Tony Babicz, Director of Sales – The Americas at Commend, discusses the landscape of security at utilities sites and why audio is the way forward.

Utilities security

Babicz began by outlining the current landscape of security for utilities sites – emphasizing that for these challenging yet vital environments, it’s highly important to ensure that both physical and cybersecurity ecosystems are sufficient.

Due to their critical nature, utilities sites need to be protected, however, he noted that this is becoming increasingly difficult as the threat landscape evolves.

“Many utilities companies are actively seeking strategic relationships with integrators and manufacturers who understand the NERC critical infrastructure protection (NERC-CIP) landscape,” Babicz said.

“They are focused on advancing their cybersecurity posture and doing their best to enhance their physical security system to deal with the ever-increasing threats put on utilities infrastructure.”

He said that the reality is that while many utilities sites have security measures in place, many of these are reactive measures; few are preventative.

Therefore, if a threat such as an active shooter is present, these systems will only alert security teams and personnel following the initiation of an incident.

“Most can detect a shot, but they really need to prevent that from happening in the first place,” he said.

“And preventative measures are, I think, the biggest piece of the puzzle.

“Once somebody is shooting, it might be already too late if they hit a piece of equipment or even injure someone.

“They’ve already done the damage.”

Babicz therefore explained that this is why it’s important to detect a potential damaging event before it happens.

Using tools such as analytics with video or analytics with audio enables security personnel to work proactively.

For example, video analytics can be used to view hundreds or thousands of different camera angles that a human could not possibly monitor all at once.

If a person is detected where they shouldn’t be, then the system allows them to alert colleagues and effectively manage the situation.

Particularly at utilities sites – which typically take up large areas – this enables teams to act swiftly and prevent any issues occurring as a result of a bad actor.

Babicz also explained that cybersecurity remains a key focus for utilities sites, with standards around industrial controls playing a vital role in protecting critical infrastructure from attack.

“At Commend, we ensure that as a manufacturer, everything we produce is built with privacy and security by design and secure by default,” Babicz said.

“Certifications like IEC 62443 and ISO27001 are critical components in the cyber framework.

“IEC 62443 focuses on cybersecurity of the entire lifecycle of a product.

“This means there are specific sections in the framework for the manufacturer, the systems integrator and the asset owner (end user).

“It’s truly a joint responsibility across the ecosystem where trust between parties in paramount.”

Further considerations

One of the main considerations that utilities sites need to take into account regarding security is the advance of the industrialized internet of things (IIoT), Babicz claimed.

He explained that this is when operational technologies (OT) and the IoT come together, to create more efficiencies.

With many pieces of IoT equipment, lots of data is produced by these systems.

When all this data comes together, it enables the automation of entire ecosystems and therefore improved operations.

“That’s a huge challenge and the industry is just starting to solve it now,” said Babicz.

“The more you can remove the human side of the decision-making process and have those frameworks there, the less likely it is that there will be mistakes or intrusions into the network.”

Babicz also touched upon the idea of zero trust. A zero trust philosophy means that access into any system is heavily restricted.

Only allowing access to individual devices and specific user rights for a given period of time helps to mitigate the risk of an internal threat.

Access and identity are closely monitored to ensure that if there is a bad actor in the system, the damage they can inflict is minimized.

Lastly, Babicz discussed manpower; he commented that this resource is generally stretched thinly, meaning that any way to automate or update processes automatically results in a better system overall.

“When you start looking at what it takes to actually implement and keep and maintain a system, it is a big task.

“So, our job as a manufacturer is to ensure that we are creating the tools that make it more efficient to keep infrastructure updated.”

He also mentioned that from a cybersecurity perspective, it’s important to consider what the password and password change policies are.

For example, finding a system that forces password changes on first login, requires a minimum password length of 12 characters and doesn’t allow for default usernames and passwords to be implemented.

Audio analytics

Babicz highlighted how important audio is to security – while video is a key feature, he explained that often, it’s possible to hear things before we see them.

Fire alarms, gunshots or any other noises that are out of the norm can be detected by audio analytics and set off an alert.

The next step is to then alert people on the ground, to create situational awareness of what’s happening.

For example, if a bad actor is trying to breach a certain perimeter, then the person in the control center knows right away.

They can then warn people in the building – by both broadcasting via audio systems but also changing signage so that reactionary measures can be taken to reduce the impact of the event.

If that person does happen to get on site, workers know to be vigilant and stay alert to an intruder. Whatever processes or procedures are in place can be initiated.

New developments

The next steps to advance security for utilities sites, according to Babicz, include creating multifunctional systems.

“Solutions need to do more than just view and surveil – with analytics we have that ability,” Babicz explained. “It’s the same thing with intercoms.”

He said that while video analytics provides the eyes on a situation, audio analytics is the ears – and the more senses there are, the better.

Babicz also said that the future lies in bringing even more senses into a situation, to effectively replace what a human might be able to detect.

Additionally, he remarked that there is a trend toward developing automation tools that aid in reducing nuisance alarms.

Babicz explained that Commend is focused on how to use conversational AI to provide a tool for workers at utilities sites, to reduce the burden on personnel.

This provides the ability for the conversational AI to answer certain questions and guide workers or contractors through a process normally handled by staff members in the security operations center (SOC).

Final thoughts

“We’re in a really interesting spot right now for utilities,” said Babicz.

“I do think that there are utility companies doing a really good job of securing these facilities, but the threats just continue to increase.”

Babicz concluded that the most important steps going forward will be for manufacturers of security solutions to deeply understand the critical infrastructure protection requirements and deliver solutions which aid in compliance.

This article was originally published in the April edition of Security Journal Americas. To read your FREE digital edition, click here.