Combining Cyber and Physical Security
As industrial networking evolves, the concepts of physical and cyber security strategies are on converging paths. IP technology offers many benefits for network flexibility, so the two approaches can grow hand-in-hand. Moreover, bandwidth in Ethernet-based protocols is rapidly increasing, enabling fiber-optic and copper media to transmit more data.
As industrial networking evolves, the concepts of physical and cyber security strategies are on converging paths. IP technology offers many benefits for network flexibility, so the two approaches can grow hand-in-hand. Moreover, bandwidth in Ethernet-based protocols is rapidly increasing, enabling fiber-optic and copper media to transmit more data. The ability to push more data through the pipeline has supported the evolution of IP-based access monitoring and security products such as video cameras, including P-T-Z (pan, tilt, zoom) models, plus readers that scan fingerprints, ID cards, and even irises.
Although there is a cost involved with installing both physical and cyber security features, it is generally well worth the effort. As new functions and features are added, dependable industrial network operation is not just nice-to-have, but a must. The more critical the industrial facility and the more important the role of the network, the more security is needed. Industrial security applications run the gamut from guarding outdoor parking lots and storage areas to monitoring remote facilities such as pipelines, wells, mines, power utility substations and pumping stations. In this article, we will look at physical security strategies of two very different operations, considering the interrelated structure of physical and cyber security.
Physical and cyber security functions operate hand-in-hand using the same communication infrastructure.
IP-based utility substation security
The Holyoke Gas & Electric Department, Holyoke, MA, recently implemented a number of IP-based security solutions at its generating stations and substations. (See graphic.) Combining fire, security, and access control into a standardized IP-system allowed HG&E to increase security and simplify management by bringing the control in-house. The system manages physical access to the sites with electronic keys, allowing the department to make basic security changes and garner real-time information from the sensors without having to send personnel to remote sites. Today, access logs, intrusion detection, and fire alarms all report back to a central control station via IP.
HG&E used the same fiber cabling infrastructure for the physical security systems as it already uses for other IP-based network functions. However, secure VLANs (virtual local area networks) keep physical security network traffic separate from data, voice and PLC operations traffic. Because the fiber cabling was already in place, costs for additional networking infrastructure and for adding the physical security components were minimal. HG&E finds that physical security and cyber security go hand-in-hand because securing the network over which the physical security data is sent is an important part of the overall system.
IP-based sports park security
The City of Temecula, CA, installed IP-based security as a part of its P.H. Birdsall Sports Park, which opened fall, 2006. (See graphic.) Designed and installed by IPIntegration, Santa Ana, CA, the security system’s primary goal is to protect the park’s $4 million synthetic-turf fields. However, the 10 high-resolution cameras are a vital trouble detection tool and act as a deterrent to other crime in the park.
As with many IP installations, security shares the same cable infrastructure as other data applications. The cameras stream information via the Internet to viewers who want to watch that day’s sports action or find the best place to park for an event. The cameras are deployed in a manner that provides remote visual access to most of the 44-acre facility. Because the system was installed while the park was under construction, IP wiring was laid in the same trenches that supported light pole installations, buildings, and other structures in the park, saving a considerable amount of money.
As the users in these situations discovered, adding physical security is an easy extension to IP-cabling put in place for other purposes or in a new installation. Unlike traditional analog security devices, IP-based devices allow many more options for users to route and manipulate data, greatly increasing the speed and accuracy when detecting security breaches.
By far the most popular IP-based security device is the video camera. Using IP-based video greatly reduces the cost of a video security system, while simplifying deployment and monitoring of video cameras. The average data rate for a video surveillance camera is between 2 and 4 Mb per second, so a 100 Mb network switch running over fiber can handle up to 25 cameras. The same fiber cabling can support 1 Gb switches, which makes it possible to support many more cameras on a single cable.
Tough by design
Using IP based video allowed for more complete video monitoring of the facility at lower cost than with analog wiring.
