Youtech Case Study

Controlling Physical Access to Cyber Systems in Low Impact Bulk Electric System (BES) Facilities

Current methods for controlling physical access to cyber systems in wind, solar, and energy storage facilities often rely on padlocks and combination locks installed on vehicle access gates. In theory, when keys are lost, locks are re-keyed or replaced, and lock combinations are changed frequently. In practice, frequent personnel changes and pressure to keep operating costs low leave remote locations vulnerable. Many of these facilities are located in isolated areas and do not have sophisticated HID badge access systems, intrusion detection, or video monitoring, leaving them susceptible to intrusion. Furthermore, most of these facilities contain communications and control equipment that could be accessed by bad actors seeking to disrupt operations, damage equipment, or cause financial harm through cyber system attacks. The North American Electric Reliability Council (NERC) requirement for controlling physical access to cyber systems will apply to many renewable energy and energy storage facilities, whose owners and operators must rethink their approach to controlling access or be subject to fines.


Challenges

Beginning in 2020, owners and operators of low impact BES facilities must control physical access to cyber systems. Current practices using padlocks and combination locks to lock access gates are not likely to meet NERC’s new requirements. Three particular areas of concern include:

  • Issuing lock combinations, keys and master keys without a rigorous management program that tracks key and combination possession and requires re-keying/replacing locks when keys or combinations are lost or possession is no longer traceable;


  • Limiting access control to entry gates and not securing inverter cabinets and communications and control enclosures containing cyber systems; and


  • Not keeping detailed records of personnel requiring and gaining access, business needs defining access requirements, and when access is granted and gained.


Moreover, owners of solar, wind, and energy storage projects with a capacity greater than 75 MW that are connected to the BES at a voltage at or above 100 kV must be able to demonstrate control of physical access to cyber systems, including network switches, gateways and routers, SCADA system human-machine interfaces, intelligent electrical devices, inverter controllers, and related equipment that could be used to gain access to communications and control networks. Entities are required to control physical access based on need, which means:

  • All low impact BES access to cyber systems is identified, located, and physically secured;


  • Personnel with business/operational needs to access cyber systems, including employees and contractors, are identified and documented;


  • Owners/operators grant and revoke access based on changing business/operational needs; and


  • Access to BES cyber systems is monitored and documented.


As with all low impact requirements, the NERC standard requirement only dictates “what” an entity needs to do and does not provide any details on “how” they should meet the requirements.  Whether a requirement is sufficiently met is only determined during a NERC audit.  However, experts in NERC compliance have reviewed the new requirements and offer this opinion of what could be seen as an acceptable solution for the NERC requirement.


Solution

Youtech US Smart Lock technology is a system of keyless locks, digital smart keys, and management applications that controls access to facilities, premises and equipment containing cyber systems.

The solution consists of:  

  • Electronically operated locks including padlocks, panel-mounted locks, cabinet and enclosure locks and interior/exterior door locks; 


  • Electronic keys with Bluetooth communications;


  • Mobile application for data-driven communication, managing and tracking workflow; and


  • Cloud or back-office software for managing and tracking permissions and operations.


When properly installed on site access gates, control room buildings and cabinets, enclosures, and panels containing cyber systems, Youtech's Smart Lock System provides a level of cyber asset protection much greater than contemporary methods.  The Smart Lock System has the ability to: 1) grant and revoke permissions based on business need; and 2) track and record operations allowing facility owner/operators to rigorously control physical access to facilities containing cyber systems. 


Looking beyond the requirements of NERC, all energy facility owners and operators should rigorously manage access to their sites, including equipment, cabinets, enclosures, and buildings containing cyber systems.  Owners and operators of small roof-top solar, community scale solar, customer-owned battery energy storage, and related facilities could also be subject to access by actors seeking to cause financial or other harm.   


Benefits

The Youtech Smart Lock system provides rigorous control of physical access to facilities containing cyber systems.  Owners and operators of low-impact BES facilities, including solar, wind, and energy storage facilities, can greatly enhance security at a level of cost and complexity much lower than badge-based access control systems.  


Key benefits of the solution include:  

  • Smart locks require no batteries and are designed to operate for a lifetime in the harshest conditions, providing excellent security at low cost;


  • A single smart key can manage thousands of smart locks, greatly simplifying lock and key management;


  • Operating permissions are issued or revoked dynamically, eliminating the need to replace or re-key locks when personnel and contractors change or when a key goes missing;


  • Operating permissions can be managed on individual, group, department, or site basis;


  • Operations can be issued sequentially based on the state of other locks, enhancing equipment and personnel safety;


  • All locking/unlocking actions are recorded with a date and time stamp, providing a robust audit trail;


  • Records of the physical location of locks and their status (e.g. locked or unlocked) are constantly maintained; and


  • Records of all personnel, business roles, permissions, permission history, and date- and time-stamped history of device operation are constantly maintained.


For a fraction of the cost of a typical HID badge system, and with the same robustness as a lock-and-key system, entities using the Smart Lock System can reap the following security and compliance benefits:

  • Rigorous control of access to cyber systems to meet latest NERC requirements for low impact BES facilities


  • Real-time electronic provisioning and revoking of access rights on an individual or group basis


  • Automated logging and audit trail creation


  • Reduced time to manage site and facility ingress/egress
