Critical Infrastructure Protection Starts at the Top

Whether you represent an electric, water or natural gas utility, effective critical infrastructure protection begins with effective strategies that encompass the entire enterprise. Regulations that protect bulk power generation and transmission (such as the NERC standards) and customers who use credit cards for billing (such as PCI-DSS) do not cover other critical areas, such as protection of customer data, operational technologies across the distribution system, or potential threats on the customer side of the meter.

For water utilities, critical infrastructure protection is particularly challenging. While there are security guidelines such as AWWA’s G430, the majority of water utilities nationwide are woefully underfunded and unable to protect their infrastructure. With no enforceable standards, water utilities are hard-pressed to justify infrastructure security investments.

Gas distribution in the U.S. has even fewer restrictions and less oversight than the electric and water industries. There are no known critical infrastructure protection guidelines beyond limited guidance from TSA on pipeline security. While no recent incidents in the gas industry are known to have been caused by a security incident, a known vulnerability provides opportunities for security exploitation.

Understanding your organization’s risk levels, vulnerabilities and overall security capability is the necessary first step in developing organization-wide risk management strategies and policies in order to identify critical investment priorities. Organizational assessments provide utility leaders with information that informs investment decisions based on quantifiable risks and benefits – information that justifies necessary infrastructure security investments.

Physical Security Critical to Utility Cyber Security
Critical infrastructure protection for utilities differs from other industries because of the amount of technology and assets dispersed over wide geographic areas. Hardening these assets against man-made and natural threats is critical to mitigating utility cyber security threats. Some substations and significant distribution infrastructure could provide easy access to utility networks if not secured.

No company can match Black & Veatch’s experience and knowledge in the area of physical infrastructure security. Working with our clients, we have secured the most sensitive data and assets around the world, including nuclear power generating stations and retired nuclear weapons. We have also worked with clients to secure transmission lines, generation and back-up operation centers, security operation centers, distributed generation systems in foreign countries and energy supplies for U.S. Embassies. Only Black & Veatch can marry this technical expertise with comprehensive enterprise security strategies to maximize the benefit of your security budgets.

Comprehensive security plans can enable utilities to meet and maintain compliance with NERC standards or other applicable standards (e.g., NIST, AWWA and TSA standards) today, and to plan proactively for future standards and emerging threats. Black & Veatch is fully independent from security equipment manufacturers and software developers. Technology independence enables us to identify, plan, design and integrate the right solution for your unique requirements.