
Physical Security Supports Cybersecurity | Episode 114

Adversaries who can physically touch a target have a huge advantage when it comes to compromising that target. Mike Almeyda of Force5 joins us to look at tools for physical security that support cybersecurity, especially for the North American NERC CIP standards.

Waterfall team

Podcast Episode 114 with Mike Almeyda

Mike Almeyda of Force5

Mike Almeyda is a Senior Account Manager at Force 5. Mike’s experience is in enterprise risk management and power utility compliance. He served as a Critical Infrastructure Protection (CIP) Compliance Auditor with SERC Reliability Corporation for two years, where he led audit teams in CIP Compliance Audits and spot-checks for over 25 CIP audits. Mike has particular expertise in NERC/CIP compliance enforcement.

Mike’s extensive experience navigating regulations spans both sides of the regulatory table. At Florida Power & Light, Mike served as Manager of Power Delivery Reliability Standards & Compliance and Manager of Training and Execution Assurance. He provided direct oversight to compliance sustainability and quality assurance for the Power Delivery Business Unit, spanning all NERC Reliability Standards. He also led compliance activities, ensuring full compliance with all legislative and regulatory initiatives, as well as reviewed cyber security and infrastructure protection compliance protocols and procedures, ensuring complete alignment with national and regional regulatory requirements (NERC CIP Standards/FERC Orders). Mike later returned to SERC to serve as Manager of Business Process & Risk Assessment, where he provided strategic leadership and tactical planning for the organization, developed the regulatory risk profile for SERC’s area of responsibility, and implemented continuous process improvement methodologies across the corporation.

“…when you remove that first area of defense and you no longer have a human performing that function, you’ve got to ask yourself the question: well, what can I do? How can I provide oversight, protection, safety, and security for my site if I don’t have somebody that’s looking over them?”

Transcript of this podcast episode #114: Physical Security Supports Cybersecurity with Mike Almeyda from Force 5

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Hey everybody, and welcome to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions. He’s going to introduce the subject and guest of our show today. Andrew, how’s it going?

Andrew Ginter
I’m very well, thank you. Our guest today is Mike Almeyda. Mike is a Senior Account Manager at Force 5, and Force 5 does physical security for electric utilities. Physical security is tied into cybersecurity: you don’t have cyber if you don’t have physical. So he’s going to talk about physical security and the connection to cyber.

Nathaniel Nelson
All right, then let’s jump right into it.

Andrew Ginter
Hello Michael, and thank you for joining us. Before we get started, can I ask you to say a few words about yourself for our listeners, and talk about the good work that you’re doing at Force 5?

Mike Almeyda
All right, Andrew, thank you so much for bringing me on your podcast. It’s an honor to be here. My name is Mike Almeyda. I am a Senior Account Manager at Force 5. I’ve been with the company for about five years; altogether in the power utility space I’m entering my thirteenth year. I had a previous career in the United States Army as an officer for a number of years, and my career stems from being a CIP auditor, working for a power utility, and now working for a vendor. At Force 5 we focus on reducing risk at every entry point of a power utility’s facility. So thanks again for having me, Andrew.

Andrew Ginter
That’s great. And our topic today is physical security interacting with, or supporting, industrial cybersecurity. You know, we’re the Industrial Security Podcast; most of what we talk about is cybersecurity. How does physical security fit with cybersecurity?

Mike Almeyda
Sir, it’s a great question, Andrew, and I’ll tell you, at the crux of the matter, physical security really ensures that you’re keeping the bad actors out of your facilities. You’re doing your best job to validate that those individuals have a business need, that they’ve met your site-specific training, that they meet your policies before they come on site. And it’s important to limit who comes on your site, because therein lies the problem, right? The first part of any type of criminal or bad actor is always looking to circumvent your physical security process, and with the right toolset and the right skillset, once they get inside your facility without being challenged, that gives them the opportunity to get to areas of your facility that house critical infrastructure protection components. Especially when we talk about cybersecurity, this could be network cables, switches, routers, you name it. The moment that they get physical access into your site, cybersecurity is just a keystroke away, right?

Andrew Ginter
So in principle that makes sense. I mean, I agree with you. Can you give us an example? I mean, you know, how much trouble can we get into?

