Download PDF version Contact company

Protecting North America’s power grid is a thankless job. Day in and day out, the good citizens of the United States and Canada wake up with the assumption that when they get out of bed each morning and flip on the lights, the room will illuminate, the coffee pot will come to life and their mobile phone will have been fully charged. After all, we live in a modern First World society, where we have come to depend on timely and efficient power at our fingertips. In reality, that reliable electricity that we all enjoy has many people working around the clock to ensure its reliability, resiliency and security. Today’s grid operators are inundated with natural and man-made threats. As utilities tackle the monster of the moment, which is the evolving cybersecurity threat, we must not take our eyes off the more primitive threat.  

Security Threats To US Grid

Electricity is perhaps the most vital of the critical infrastructures and key resources that support our society. The mission of the North American Electric Reliability Corporation (NERC) is to ensure the reliability of the North American bulk power system (BPS). While electric utility companies are responsible for administering the day-to-day operations of the electric grid, regulators such as NERC and the Federal Energy Regulatory Commission (FERC) are charged with the overall responsibility of ensuring reliability and security. NERC develops and enforces Reliability Standards, annually assesses seasonal and long?term reliability, monitors the bulk power system through system awareness, operates the Electricity Information Sharing and Analysis Center (E-ISAC) and educates, trains and certifies industry personnel. Normal everyday operations of the system are the responsibility of utility owners and operators.

Currently, the most significant reliability threat to the U.S. grid
is associated with squirrels and balloons, and not religiously inspired terrorists

During emergencies, NERC supports industry actions to respond, mitigate and restore the BPS to normal operation by facilitating effective information sharing and communication with and between NERC registered entities, government agencies and the media. This information is not focused on operational decision making; but instead provides utilities data, best practices and mitigation strategies to help recover from crisis. Obviously as a regulatory body, NERC must stay out of emergency response until the utility has best mitigated the threat or reliability issue.

Currently, the most significant reliability threat to the U.S. grid is associated with squirrels and balloons, and not religiously inspired terrorists. However – and more applicable to grid operators – we have recently seen noteworthy interest in disabling or destroying critical infrastructure. Coordinated attacks specifically targeting the grid are rare, but an attack by a disgruntled former employee, ideologically motivated activist, or a criminal stumbling across a “soft target”, could inflict significant damage. With an interconnected grid of over 450,000 miles of high voltage transmission lines (100 kV and higher) and over 55,000 substations (100 kV and larger), the targets of opportunity are endless.

Currently, the most significant reliability threat to the U.S. grid is associated with squirrels and balloons
An attack by a disgruntled former employee, ideologically motivated activist, or a criminal stumbling across a “soft target”, could inflict significant damage

Critical Infrastructure Protection

Critical infrastructure protection is a cyclical process incorporating prevention, detection, mitigation, response and recovery. The key to this protection is the identification of credible threats, which will assist energy companies in assessing risks and potential vulnerabilities (weaknesses) of their facilities. Once a threat has been thoroughly analyzed, it is then possible to institute preventative measures to deter, detect and delay an attack. Of course, critical infrastructure protection planning must always include mitigation, response and recovery actions in the event an attacker is successful.

While the security of the grid is a shared responsibility between the government and the private sector, the primary responsibility rests with utility owners and operators. Utility security staff have a responsibility to ensure they are able to receive and act upon criminal intelligence and be prepared to identify risks and vulnerabilities associated with security threats. Any protection program that is developed must be as efficient and cost-effective as possible, as budgets are limited and ratepayers are sensitive to wasteful spending. Effective security programs rely on risk management principles and associated tools to establish priorities, allocate budget dollars and harden infrastructure sites. Physical security protection encompasses defensive mechanisms to prevent, deter and detect physical threats of various kinds. Specifically, these measures are undertaken to protect personnel, equipment and property against anticipated threats. Properly conceived and implemented security policies, programs and technologies are essential to ensure a facility’s resistance to threats while meeting demand, reliability and performance objectives.

