PSE Consulting, Design & Engineering



Welcome to the final NERC CIP Technical Article Series on Critical Infrastructure Protection of Electrical Systems at a high tier risk level. The last seven issues built from the ground up and in chronological order the need of energy suppliers and distributors for accurate vulnerability assessments, system studies, and the nuances of specifying, analyzing, demonstrating, procuring, installing, testing, and certifying remote sites that are of intrinsic high value. We assumed all Tier 1 facilities were at high risk and in need of sophisticated security electronics on site in order to establish penetration and site compromise upon system activation.

I use the phrase “upon system activation” in a particular way. Because there is a chain or sequence of events which must occur. The intruders or compromised situation must be physically acknowledgeable whether in heat, light, sound, magnetic field, electrical discharge, mechanical disturbance by weight, interference by volume, or other types of sensors. So first, the sensor must trigger, then the cable must transmit or radio frequencies modulate to some kind of receiving panel. Whether it’s existing SCADA or a dedicated alarm system, the panel must receive, process, and then output through an electronic communication channel the nature of the violation.

It is our receiving of this information, whether it is binary, such as a contact closure from a passive infrared detector, or analog such as video transmitted through digital means that we need to “see.” The monitoring system that receives this information must: 1) be well‑established, 2) have a process for receiving and distributing information, and 3) have a mechanism for verification and evidentiary capability for investigation and possible criminal prosecution. Without any one of these three important pillars, the operation will be deemed incapable of performing to meet regulatory requirements.

Integrators sell equipment, devices, and installation to make a profit on you as the client. You, as the Chief Security Executive, must be able to ask specific questions of the integrator regarding the overall compliance of the sites and the receiving system in cases of challenge. Often times, SIA (Security Industry Association), UL (Underwriters’ Laboratory), and ANSI (American National Standards Institute) will maintain compliance standards for these receiving systems.

So by example, if an event were to occur and there was an issue regarding the veracity of information, evidentiary chain, or investigative thoroughness, the system will be forensically analyzed. This means that each piece of equipment will be reviewed for compliance. It may be expected that UL compliance is mandatory through the chain.

This means that with the best of intention, the integrator’s recommendation, your technical staff’s acquiescence, and your IT department’s influence, the system “chain” will end up providing an end‑to‑end system that is deemed non‑compliant and forensically “full of holes.” This will certainly be disturbing to those who arm the system, those who use the system, and those who are responsible for the system.

Important Questions

The important questions to process are numerous. But let’s start with some of the simplest. How many points will be monitored? How many types of devices?

Some facilities operators will probably be used to monitoring 300 points and six device types. Perhaps even accomplishing security through existing SCADA. No big deal.

But now let’s assume you have 3,000 points and 30 types of devices or more.

Look not just at the equipment, but procedural orders that back up each type of device and what the procedure is for an alarm. Did you know false alarms of security systems are regulated in most states for homeowners and commercial properties? In fact, with many false alarms, you may be charged a minimum law enforcement response “ticket.”

So with procedural orders, you also need response orders, investigation orders, and repair work orders when the systems are down. Because you need to know when the system is down. Here are some more questions.

Is your system going to be real‑time or historic to “backtrack” what the event was, when it occurred, or a blend of both? Is the intention alarm management or first responder activation?

How will you determine if it’s a real alarm or false alarm? Will you use video processing and try to view the event in real‑time? Do you even have the communications capabilities, or will you be left with a $10,000 bill per month per camera? Only to be surprised when you’re paying more for video over cell than you are for the people who are employed to watch the video.

Will you be metricizing the activities? And what measurements will be used? Or, will the system be integrated into your existing SCADA alarm system (which is usually ill‑advised due to its software engine being developed for completely different purposes)?

Comm Center Communications Options

Sometimes, microwave or new broadband communications services are required. This can cost easily as much as the equipment. So what are some of the salient points that technical security teams and those in responsible charge should incorporate to ascertain end‑to‑end compliance? Here are seven suggestions for mapping out a bullet‑proof plan:

First -

Investigate what communications capabilities exist and investigate options for other possibilities.