Mike Almeyda
Yeah, so this actually brings up a funny story. Not really funny, but a really important story for understanding why cybersecurity is so important. So as I mentioned in my introduction, I did spend a number of years in the military, and I was deployed. This is back in 2008. I got a phone call from my brigade communications officer about two o’clock in the morning, and she told me, and this is now a declassified operation, that we had to disable every single USB drive across all of the computers in my area of operation. At the time I probably had over 2,000 PCs, and I was geographically dispersed in nine locations in Iraq, and had 24 hours to do it. My soldiers and I completed the mission. But the reason we had to do that is because there was a signature of a malware that was attempting to send information from our secret internet protocol network to Russia, and what we discovered in our after-action review was that it appeared that the virus, or the Trojan horse, originated from a USB stick that someone had plugged into our network, whether it was inadvertent or not. More than likely it was probably a soldier who went to the morale, welfare and recreation center to talk home, contracted the virus on that device, and brought it back and put it into our secret computers. But the reason I bring this story up, and the importance of it, is if you allow just about anybody to come onto your site without properly vetting them and making sure they meet those credentials, they can easily take a jump device, plug it into one of your network switches, or plug it into a computer that controls some of your industrial control systems, and wreak havoc, just like we experienced, which by the way set us back about a decade in terms of technology. So I would absolutely consider that something you should look at when deciding whether or not you want to let the right people in on your site.

Nathaniel Nelson
You know, Andrew, when it comes to somebody physically at a plant, it’s not even something that I really associate with cyber. I just assume that a cyber attack occurs when some remote entity tries to get in through technological systems, not when somebody’s literally at a plant. Is this something that happens outside of the context of, like, Stuxnet? And if so, are there any defenses against it?

Andrew Ginter
Um, yes. You know, yes and yes. Let me give you sort of a more mundane example to start with. I was working at Industrial Defender a long time ago. We were building software and we had to test it, and so we had a large test bed, and to standardize our testing we would reset the entire test bed to sort of a known state between runs. And that meant taking Linux CDs, and we’d take an image backup of the hard drive, basically every sector on the hard drive from zero to as big as the hard drive was, and between runs we would just put the image back on the hard drive and start from exactly the same state. So we had to do this, and I gave the Linux boot CD and all of the backup CDs to one of my colleagues who’d never done this before, explained how to do it and why. Away he went; two hours later he comes back and he says, Andrew, do you know that with this Linux boot CD I can boot any device in the office here and read all of the data off the hard drive? And I said, yes, I said, welcome to the dark side. If you can touch it, it’s yours. Now, this was back in the day before hard drives or flash drives were routinely encrypted. So, to your question, is it real? Is it mundane? Yes. Back in the day you boot into Linux and you can read every bit on the hard drive. Nowadays, this is why modern equipment is encrypted. The hard drives are encrypted; if you try to do this, you’ll get garbage back. But the bad news is that not all of the equipment in industrial control systems is modern. A lot of it’s still older, and even modern equipment is vulnerable: if you can touch it, you have a huge advantage. So sort of a second example is, Chinese intelligence agencies have been accused of doing this to visitors in China. People who visit China are encouraged to use throwaway devices and not log into any of their important cloud-based systems while they’re visiting. Why? Because Chinese intelligence agencies have been accused of tapping your business partners, the ones you’re there to visit, on the shoulder and saying, you know, take this man out for a three-hour binge somewhere, and then tapping the hotel on the shoulder, getting into the hotel room, looking at the laptop, figuring it out and leaving. You know, do it again the next day and come back, and this time they know exactly what model laptop you have.

Andrew Ginter
They’ve got the tools. They take it apart, they insert a device, a very tiny device, between the keyboard controller and the motherboard, and now this tiny device is recording all of your keystrokes. They come back at the end of your visit and do the same thing, removing the device, putting your device all back together again, and now they’ve got on that little chip all of the keystrokes that you’ve entered, all of the passwords that you’ve used in the last three days. They log into your systems and, you know, you’re sunk. So in the modern world, this is why many of the cloud systems, if you want to log into them, have two-factor authentication. So to your question: yes, if you can touch something you have a huge advantage in terms of compromising it, and yes, this is why we see two-factor authentication, this is why we see encrypted hard drives, this is why we see a lot of modern technology being applied, because this is a real problem.

