Critical Infrastructure Security: Never Optional

Dec. 3, 2020

Almost everywhere, the fabric of modern society rests on a set of technically dense systems commonly referred to as critical infrastructure. On the upside, this networked flow of water, goods, traffic, power, information, communications, fuel and finance delivers unprecedented benefits and a steady rise in quality of life.

At the same time, however, it presents vulnerabilities heretofore unimagined. The failure of a single substation can bring down the power grid of an entire region. A breach in a lone data center can cause monetary chaos a continent away. An erroneous maintenance procedure could put multiple aircraft in serious jeopardy.

Although technical flaws in such systems might be subtle and complex, they remain repairable through sound engineering practices. Unfortunately, human causes represent a different case. History has demonstrated repeatedly that crime, vandalism, terrorism and other socially aberrant behaviors are an enduring fact of life. And so it is that security measures have become a permanent fixture in critical infrastructure at nearly every scale, from global transport to local wastewater treatment.

A Multidimensional Challenge

In times past, security management largely concerned itself with the physical aspects of asset protection. Locks, doors, cabinets, gates and other such barriers formed the basic core. However, the complexity of modern organizations introduced a set of challenges centered on the administration of access control: Who can get to what and when, and under what circumstances? Often, a broad and dynamic mix of employees, subcontractors and other parties must be accounted for when adhering to established security policies.

As a result, the relationship between security assets and personnel becomes a challenging part of management. To be effective, the security system must provide adequate protection yet avoid compromising an organization’s efficiency and productivity. At the same time, the system must be implemented in the most cost-effective manner possible.

Consider the following truths:

  • Physical security must be reconciled with administrative security.

To this day, locking devices remain a mainstay of physical security. Often, they form the very foundation of an organization’s defenses against outside intrusion.

That said, they’re only as effective as the administrative systems that control their deployment and use. Frequently, businesses and facilities operate within a diverse level of users, each requiring their own level of access. For example, subcontractors might be cleared for maintenance areas but not laboratories, and so on. A running inventory might be required to track access devices and keep a traceable record mandated by regulatory bodies.

  • Remote sites pose unique vulnerabilities that require specialized solutions.

Physical proximity plays an important role in an organization’s security architecture. Central plants and administrative facilities provide ample opportunities for sophisticated systems that extend to electronic locks and video surveillance.

Remote sites, however, don’t. For the most part, these sites rely on conventional mechanical locks to secure critical access areas, such as cell towers, gates, well sites, server racks, traffic-control cabinets, repumping stations and chemical feed stations, just to name a few.

Mechanical locking systems present numerous administrative challenges. Conventional keys are untraceable and duplicated easily. Often, management can lose track of how many keys are in service and, perhaps more important, to whom they’re assigned. In many instances, keys even might remain in circulation even after their owners no longer have access privileges, opening the possibility of malicious behavior.

Consider the case of a subcontractor who is laid off but fails to turn in their key and can’t be contacted. Nothing short of replacing all the locks will remedy the situation fully — a painful but sometimes necessary solution.

Also, the locks themselves become a point of vulnerability, particularly at remote sites. The keyway leaves mechanical locks vulnerable to being picked. This might expose expensive or mission-critical equipment to theft or vandalism.

In short, conventional lock and key systems can fall far short of providing an adequate level of security in many critical-infrastructure industries.

One Possible Solution

CyberLock offers a method of implementing and maintaining an access control system, regardless of how or where the locks are dispersed. It centers on a combination of smart locks and keys, each electronically enabled and unique in its identity. All locks and keys are programmable and able to store critical information about their use and access privileges.

On the lock side, more than 420 different electronic cylinder types are fitted with circuitry that controls access. Retrofitting to a CyberLock system becomes a matter of replacing existing mechanical cylinders, rather than replacing the entire lock.

Each cylinder is energized upon contact with a battery-powered smart key, which eliminates the necessity for expensive rewiring. The cylinders’ design makes them resistant to temperature extremes and tampering. In addition, the sealed keyway prevents common lockpicking techniques.

On the key side, the smart keys include programmable functions and data storage. Each has a unique ID code, which makes it easily traceable. The key retains a list of the locks it’s authorized to open, stores access schedules unique to that particular key and identifies the assigned user.

Maximum Control, Minimum Effort

Ten different CyberLock smart-key designs provide management with the freedom to select the most efficient system configuration for their specific requirements. Wireless connected smart keys allow remote updating of targeted keys in the field, which can reduce administrative overhead substantially. Designated keyholders receive new access permissions without time-wasting return trips to the office. All the while, each key continuously transmits an audit trail to a central location, where it can be used to trigger any number of management functions.

For instance, if a subcontractor’s safety certification had expired, their key can be deactivated automatically until their certification is renewed and then reactivated wirelessly. If a key were reported stolen, it can be deactivated permanently, thus avoiding the costly replacement of numerous locks. Also, each key can be programmed to adhere to a specific schedule that defines authorized access times.

When it comes to security management, no two organizations have identical requirements. A state transportation department differs from a regional power utility and so on. Accordingly, CyberLock CyberAudit-Web software adapts to almost any organizational setting and integrates easily with other administrative software, such as Supervisory Control and Data Acquisition (SCADA) systems. It can be configured to meet any requirements posed by governmental compliance and accountability mandates.

For more information, go to www.cyberlock.com.

John Moa is director of sales at CyberLock.