It was electricity, gas, oil and water back then. But when Congress passed and President George Bush signed the USA Patriot Act of 2001, those and a lot other sectors got bundled into critical infrastructures and suddenly inherited a more intense security profile.

The shared government-private sector goal: that any physical or virtual disruption of the operation of the critical infrastructures of the United States be rare, brief, geographically limited in impact, manageable, and minimally detrimental to the economy, human and government services, and national security of the

Vital Assignment Bridge

Bridges, critical infrastructures which carry vehicle and train traffic, need protecting from vandals and more dangerous individuals. Intrusion detection technology can help out, often without nuisance alarms. Photo courtesy Protech

United States.

No doubt, it’s a tough, ever-changing assignment. Made worst in recent years by the growing concern, and increasing evidence, of cyber attacks, according to Jon Oltsik, principal analyst at Enterprise Strategy Group (ESG). His research, based on a survey of 285 security professionals at 18 industries designated as critical infrastructure, found a vast majority have experienced a serious data breach. “We see an increasing volume of incidents, potentially more harmful. And the bad guys know what they are doing,” says Oltsik.

On the facility side, security executives at critical infrastructure enterprises ranging from Karl Perman at Exelon and Dan Buchanan at Marathon Oil to Bruce Trites at Southern California’s Otay Water District all are employing an intelligent mix of technologies and services that include intrusion detection, emergency notification, security video, electronic access control and identity management. They also consistently re-evaluate their tools to readjust to threats, government regulations and business needs.


Moving to an Integrated Approach

Still, according to Marquis Laude, head of Integrated Security Solutions, a vendor-independent integrator of high level security systems, there’s been an additional huge change in the critical infrastructure sector. “It’s the integrated approach,” he points out. Various security, computer and communications systems are coming together with “greater emphasis on a centralized command and control” and intuitive graphical user interfaces. “Management of these systems is crucial.”

In addition to the complexities of evolving security solutions, enterprise security executives and their system integrators must also contend with sometimes confusing and conflicting government, military and industry-specific rules, regulations and mandates. For example, Laude’s firm must stay on top of and be experienced with the Department of Defense, Department of the Army, U. S. Army Corps of Engineers, Bureau of Reclamation, Defense Logistics Agency, Department of Justice, Department of Interior, Bureau of Land Management, Federal Bureau of Investigation, U.S. Customs Immigration and Naturalization Service, U.S. Air Force and the Department of Homeland Security, to name just a few.

Analytics can play a role in protecting critical infrastructure, if applied correctly.

“At a lock and dam project,” observes Laude, “tow barges can get too close to the closing lock. One did and caused a lot of dollar harm. So we used video analytics to alert to a barge getting too close. We had to adjust the system a number of times to get the alarm just right, just the tip of the tow, before the system took action.”

 

Cameras as a Security Tool

Security video, of course, is a crucial tool in protecting critical infrastructures.   

Love Field Airport in Dallas was showcased last year to a delegation of international airport executives. Sponsored by the U.S. Trade and Development Agency and managed by the American Association of Airport Executives, the Dallas Love Field airport tour provided delegates with the opportunity to learn about successful airport modernization projects, including the development of advanced safety and security procedures and environmental standards as well as upgrades to airport ground services and maintenance practices.

Technology at Love Field, as at other airports, includes high-definition cameras as well as installation of encoders to leverage the airport’s existing analog cameras, complementing the megapixel HD cameras.

Up north, the Metropolitan Council in Minneapolis/St. Paul has a transit video solution from Verint Video Intelligence Solutions. The Metropolitan Council oversees transit operations in the Twin Cities’ seven-county metro area. “The solution will provide state-of-art surveillance capabilities to the region’s fleet,” says Arlene McCarthy for the Metropolitan Council. “Most importantly, the video security solution supports the Council’s commitment to providing best-in-class safety and service to our customers.”

