When the North American Electric Reliability Corporation (NERC) released its physical security guideline for the electricity sector, it proposed a “systems approach” to security. This approach included a mix of actions designed to deter and delay malicious actors, reduce the opportunity for on-site crime, and impair the ability of unauthorized people to obtain sensitive information.
Access control is a prominent part of NERC’s guideline. Indeed, in NERC’s accompanying Physical Response Security Guideline, a full third of its 18 recommended actions relate to preventing access by unauthorized people.
- No persons should be permitted access to the facility without proper authorization by authorized management.
- Authorized persons will adhere to access control procedures and prevent tailgating or other unauthorized entry.
- Identification badges, permanent or temporary are required for all individuals onsite, including employees, contractors, and visitors.
- Individuals or persons not possessing or displaying an identification badge should be challenged to determine their identity and reason for their presence. Appropriate action should be taken upon this determination.
- Visitors should receive visitors badges, be required to sign in, providing appropriate identification to verify their identity.
- Annually audit electronic or other access programs for critical facilities to ensure proper access authorization.
While this focus on access control is clear, specificity on implementation is not. The variety of circumstances at different facilities precludes a one-size-fits-all solution.
This creates another risk: mistaking the recommendations as parts of a checklist instead of elements of a complete program. When seen as a checklist, security efforts may focus on complying with each recommendation instead of on the most meaningful outcome: implementing a dynamic, comprehensive, and effective physical security program.
When considering protection-in-depth of a facility — that is, several security measures operating in concert to create multiple layers of defense — access control is the front line after the physical walls of the building. It behooves security directors to develop a comprehensive understanding of access control, and implement the tools — Visitor Management Systems among them — that will help them implement the most effective layer of defense.
While these recommendations come from a North American organization, the principles related to access control and protection-in-depth are the valid no matter where on the globe an electricity facility exists.
A risk-first perspective to access control
Physical security must be properly prioritized. Access control risks are asymmetric, meaning risks deemed acceptable by a physical security team may be catastrophic to another team — for instance an IT team.
A U.S. Department of Energy audit of one organization’s cybersecurity program expressed this. The audit report chastised the organization’s “weaknesses related to ensuring appropriate physical access controls,” pointing out that the vulnerability they presented for unauthorized access to sensitive data and systems means that “an organization’s physical security controls are often just as important as its technical or logical access controls.”
Weakness in physical controls result in a vulnerability to social engineering, tailgating, and piggybacking by unauthorized people, including an organization’s own employees.
Access controls and VMS
Access controls present the best early opportunity to detect, delay, and respond to potentially compromising actions, provided the right tools and systems are in place. Visitor Management Systems are a key part of the program, elevating the robustness of this defense layer and the comprehensiveness of the security program as a whole.
To understand how, it is important to go beyond the words in the access control recommendations to consider their intention. Taken together, they seek to ensure three things:
The people in the facility are supposed to be there
Proper authorization, sign-ins, and badging all seek to satisfy this concern. Confirming this with a VMS can be done through visitor pre-registration, custom badging (and self-expiring badges), and access authorization by visit reason or type. This all goes beyond the minimum NERC requirements.
Furthermore, VMS software with integrated ID verification can verify government-issued identification documents with scanners sophisticated enough to be used in airports, reducing the opportunity for social engineering or someone slipping through the cracks by placing himself among a crowd of authorized visitors.
The people in the facility don’t pose any risk
Flagging high-risk visitors during pre-registration or upon arrival is key to ensuring security. A VMS can enable the cross-referencing of guests against external watchlists along with internally-created custom watchlists. This automation provides a curation of external security information while also enabling quick internal updates. This means that if an insider’s authorization is revoked, a watchlist can be updated quickly so that receptionists at other access points can be aware of the person’s new status and deny that person entry in case he or she attempts to gain access.
Among the watchlists available to integrate with Sign In Enterprise are those provided by the International Trade Administration — a list that the US government maintains restrictions on — and those compiled by Visual Compliance, a company that provides an integrated service that includes over 360 watchlists, including those related to finance, politically-exposed persons, and international terrorism.
VMS also allows safety, non-disclosure, and media to be read, viewed, and signed, guarding confidential information and advising guests of risks and procedures related to their visit.
The people in the facility won’t access sensitive equipment or overhear conversations they aren’t authorized to
Guests can accidentally wander into areas of a facility and overhear chatting employees or gain unauthorized access by tailgating or piggybacking.
A VMS reduces the possibility of this occurring by providing the opportunity to communicate clear instructions for guests at the pre-registration stage, by notifying an internal host who can meet and escort the guest upon their arrival, and by validating if and when the host met the guest.
Combined with proper training and processes, the chance of accidental exposure to unauthorized areas or information is reduced.
Satisfying these three conditions goes beyond ticking NERC’s access control boxes. It requires a comprehensive understanding of access control, an identification of discrete access-related risks, and the effective management of each.
In that final category, visitor management systems shine.