Transitions of Power
- From CIO Digest, April 2009 Issue
In a sense, the power grid is much like the economy—a complex network of interdependent entities that need each other in order to survive, yet are often estranged and sometimes in competition with one another. Like the economy, if the grid goes down for long enough, over a sufficiently broad area, the consequences are enormous.
The world has already had a grim lesson in the global economic impact of a major physical terrorist attack. But is it possible that hackers with sufficient motivation and resources could impact—even cripple—a country’s power grid through a coordinated cyber attack?
The answer seems to be yes
In March 2007, researchers conducted an experiment in Idaho Falls, Idaho, that was sanctioned by the U.S. Department of Defense. They were able to successfully hack into a power plant’s control station and force a generator turbine to shut down simply by changing its operating cycle, causing it to overheat. Labeled the “Aurora Generator Test,” the experiment was cited in a report to the U.S. Congress in the wake of the highly publicized denial-of-service attacks against the Estonian government that same year.
Internet Protocol: an imperfect solution
The vulnerability uncovered in the Aurora Generator Test has since been fixed, but the experiment underscored the need for power and energy companies to be increasingly vigilant when it comes to network and endpoint security. A major factor in the risk landscape is the inevitable migration, already underway, from proprietary closed networks that are managed as “plant assets” to IP-based networks and devices that must be managed as information technology assets.
“Because IP is such a common standard, denial-of-service and related attacks now have the potential to reach the power stations through the WAN, which they weren’t able to do before,” says Christine Taylor, analyst with Taneja Group, a technology analyst firm based in Hopkinton, Massachusetts. “Substations still have their own proprietary networks in many cases, but they must now communicate via IP over the WAN to the corporation, as businesses are demanding that level of insight and control.”
Although that insight and control brings compelling benefits, not everyone is convinced that TCP/IP over Ethernet is the best transport mechanism. Regardless, it is the way the industry is moving. “The uninformed, non-technical community is asking for information that is quite valuable for good decision making, so there’s a very good reason for having the information,” observes Lynne Ellyn, senior vice president and CIO of DTE Energy in Detroit. “It’s just that the method by which we are able to provide that information is a network protocol that is wide open for malicious activity. Perhaps years ago, if the industry had foreseen the emergence of the smart grid concept, a more secure protocol might have been developed and adopted as standard. However, IP is what we have.”
She adds: “We’re tasked with protecting our infrastructures, and that is what we are doing.” Patching a leaky ship requires fixing more than one hole, so DTE Energy is using a multifaceted approach to security that includes Symantec Multi-tier Protection, Symantec Critical System Protection, and Symantec Enterprise Security Manager, among other solutions. “If you’re vigilant, and you make the investment, you can do a very good job protecting IP networks,” Ellyn says. “But that’s a series of nested ‘ifs’ that must be answered correctly.”
All together now
While a terrorist attack is certainly the most dramatic example of a security breach, Taylor believes it is not the most likely. “Terrorism is a real concern, but what is more likely to impact power companies is simple human error,” she says. “Minimizing that risk requires the ability to analyze data quickly and communicate real-time risk control—both internally and with other entities. The sticking point has traditionally been intellectual property and access rights. In many cases, these companies depend on each other to operate, but sharing data is a challenge in a competitive atmosphere.”
Many regional system operators are already sharing data with transmission utilities, distribution utilities, and generators using the Inter-Control Center Communications Protocol (ICCP)—usually over TCP/IP networks—so they can proactively respond to any problems affecting the grid. “The remote stations that are operating the grids must now transfer proprietary data over to the IP networks will be crucial to the industry moving forward.”
To provide operators and technicians with controlled access to certain network resources, network access control solutions are becoming increasingly popular, she notes. The solutions ensure that connecting endpoints are authorized systems and compliant with all security policies before being allowed to connect. “The requirement for power and energy companies is to share more data and do it faster,” she says. “And governments are starting to ‘hold their feet to the fire’.”
Taming the compliance beast
The Northeast blackout of 2003 prompted the U.S. government to respond with the Energy Policy Act of 2005, which gave the Federal Energy Regulatory Commission (FERC) the authority to approve reliability standards regarding the generation Regulatory is responsible for ensuring that energy utilities conform to the Kingdom’s policies and security requirements. “Security is maturing, and there are now established best practices for managing risk and protecting data that can be enforced,” observes Yahya Ibrahim Abdulrahman, executive director, Information & Communication Technologies, Saudi Electricity Company in Riyadh. “However, maintaining security and compliance at the speed of business is challenging for many companies.”
To manage compliance efforts, many power and energy companies are turning to policy-based archiving and e-discovery tools to increase accuracy and minimize manual labor.
“Compliance and regulatory requirements will be ongoing—that’s just a fact of life in this industry,” says Alex Schroeder, IT manager at ENGlobal, a full-service energy engineering and professional firm based in Houston. “And compliance can get expensive very quickly. Just searching through old data costs us approximately $200,000 a year. We’ve just started using Symantec Enterprise Vault with Discovery Accelerator to archive email and data from projects so that we can save on e-discovery costs and make sure we’re covered in the event of a legal dispute or compliance issue.”
At PowerSeraya Limited, a Singapore-based energy company focused on electricity wholesaling and retailing, compliance is a self-imposed exercise to improve corporate governance. “I tend to view governance and compliance as an enabler and not as an overhead,” says Bernard Lee, vice president, Process and Innovation. “But no matter how you look at it, it’s a very tedious activity.”
With a small IT operations and infrastructure team of only six people, PowerSeraya’s goal is to automate routine compliance-oriented tasks involved with internal and external audits. “We implemented Symantec Control Compliance Suite, which automates the previously manual process of collecting compliance-related data and producing relevant reports,” Lee explains. “This frees up a significant amount of time for our team and enables them to focus on investigating the exceptions that are highlighted in the reports. As a result, we are able to increase the frequency and effectiveness of our controls testing, as well as align our internal policies against the best-practice policies that the product includes.”
Generating power, generating data
Like most businesses today, power and energy companies are struggling to keep pace with ever-growing data stores and protect that data cost effectively. On top of that, new technologies for billing and more granular monitoring of power usage patterns are creating even more data to manage and protect.
ENGlobal has significantly reduced total cost of ownership for IT by bringing backup and recovery in-house after an outsourcing arrangement became too expensive due to rapid data growth. The key enabler is centralized multiplatform backup with deduplication technology. The firm now uses Veritas NetBackup with NetBackup PureDisk to protect critical data at its Houston data center and six major remote engineering sites. “NetBackup PureDisk deduplication technology enabled us to centralize data from both remote offices and the data center into a single, optimized storage system,” Schroeder says. “It’s been a really good move for us, and we’ve saved a lot of time, money, and storage.”
Backup and recovery is only a piece of data protection, however. Guarding against data leakage—whether at the network, desktop, via email, through laptops and handheld devices, or via WAN backups—is becoming a top priority for power and energy companies.
“The recent spate of reported data breaches has illustrated the negative effect that data leakage can have on companies’ reputations and brands,” adds Saudi Electricity’s Abdulrahman. “Since electronic data is so easily copied, moved, and transferred, data leakage is a complex problem that can occur at various levels.”
Half a world away in Detroit, Michigan, DTE Energy is using Symantec Data Loss Prevention as part of its overall information leakage prevention approach. “We’ve been able to better define our information handling rules, and we’ve actually seen some changes in employee behavior around them, as well as a better understanding of what should and shouldn’t be sent out of the company via unsecured means,” says Lanse LaVoy, director, Information and Protection and Security, DTE Energy. “We think it’s driving the behavior that we want.”
Knowing what you don’t know
With so many risk vectors and corresponding technologies in play, it can be difficult for power and energy companies—even very large organizations—to be experts in everything. For smaller businesses, staying on the cutting edge without outside assistance is almost impossible.
“Ignorance is not bliss in IT security. Knowing what you don’t know is a critical starting point,” says PowerSeraya’s Lee. “We leverage the expertise of Symantec Consulting Services to help us conduct exercises like penetration testing and reviewing firewall settings to make sure that everything is suitably closed up and to identify any weaknesses in our environment.”
ENGlobal’s Schroeder takes a similar view on outside consulting services. “You essentially take the experience of your team and add an extra layer of expertise,” he says. “And it’s a true value-add, because you save probably 60 or 70 percent of the time it would take to do it yourself.”
Justifying IT investments in tough times
Most IT managers and CIOs understand the need for constant vigilance and are always on the lookout for technology solutions that will reduce risk and deliver a quick return on investment. But boards and other C-level executives can be less than sympathetic—especially in difficult economic times.
“Information risk managers must use the language of business to have a significant impact with senior management,” Abdulrahman advises. “Moreover, when talking about security programs, they need to apply lessons from the psychology of risk, enhancing their communications with compelling and vivid stories.”
As power and energy companies continue to upgrade and secure their infrastructures, we can only hope that those stories won’t become any more vivid.
Ken Downie is Senior Writer at NAVAJO Company. His work has appeared in Business Finance, Internet World, and Business Credit magazines.