Issue link: https://fhpublishing.uberflip.com/i/1100701
ROUNDTABLE C yber security is rife in the news and it is, therefore, tempting for company boards to place their focus on this issue. However, that would be a mistake. Mak - ing sure physical infrastructure is protected is just as important. Networks should not use a "broad brush" approach to defending their infrastructure. One attendee argued that sites are bespoke and should be treated as such. "Critical sites are different. It's stipulated by government as to what would deem something to be a category five site, a category four site, or a cat - egory three site. When you come out of those categories – then it's down to a business deci- sion. When you get to that level, everything is idiosyncratic," claimed one participant. Trying to standardise any sort of approach to protection is problematic. Oƒen a threat to a company's assets comes from someone who has a key to the site when they shouldn't. This "insider threat" is com - mon for networks, many of whom do not have any way of tracking who still might have a key. This means an unknown number of peo- ple who shouldn't have access to the site any longer still do. One participant even admitted that they know former employees – retired or moved on – who still have access to several sites and use them for parking. Equally, contractors may have access to sites, so it is important for networks to partner with companies they trust and must thor - oughly vet any company they do hire. They should also ensure they keep a log of how many keys are given out to third parties. Even then, the risk that keys could be copied and kept is ever-present. One way of tackling this issue could be to have an automatic key card or an intelligent key system, one attendee suggested. This could be reprogrammed each time someone leƒ. But getting buy-in from the rest of the organisation for such a system is oƒen a chal - lenge. A handful of long-standing employees, for example, may not like the feeling that they are being "monitored" by intelligent keys which can be tracked. One attendee pointed out, however, that the majority of employees are accepting of such changes. There is also the ever-existing possibility that an electronic key system might not work. However, one attendee argued that the tech - nology does exist. "If a key isn't working, the employee would be able to go into an app and reset it," they said. "The technology is there, we're just not making full use of it." A question was posed about whether there should be a regular audit of energy networks' critical infrastructure, for example by the Department for Business, Energy and Industrial Strategy (BEIS). Comparisons were drawn to the water sector, whose critical sites are externally audited regularly. Currently, energy sites are audited as soon as they have NETWORK / 22 / APRIL 2019 Protecting physical assets Cyber security may be high on the agendas of energy network companies. But they also need to remember that physical risks to their infrastructure are also a very real threat. What can they do to prevent uncontrolled access, and protect their physical assets? Risk professionals from network companies met at a roundtable event hosted by Network, in association with Abloy, to find out. Lois Vallely reports.