Unfortunately, many do not realize
the amount of reports, guidelines,
standards and assessments that
have been developed for use

Electricity Industry Physical Security Standards

Significant progress has been made in the electricity industry surrounding the issue of security. Unfortunately, many do not realize the amount of reports, guidelines, standards and assessments that have been developed for use. The industry has gone through multiple iterations of mandatory Critical Infrastructure Protection (CIP) Standards that focus on security protections. The CIP Standards, while not perfect, may be an example for other sectors to immolate. These standards are a minimum baseline for compliance and utilities should not assume that because they have a good compliance program they are somehow immune from attack. In addition, many electric utilities undergo a sector-wide Grid Security Exercise (GridEx) every two years to hone their skills and provide updates to their security practices and policies. This is in addition to annual exercises mandated by the cyber standards. It is fair to say that the industry has been very responsive to the evolving security threat and the mandatory requirements found within CIP compliance.

As a result of the 2013 California substation attack that destroyed $15 million dollars in infrastructure, industry now has a physical security standard. This standard was created to protect the most critical transmission substations and control centers in North America. While protections vary, many utilities have upgraded their security measures to include concrete or non-scalable perimeters, robust access control, cameras, lighting and armed guards. It is highly likely that we will one day see similar standards put in place to better protect non-nuclear generation facilities, but only time will tell.

Physical security protection encompasses defensive mechanisms to prevent, deter and detect physical threats
Many utilities have upgraded security measures to include concrete perimeters, robust access control, cameras, lighting and armed guards

The piece that the industry continues to struggle with is information sharing and the ability to quickly obtain actionable threat intelligence; an issue which has been combatted head-on through the sharing of security information amongst utility partners. Large utilities with the manpower and resources to address this initiative are changing the security model from reactive to proactive. If you understand your adversary’s tactics, intent, and capabilities, you can develop strategies to combat their attacks and better plan for future threats. Better, more proactive security, can be achieved through information sharing agreements and partnerships with other utilities, regulatory agencies and intelligence partners. Many utilities do not have the dedicated resources to dissect and aggregate this data and are thus unable to react appropriately, or wind up drawing inaccurate conclusions. As a result, the electricity sector is demanding more access to actionable intelligence and threat streams. With this added intelligence, utilities can better pinpoint threats to specific systems and focus efforts on system recovery and restoration. This will undoubtedly drive better, more informed responses to security incidents.

The FBI, DHS and the DOE have made considerable strides in improving information sharing,
and giving classified access to intelligence products

Improving Information Sharing

Over the past few years, the FBI, DHS and the DOE have made considerable strides in improving information sharing and giving classified access to intelligence products such as bulletins, alerts and secret level briefings. These products have been used to mitigate threats, reduce risk and update internal security policies. Additionally, this data flow has enhanced communications between security teams, management and board members by providing authoritative threat warnings. This ultimately drives better investment strategies by more directly connecting security priorities with business risk management priorities. Unfortunately, utilities still see risks in sharing information with federal partners. Recently, the Washington Post released an article with a salacious headline falsely suggesting that the grid was hacked via Russian malware. Even after correcting the story, the question remains: who leaked the information to the Washington Post? Utilities all over the country were witnessing an information sharing failure.

We must assume that at some point in the future a North American utility will suffer from a planned and coordinated attack against electrical infrastructure. Have we looked at credible threats closely enough and did we prepare our people to respond, recover and communicate? As an industry, we will be judged and hard questions will be asked about how seriously we considered the threats and what we did to mitigate future attacks. Success will be determined by how quickly we are able to respond and the swiftness of system recovery. There is no doubt that security is an “all hands” approach by everyone involved.

Download PDF version Download PDF version

Author profile

In case you missed it

Why Face Recognition As A Credential Is The Ideal Choice For Access Control?
Why Face Recognition As A Credential Is The Ideal Choice For Access Control?

