Youtech Case Study

Controlling Physical Access to Cyber Systems in Low Impact Bulk Electric System Facilities

Current methods for controlling physical access to cyber systems in wind, solar, and energy storage facilities often rely on padlocks and combination locks installed on vehicle access gates. In theory, locks are re-keyed or replaced when keys are lost, and lock combinations are changed frequently; in practice, frequent personnel changes, pressure to keep operating costs low, and remote locations combine to create vulnerabilities. Many of these facilities are located in isolated areas and do not have sophisticated HID badge-based access systems, intrusion detection or video monitoring, leaving them susceptible to intrusion. Most of these facilities house communications and control equipment that could be accessed by bad actors seeking to disrupt operations, damage equipment or cause financial harm through cyber system attacks. Upcoming requirements from the North American Electric Reliability Council (NERC) for controlling physical access to cyber systems will apply to many renewable energy and energy storage facilities, whose owners and operators must rethink their approach to controlling access or be subject to fines.


Challenges

Beginning in 2020, owners and operators of low impact BES facilities must control physical access to cyber systems. Current practices using padlocks and combination locks to lock access gates are not likely to meet NERC’s new requirements. Three particular areas of concern include: 


  • Issuing lock combinations, keys and master keys without a rigorous management program that tracks key and combination possession and requires re-keying/replacing locks when keys or combinations are lost or possession is no longer traceable;
  • Limiting access control to entry gates and not securing inverter cabinets and communications and control enclosures containing cyber systems; and
  • Not keeping detailed records of personnel requiring and gaining access, business needs defining access requirements, and when access is granted and gained.


Owners of solar, wind and energy storage projects of capacity greater than 75-MW that are connected to the bulk electric system at a voltage at or above 100-kV must be able to demonstrate control of physical access to cyber systems, including network switches, gateways and routers, SCADA system human-machine interfaces, intelligent electrical devices, inverter controllers, and related equipment that could be used to gain access to communications and control networks. Entities are required to control physical access based on need, which means:


  • All low impact BES Cyber Systems are identified and located, and access to them is physically secured;
  • Personnel with business/operational needs to access cyber systems, including employees and contractors, are identified and documented;
  • Owners/operators grant and revoke access based on changing business/operational needs; and
  • Access to BES Cyber Systems is monitored and documented.


As with all low impact requirements, the NERC Standard Requirement only dictates “what” an entity needs to do and does not provide any details on “how” it should meet the requirements. Whether a requirement is sufficiently met is only determined during a NERC audit. Experts in NERC compliance have reviewed the new requirements and offer this opinion of what NERC auditors could see as an acceptable solution.


Solution

Youtech US Inc’s Smart Lock technology is a system of keyless locks, digital smart keys, and management applications that allows the control of access to facilities, premises and equipment containing cyber systems. The solution consists of:

  • Electronically operated locks including padlocks, panel-mounted locks, cabinet and enclosure locks and interior/exterior door locks; 
  • Electronic keys with RFID and Bluetooth communications;
  • Mobile application for communication with keys and managing and tracking workflow; and
  • Cloud or premises-based back office software for managing and tracking permissions and operations.


When properly installed on site access gates, control rooms and buildings, and cabinets, enclosures and panels containing cyber systems, the Youtech Smart Lock System provides a level of cyber asset protection much greater than that of contemporary methods. The Smart Lock System’s ability to dynamically grant and revoke permissions based on business need, and to track and record operations, allows facility owner/operators to rigorously control physical access to facilities containing cyber systems.


Looking beyond the requirements of NERC, all energy facility owners and operators should be rigorously managing access to their sites, the equipment therein and especially cabinets, enclosures and buildings containing cyber systems. Small roof-top solar, community scale solar, customer-owned battery energy storage and related facilities contain cyber systems that could be subject to access by actors seeking to cause financial or other harm.


Benefits

The Youtech Smart Lock system provides rigorous control of physical access to facilities containing cyber systems.  Owners and operators of low-impact bulk electric system facilities, including solar, wind and energy storage facilities, can greatly enhance security at a level of cost and complexity much lower than badge-based access control systems.  Key benefits of the solution include:

  • Smart locks require no batteries and are designed to operate for a lifetime in the harshest conditions, providing excellent security at low cost;
  • A single smart key can manage thousands of smart locks, greatly simplifying lock and key management;
  • Operating permissions are issued or revoked dynamically, eliminating the need to replace or rekey locks when personnel and contractors change or when a key goes missing;
  • Operating permissions can be managed on an individual, group, department or site basis;
  • Operations can be issued sequentially and based on the state of other locks, enhancing equipment and personnel safety;
  • All locking/unlocking actions are recorded with date and time stamp providing a robust audit trail;
  • Record of physical location of locks and their status (e.g. locked or unlocked) is constantly maintained; and
  • Record of all personnel, business role, permissions, permission history and date and time stamped history of device operation is constantly maintained.


For a fraction of the cost of a typical HID badge system, and with the same robustness as a lock-and-key system, entities using the Smart Lock technology can reap the following security and compliance benefits:

  • Rigorous control of access to cyber systems to meet the latest NERC requirements for low impact BES facilities
  • Real-time electronic provisioning and revoking of access rights on an individual or group basis
  • Automated logging and audit trail creation
  • Reduced time to manage site and facility ingress/egress


For more information

Contact: Youtech US, Inc (916) 293-3283  youtech@youtechus.com