Andrew Ginter
Okay, so that’s the problem. Can we talk about the solution? I mean, it sounds simple. Is this not why we have guards, gates and guns?

Mike Almeyda
You know, we absolutely do, Andrew. We have guards, gates and guns. But I can tell you that with the recent financial and economic strains, especially on big businesses, it’s becoming more challenging to borrow money, and so what I’ve seen recently, especially with one of my large customers, is that they’ve made a decision to move away from a contingent guard force because the cost is astronomical. At the end of the day they’re beholden to their shareholders, and so when you remove that first area of defense and you no longer have a human performing that function, you’ve got to ask yourself the question: well, what can I do? How can I provide oversight, protection, safety and security for my site if I don’t have somebody that’s looking over them? And you know this, Andrew: in the power utility space, power plants are the bread and butter of how power utilities not only make money but allow us to flip a switch and let the lights go on. So if we can’t afford to allow a physical person to do that, we have to do something different. And that’s one of the reasons why at Force 5 we provide solutions for outage management and really help provide internal controls that can vet individuals, making sure that they have a proper business need, they’re not on some watch list, they have your site-specific training. So you have confidence knowing that individuals who come on your site not only are who they say they are but have the appropriate business need and also meet all the training and policies you’ve set in place to protect your organization in the first place.

Andrew Ginter
Okay, and that makes sense, and I’m going to ask you more about what you folks do in a moment, but work with me. If you’ve got organizations that have done away with their guards, I mean, what happens if, worst case, someone ignores your security fence, brings a saw, cuts through the fence, cuts through the doors on the way into the plant, into the server room, I don’t know, with a USB in his hand? Do you not need guards at least for incident response? I mean, what do you do if you don’t have guards and you’ve got a situation like this?

Mike Almeyda
Right, and this ties back into your incident response plan, as you just mentioned, right? So the first thing you have to do is, if you know you’re going to move away from a contingent workforce or contingent guards, you have to make sure that your policies and procedures adapt to that, right? If your policies and procedures say notify a guard, and obviously you’re not using guards, you need to make sure that there’s something in place to follow. And really it boils down to your level of risk tolerance, right? Do you really want your employees confronting somebody they think is a bad actor? Or would you probably want them to do something like call 911, call a security company, whatever it is? And more than likely your SOC has probably done both already, because they have video. Most power utility companies I know have video footage pointing at those critical facilities, and so if they see somebody that’s not recognizable, they’re probably going to go ahead and start putting in the protective controls to make sure that they do that. But the truth is, the more realistic situation is somebody finding a way to get into your site during a major outage so they can blend in with the environment and do things undetected.

Andrew Ginter
So that makes sense in principle. If there’s an intruder in the site and there’s no guards, you call 911, you call the authorities; your SOC might have done that for you. But there’s operational decisions that have to be made. If someone has cut into the server room, if someone is wandering around the facility with a hammer in their hand, with clearly malicious intent, they’ve cut their way into the facility, and the authorities aren’t there yet: do you keep generating power? Do you keep producing oil out of the refinery? Isn’t there a decision point that has to be made about what we do with someone on site like that? Do we have to shut down out of safety?

Mike Almeyda
It’s a really awesome question, Andrew, and I guarantee you you’re going to hear different answers from different people. But I can tell you, Mike Tyson had this famous quote, and it says everybody has a plan until they get punched in the mouth. So when you think about that, at the end of the day your policies, procedures, your business continuity plan should absolutely have those steps in there, and if they don’t, really it comes down to the station manager. It’s his decision on what to do in that scenario. I guarantee you your executives are probably concerned about profitability and are also concerned about making sure that the plant generates money to keep the lights on, but in that moment the plant manager might be about safety and security for his employees. And so at the end of the day I think the responsibility falls on the plant manager, whether he continues to have operations going or he chooses to shut down, and there’s a lot of factors to consider in that, right? Let’s just say this happens in the summertime, and it’s at the peak of day and it’s hot, and you’re at your peak load. You probably don’t want to shut down your site. But if it’s something that happens in the middle of the night, where it’s not really a peak load, there probably will be more considerations to actually have the plant shut down while you deal with the security issue. That makes sense.

