How can you maintain security in emergencies?

 

Note from Tom: This is my second sponsored blog post on XTec, the leading supplier of PIV card-based identity management systems to federal government agencies. If you don’t know about PIV cards now, the concept is simple: Your employees have a single card for access both to computing systems and physical facilities. System passwords, perhaps the weakest link in any organization’s security, become a thing of the past.

You can learn more about the technology by reading the first post. This post discusses one way XTec can provide a unique security benefit to electric utilities. 

An important part of the electric utility experience in North America is mutual assistance: Utilities that are besieged by storms, floods, fires and other disasters are aided by other utilities that aren’t experiencing the same difficulties. The biggest component of this assistance is personnel who help with restoring lines, substations and other facilities that have been impacted by the disaster.

However, no utility wants to allow strangers to access its facilities without first verifying where they came from. This usually isn’t very easy: Given the urgency of putting these people to work right away, often the only option is to scrutinize the ID card from the utility that employs the person, then hope it isn’t just an elaborate forgery.

There’s another problem with accepting guest workers: Often many, if not all, of the NERC CIP requirements for verification of personnel with access to BES Cyber Systems need to be set aside during the emergency. After all, nobody has time to do a seven-year background check on a worker from a neighboring utility who is needed immediately to replace relays in a flooded substation.

Of course, during the emergency your utility will usually declare CIP Exceptional Circumstances (CEC) to be in effect. However, CEC doesn’t simply erase your obligation to verify that the people who showed up claiming to be employees of a neighboring utility were actually who they said they were; it simply postpones it. Wouldn’t it be great if you could positively authenticate guest workers in the same way you can authenticate your own employees? You can!

XTec has years of experience helping authenticate guest workers in an emergency. XTec has worked with the Federal Emergency Management Agency (FEMA) when they have had to set up field offices to handle disasters like Superstorm Sandy, in which they typically need to authenticate hundreds or even thousands of workers. 

If your organization has deployed XTec, you have access to tools that allow you to rapidly enroll and authenticate both your own employees and those that come to assist you from other utilities in the field – in four ways.

First, XTec can set up mobile enrollment and authentication facilities and staff them as needed. Someone from a different utility (or a contractor employee) just needs to bring two forms of government identification. Once the guest worker has been enrolled, they can be authenticated via a mobile card reader and get to work immediately. Of course, your own employees will only need to be authenticated, since they will already be enrolled.

Second, XTec’s cards are based on the PIV standard used by the federal government. PIV cards are based on open standards and are interoperable across organizations. If any guest workers come from an organization that already uses PIV or CAC cards for authentication (whether or not they’re XTec’s cards), you can import those users into AuthentX, XTec’s Identity Management System. When you have done that, you will be able to authenticate those “foreign” cards and automatically enroll the guest workers in AuthentX. With the access controls in AuthentX, you can then give them authorization to areas and networks you deem necessary, such as substations or warehouses. Finally, you can authenticate the guest workers, so they can get to work.

Third, before leaving for the site, your employees can install a “derived credential” on their smart phone. This can be used in place of their PIV card to download protected documents, access applications and enter permitted facilities with mobile devices.

Finally, once the emergency is over and your utility has declared an end to the CIP Exceptional Circumstances, you will have documentation of exactly who had access to which facility at what time. Even more importantly, you will be able to confirm with the utilities who provided workers that they followed best practices when they onboarded the employees who came to help your utility. This includes conducting the Personnel Risk Assessment required by CIP-004-6 R3, if applicable. You will be able to provide this as evidence to the auditors that you didn’t take any unnecessary risks in admitting workers to your facilities, even during the emergency.

P.S. XTec can save your NERC CIP compliance team huge amounts of time and effort in documenting compliance with at least 36 NERC CIP requirement parts applicable to high, medium and low impact BES Cyber Systems. This includes all requirements having to do with passwords, since XTec can eliminate the need for system passwords in your environment. See the white paper “How XTec can help you comply with NERC CIP requirements”, available at http://www.xtec.com/solutions/critical-infrastructure.html. 

To learn more about how XTec can help secure your organization, email Steve Lindsay at slindsay@xtec.com. Steve and Danny Vital of XTec are presenting a webinar through Distributech to introduce XTec to the electric power industry this Friday, Dec. 18; you can sign up here.