In the field of access control, face recognition has come a long way. Once considered too slow to authenticate people's identities and credentials in high traffic conditions, face recognition technology has evolved to become one of the quickest, most effective access control identity authentication solutions across all industries. Advancements in artificial intelligence and advanced neural network (ANN) technology from industry leaders like Intel have improved the accuracy and efficiency of face recognition. However, another reason the technology is gaining traction is due to the swiftly rising demand for touchless access control solutions that can help mitigate the spread of disease in public spaces. Effective for high volumes Face recognition eliminates security risks and is also virtually impossible to counterfeit Modern face recognition technology meets all the criteria for becoming the go-to solution for frictionless access control. It provides an accurate, non-invasive means of authenticating people's identities in high-traffic areas, including multi-tenant office buildings, industrial sites, and factories where multiple shifts per day are common. Typical electronic access control systems rely on people providing physical credentials, such as proximity cards, key fobs, or Bluetooth-enabled mobile phones, all of which can be misplaced, lost, or stolen. Face recognition eliminates these security risks and is also virtually impossible to counterfeit. Affordable biometric option Although there are other biometric tools available, face recognition offers significant advantages. Some technologies use hand geometry or iris scans, for example, but these options are generally slower and more expensive. This makes face recognition a natural application for day-to-day access control activities, including chronicling time and attendance for large workforces at construction sites, warehouses, and agricultural and mining operations. In addition to verifying personal credentials, face recognition can also identify whether an individual is wearing a facial covering in compliance with government or corporate mandates regarding health safety protocols. Beyond securing physical locations, face recognition can also be used to manage access to computers, as well as specialized equipment and devices. Overcoming challenges with AI So how did face recognition become so reliable when the technology was once dogged by many challenges, including difficulties with camera angles, certain types of facial expressions, and diverse lighting conditions? Thanks to the emergence of so-called "convolutional" neural network-based algorithms, engineers have been able to overcome these roadblocks. SecurOS FaceX face recognition solution FaceX is powered by neural networks and machine learning which makes it capable of authenticating a wide range of faces One joint effort between New Jersey-based Intelligent Security Systems (ISS) and tech giant Intel has created the SecurOS FaceX face recognition solution. FaceX is powered by neural networks and machine learning which makes it capable of authenticating a wide range of faces and facial expressions, including those captured under changing light, at different resolution levels, and varying distances from the video camera. Secure video management system A common face recognition system deployment begins with IP video cameras that feed footage into a secure video management system connected to a video archive. When the software initially enrolls a person’s face, it creates a "digital descriptor" that is stored as a numeric code that will forever be associated with one identity. The system encrypts and stores these numeric codes in a SQL database. For the sake of convenience and cost savings, the video server CPU performs all neural network processes without requiring any special GPU cards. Unique digital identifiers The next step involves correlating faces captured in a video recording with their unique digital descriptors on file. The system can compare newly captured images against large databases of known individuals or faces captured from video streams. Face recognition technology can provide multi-factor authentication, searching watchlists for specific types of features, such as age, hair color, gender, ethnicity, facial hair, glasses, headwear, and other identifying characteristics including bald spots. Robust encryption SED-compatible drives rely on dedicated chips that encrypt data with AES-128 or AES-256 To support privacy concerns, the entire system features an encrypted and secure login process that prevents unauthorized access to both the database and the archive. An additional layer of encryption is available through the use of Self-Encrypting Drives (SEDs) that hold video recordings and metadata. SED-compatible drives rely on dedicated chips that encrypt data with AES-128 or AES-256 (short for Advanced Encryption Standard). Anti-spoofing safeguards How do face recognition systems handle people who try to trick the system by wearing a costume mask or holding up a picture to hide their faces? FaceX from ISS, for example, includes anti-spoofing capabilities that essentially check for the "liveliness" of a given face. The algorithm can easily flag the flat, two-dimensional nature of a face mask, printed photo, or image on a mobile phone and issue a "spoof" alarm. Increased speed of entry Incorporating facial recognition into existing access control systems is straightforward and cost-effective Incorporating facial recognition into existing access control systems is straightforward and cost-effective. Systems can operate with off-the-shelf security cameras and computers. Users can also leverage existing infrastructure to maintain building aesthetics. A face recognition system can complete the process of detection and recognition in an instant, opening a door or turnstile in less than 500ms. Such efficiency can eliminate hours associated with security personnel checking and managing credentials manually. A vital tool Modern face recognition solutions are infinitely scalable to accommodate global enterprises. As a result, face recognition as a credential is increasingly being implemented for a wide range of applications that transcend traditional access control and physical security to include health safety and workforce management. All these capabilities make face recognition a natural, frictionless solution for managing access control, both in terms of performance and cost.