Hardened Ethernet switches and the availability of PoE (power over Ethernet) make a big difference when deploying IP-based security devices in an industrial setting. Some industrial facilities operate at reasonably stable and comfortable temperature ranges where office-grade products may occasionally be used successfully. However, the potential for particulate contamination, as well as exposure to corrosive elements, vibration, and electro-magnetic interference (EMI) demands hardened switches in most applications. Hardened switches offer better MTBF (mean time between failures) and thus considerably lower costs of ownership. As video surveillance extends to the outer reaches of a facility—at gates and on perimeter fences, for example—there are no communications rooms within the BICSI-specified 100 meters distance from the cameras. To compensate, hardened switches that can withstand the elements can be located on metal light poles and other convenient locations, where they can be linked with the required cameras and access control devices.
Simply having the cameras in place is not enough. The hardware must be combined with appropriate software for monitoring, controlling and logging physical and cyber access to sensitive areas. The special circumstances of industrial environments may preclude simply dropping IT-based security solutions into the mix. It is important to look for software that takes severe plant requirements for access and simplicity into account.
Industrially-hardened PoE devices are particularly important when equipment is remote or exposed. PoE supports deploying security devices in places where it would be inconvenient, too expensive, or impossible to provide a separate power source.
Analysis, storage, and IGMP
While video surveillance for access control receives most of the attention in terms of plant security these days, there are more types of devices available now than ever before and they can compile massive amounts of data. Data by itself it useless unless it can be stored in a way that permits identification and extraction of key material, along with distribution to the right people for analysis.
With access control technologies, it is necessary to develop secure databases containing specific information:
Who is allowed access to a given area;
Passwords and update protocols;
Histories of attempted breaches;
Alarm/notification trees; and,
Lockout procedures (e.g., IP-based door controllers that secure doors or respond to different access rules once an alarm has been sounded).
Bandwidth savers such as the Internet Group Management Protocol (IGMP) optimize critical data throughput capacity by allowing the network to deliver streaming video data only to specific monitoring sites or storage locations. Typically, Ethernet switches only support “unicast” packets, which require the source to send multiple identical packets, one to each potential destination, consuming (and wasting) massive amounts of bandwidth. IGMP requires ISO Layer 3 central-office routers to implement “multicasting” where packets of information, such as streaming video, move to selected destinations using a single virtual network connection. A recent development, the IGMP-L2 software feature, provides the same capabilities, under certain conditions, using ISO L2 Ethernet switches without the added cost and processing time required to route through an L3 router upstream.
IGMP utilities save bandwidth by optimizing signal distribution.
The same characteristics of IP-based communications that make it simple and flexible also make it a target. If authorized people have access to the data, there is the potential for unauthorized persons to attempt to break into the data transmission. This is true not only for sensitive plant control and monitoring data, but also for the data coming from physical security systems.
Cyber security failures can stem from hackers and intruders, but also from careless employees through negligence. It is important to recognize that casual and sloppy security practices that seemed tolerable a few years ago, don’t work any more. These include such things as less-than-vigilant password protection, insufficient reference checking, and unprotected open terminals. It is not safe to assume that if someone is inside a secure building, he or she can be trusted with free access to everything inside the facility.
SNMP-V3 (simple network management protocol) provides the most basic network security features including password protection, but sophisticated cyber security deployments require more advanced capabilities. These include firewall management, access authorizations, authentication of users and devices, data logging, and end-to-end control. In the power utility industry, North American Electric Reliability Corporation (NERC) offers a mandatory set of Critical Infrastructure Protection guidelines for power utilities in North America that provides stringent guidelines for protection of critical cyber assets and other things. The Crossbow Secure Asset Manager is an example of an integrated data management software and networking system that supports rigorous cyber security implementations. It includes integrated electronic perimeter security tools including IP firewall, access control, event logging, IPsec VPNs (virtual private networks), and SSL/SSH encryption. While devised exclusively for the power utility industry and the IEDs deployed there, its capabilities can be transferred to other industrial implementations.
An article such as this can only scratch the surface of the many issues involved. Physical and cyber surveillance technologies that were state-of-the-art only a few years ago are being rapidly enhanced, extended, or in the case of analog surveillance devices, simply replaced. It is incumbent upon all of us in the industry to devise efficient ways to share knowledge and skills with the objective of providing seamless security systems that stay one step ahead of the bad guys.
Frank Madren is president of GarrettCom. Reach him at firstname.lastname@example.org .