In 2022 utilities experienced more than 100 attacks against substations and other physical infrastructure. While the U.S. Department of Energy has dedicated $45 million to prevent cyberattacks on the grid, these recent incidents are at the forefront of public discussion on how utilities can better protect their physical infrastructure to reduce the risk of such attacks negatively impacting the electrical grid.
Barco specializes in advanced display and connectivity solutions for industries. Many electric utility transmission and distribution control rooms use Barco’s Control Room LED/LCD and Rear-Projection video wall products. With its extensive utility presence, Barco is familiar with the challenges utilities face in light of these attacks.
PSC recently spoke with Barco’s Lee Pagnan, National Sales Manager – Utilities, and Jonathan Wheeler, Sr. Sales Engineer, regarding utilities’ physical security concerns. This post is part 2 of a 2-part series covering their conversation. You can find part 1 here.
PSC: Regarding supply chain security, are your customers asking tough questions such as how you secure your devices and whether they comply with cybersecurity best practices?
Barco: Well, CIP-013, which deals with cyber security supply chain risk, has helped in bringing those important discussions to the forefront. We provide significant security documentation. Our customers are talking about how they’re going to apply CIP-013 to any purchase they make. All Barco products come through the proper supplier channels. We use third-party companies to audit, and ultimately comply with DHS mission critical product requirements. This eliminates the risk of getting put onto a blacklist, because not only do we supply the power company, but we also supply federal governments that have stricter policies depending on where we’re putting our product.
PSC: Is compliance self-attestation, or do you employ a third party to validate compliance–and is that third party mandated by any regulatory agency?
Barco: You can self-certify, but that’s basically meaningless. Cost-wise, when we’re competing against somebody who is doing all their manufacturing in someplace like China, CIP-013 has really helped weed out the manufacturer/suppliers that should not be in that space as it relates to TAA (Trade Agreement Act) compliances.
BARCO has an Architectural Security team in-house that advises on our products through development. Prior to the launch of a new product, we employ a third-party company to audit our systems for any physical or cyber security vulnerabilities. We incorporate any feedback they have into the final release of our products.
Once that is complete, BARCO will submit for an Advisory Ruling through the Department of Homeland Security. That documentation is then readily available to be shared, upon request, under NDA.
PSC: Are you seeing similar trends in Europe and elsewhere?
Barco: BARCO is a European company with business in over 90 countries worldwide. By 2026 we are going to be implementing the standards found in water utilities, pipelines, and gas.
Europe may seem a step behind the US, but Europe will be implementing standards, not just guidelines. This will really help clarify some of the gray areas we come across in the US. Another cool thing about this is that these standards will be adopted not just by public sector utilities, but also by large corporations across the EU.
PSC: What is the appropriate amount of monitoring?
Barco: The big risk is, how many simultaneous attacks can we get hit with before it becomes unsustainable to recover? What do we monitor and how far do we monitor? From the insurance company’s standpoint, if you pay upfront to mitigate a problem, the insurance company is going to want that.
PSC: Do you find that utilities will run camera feeds from their substations into the distribution and transmission control rooms or do they typically just run them into a separate physical security command control room?
Barco: This is definitely an evolving trend. Over the past five years, we have seen a significant increase of focus on physical security systems. Historically, this is a mixture of camera feeds from remote facilities such as a substation to perimeter surveillance and PSIM systems of their control center building. About 50% of our clients do bring this security content in to their System Operation Center. Where the evolution comes in is that we’re now seeing 25% of electric utilities stand up a dedicated security operation center, in some cases multiple mission critical spaces dedicated to physical and cyber security of their assets.
PSC: Regarding physical intrusion and physical intrusion monitoring, what are your thoughts regarding Best Practices? Do you have any feedback on what utilities typically spend on intrusion detection?
Barco: A malicious physical or cyber-attack on the electric grid can cost 10 times the cost of a monitoring system. As an active player in the security operations market for a long time, we have refined our best practices as technologies have changed. We have learned that the key to is getting all the various systems and data into a Common Operating Picture (COP) and to automate things as much as possible.
The importance of advanced security systems and automation is that the amount of data an operator can monitor efficiently is limited. Studies tell us that an operator can efficiently monitor 8-20 security cameras, although my personal belief is you can monitor up to 12 different camera feeds at any given time. Chances are though that most have got more than 12 cameras in place. Given this, automating system response when an intrusion is detected is very important.
PSC: When it comes to integrating monitoring cameras into a utility, do you have architectural best practices for that?
Barco: Yes, we prefer to use a computer located in the control room connected to the Video Management System (VMS) i.e., Genetec, Milestone, then connecting the HDMI or DisplayPort outputs of that VMS computer to an encoder for ingest into Barco video wall solutions. This architecture allows for separation between networks, while allowing for full control of the VMS system form a PC in the control center. While Barco can accept cameras into to our systems keeping networks isolated is an architecture that is standard practice in electric utility control rooms for NERC/CIP.
PSC: Physical intrusion monitoring can be integrated into a utility or outsourced to a third party. Which model are you seeing?
Barco: We see both and the model used really depends on if grid security falls under a corporate security team or if there is a dedicated security team. Generally, the larger IOU’s outsource security through SLA’s, but that is relatively uncommon on the cooperative or municipal level.