Hitachi Energy
Physical Security
Planning and implementing physical security is the responsibility of the end customer. The following guidelines should be considered.
Obviously, any plant site has a defined boundary as well as entry points on roadways that are typically managed by fences, barriers and guardhouses. There are also areas inside the facility that require additional physical security due to the critical content contained within.
A key element in maintaining physical security is the identification of the Physical Security Perimeter(s) and the development of a defense strategy to protect the physical perimeter within which critical assets reside, together with all access points. Some control system assets may be classified as critical assets, such as controller cabinets, operator and engineering workstations, servers, network components, communication equipment and data highways. Security for critical assets can be provided with differing approaches such as:
Card key
A means of electronic access where the access rights of the card holder are pre-defined in a computer database. Access rights may differ from one perimeter to another.
Special locks
These may include locks with non-reproducible keys or magnetic locks that must be opened remotely.
Security officer personnel
Responsible for controlling physical access 24 hours a day. These personnel would reside on-site or at a central monitoring station.
Security enclosure
A cage/safe/cabinet system that controls physical access to the critical asset (for environments where the nearest six-wall perimeter cannot be secured).
Other authentication devices
Biometric, keypad, token, or other devices that are used to control access to a critical asset through personnel authentication.
As a minimum, Hitachi Energy suggests that all control cabinets and enclosures be secured with unique keys and that the keys are controlled by senior personnel. Protection may be afforded by the use of door switches that generate a security alarm.
In addition to defining critical assets and implementing a method of controlling access to said assets, a program that actually monitors and logs the physical access enhances physical security. If access is being controlled electronically by card keys, biometrics or keypads, the controlling system should be able to alert security services that unauthorized access is being attempted as well as log all activity. Other approaches may include CCTV, alarm contacts or manual log books on controlled access areas.
Organizations should realize that security is an ongoing process, not a one-time installation task. Therefore, documentation identifying the access control(s) implemented for all physical access points should be maintained. The documentation should also identify any request for access (its reasons and duration), authorization, and revocation process implemented for each access control system. Individuals assigned access to critical assets should receive training at regular intervals, and their access should be periodically reviewed to determine if continued access is necessary. Finally, a process for verification and testing of access controls, monitoring and alarms should be in place to ensure they are functioning properly.
Access control and monitoring
Monitor access to rooms.
Evaluate access logs to rooms with critical equipment regularly.
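The log evaluation recommended above, as an added example that is not Hitachi Energy code: it checks card-reader and door-switch events against a documented access-rights table and reports repeated denied attempts, grants that have no documented right, and door openings with no preceding card grant. The log format, card IDs, perimeter names, the 30-second window and the threshold of three denials are assumptions constructed for the illustration.

```python
from datetime import datetime, timedelta

# Constructed access-rights table: card holder -> perimeters they may enter.
ACCESS_RIGHTS = {
    "card-1001": {"control-room", "server-room"},
    "card-1002": {"control-room"},
}

# Constructed log, format: "timestamp perimeter source subject result".
SAMPLE_LOG = """\
2024-03-04T08:01:10 control-room reader card-1001 GRANTED
2024-03-04T08:01:14 control-room door-switch - OPENED
2024-03-04T09:15:02 server-room reader card-1002 DENIED
2024-03-04T09:15:09 server-room reader card-1002 DENIED
2024-03-04T09:15:20 server-room reader card-1002 DENIED
2024-03-04T13:40:00 server-room reader card-1002 GRANTED
2024-03-04T13:40:05 server-room door-switch - OPENED
2024-03-04T22:30:41 server-room door-switch - OPENED
"""

GRANT_WINDOW = timedelta(seconds=30)  # assumed: door must open within 30 s of a grant
DENIED_THRESHOLD = 3                  # assumed: report at 3 denials per card and perimeter

def evaluate(log_text, rights=ACCESS_RIGHTS):
    """Return a list of (timestamp, perimeter, finding) tuples."""
    findings, last_grant, denials = [], {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, perimeter, source, subject, result = line.split()
        ts = datetime.fromisoformat(ts_raw)
        if source == "reader" and result == "GRANTED":
            # The reader granted entry: cross-check against the documented rights.
            if perimeter not in rights.get(subject, set()):
                findings.append((ts_raw, perimeter, f"grant without documented right: {subject}"))
            last_grant[perimeter] = ts
        elif source == "reader" and result == "DENIED":
            count = denials[(subject, perimeter)] = denials.get((subject, perimeter), 0) + 1
            if count == DENIED_THRESHOLD:
                findings.append((ts_raw, perimeter, f"repeated denied attempts: {subject}"))
        elif source == "door-switch" and result == "OPENED":
            grant = last_grant.get(perimeter)
            if grant is None or ts - grant > GRANT_WINDOW:
                findings.append((ts_raw, perimeter, "door opened without card grant"))
    return findings

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_LOG):
        print(*finding)
```

The second finding shows why the log is compared with the access documentation and not only with the reader's own decisions: a right configured in the reader but missing from the documentation appears as a normal grant in the raw log.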
Site
Secure access to the site by a fence or a wall.
Visitors should only be granted access after identification by a security guard / reception at the border of the site.
Buildings
Restrict access to buildings to authorized personnel.
Visitors accessing the building must be under supervision of an authorized personnel member.
Rooms
Restrict access to rooms to authorized personnel.
Visitors accessing the room must be under supervision of an authorized personnel member.
Cabinets
Restrict access to cabinets to authorized personnel.
Locate cabinets in restricted rooms, equipped with locks with unique keys.
Visitors accessing the cabinet must be under supervision of an authorized personnel member.
Servers / Workstations
Place servers and workstations in a closed cabinet in a room with restricted access.
Allow access to USB-ports and DVD drives only through personally owned administrator accounts.
After using such devices, authorized administrators are responsible for setting them back to the disabled state.
Network equipment
Place all devices that have no keyboard or monitor of their own, e.g. a controller, in cabinets with unique keys, in restricted rooms.
Network cabling
LAN connections can be accomplished in several ways:
Copper (CAT5/5E/6/7),
Fiber Optic,
Wireless.
Copper can be easily tapped if it can be physically accessed.
Wireless is easy to pick up and there is basically no physical way to protect it unless it is used within an electromagnetically shielded room or building. It is therefore recommended not to use wireless in any location.
Fiber cables are more difficult to tap and cannot be picked up in the air.
LAN connections within a building
For LAN connections within a secure building both copper and fibers can be used.
LAN connections between buildings
Fibers should be used for LAN connections between buildings.
WAN connections between sites
Connections between sites using WAN cannot be physically protected and must therefore be protected by the use of encryption and/or an access filter, e.g. a firewall.