Samuel B. answered 28d
AWS Certified Cloud Practitioner Exam Tutor
IDENTIFY — ID.AM-1: Physical Asset Inventory
High-voltage switching gear and associated bus infrastructure; power line carrier communication equipment; wireless radio transceivers; SCADA/ICS instrumentation and sensors; control building servers and workstations; network switches, routers, and communication media terminations; uninterruptible power supplies and backup generation; physical access control hardware (locks, gates, fencing); metering equipment; and environmental monitoring devices (temperature, humidity, intrusion sensors).
PROTECT — PR.AC-2: Physical Access Protection
The substation perimeter should be secured with chain-link or anti-climb fencing topped with barbed wire, with a single controlled vehicle entry point. The control building requires keycard or key-fob access with audit logging. High-value equipment enclosures should have secondary locks. Lighting covering all perimeter and entry points deters opportunistic access. Warning signage (high voltage, no trespassing) establishes legal standing and deters casual intrusion. Cable conduits and communication lines should be buried or armored where exposed. Tamper-evident seals on critical equipment enclosures provide physical evidence of interference.
DETECT — DE.CM-2, DE.CM-8
Perimeter intrusion detection via motion-activated cameras with remote monitoring feeds to the utility's operations center. Door and gate contact sensors on all entry points with alarms tied to a central monitoring system. Vibration or shock sensors on equipment enclosures to flag tampering. Power line carrier and wireless communication channels should be monitored for anomalous signal patterns that could indicate jamming or spoofing. Network traffic monitoring on the control system LAN for unexpected connections or protocol anomalies. Environmental sensors (smoke, temperature spikes) that could indicate equipment damage or fire resulting from sabotage.
RESPOND — RS.AN-1, 2, 3
Upon alert, the operations center verifies the event through camera feeds before dispatching. A tiered response protocol applies: low-priority alerts (single sensor trigger, no visual confirmation) generate a logged ticket and scheduled inspection; high-priority alerts (confirmed visual intrusion, multiple sensor triggers, or communication anomaly) generate an immediate dispatch of security personnel and notification to the utility's incident response team. Law enforcement is contacted for confirmed physical intrusion. For communication or SCADA anomalies, the network segment is isolated and manual control procedures are activated. All events are logged with timestamps, sensor data, and personnel actions for post-incident analysis.
RECOVER — RC.RP-1
A documented recovery plan should include: pre-positioned spare components for critical instrumentation (fuses, communication cards, sensors); vendor support contacts and SLAs for switching gear repair; backup communication paths (if primary wireless is disrupted, fall back to landline or cellular); manual switching procedures that allow operators to restore power routing without SCADA if control systems are compromised; and a tested backup configuration for control building servers so systems can be restored from a known-good state. After any incident, a lessons-learned review updates the recovery plan and asset inventory as needed.
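As an added example, not part of Samuel B.'s answer, the tiered response protocol in the RESPOND section can be expressed as a small triage routine: the operations center correlates sensor hits per site within a short window, classifies the result as low or high priority using the criteria stated above (single sensor trigger without visual confirmation is low; confirmed visual intrusion, multiple sensor triggers, or a communication/SCADA anomaly is high), and derives the actions the protocol prescribes. The event fields, action names, the 5-minute correlation window, and the sample events are assumptions constructed for illustration.

```python
"""Tiered alert triage for a substation monitoring center (added example).

Field names, action labels, the correlation window and the sample events
below are assumptions constructed for this illustration; the priority
rules follow the tiered response protocol described in the answer.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    site: str
    timestamp: datetime
    sensor_triggers: list           # e.g. ["gate_contact"], ["door_contact", "vibration"]
    visual_confirmed: bool = False  # operator verified an intrusion on the camera feed
    comm_anomaly: bool = False      # power line carrier / wireless jamming or spoofing indicator
    scada_anomaly: bool = False     # unexpected connection or protocol anomaly on the control LAN


@dataclass
class Disposition:
    priority: str   # "low" or "high"
    actions: list   # ordered list of prescribed actions


def correlate(events, window=timedelta(minutes=5)):
    """Merge events from the same site that fall within `window` of the first
    event in a group, so separate sensor hits count as 'multiple sensor
    triggers' the way the protocol intends."""
    merged = []
    for e in sorted(events, key=lambda x: (x.site, x.timestamp)):
        last = merged[-1] if merged else None
        if last and last.site == e.site and e.timestamp - last.timestamp <= window:
            last.sensor_triggers = sorted(set(last.sensor_triggers) | set(e.sensor_triggers))
            last.visual_confirmed = last.visual_confirmed or e.visual_confirmed
            last.comm_anomaly = last.comm_anomaly or e.comm_anomaly
            last.scada_anomaly = last.scada_anomaly or e.scada_anomaly
        else:
            merged.append(Event(e.site, e.timestamp, list(e.sensor_triggers),
                                e.visual_confirmed, e.comm_anomaly, e.scada_anomaly))
    return merged


def triage(ev):
    """Apply the tiered protocol to one (correlated) event."""
    actions = ["log_event"]  # every event is logged with timestamp, sensor data and personnel actions
    high = (ev.visual_confirmed or len(ev.sensor_triggers) > 1
            or ev.comm_anomaly or ev.scada_anomaly)
    if not high:
        # single sensor trigger, no visual confirmation: ticket plus scheduled inspection
        actions += ["open_ticket", "schedule_inspection"]
        return Disposition("low", actions)
    actions += ["dispatch_security", "notify_incident_response_team"]
    if ev.visual_confirmed:
        actions.append("contact_law_enforcement")  # confirmed physical intrusion
    if ev.comm_anomaly or ev.scada_anomaly:
        actions += ["isolate_network_segment", "activate_manual_control"]
    return Disposition("high", actions)


# Constructed sample alerts for four hypothetical sites (not real data).
T0 = datetime(2024, 1, 1, 2, 0)
SAMPLE_EVENTS = [
    Event("site-A", T0, ["gate_contact"]),                                    # lone sensor hit
    Event("site-B", T0 + timedelta(minutes=1), ["door_contact"]),             # two hits, 2 min apart
    Event("site-B", T0 + timedelta(minutes=3), ["vibration"]),
    Event("site-C", T0 + timedelta(minutes=10), [], comm_anomaly=True),       # radio channel anomaly
    Event("site-D", T0 + timedelta(minutes=12), ["door_contact"], visual_confirmed=True),
]


def run_demo(events=SAMPLE_EVENTS):
    """Correlate and triage the sample events; returns {site: Disposition}."""
    return {ev.site: triage(ev) for ev in correlate(events)}


if __name__ == "__main__":
    for site, d in run_demo().items():
        print(f"{site}: {d.priority:4} -> {', '.join(d.actions)}")
```

The correlation step matters because the protocol's "multiple sensor triggers" criterion is only meaningful if the monitoring system groups hits from the same site rather than treating each contact or vibration sensor in isolation; a door contact followed two minutes later by an enclosure vibration sensor at the same site is dispatched as a high-priority event, while the same door contact alone becomes a logged ticket.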