Security for Critical Infrastructure: Focus Interview
For KRITIS "we recommend deploying a unified physical security platform"
In this series, GIT SECURITY EMEA asks three questions to four industry experts about the issue's special focus. This time we asked four experts for their views on security for critical infrastructure.
1. What approach and solutions do you recommend to secure critical infrastructure?
2. What are the biggest challenges in this field and how do you handle them?
3. Please describe a success case where you implemented your system to secure critical infrastructure?
Dennis Johe, Deputy Head of Business Development & Presales Management PEU at Assa Abloy Sicherheitstechnik GmbH:
- Holistic security concept: IT security and data protection are taken into account
- Certified information security management system
- E.ON SE relies on decentralized locking system for access control
1. Building and IT security are particularly important topics for operators of critical infrastructures (KRITIS). Both cyber and physical attacks are on the rise and the law requires those responsible to continuously increase the overall level of security in KRITIS facilities. Operators should therefore rely on a holistic security concept in their institutions that takes IT security and data protection into account, as well as physical security. Electronic locking systems offer a high degree of protection against tampering and intelligent attacks, for example. They combine the best of two worlds: mechanical locking system and digital access control.
2. The compulsory introduction of an attack detection system by May 2023 alone poses major challenges for many KRITIS operators. In 2021, Assa Abloy therefore introduced and certified the information security management system in accordance with DIN EN ISO 27001:2017 for the scope “Development and sales as well as operation and maintenance of products and services for mechanical and electromechanical locking systems”. This is a win-win situation for us and our customers because the certification makes it clear immediately that information security is already taken into account during the development of our products and that production takes place according to the latest international security standards.
3. The energy group E.ON SE relies on our high-quality and decentralised eCliq locking system. Thanks to its flexible structure, digital programming and management, eCliq effortlessly adapts to the constant changes caused by digitalisation and the energy revolution. At the same time, the system meets the high security requirements of the group both mechanically and electronically. These include, for example, the blocking of keys, logging of locking events or time and location-based access restrictions depending on the user’s role and profile. Another important aspect for E.ON was the large variety of cylinder types, which not only integrate doors, but also lockers or switchable locks in machines and vehicles into the system.
Neil Foster, Project Development Manager at Optex Europe:
- Multi-layered approach: considering perimeter, access points, assets
- Remote areas: require sensing technologies, like fibre optic sensors and LiDAR technology, that won’t be affected by other equipment
- Nuclear power plants: combination of technologies for high winds and fog created by the sea mist
1. Protecting critical infrastructure is a significant challenge, not least because of the potentially devastating impact a breach or intrusion could have on wider society. Due to the large and complex nature of these sites, combining technologies and systems to create a multi-layered approach to security, that considers the approach, perimeter, access points and assets, is needed to provide early and highly accurate detection. Understanding the operational requirements and environment of each individual site and knowing which areas need protecting the most (i.e. which are the most vulnerable and present the greatest risk) is crucial to determine the best solution for that site.
2. Critical infrastructure sites are usually large premises, often located in remote areas that are subjected to harsh and sometimes hazardous conditions. Effective perimeter protection requires sensing technologies that won’t be affected by other equipment onsite or by the natural elements such as wind, rain, vegetation or wildlife. The choice of technologies will also be determined by the scale of the site. Fibre optic sensors and LiDAR technology, for example, can be used to create multiple detection zones within a perimeter and adjust the sensitivity within each zone. Point detection, too, is one of the latest sensing technology advances, enabling the exact location of an intrusion to be pinpointed, which enables a faster response and verification process.
3. Optex has a proven track record when it comes to protecting critical infrastructure. For example, for nuclear power plants their environment presents a challenge due to high winds and fog created by the sea mist, so we combine different technologies – including Rewall long-range PIRs to protect between the inner and outer fence, fibre optic sensors to detect anyone attempting to go over, under or cut through the fence and Redscan LiDAR sensors to create an additional layer of perimeter protection with virtual walls – delivering highly reliable detection across the entire site. A similar multi-layered approach has been deployed to protect data centres and prevent any potential weak point in any single technology being exploited, which is one of the key benefits of working with Optex as we can provide multiple sensing technologies.
David Lenot, Critical Infrastructure practice lead at Genetec:
- Layered perimeter security: Delay, deter and detect intrusion
- Rise of drones: Deploying drone detection can create complexity for the security system
- False alarms caused by animals stepping over the fence line: a US electricity distribution company was able to solve the problem
1. With growing perimeter security threats, the need for multi-layered perimeter protection has increased. A combination of different sensors and technologies should be relied upon to protect the boundary, which should comprise the holistic site and property perimeter, the building facade perimeter, and the internal perimeter. This forms a layered approach that helps delay, deter, and detect intrusion.