Second -

Opt for communications solutions that are practical

Third -

Plan for monitoring, whether an existing SCADA control room or a new security center; always requiring a fallback position for storms, environmental actions, fire, or other activity within the space.

Fourth -

Determine if your centralized monitoring system is to be custom, card access-based, PSIM-based, or a SCADA add‑on.

Fifth -

Determine if the operation center will be virtualized so anyone, anywhere, anytime can view it with built‑in fallback capability.

Sixth -

Will enterprise servers be used? And if so, where, how many, and why?

Finally -

Define system administration, policy, electronic recordkeeping, metrics, and monitoring.

Service with a Smile

Remember, the system you install, the communications you use to incorporate alarms and viewing, and the equipment at the comm center all end with service, licensing, spare parts, warranties, integration, and software service agreements. Each of these elements can add from 5% to 10% of the original cost of the installation each and every year. It is a widely accepted opinion that within a 10‑year period, most security operations will spend two to three times the cost of the equipment on staff alone. But with the changing of security services to licensing, software service agreements, and heavy reliance on IT maintenance, these costs could actually rise significantly higher than expectations during design.

It is rare to find in-house experience with multi-site, complicated enterprise systems within an Owner’s or transmission provider’s technical security group. As consultants on a national scale, and celebrating our 30th anniversary, Professional Systems Engineering, LLC has been involved with hundreds of system designs, configurations, and comm center monitoring. Our engineers will often be involved in more systems of a divergent and complicated nature in one year than one transmission operator employee under a corporate purview in 10 to 15 years.

Whether it’s 1,500 locations and the assembly of Request for Proposals or Request for Quotations, or a large governmental policing facility covering an entire state, Professional Systems Engineering’s consultants and engineers work daily with clients as diverse as energy providers to police departments.

If you have benefited from this series, please let us know. Send an email. Are there more points that we should expand on? Any ideas will be refreshing. Please be safe.

CIP START Technical Bulletin was issued by Professional Systems Engineering, LLC (PSE) and prepared by Jerry ‘Dutch’ Forstater, PE, PSP. Mr. Forstater is a Professional Electrical, Electronics, and Communications Engineer licensed in 13 states and is Board Certified by ASIS in Physical Security. The firm has provided independent consulting and security strategy, design, specification, and construction expertise for 30 years. He is a graduate of the ASIS International Security Management Program through University of Pennsylvania’s Wharton School of Business, is a graduate of Worcester Polytechnic Institute, and has been providing significant corporate, utility, industrial, commercial, and related security and public safety programs since 1986. He is Chairperson of ASIS International Philadelphia/Delaware Valley Chapter and former Board Member of the International Association of Professional Security Consultants. He is a Director of the Philadelphia-Delaware Valley Society of Fire Protection Engineers. PSE has provided significant physical security, electronic security, security lighting, and public safety 9-1-1/agency monitoring for law enforcement and corporate clients/agencies throughout the United States on installations that are critical to Homeland Security, infrastructure protection, and the public at large.

Home - Security Systems EngineeringInfo - Security Systems Designemail - Communications EngineeringPSE LinkedinPSE Facebook - Security Systems Engineering
Reproduction in whole or in part in any form or medium without express written permission of
Professional Systems Engineering, LLC is prohibited.
Copyright © 2000-2016 Professional Systems Engineering, LLC. All rights reserved.

Technical Bulletins

Technical Bulletin #1 - "Define the Assets"

Technical Bulletin #2 -"Identify Threats and Vulnerabilities"

Technical Bulletin #3 - Analyze Features and Benefits"

Technical Bulletin #4 -"Justify Costs and Value Engineering"

Technical Bulletin #5 -"Specify"

Technical Bulletin #6 -"Implement"

Technical Bulletin #7 -"Test and Confirm"

Technical Bulletin #8 -"Monitor (and Maintain)"

Technical Bulletin #9 -"CIP START Technical Bulletins Compendium"

Security & Communications Engineering