Chapter 6: Security & Risks
6.1 Security Architecture
Lightning protection is a physical-layer resilience requirement that supports cybersecurity indirectly: fewer brownouts and surge events reduce abnormal states that trigger misconfigurations and unsafe bypass actions. The security architecture spans three interdependent layers, each addressing a different aspect of the threat surface. Understanding these layers and their interactions is essential for designing a system that is both electrically safe and operationally secure.
| Security Layer | Scope | Primary Controls | Threat Surface |
|---|---|---|---|
| Layer 1: Physical & Electrical Resilience | Bonding, SPDs, zoning, monitoring | MEB, coordinated SPDs, fiber boundaries, penetration register | Uncontrolled external copper entries; GPR; induced surges |
| Layer 2: Network Segmentation | External/DMZ/Core segmentation | Fiber boundaries reinforce both electrical and security boundaries; zone-based access control | Bypass patching across zone boundaries; unmanaged media converters |
| Layer 3: Operations Control | Change management, logging, alarm handling, incident response | Change control for patching; SPD alarm integration with NMS/SIEM; post-event inspection SOP | Maintenance actions that bypass segmentation; tampering with demarc; lack of logging correlation |
Threat Surface Analysis
The primary threat surfaces for a lightning protection system are the points where the protection boundary can be compromised — either by the lightning event itself or by human action. Each threat surface must be addressed by a specific control, and the control must be verifiable during acceptance and O&M. The following threat surfaces are the most commonly encountered in practice.
Key Threat Surfaces: (1) Uncontrolled external copper entries — any copper cable entering the building without passing through a registered SPD or fiber conversion point. (2) SPD alarm circuits — tampering or miswiring can create silent exposure. (3) Maintenance actions — bypass patching, temporary copper links, and SPD removal without replacement. (4) Shared metallic services and conduits — water pipes, gas pipes, HVAC ducts, and metallic conduits shared with external lines provide unintended coupling paths.
6.2 Electrical Safety
Electrical safety in a lightning protection installation encompasses several hazard categories, each requiring specific controls and acceptance tests. The most critical hazard is the risk of fire or injury from a failed SPD without adequate backup protection. Secondary hazards include shock from inadequate earthing continuity, and equipment damage from incorrect SPD selection or wiring.
| Hazard Type | Root Cause | Control Measure | Acceptance Test |
|---|---|---|---|
| Overvoltage | Inadequate SPD coordination; wrong Up rating; missing stage | Coordinated SPD cascade; verify Up at each stage; include all power paths | Verify SPD schedule against SLD; check Up ratings; confirm all paths covered |
| Overcurrent / Fire | SPD fails short without adequate backup protection; incorrect fuse/MCB rating | Correct backup fuse or MCB upstream of each SPD; rated per manufacturer specification | Panel audit: verify backup device type, rating, and wiring; functional check |
| Short-circuit | SPD SCCR (Short-Circuit Current Rating) exceeded; fault current exceeds device rating | Verify SPD SCCR is compatible with available fault current at installation point | Verify SCCR against prospective fault current from SLD calculation |
| Leakage / Shock | Inadequate earthing continuity; broken PE conductor; incorrect earthing system type | Verify earthing continuity; RCD/RCBO coordination where used; correct earthing system type | Low-ohm continuity test; earth resistance measurement; RCD trip test |
| Overtemperature | Inadequate panel ventilation; overloaded conductors; loose connections | Adequate panel ventilation; correct conductor sizing; controlled tightening with torque wrench | Thermal camera inspection after commissioning under load; torque marks on critical connections |
6.3 Risk Identification and Grading
A systematic risk register is essential for prioritizing design decisions and maintenance resources. The risk register identifies each risk category, provides an example risk scenario, assesses likelihood and impact, assigns a risk grade, and specifies recommended controls. The risk register should be reviewed at design stage, updated during installation, and revisited after any significant event or system change.
| Risk Category | Example Risk | Likelihood | Impact | Grade | Recommended Controls |
|---|---|---|---|---|---|
| Technical | SPD mis-coordination (wrong Up cascade) | Medium | High | High | Stage coordination review + acceptance tests; verify Up at each stage |
| Technical | Long SPD lead inductance negating protection | High | Medium | High | Layout control during design; installation inspection; measure lead lengths |
| Operational | Maintenance bypasses fiber boundary with copper patch | Medium | High | High | Lock patch panels; change control; port labeling; periodic audit |
| Environmental | Corrosion of outdoor bonding connections | High | Medium | High | Corrosion-resistant materials; anti-oxidation compound; periodic torque checks |
| Legal/Compliance | Not meeting local electrical code requirements | Low-Med | High | High | Code review at design stage; documentation of adopted standards; local authority approval |
| Supply Chain | Non-genuine SPD modules with incorrect ratings | Medium | High | High | Approved vendor list; incoming inspection; verify ratings against test certificates |
| Safety | Incorrect backup protection causes fire on SPD failure | Low-Med | Very High | Critical | Correct fuse/MCB per manufacturer spec; verification at acceptance; thermal scan |
| Security | Tampering with demarc cabinet | Low | Medium | Medium | Lockable entrance facility; tamper-evident seals; tamper alarm to monitoring |
6.4 Risk Response and Emergency Plans
Emergency response plans define the actions to be taken when a lightning event or related failure occurs. Three standard workflows are defined below, covering the most common scenarios. Each workflow follows the prevent–monitor–respond–recover–drill cycle to ensure that the response is systematic and that lessons learned are captured for future improvement.
Emergency Workflow 1: After a Nearby Lightning Event (No Outage)
Emergency Workflow 2: Storm Causes Partial Network Outage (Ports Down)
Emergency Workflow 3: Suspected Earthing/Bonding Failure (Sparking or Heat Marks)
6.5 Network Communication Security
Network communication security in the context of lightning protection focuses on preventing the physical protection boundaries from being compromised by network configuration changes. The most common misconfigurations that create security and surge exposure risks are described in the following table, along with recommended responses.
| Misconfiguration | Security/Surge Risk | Detection Method | Recommended Response |
|---|---|---|---|
| Bypass patching across zone boundary (copper patch replacing fiber link) | Creates unprotected surge path to core equipment; also bypasses network security boundary | Periodic patch panel audit; port labeling verification; change management review | Enforce physical port protection; implement change control for all patching; lock fiber-only ports |
| Unmanaged media converters without monitoring | Link status and power faults not detected; potential surge path if converter fails open | Network management system link monitoring; periodic physical inspection | Use managed optics or monitor link status and power; document all media converters in asset register |
| SPD alarm wiring on shared insecure I/O | Alarm signals can be tampered with or lost; silent exposure if alarm wiring fails | Alarm circuit test; physical inspection of alarm wiring routing | Isolate alarm I/O on dedicated secure circuit; document mapping; test alarm function quarterly |
| Lack of logging correlation between weather events and network errors | Lightning-related failures not identified as such; root cause analysis impaired | Review of network error logs after storm events; comparison with weather records | Implement correlation of weather data, UPS events, and network error logs; create storm event checklist |