Andrew Ginter
Well, that makes sense. You mentioned NERC CIP a couple of times. I know there are rules in NERC CIP about physical security. Can you talk about those rules? Um, okay, so something else you’ve said a couple of times: you talked about outages. Now, the questions I’ve been asking you, I’ve kind of been assuming we’re talking about physical security during operations, when there’s the usual complement of people on site, when you’ve got power coming out of the power plant, when you’ve got gasoline going through the pipeline. You’ve talked about outages a couple of times. Why are you talking about outages? What’s special about them?

Mike Almeyda
So outages are something that commonly occur for large generation facilities. So if you think about a car, every so often you’ve got to bring your car in for maintenance so that it keeps running well. Power plants run on the same schedule. There are certain components of those plants that have to shut down for maintenance, and so during these times you can have a large contingent workforce coming on site. In fact, there’s a plant that I visited not too long ago that produces about 3,400 megawatts of generation, and at their peak outage they can have about 1,500 people on site that are contractors. You don’t know them, they don’t know you, but they’re there to perform a service for a certain period of time. And so when you think about having a large group of people, you don’t know anything about them, all over your power plant, around your most critical assets, that creates a security challenge. It also creates a safety challenge, because they’ve probably never been on your site before. Sometimes they have to bring vehicles on your site, so now every person and every vehicle that’s on your site creates a liability unless you find a way to validate them and ensure that they have a proper business need. So it’s important. This is an important part of the power utility space, because if those plants don’t get everything done that they have to get done in an outage, and they have to extend their outage for any reason, it puts strain on the bulk electric system, on the interconnects as a whole, because now someone’s got to pick up the slack for the power that’s not being generated. So again, yes, it’s a for-profit industry that generates power for dollars, but at the same time, if you can’t fulfill your obligations the way the whole entire landscape is expecting you to, then it puts unnecessary strain on the system as a whole, and that can create issues like rolling blackouts and whatnot, which we all remember from 2003, but that wasn’t due to a planned outage. But the point is, we have to make sure that during those outages we’re getting everything done that we have to, to keep the system online, and we’re also making sure that safety and security is a focal point of ensuring that none of those contingent workers are going to be in a position where they can do something to sabotage or inhibit your ability to provide services to your customers.

Andrew Ginter
Yeah, I mean, in theory that makes sense. A, it’s a lot of people. B, let’s talk NERC CIP if we can. You’re giving the power plant example.

Mike Almeyda
Sure.

Andrew Ginter
Let’s say part of the outage is to expand the capacity of the server room, so we can put more servers in there to do more stuff, more predictive maintenance, more whatever. And so one of the people who’s got to go into the server room is an electrician. They’re setting up the new rack, or three, with uninterruptible power supplies. They’re connecting it to the power, they’ve had to add some new breakers, they’re in there working for a couple of days doing electrical stuff. But this is the room that contains all of our control system computers. How does that work? The plant is down, it’s not producing power. Do you just let the electrician in there? What’s the rule?

Mike Almeyda
Yeah, it’s a really important rule, and this is right in CIP-006. When you have a critical, or you have a physical security perimeter that’s defined in NERC CIP, there’s two ways you can do it, right? If this is a contingent worker that you know, that you’ve done a personnel risk assessment on, you’ve performed a seven-year background check, they have a valid business need to be in that space unescorted, you most certainly can give them privileges to go into that space unescorted. In my history of being not only an auditor but working for a power utility, this is going to be the exception, not the rule, and the reason is because this is somebody that’s doing work or service for a small period of time and they’re not going to be back. And so you typically want to reserve those types of authorized and escorted physical access for people that you trust, that are going to be there from a longevity perspective. More frequently, what we see is when you have a visitor coming into a physical security perimeter, or PSP for short, you have to escort them at all times, within line of sight. So you’ve got to make sure you document what their name is, who they’re there to see, document what the reason is for them being in there, what time they arrived, what time they left. This is typically done manually. I’d probably say about 80% of utilities do it manually. But again, that creates a challenge, right? Because if you have sloppy handwriting or you’re not putting in the correct information, and there should be an event, then you’re relying on what’s written on that paper to see who was in that space, who was the escort, to try to decipher what happened. I can tell you that there’s been a lot of times on the physical security side where an incident has happened, and when they go back and try to figure out who was in the space, they couldn’t decipher the handwriting. So now they have to go and rely on cameras and rely on different angles, and call up the person who they believe is in the video, and as you’re doing that, it’s taking time, and the more time you take, the more likely whoever it is that was doing the malicious act is probably going to get away with it and be undetected.

