Current methods for controlling physical access to cyber systems in wind, solar, and energy storage facilities often rely on padlocks and combination locks installed on vehicle access gates. In theory, when keys are lost, locks are re-keyed or replaced and lock combinations are frequently changed. In practice, frequent personnel change heightens pressure to keep operating costs low whereby remote locations are vulnerable. Many of these facilities are located in isolated areas and do not have sophisticated HID badge access systems, intrusion detection, or video monitoring, leaving them susceptible to intrusion. Furthermore, within most of these facilities, are communications and control equipment that could be accessed by bad actors seeking to disrupt operations, damage equipment, or cause financial harm through cyber system attacks. The North American Electric Reliability Council (NERC) requirement for controlling physical access to cyber systems will apply to many renewable energy and energy storage facilities whose owners and operators must rethink their approach to controlling access or be subject to fines.
Beginning in 2020, owners and operators of low impact BES facilities must control physical access to cyber systems. Current practices using padlocks and combination locks to lock access gates are not likely to meet NERC’s new requirements. Three particular areas of concern include:
Moreover, owners of solar, wind, and energy storage projects of capacity greater than 75-MW that are connected to the BES at a voltage at or above 100-kV, must be able to demonstrate control of physical access to cyber systems, including network switches, gateways and routers, SCADA system human-machine interfaces, intelligent electrical devices, inverter controllers, and related equipment that could be used to gain access to communications and control networks. Entities are required to control physical access based on need, which means:
As with all low impact requirements, the NERC standard requirement only dictates “what” an entity needs to do and does not provide any details on “how” they should meet the requirements. Whether a requirement is sufficiently met is only determined during a NERC audit. However, experts in NERC compliance have reviewed the new requirements and offer this opinion of what could be seen as an acceptable solution for the NERC requirement.
Youtech US Smart Lock technology is a system of keyless locks, digital smart keys, and management applications that controls access to facilities, premises and equipment containing cyber systems:
The solution consists of:
When properly installed on site access gates, control room buildings and cabinets, enclosures, and panels containing cyber systems, Youtech's Smart Lock System provides a level of cyber asset protection much greater than contemporary methods. The Smart Lock System has the ability to: 1) grant and revoke permissions based on business need; and 2) track and record operations allowing facility owner/operators to rigorously control physical access to facilities containing cyber systems.
Looking beyond the requirements of NERC, all energy facility owners and operators should rigorously manage access to their sites, including equipment, cabinets, enclosures, and buildings containing cyber systems. Owners and operators of small roof-top solar, community scale solar, customer-owned battery energy storage, and related facilities could also be subject to access by actors seeking to cause financial or other harm.
The Youtech Smart Lock system provides rigorous control of physical access to facilities containing cyber systems. Owners and operators of low-impact BES facilities, including solar, wind, and energy storage facilities, can greatly enhance security at a level of cost and complexity much lower than badge-based access control systems.
Key benefits of the solution include:
For a fraction of the cost of a typical HID badge system, the same robustness of a lock-and-key system, entities using the Smart Lock System can reap the following security and compliance benefits: