Chapter 6: Security & Risks

Security Architecture, Electrical Safety, Risk Identification, and Emergency Response

6.1 Security Architecture

Lightning protection is a physical-layer resilience requirement that supports cybersecurity indirectly: fewer brownouts and surge events reduce abnormal states that trigger misconfigurations and unsafe bypass actions. The security architecture spans three interdependent layers, each addressing a different aspect of the threat surface. Understanding these layers and their interactions is essential for designing a system that is both electrically safe and operationally secure.

Security Layer Scope Primary Controls Threat Surface
Layer 1: Physical & Electrical ResilienceBonding, SPDs, zoning, monitoringMEB, coordinated SPDs, fiber boundaries, penetration registerUncontrolled external copper entries; GPR; induced surges
Layer 2: Network SegmentationExternal/DMZ/Core segmentationFiber boundaries reinforce both electrical and security boundaries; zone-based access controlBypass patching across zone boundaries; unmanaged media converters
Layer 3: Operations ControlChange management, logging, alarm handling, incident responseChange control for patching; SPD alarm integration with NMS/SIEM; post-event inspection SOPMaintenance actions that bypass segmentation; tampering with demarc; lack of logging correlation

Threat Surface Analysis

The primary threat surfaces for a lightning protection system are the points where the protection boundary can be compromised — either by the lightning event itself or by human action. Each threat surface must be addressed by a specific control, and the control must be verifiable during acceptance and O&M. The following threat surfaces are the most commonly encountered in practice.

Key Threat Surfaces: (1) Uncontrolled external copper entries — any copper cable entering the building without passing through a registered SPD or fiber conversion point. (2) SPD alarm circuits — tampering or miswiring can create silent exposure. (3) Maintenance actions — bypass patching, temporary copper links, and SPD removal without replacement. (4) Shared metallic services and conduits — water pipes, gas pipes, HVAC ducts, and metallic conduits shared with external lines provide unintended coupling paths.


6.2 Electrical Safety

Electrical safety in a lightning protection installation encompasses several hazard categories, each requiring specific controls and acceptance tests. The most critical hazard is the risk of fire or injury from a failed SPD without adequate backup protection. Secondary hazards include shock from inadequate earthing continuity, and equipment damage from incorrect SPD selection or wiring.

Hazard Type Root Cause Control Measure Acceptance Test
OvervoltageInadequate SPD coordination; wrong Up rating; missing stageCoordinated SPD cascade; verify Up at each stage; include all power pathsVerify SPD schedule against SLD; check Up ratings; confirm all paths covered
Overcurrent / FireSPD fails short without adequate backup protection; incorrect fuse/MCB ratingCorrect backup fuse or MCB upstream of each SPD; rated per manufacturer specificationPanel audit: verify backup device type, rating, and wiring; functional check
Short-circuitSPD SCCR (Short-Circuit Current Rating) exceeded; fault current exceeds device ratingVerify SPD SCCR is compatible with available fault current at installation pointVerify SCCR against prospective fault current from SLD calculation
Leakage / ShockInadequate earthing continuity; broken PE conductor; incorrect earthing system typeVerify earthing continuity; RCD/RCBO coordination where used; correct earthing system typeLow-ohm continuity test; earth resistance measurement; RCD trip test
OvertemperatureInadequate panel ventilation; overloaded conductors; loose connectionsAdequate panel ventilation; correct conductor sizing; controlled tightening with torque wrenchThermal camera inspection after commissioning under load; torque marks on critical connections

6.3 Risk Identification and Grading

A systematic risk register is essential for prioritizing design decisions and maintenance resources. The risk register identifies each risk category, provides an example risk scenario, assesses likelihood and impact, assigns a risk grade, and specifies recommended controls. The risk register should be reviewed at design stage, updated during installation, and revisited after any significant event or system change.