Andrew Ginter
Ah, and you know, the standard that’s called CIP-006 talks about physical access control. It says stuff like, if you have an important piece of the electric system that is covered by NERC CIP that’s medium impact or high impact, because there’s sort of three categorizations, low, medium and high, in NERC CIP, if it’s medium or high, you have to have a process that restricts physical access to these systems. It’s usually described colloquially as a six-walls rule. You have to have a floor, you have to have a ceiling, you have to be sealed floor and ceiling and on four walls, and you have to have a system in place, keys or technology or something, that prevents random people from walking in. You have to have a way to, they use different words, but you have to clear people who are allowed into it. If you let people in whenever they want, they have to be trusted people, so they need to have background checks, they need training, they need to know what they’re doing. If you have uncleared people, like the electrician, who need access to the space, they have to be supervised constantly by a cleared person. You have to have technology in place to monitor if somebody enters the room who’s not authorized. You have to have alarms in place to detect unauthorized access. All of this is part of CIP-006, because to a greater or lesser extent, if you can touch a system you can compromise it, or you certainly have a tremendous advantage in terms of compromising it.

Andrew Ginter
So let’s get into the details about the good work you folks are doing at Force 5. You have solutions in this space. What do you have? Who’s using it? How does this work?

Mike Almeyda
So we got started, ironically, in the CIP space. I actually worked for a utility company, and I discovered Force 5 at the recommendation of a peer. At the time, and we’re talking about CIP-006 here, there were eight regulatory regions, and we were in all of them. And so we had manual paper logs at these physical security perimeters, and as you can imagine, we were getting audited by all eight regional entities, and we would probably get audited every year, and it’s something that we consistently had a problem with. And so when I approached Force 5, I said, hey, listen, I’m going to make your business requirements very simple for you. I want an appliance that includes software and hardware. I want it all in one. I want something that can easily be used regardless of the austerity of any type of environment, whether it’s a power plant, a substation, a control room, a corporate lobby. I want the look and feel to be the same, and I want a dedicated support line. I don’t want to have to figure out what the hardware needs to be; you figure it out for me. All I have to do is pick up a phone or send an email and get help. And that’s how Gatekeeper was birthed. And so we now have an automated solution, which is the only escort-driven self-service logging kiosk in the industry today that enforces those policies of NERC CIP at your PSPs. And so instead of relying on paper, handwritten errors, trying to decipher that, we have the ability to enforce your policies and procedures. So whoever the authorized escort is, he or she is the only person that can use the system and start a visit. Your visitor can’t. We put all the onus on the person with the responsibility, and that’s how we got our start in NERC CIP. And then I’d say about a year and a half later we were approached by a plant manager that said, hey, that’s great, but I don’t care about those requirements. I have hundreds of people coming to my site during an outage. They don’t need to be escorted. I just need to make sure that they have met all the training, they’re not on some sort of watch list, they have a business need to be there. If you can figure that out, then I see a path for your solution. And so Force 5 worked with some of the outage coordinators and some of the plant superintendents and plant managers, and that’s how the evolution of the outage management solution of Gatekeeper was birthed. And so in this scenario we use full-height turnstiles. We can provide a building or no building, and we augment those turnstiles with our kiosk to perform access controls. And so if you think about what’s important to a plant manager, they want to make sure that this person has the site-specific training to enter the site. They want to make sure that they’re not on some sort of watch list, or have been terminated or kicked off a plant in the past, and they want to make sure that they have a valid business need during an outage. So when you take all those pieces and you assign them to an identity, at our kiosk, in a quick moment, when you use biometrics, they can either use their fingerprint or they can use their face. Once they come to the kiosk and identify themselves, the system does all those checks quickly, and if you meet all the criteria to enter the site, we fire the turnstiles, and if you don’t, we deny entry. And if you match a watch list, not only do we deny entry, but we send out emails, text messages and robocalls to interested parties letting them know that somebody that’s a bad actor is at the front gate of your facility.