Everbridge Control Center Deployed By G4S To Accelerate Abu Dhabi Global Market Square’s Physical Security Digital Transformation
Everbridge Control Center Deployed By G4S To Accelerate Abu Dhabi Global Market Square’s Physical Security Digital Transformation

The Abu Dhabi Global Market Square (ADGMS), located on Al Maryah Island, in the United Arab Emirates capital, Abu Dhabi, is a high-profile, architecturally compelling business and hospitality hub. Many of the most globally prestigious companies inhabit the buildings, in the award-winning financial center. Abu Dhabi Global Market Square ADGMS also hosts frequent international dignitaries and large-scale public events, including the Abu Dhabi national New Year’s fireworks display. Abu Dhabi Global Market Square was the first project in the UAE, to achieve LEED Core and Shell (LEED-CS) Gold pre-certification, by the US Green Building Council (USGBC). The Abu Dhabi Global Market Square (ADGMS) consists of: 450,000 sq. m of office space, a lavish retail section and luxury business hotel offerings, 4 Grade-A commercial office towers with 30 floors each, 4 km waterfront promenade, Over 2,000 cameras, and Over 1,000 doors. Unconnected security systems and situational awareness gaps Because of its iconic status, the Abu Dhabi Global Market Square faces many unique challenges to security, including: Political pressure - Because of ADGMS’s status and frequent high-profile international visitors, any disruption to operations - be it natural disaster, activism, terror or other critical events, could cause issues on a national scale. Protection for VIPs - Regular visits from prestigious VIPs, such as sheikhs, the royal family, and global business leaders, elevates security risks and the need for executive protection. Unobtrusive security - ADGMS is a public space with tenanted offices, meaning that security must be robust, but unobtrusive and follow all global data, and privacy regulations. Physical location - Being situated on an island is an extra security risk, complicating the ability to enter and exit the space, during planned and unplanned critical events or emergencies. Architecture - The buildings in ADGMS are mostly glass, with many levels, making it difficult to secure. Previously, a number of systems were deployed to help with security and life safety, such as CCTV, access control, fire detection, and building management. However, these were not connected and left gaps in situational awareness, which ADGMS found unacceptable. In light of the above challenges, ADGMS building managers felt it essential to harden security, across the market square, within these buildings and in connecting areas. Risk intelligence & integrated control of physical assets Martin Grigg, Principal Consultant and Project Lead for PTS Middle East was selected to design and oversee the project Abu Dhabi Global Market Square approached PTS Middle East (PTS Consulting Group Ltd.), a multi-national security and digital transformation consultancy, which carried out the threat, risk and vulnerability assessment, designed the mitigation measures, and provided oversight of the installation and commissioning of the entire system. They were also tasked with ensuring that the system met the operational requirements and was fit for purpose, and proportional to the risks, faced by ADGMS. Martin Grigg, Principal Consultant and Project Lead for PTS Middle East was selected to design and oversee the project, right from concept to completion. Everbridge Control Center deployed Following the assessment, G4S, a British multi-national risk consultancy company, headquartered in the United Kingdom, was selected to deliver the project, based on its experience in helping secure many of the region’s most prestigious locations. G4S is also a global partner with Everbridge, and together, they have secured people, assets and infrastructure for numerous organizations. G4S selected Everbridge Control Center to integrate and manage all the technology, which is coming into their Security Command Centre (SCC). Everbridge Risk Center was also deployed to provide real-time threat intelligence to ADGMS. Critical issues solved by Everbridge technology: Consolidation of four control rooms into one, reducing the office space needed for security - This premium space is now free and able to be re-purposed as rentable office space, Reduction of man guarding costs, as fewer resources are needed to secure the facility, Real-time situational awareness allows for reduced risk, accelerated response times and keeps stakeholders informed, Everbridge Control Center provides event driven, unified interface and automated SOP presentation, Everbridge technology provides flexibility to adapt, as requirements change, Reduction in time taken to identify a security incident and resolve it, Intelligence from the facial recognition systems is proactively used to welcome friends and identify known criminals, Risk intelligence to identify events, such as sandstorms, allows ADGMS to act faster, enabling them to reduce the risk to people and operations, and Automated reporting capabilities save huge amounts of time and resources - A report that took 20 minutes can now be automated in seconds.

