For most people, holding the door for another person is a natural instinct. However, when entering a Physical Security Perimeter (PSP), this instinct is not appropriate and will often result in a violation of CIP-004 or CIP-006. It is important to remember that organizations typically have multiple PSPs, with the most critical – like the IT data center – having the most restricted access.
To maintain compliance with NERC CIP Standards, an entity must log and monitor all personnel with authorized unescorted access entering a PSP. Often, a physical access control system does the logging and monitoring – an authorized person unlocks a door by holding their identity badge against a proximity card reader or other mechanism. Once the card reader has identified the access level for the identity badge, it will unlock the door, retaining a record of the entry and the access level of the individual entering. If the individual attempting entry does not have the appropriate access level, they will not be able to unlock the door.
If several colleagues (all authorized for unescorted access) enter at the same time and only one person swipes their badge to unlock the door, then there is no record of the other individuals who enter. This practice, commonly known as tailgating or piggybacking, is a CIP compliance violation because entry into the PSP is not logged.
A person without authorized unescorted access (a visitor) requires continuous escort by an authorized individual to access a PSP. The entry and exit of any visitor must be logged and monitored, usually using a paper log or a temporary visitor pass. The visitor’s identification and the date and time of exit and entry are recorded in the log. Visitors are monitored through continuous escort by authorized personnel.
You can help prevent tailgating and unescorted access incidents at PSPs by:
- Knowing that not all company employees with an identity badge have access to the PSPs – company employees may not be authorized for unescorted access and should be treated as visitors if they need to access the PSP
- Realizing that your access to a PSP doesn’t necessarily allow you access to other PSPs
- Understanding who is around you as you enter and exit a PSP
- Preventing others from entering a PSP with your access card
- Challenging individuals who do not have visible company identification and are not properly escorted to provide an explanation of their activities