Andrew Ginter
And you know, you mentioned biometrics. I mean, it’s great, biometrics are high tech. Are they necessary? I mean, most places I go, they use badges.

Mike Almeyda
Right, necessary, and they’re definitely good questions. So I can tell you that for your trusted environment, badges are okay, and they’re okay because you know who the people are, and you know that they have already been validated by your company. When you talk about your untrusted environment, which is the reality here with a contingent workforce, in my experience in my career I’ve seen a plethora of things happen. In fact, one time when I was working for a utility I happened to be at a plant, and there was a large group of contingent workers with a leader, like there was a contingent workforce leader that was overseeing all those people, and towards, I’d say, after lunchtime, this gentleman grabbed all the badges from his staff and let them out. There was another outage happening not too far away that they had a contract for, and the priority for that company was that those staff be there. And at the end of the day, when he went to go swipe out his badge, guess what he did? He not only swiped out his badge but he swiped out the badge of his entire team, and so our company wound up paying for 10 to 12 individuals that left early, right? So with badges, the problem with that is all they’re intended to do is access control: it looks at the card serial number, makes sure that it matches an authorized entry on that list, and lets him in. When you use biometrics, it’s very hard to fake a face or a finger, right? So you have to have something physical that’s unique to you, and so what we found is not only does it expedite the process of logging people in, but it also gives you stronger validation, knowing that the individual who presented that credential, whether it be facial recognition or biometric fingerprint, when you have them presenting that credential, it’s a higher confidence of validation. So you know that they can’t hand their thumb, and they can’t hand their face, to somebody else, because you can only use it to go in and you can only use it to go out, and the system is smart enough to know if you’ve gone in one time, we’re not going to let that same identity in because it’s already in the system.

Andrew Ginter
So, you know, it sounds like that scenario that you gave there with the badges, you know, the benefit that the system was providing the plant is, you know, not really a security benefit in the sense that it's keeping out people who shouldn't be there. It was kind of an operational benefit, and, you know, in a sense this is commonplace. A lot of folks that we have on, talking about different approaches to solving problems in the industrial security space, a lot of the time those approaches have sort of ancillary operational benefits. So, you know, you've given us one. Do you have other examples of, you know, how you can use what appears to be a security tool to, you know, just make the plant more efficient?

Mike Almeyda
It's funny you say that, Andrew, because one of our customers recently this year gave us an interesting story I'm going to share with you. We always tell our clients, make sure that you tell your contingent workforce when you use a solution that it is from a safety and security perspective, because they'll be more apt to adopt it in their everyday routine. But one thing that he shared with me was he's always used this same scaffolding company for a long period of time, and over the years he said he thought he was getting billed or overcharged for certain types of activities they were performing, and he could never validate it, because for T&M, or time and materials, contractors, it's paper-based time cards, time sheets, right? So he'd say 50% of the time he'd argue back and he'd win, and 50% of the time he'd pay the invoice. And so as soon as he leveraged our solution, he got his first invoice from the company, and when he looked at it he said, "Ah, you know, this doesn't seem right," and so he decided on his own accord, "You know what? I'm going to go into Gatekeeper and look at the resources that I got for the week." And what he discovered when he put his invoice alongside the record of who had actually been on the site: the invoice was for nearly double the amount of individuals he had on the invoice. So let's just say it was 40.

Mike Almeyda
He only got twenty, and they were supposed to work 40-hour shifts for the week, and they only worked 20 hours. And so when he went back to this guy, he said, "Hey, I got your invoice, but I'm not paying it because you overcharged me," and the guy's like, "Come on, man, you know we always go through this conversation every time we have an outage. You know I won't do that to you." And he said, "I get it, but I just pulled my report from the solution that we have for safety and security at our gate, and I can tell you down to the second who was on my site, and I can tell you that I got half the resources on this invoice at half the time. So I'm not paying this invoice." And the gentleman's like, "Well, let me look into that and find out what the problem is," and the next day he calls him back. He goes, "Oh, I sent you the wrong invoice, I apologize, here's the right one." And my client kind of chuckled, but he said ever since that scenario happened, he never has gotten overcharged for an invoice, because they now look at this as a time sheet. So again, it's a safety and security solution, but the contingent workers are looking at it as a time sheet. And in addition to that, one of the things he's been able to discover in using the data that was typically stale, written on paper, now that it's in a database, is that he actually can predict whether or not he's going to have enough resources. As I mentioned earlier, you know, if you don't have the resources to meet an outage and you have to extend it, that puts some strain on the power system. Well, using this solution, he can say, "Well, I was supposed to have

