from using existing hardware, easy wire-free installation, and keys providing power to the cylinder. Medeco offers a hosted Software as a Service (SaaS) solution using Amazon Web Services (AWS) or AWS GovCloud, reducing IT infrastructure costs. Medeco has achieved ISO/IEC 27001:2013 certification for its information security management. Service availability includes 24/7 monitoring and optional professional support.
The CIP Compliance Solution that is Easy and Cost-Effective
In a world of unpredictable disruptive events, utility security is paramount. Federal actions require North American power utilities to comply with rigid physical security regulations. Replacing a vulnerable mechanical key system with a Medeco Intelligent Key System is one of the most cost-effective and efficient ways to meet and sustain compliance with key NERC CIP Standards. It provides all the benefits of an electronic access control system without the high cost of hardwiring.
Medeco Intelligent Key Systems are a significant component in a power utility's effort to dramatically lower the cost and complexity of CIP physical security compliance. Numerous small, medium, and large utility customers across the USA and Canada use Medeco Intelligent Key solutions (CLIQ and XT) for protection and compliance.
For more information about Medeco Intelligent Key Systems, contact:
- Andy Hummel
US Business Development Manager
Medeco Security Locks, Inc.
andy.hummel@assaabloy.com
(919) 740-3433 - Gene Cronin
XT Product Line Manager
Medeco Security Locks, Inc.
gene.cronin@assaabloy.com
(732) 320-0287 - Ashok Acharya
CLIQ Product Line Manager
Medeco Security Locks, Inc.
ashok.acharya@assaabloy.com
(540) 380-1777
