Protecting physical assets

Cyber security may be high on the agendas of energy network companies. But they also need to remember that physical risks to their infrastructure are also a very real threat. What can they do to prevent uncontrolled access, and protect their physical assets? Risk professionals from network companies met at a roundtable event hosted by Network, in association with Abloy, to find out. Lois Vallely reports. 

Protecting physical assets

Cyber security is rife in the news and it is, therefore, tempting for company boards to place their focus on this issue. However, that would be a mistake. Making sure physical infrastructure is protected is just as important.

Networks should not use a “broad brush” approach to defending their infrastructure. One attendee argued that sites are bespoke and should be treated as such. “Critical sites are different. It’s stipulated by government as to what would deem something to be a category five site, a category four site, or a category three site. When you come out of those categories – then it’s down to a business decision. When you get to that level, everything is idiosyncratic,” claimed one participant. Trying to standardise any sort of approach to protection is problematic.

Often a threat to a company’s assets comes from someone who has a key to the site when they shouldn’t. This “insider threat” is common for networks, many of whom do not have any way of tracking who still might have a key. This means an unknown number of people who shouldn’t have access to the site any longer still do. One participant even admitted that they know former employees – retired or moved on – who still have access to several sites and use them for parking.

Equally, contractors may have access to sites, so it is important for networks to partner with companies they trust and must thoroughly vet any company they do hire. They should also ensure they keep a log of how many keys are given out to third parties. Even then, the risk that keys could be copied and kept is ever-present.

One way of tackling this issue could be to have an automatic key card or an intelligent key system, one attendee suggested. This could be reprogrammed each time someone left. But getting buy-in from the rest of the organisation for such a system is often a challenge. A handful of long-standing employees, for example, may not like the feeling that they are being “monitored” by intelligent keys which can be tracked. One attendee pointed out, however, that the majority of employees are accepting of such changes.

There is also the ever-existing possibility that an electronic key system might not work. However, one attendee argued that the technology does exist. “If a key isn’t working, the employee would be able to go into an app and reset it,” they said. “The technology is there, we’re just not making full use of it.”

A question was posed about whether there should be a regular audit of energy networks’ critical infrastructure, for example by the Department for Business, Energy and Industrial Strategy (BEIS). Comparisons were drawn to the water sector, whose critical sites are externally audited regularly. Currently, energy sites are audited as soon as they have been built, but there aren’t additional audits following this.

The consensus was that such regular audits shouldn’t happen in the energy sector. “BEIS is there to ensure that policy and compliance is in place. I don’t think they need to get involved with the nitty gritty, and I don’t think they’ve got the resources to do that anyway,” said one attendee. Networks do, however, need to have a standard and a level of response to be able to protect their sites.

The roundtable discussion turned to how network companies should deal with the threat of accidents involving people on critical sites who shouldn’t be there. Sometimes a person – for example a teenager showing off – may enter a site without authorisation. In this instance, it is still the responsibility of the owner of the site to ensure they are safe. But how? One way is to make sure any hazards are signposted clearly.

As times change and technology moves on, what used to be considered the best way to protect assets is not always the best way anymore. Roundtable attendees decided changing the way critical assets are run and infrastructure protected will take a culture change within the organisation. The onus is on those responsible for the safety of these assets to prove to the rest of the business that changes need to be made. If they are successful in doing so, the threat to such infrastructure can be reduced. Network utilities need to be preventative rather than detective, automatic rather than manual, in order to save on costs.

For further information about Abloy click here.  

 

Views from the speakers:

 
 

“I want our organisation to have the foresight to assess what the risks are in the future, the insight to understand who we are as a business and what our risks are, and the hindsight to learn from the past.”

David Mounfield, senior resilience & security advisor, Cadent Gas

 

“One of the issues we face is culture and understanding of what we are trying to achieve. It could be perceived that some think security is nothing until they want it to be everything.”

Greg Forde, security manager South East & London, SGN

 

“We need to get the whole organisation involved, including shared services. You could have that smart key as part of a starters, leavers, movers process – how far can it be integrated into HR processes?”

Ben Bond, controls and compliance manager, National Grid

 

“A good security culture is essential within the company requiring support at senior level to ensure it is given a high profile and the necessary resources.”

Paul Rackley, E&I asset manager, Wales & West Utilities

 

“Physical security of assets is vital for utility companies, to prevent unauthorised access and provide long-term controlled access to those with authorised site access to complete daily tasks.”

Rob Bennett, senior market development manager, Abloy

 

Comments

Login on register to comment

Login Register


    Related content


    Related supplier content