Mike Almeyda
40 resources at 40 hours a week, but for the past three weeks I've only had 20 resources at 20 hours," so he can predict that he's going to fall short in that area, and maybe use some other methods to help condense that time a little bit shorter, or bring in additional resources to compensate for the lost time that he had because he didn't get the resources he was promised. So that's an operational thing. And one other story that I want to embellish here for a moment that I think is important is the security aspect, and I think this is operational because operational risk is something that everybody should consider, especially when you have industrial control systems. We had a customer who had a contractor that got into an incident with the plant manager, and as a result of that incident, he was placed on a watch list and walked off the site and told that he was not allowed to come on that site ever again. A few weeks later, that contractor decided to go work at a different site for the same company, the same utility company, just under a different outage, and it just so happened when he arrived, the watch list identified him as being a person that shouldn't be on the site, and that plant manager happened to be there that day because he worked the zone. And so he looked at that individual and says,

Mike Almeyda
"Don't ever come back to one of my plants ever again. You're not allowed here." And as a result of that, the company, the vendor company he worked for, terminated his services because he could not perform. So, lo and behold, several weeks go by, this individual gets a job at a new vendor company that happens to have a contract for an outage at the same power utility company, and when he showed up for the outage and placed his finger on the reader, it detected him. Regardless of what uniform he wore, we were still able to identify that this is the same individual that's on the watch list; he should not be on site. So the customer was extremely happy, because there were three use cases in a span of six weeks where an individual who was someone that should not be on site was caught and was identified prior to allowing that individual to get on site. So that's a great example of the robustness of a solution. So safety, security, financial reconciliation, any of those things are important to your plants.

Nathaniel Nelson
The point that Mike just made definitely speaks to what's been sticky in my mind throughout this interview, which is that the technology that he's describing seems most useful to me, or rather most commonly useful, not necessarily in that crazy state-sponsored, Stuxnet-like scenario where you're dealing with spies, but where you're dealing with more run-of-the-mill insider threats, which I imagine are going to be much more common for customers of his. Although it occurs to me as well, and I don't know if I'm misunderstanding the exact nuances of the technology here, that it might make more sense to have, like, a list of people who are allowed on a site and then just exclude everybody else by default, rather than having, like, an expressly bad list and then going from there, unless there's a good and a bad list.

Andrew Ginter
In my best understanding, and I didn't quite ask the question this way, but in my understanding there are both an allowed and a disallowed list. It's not like you allow everybody except people on the disallowed list. You don't let any stranger into the site. My understanding is that

Nathaniel Nelson
Understood.

Andrew Ginter
before you let someone in, they have to be entered into the system. You might presumably enter them into the system when they arrive, but, you know, presumably, assuming they have someone to vouch for them, their host at the site. But even if you have an allowed list, you know, the biometrics, I think, come into play when you have a disallowed list. You've got biometric information for the people that are disallowed. You know, in the example of the worker who changed vendors, they might well have, you know, I imagine they could have registered with their new employer with a subtly different name, using a nickname instead of, you know, the long spelling of their full name, and they show up as a different name, a subtly different name, working for a completely different employer, making their first visit to the site. So they are on the allowed list, but then the disallowed list catches them, because the biometrics identify them as the same person with a different name who's been banned from the site.

So yeah, as far as I know, it does both of them, and it's a little bit complicated.

Andrew Ginter
Cool. Some very convincing use cases. Um, you know, let me ask you, we've been talking about what you folks do. Can you talk about the future? What's coming in this space?