Local, state and federal law enforcement and homeland security officials also see increased value in storage, retrieval and forensics use of security video. For instance, the Hillsborough County (Florida) Sheriff’s Office incorporates a Pivot3 video surveillance storage platform to consolidate servers and storage in a scale-out application.

“The Sheriff’s Office feels video surveillance is a powerful investigative tool as well as a visible deterrent,” says Craig McEntyre, manager, business support bureau, Hillsborough County Sheriff’s Office Information Services Division. The camera project, dubbed “Eye On Crime,” allows deputies to keep a focus on trouble spots, monitor streets for emergency situations and provide residents with an increased feeling of safety. SiteSecure, a systems integration firm based in Sanford, Fla., was tapped along with Avrio RMS, a surveillance integrator with municipal surveillance expertise, to develop a wireless surveillance system that funneled video data back to district headquarters without requiring expensive cabling.

When it comes to access controls, the federal government and military have made great advances with various common access card projects, especially personal identity verification or PIV cards. Security technology has responded.

For example, Codebench integrates its software with access control software of RS2 Technologies to offer a fully compliant FIPS-201 physical security access control solution.

PIV designs are examples of the convergence of threats and solutions for critical infrastructures based on physical and logical needs.

 

Cyber Threats Increase in Number, Danger

But it is logical to realize the growing need to protect critical infrastructure from cyber threats. There is a lot to do, however.

In the ESG report, Assessing Cyber Supply Chain Security Vulnerabilities within the U.S. Critical Infrastructure, startling results include:

  • Sixty-eight percent of the critical infrastructure organizations surveyed have experienced at least one security breach in the past 24 months, and 13 percent suffered more than three security breaches in the past 24 months.
  • Twenty percent of respondents working at critical infrastructure organizations rated the effectiveness of their organization’s security policies, procedures, and technology safeguards as either “fair” or “poor.”
  • Seventy-one percent of the critical infrastructure organizations surveyed believes that the security threat landscape will grow worse in the next 24-36 months – 26 percent believe it will be “much worse.”

“This report highlights that many critical infrastructure organizations can immediately benefit by adopting basic cyber security and supply chain security best practices,” says Oltsik. One important point to be considered by all security executives at critical infrastructure sites: Most of the organizations surveyed are not doing the appropriate level of security due diligence on the technology products they buy. Most critical infrastructure organizations are not auditing vendors’ security policies or checking into where the products they buy are designed or manufactured. This could lead to the deployment of insecure products on critical infrastructure networks or in their facilities.

 

Intrusion Detectors: An Old-Time Friend, Re-Energized

Before security video and card access controls, most critical infrastructure facilities depended on intrusion detection systems. Today, they still do, among the layers of technologies. But intrusion detection has evolved and improved.

Take solutions from Protech, for example, which provides high security indoor intrusion sensors for the military and government sectors, but a specialty is outdoor protection with its outdoor dual technology sensor. A “stereo Doppler” technology gives the sensors a low nuisance alarm rate, according to Larry Thomas of Protech/Protection Technologies. It’s a retrofit world. Dams, bridges, water and gas utilities, refineries. Such projects are different than correctional facilities, for example, which are built with security in mind. Many facilities are remotely located. And they are high risk from terror threats as well as vandalism and metal theft.

 

What is Critical Infrastructure? Most Everything, These Days

Critical infrastructure describes assets that are essential for the functioning of a society and its economy. Most commonly associated with the term are facilities for:

  • Electricity generation, transmission and distribution;
  • Gas production, transport and distribution;
  • Oil and oil products production, transport and distribution;
  • Telecommunication;
  • Dams, bridges, rivers;
  • Water supply (drinking water, waste water/sewage, stemming of surface water (e.g. dikes and sluices));
  • Agriculture, food production and distribution;
  • Heating (e.g. natural gas, fuel oil, district heating);
  • Public health (hospitals, ambulances);
  • Transportation systems (fuel supply, railway network, airports, harbors, inland
  • shipping);
  • Financial services (banking, clearing);
  • Public security services (police, military); and
  • The Internet.