How Are New Management Systems Innovating The Hospitality Industry?
How Are New Management Systems Innovating The Hospitality Industry?

Technology has certainly become an intrinsic part of our day-to-day lives, from the retail industry, to food and beverage outlets, and even within the health and fitness industry. It’s all around us, in varying formats, making processes more efficient. It has refined some of our older approaches, and in the hospitality industry, this is certainly true. Technological advances are leading the way forward for the future of hotels, and with the sector now free from COVID-19 restrictions, venues are looking for ways to improve the guest experience with technology. A staggering recent statistic has suggested that 75 percent of activities in hospitality could one day become automated — so where exactly are we heading on this journey into the future of hotels? Join Cairn Collection, owner of The Stirling Highland, and explore a whole host of innovations that are changing the face of hotel management systems. The 21st-century check-in desk The breadth of technology that is slowly becoming more widely available is transforming the hospitality industry The digital age is constantly finding new ways to innovate and prove its value and worth for modern consumers, and the breadth of technology that is slowly becoming more widely available is transforming the hospitality industry. In the past, connotations of a check-in desk were long queues and excessive pieces of paper — from room service menus to a mini-catalog of highlights of the local area. Technological innovations such as face recognition are one of the major ways that this process is changing. Using artificial intelligence A handful of hotels have already trialed or introduced artificial intelligence (AI) into their daily running, and it looks set to become far more mainstream by 2025. From paying the bill by using biometrics to allowing hotel managers to handle data more efficiently, AI looks set to be welcomed with the potential for it to reduce costs by 13 percent. The entire hotel check-in process could become automated, making one of the most established parts of the hotel experience redundant — but staff could be freed up to engage with customers, allowing them to get into their rooms quicker in the meantime. Many venues have even gone fully paperless when it comes to checking in, choosing instead to upload the process to cloud computing systems where information can be stored and viewed by connected devices. Convenience is the key More hotels operate their room unlocking facilities through mobile phone-connected technology, NFC After having checked in to a hotel, guests will want to explore the room that they’ve booked. Doing so has never been easier, and the classic magstripe locks which were once the most commonly used method of accessing hotel rooms are being progressively phased out. More and more hotels now operate their room unlocking facilities through mobile phone-connected technology, near-field communication (NFC).  This technology allows for data transfer at up to 424 kb per second, and it is enabled when connected devices come into contact with each other. Mobile key systems Most mobile key systems require guests to download and activate a key through the hotel’s digital app, and upon arrival, they can use the activated key to unlock the door to their hotel room. Combined with online/digital check-in services, guests can use the e-key to check in early or at a time that suits them best, knowing that they don’t have to wait around to pick up a physical key. Small touches like this build a sense of brand familiarity for customers, as well as streamline their hotel experience, and this distinguishes them from competitors. Hotel management systems Hotel management systems need to account for the experience that guests have while staying at the venue Of course, hotel management systems also need to account for the experience that guests have while staying at the venue and technology can do a lot to enhance this. Hotels have to innovate the spaces that they are presenting to their customers and technology has become a valuable asset to help enhance customer satisfaction, as the hotel room is certainly not simply a place for rest anymore. Voice-enabled devices Voice-enabled devices are becoming common features in rooms, with popular models such as Google Assistant, Apple’s Siri, and Amazon Echo providing guests with information on the local area — if you’re looking for the perfect backdrop to the business dinner you’re attending, just ask Alexa! Hotels could even record and distribute their personalized voice messaging to help reinforce the brand presence into the technology. Technology can help you attract and retain customers by offering services above and beyond what they’d usually receive A room and then some As the generational switch to millennials and Gen Z continues, the need for an experience has grown and, through a mixture of technology, hotels can cater to these revised consumer needs. From setting up messaging platforms to providing a remote control that monitors absolutely everything in the room — from atmospheric mood lighting to music streaming services and more, a hotel room can be whatever the user wants, and the experience is therefore generated by the customer. Technology doesn’t stop advancing, and there are constantly new, refined approaches to hotel management systems that have marked a stark departure from ways of the past. With guests returning after over a year of COVID-19 restrictions, competition for their business is even tougher. Technology can help you attract and retain customers by offering services above and beyond what they’d usually receive.