Risk Category Example Risk Likelihood Impact Grade Recommended Controls
TechnicalSPD mis-coordination (wrong Up cascade)MediumHighHighStage coordination review + acceptance tests; verify Up at each stage
TechnicalLong SPD lead inductance negating protectionHighMediumHighLayout control during design; installation inspection; measure lead lengths
OperationalMaintenance bypasses fiber boundary with copper patchMediumHighHighLock patch panels; change control; port labeling; periodic audit
EnvironmentalCorrosion of outdoor bonding connectionsHighMediumHighCorrosion-resistant materials; anti-oxidation compound; periodic torque checks
Legal/ComplianceNot meeting local electrical code requirementsLow-MedHighHighCode review at design stage; documentation of adopted standards; local authority approval
Supply ChainNon-genuine SPD modules with incorrect ratingsMediumHighHighApproved vendor list; incoming inspection; verify ratings against test certificates
SafetyIncorrect backup protection causes fire on SPD failureLow-MedVery HighCriticalCorrect fuse/MCB per manufacturer spec; verification at acceptance; thermal scan
SecurityTampering with demarc cabinetLowMediumMediumLockable entrance facility; tamper-evident seals; tamper alarm to monitoring

6.4 Risk Response and Emergency Plans

Emergency response plans define the actions to be taken when a lightning event or related failure occurs. Three standard workflows are defined below, covering the most common scenarios. Each workflow follows the prevent–monitor–respond–recover–drill cycle to ensure that the response is systematic and that lessons learned are captured for future improvement.

Emergency Workflow 1: After a Nearby Lightning Event (No Outage)

1
Prepare: Keep spare SPD modules and torque tools on site; maintain documented baseline readings for earth resistance and bonding continuity.
2
Monitor: Check SPD alarm status (visual indicators and remote contacts); review UPS event logs; check network switch error counters for port errors or link flaps.
3
Respond: Perform visual inspection of all SPDs within the defined response window (typically 24 hours); check MEB and rack bonding bar connections for heat marks or looseness.
4
Recover: Replace any degraded SPD modules (indicated by status window or remote alarm); retest critical continuity points; update event log.
5
Drill: Conduct quarterly tabletop review of this workflow; verify spare parts inventory and tool calibration.

Emergency Workflow 2: Storm Causes Partial Network Outage (Ports Down)

1
Isolate: Disable affected copper ports to prevent repeated damage from residual surges; identify affected zone.
2
Verify: Check whether fiber boundary was bypassed (copper patch across zone boundary); audit patch panel for unauthorized connections.
3
Inspect: Inspect signal SPDs for failure; check earthing and bonding integrity at affected zone; verify SPD earth lead connections.
4
Restore: Replace failed switches or media converters from spares; document root cause; implement corrective action to prevent recurrence.

Emergency Workflow 3: Suspected Earthing/Bonding Failure (Sparking or Heat Marks)

1
Safe Isolation: Power down affected distribution safely following electrical safety procedures; do not re-energize until root cause is identified.
2
Inspect: Inspect bonding connections, tray joints, and MEB terminals; identify loose, corroded, or damaged connections; re-terminate and torque to specification.
3
Retest: Re-test bonding continuity and earth resistance before re-energizing; verify results against baseline.
4
Report: Conduct post-incident report; update installation standards and inspection checklists to prevent recurrence; notify relevant stakeholders.

6.5 Network Communication Security

Network communication security in the context of lightning protection focuses on preventing the physical protection boundaries from being compromised by network configuration changes. The most common misconfigurations that create security and surge exposure risks are described in the following table, along with recommended responses.

Misconfiguration Security/Surge Risk Detection Method Recommended Response
Bypass patching across zone boundary (copper patch replacing fiber link)Creates unprotected surge path to core equipment; also bypasses network security boundaryPeriodic patch panel audit; port labeling verification; change management reviewEnforce physical port protection; implement change control for all patching; lock fiber-only ports
Unmanaged media converters without monitoringLink status and power faults not detected; potential surge path if converter fails openNetwork management system link monitoring; periodic physical inspectionUse managed optics or monitor link status and power; document all media converters in asset register
SPD alarm wiring on shared insecure I/OAlarm signals can be tampered with or lost; silent exposure if alarm wiring failsAlarm circuit test; physical inspection of alarm wiring routingIsolate alarm I/O on dedicated secure circuit; document mapping; test alarm function quarterly
Lack of logging correlation between weather events and network errorsLightning-related failures not identified as such; root cause analysis impairedReview of network error logs after storm events; comparison with weather recordsImplement correlation of weather data, UPS events, and network error logs; create storm event checklist