Mike Almeyda
Well, I think, and this is kind of ironic because we've talked a lot about visitor management and how we, you know, ensure the right folks come on site, but more recently there's been a lot of shootings at substations. In fact, last year I think it was over 113 shootings at substations. So it's definitely got the attention of a lot of executives in the space, and as a result of that we've partnered with a company and we're now producing what's called BOSS. It's a Ballistic Overlay Shield System, and the intent of this is to provide enhanced ballistic protection, security and resilience for substations and critical assets by reducing those potential attack vectors and threats, right? So you think about that room that we talked about, that hypothetical room with all this network and security equipment, being shot at now is a physical threat. But again, you damage that equipment, it creates a problem. And so we've developed a solution based out of polyethylene, I think is the proper pronunciation, but it's been tested by the US military for over two decades, and the solution we have now can stop a 7.62 round, which is typically fired from a .308 Winchester hunting rifle

Mike Almeyda
or an AK-47. So as you look at some of these threat vectors and threat actors, that type of caliber or lower is probably what they're going to use to target your substation, whether it's just a disgruntled worker trying to get back or really somebody that's trying to do damage. This is a big threat that we're seeing that has certainly got the attention of many power utility executives, and we feel like, in our ability to call ourselves a risk company, this certainly fits the bill when we talk about how we reduce risk from those types of attacks at some of the most critical systems, like transformers or whatnot, in the power utility space.

Andrew Ginter
There you go. I mean, distressing that this is the world we live in, but it is. I mean, this is, I guess, why we have jobs, you know, physical security, cybersecurity, they interact. Um, you know, thank you for joining us and providing these insights. Before we let you go, can you sum up for us?

Mike Almeyda
So at the beginning, Andrew, we were talking about tying physical security and how it relates to cybersecurity, right? So if we take cybersecurity, at the crux of it, that's the place where you can predominantly do the most damage undetected in your facility. And so if you know that that's one of the higher risks to your facility, to your infrastructure, you want to make sure that that is protected from a physical standpoint. And taking cybersecurity back to physical, if I had a handful of takeaways, here's what I'd tell you. Understand the risk that you have to your environment and what your tolerance is for it. If, with manual processes like paper, you're willing to accept that risk, then this is probably not for you. But if someone circumventing your security and getting someone like an electrician to a switch room, where you've got critical infrastructure that, if it gets damaged, can cause a big problem, is where you've got problems, then you probably want to automate it. And when you look at automating it, you want to make sure that you can validate, enforce and discover things about your organization, right? So you log the visitor, you validate their identity, that they have an appropriate business need to do that, you enforce your policies and procedures, and you discover trends about the information that you're getting. If this sounds like something that piques your interest, or it's a need at your power utility,

Mike Almeyda
visit force5.com. We only work with power utility companies. Or feel free to reach out to me; you can find me on LinkedIn, just look up Mike Almeyda, the same name you see in the podcast title. Andrew, thanks again for having me on today. It's been a pleasure.

Nathaniel Nelson
Andrew, usually I ask you for a last word here, but this episode has given me a lot to think about. I think that the overall takeaway for me is that physical security is always dovetailed with cybersecurity, that they are necessarily interlinked, and when you don't have the former, you can't have the latter. And also, you know, we've done over a hundred episodes of the show, and I think that we sometimes take the physical security side for granted by talking about, you know, everything else that happens on the computers, as if that is just going to be taken care of. But at the end of the day, you know, you need people like Michael to do that basic, assumed, implicit work, so that then we can talk about the more sophisticated defenses that we spend all our time on.

Andrew Ginter
Absolutely. I mean, one of the principles that, you know, I talk about at conferences sometimes, um, you know, we talk about the cyber perimeter. A lot of people say, "Oh, but the cyber perimeter, is it, you know, is there really, is it dead?" because, you know, there's experts on the IT side who say the cyber perimeter is dead. And I come back with "yes, but." It might be dead on IT networks, but, you know, that's not the point. The point is that all important industrial facilities have a physical security perimeter, all of them. They all have, you know, if not guards, gates and guns, at least, you know, a fence and, you know, a system like Force 5 at the turnstile letting people into and out of the site, controlling access to the site. There's always a physical perimeter. You don't let the public walk into a dangerous facility, and you certainly don't want, you know, random malicious actors walking into a dangerous facility. So yes, absolutely, there's always a physical perimeter. It's essential to cybersecurity. You don't have cybersecurity unless you have physical security. So, you know, good call.

Nathaniel Nelson
Well, thanks to Michael Almeyda for speaking about this with you, Andrew, and Andrew, as always, thank you for speaking with me. This has been the Industrial Security Podcast from Waterfall. Thanks to everybody out there listening.

Andrew Ginter
It's always a pleasure. Thank you, Nate.