In isolation, any one sensor will have its limitations. But by combining them it is possible to build a resilient system that is difficult to defeat. That’s why we recommend deploying a unified physical security platform. A unified system is specifically designed to manage multiple security devices in one platform, thereby providing both a unified interface and back-end server infrastructure that offers fluid version upgrades. Unification also allows security personnel to streamline workflows within a single platform that syncs all security system management capabilities, such as monitoring, reporting, alarm management, authentication, permissions and more.
2. Cybersecurity – Geopolitical tensions are high and cyber-attacks are increasing in frequency and severity. By the end of this year, the expected cost of cybercrime globally is 6 trillion dollars, and this figure is expected to go as high as 10.5 trillion dollars in 2025.
IoT devices such as IP surveillance cameras have become a top target for cybercriminals because of their high computing power and good internet traffic throughput. It is therefore essential organisations select vendors they can trust and whose solutions are designed from the ground up with cybersecurity and privacy in mind.
Rise of drones – Risks to critical infrastructure are growing as criminals increasingly adopt drones as an attack vehicle. Many organisations are deploying detection and countermeasure technologies to combat the threat, but this can create added complexity, if they fail to communicate with the rest of their security structure. The real value of unified systems is that they do all the heavy lifting and steer the operator through every step until an incident is resolved.
3. Faced with increasing security concerns, a leading US electricity distribution company knew that it needed an integrated security solution to increase perimeter security and boost operational efficiency. A specific issue with its existing solution was false alarms caused by animals stepping over the fence line. Security personnel had to manually verify each of these incidents, leading to frustration and lost time.
Genetec solutions were deployed to unify its many different security systems within a single platform. The process of unification dramatically changed how its operators understood their landscape. With a unified system like Security Center in place, operators are able to cross-qualify intrusion alerts by quickly pinpointing cameras nearby in the mapping module to get a broader view of the situation and confirmed location. This allows them to efficiently verify whether or not they are dealing with a false alarm.
Larry Bowe, Jr., President and CEO, PureTech Systems:
- First step: threat and vulnerability (i.e. risk) assessment - no single solution
- Intrusion deterrence and detection in real-time situational awareness
- Diverse application scenarios: from access scenarios to long-range detection
1. The initial step in securing any critical infrastructure starts with a threat and vulnerability (i.e. risk) assessment. The objective is to identify potential vulnerabilities, assess the magnitude of negative consequences that could result should the threat be realized, and recommend ways to reduce or mitigate the vulnerability. Of course, there are both physical and cyber risks that need to be assessed and mitigated. When designing systems to secure the physical perimeter around critical infrastructure, one must assess the means of access control, ingress/egress procedures, physical barriers, and electronic intrusion detection systems. The optimal (efficient and effective) solutions can come about as a result of this assessment process. No single solution fits every scenario.
2. Our approach focuses on providing intrusion deterrence and detection around any critical infrastructure and real-time situational awareness to aid security personnel in their response. When it comes to physical intrusion detection, the first challenge is to ensure the proper system design that provides needed detection coverage and adequate response time. Proper detection sensors (e.g. thermal cameras, radar, lidar, and/or fiber optic cable) are selected and can be combined as needed to provide the necessary probability of detection. Another challenge is to ensure the technology selected generates minimal nuisance alarms while maintaining a very high probability of detection. If the system is overwhelmed with nuisance alarms, security personnel end up simply ignoring the system. And should a real alarm occur, it will either be ignored or buried in nuisance alarms and missed. Providing automated detection and autonomous response is critical so security personnel are not required to watch the monitoring system 24/7. Rather, the systems can alert them when something of concern occurs and even take automated actions such as invoking deterrence or locking down a facility. This means the systems must have a near-zero nuisance alarm rate. PureTech’s Deep Learning technology “Auto-Verifies” the initial detections from any intrusion sensor and classifies them as either real or nuisance events giving security personnel high confidence that any alarm is likely from a real intrusion. We like to say our software removes the hay (nuisance alarms) so that only the needle (real alarm) remains.
3. In our 17-year history, PureTech has numerous success cases where our geospatial Deep Learning boosted video analytics and Common Operating Picture User Interface have been used to secure small and large perimeters. We have a very diverse set of capabilities and installations for both ground and airborne intrusions. Our use cases range from detecting access control violations, such as tailgating through gates or turnstiles, to providing a full layered solution with triple redundant detection for the most critical of facilities. In other scenarios, our systems enable very long-range detection out 5 or more miles and situational awareness through our C4ISR user interface for border protection.