Digital Terrorism: Holes in the Firewall?
come up with some pretty good ones. What we're doing is sharing information on how to protect, and how to mitigate, and also developing R&D agenda that we can get funded and develop the technologies," he says.
Lou Leffler, manager of projects, North American Electric Reliability Council, agrees. "The electricity industry is very complex, very diverse, with a lot of members in it," he notes. All the industry participants, from big investor-owned utilities and government utilities to co-operatives and municipal utilities, must be communicated with, he says. "Every one of them is critical, some more so than others, but it might be some little co-op out in the middle of who-knows-where that serves a military base. They're all important, and we've got to get the word out to them" in the event of a crisis, Leffler says. He also points out that communication from the Electricity Sector Information and Analysis Center is only the beginning, because the information then has to make its way down through each organization to the people who act on it.
While sharing information about cyber protection is encouraged, it's a different story when it comes to sharing real-time data between industry participants. Grid operators, in particular, accumulate critical information that could be valuable to evildoers with access to their systems.
One solution is to segregate critical operations systems from other business systems, which is what the California Independent System Operator does, according to Cal ISO public information officer Gregg Fishman.
The risks of not separating critical operations from corporate enterprise computers are serious. As Schweitzer's Oman says, "the minute you put them together, you no longer have reliability and security. Giving access to marketing information and infrastructure operations is opening the door to literally every hacker in the world." He applauds Cal ISO's approach. "You have to separate grid protection from grid management."
But there is often temptation to combine systems, Oman says. There is a lot of pressure to combine the two because executives want to look at metering information, he says. Instead of setting up a new technology scheme, i.e., a second system not connected to the Internet, with its added costs, executives say "let's just use one system," Oman says. "But the minute you do, everything's toast," he says.
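The trade-off Oman describes can be made concrete with a small reachability model. The following Python is an added illustration written for this page, not code from the article, Cal ISO, or Schweitzer; the zone names, the rule syntax and both rule sets are constructed assumptions. It compares the "just use one system" design, where business systems can initiate connections into the control network, against a segregated design in which the control network only pushes a metering replica outward to a DMZ that executives read from, and it answers the question a reviewer of either policy would ask first: can anything chain from the Internet to the control zone?

```python
"""Toy reachability model for the two network designs discussed above.

Constructed for illustration only: zone names, the Rule shape and both
rule sets are assumptions, not any real utility's firewall policy.
A Rule means "hosts in `src` may initiate connections to `dst`."
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # zone that initiates the connection
    dst: str      # zone that accepts it
    service: str  # informational label, e.g. "https"


def reachable_zones(rules, start):
    """Zones an intruder who controls a host in `start` could chain into.

    Every permitted connection is treated as a potential pivot, which is
    the conservative way to read a rule set when reviewing segmentation.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for rule in rules:
            if rule.src == zone and rule.dst not in seen:
                seen.add(rule.dst)
                queue.append(rule.dst)
    return seen


# Design 1 (assumed): one combined system so executives can see metering data.
FLAT = [
    Rule("internet", "business", "https"),   # normal web/e-mail exposure
    Rule("business", "control", "any"),      # business hosts talk straight to grid ops
]

# Design 2 (assumed): control pushes a metering replica into a DMZ;
# business reads the replica; nothing initiates connections into control.
SEGREGATED = [
    Rule("internet", "business", "https"),
    Rule("business", "dmz", "https"),                  # executives read metering here
    Rule("control", "dmz", "historian-replication"),   # outbound from control only
]


def control_exposed_to_internet(rules):
    """True if a chain of permitted connections leads from the Internet to control."""
    return "control" in reachable_zones(rules, "internet")


def metering_visible_to_business(rules):
    """True if business users still get their metering view under this policy."""
    return any(r.src == "business" and r.dst == "dmz" for r in rules)


def inbound_to_control(rules):
    """Audit helper: every rule that lets some zone initiate into control.

    For a properly segregated control network this list should be empty.
    """
    return [r for r in rules if r.dst == "control"]


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segregated", SEGREGATED)):
        print(f"{name:10s} internet reaches: {sorted(reachable_zones(rules, 'internet'))}")
        print(f"{name:10s} control exposed:  {control_exposed_to_internet(rules)}")
        print(f"{name:10s} inbound-to-control rules: {inbound_to_control(rules)}")
```

The model only tracks who initiates a connection. A replication link from control to the DMZ is still a live session, so a compromised DMZ host can push data back along it; if that is unacceptable, the control-to-DMZ hop is where a unidirectional gateway or data diode belongs, which is the "second system not connected to the Internet" Oman refers to, with the metering view kept outside it.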
James Sample, Cal ISO's Manager of Information Security Services, says that he believes that the utility industry has taken the right steps in the prevention of cyber attacks, but that sometimes those steps are very inconsistent. "A majority of utilities are privately held and due to cost issues and the lack of federally mandated requirements, security is often overlooked. In addition, there is a shortage of security professionals that understand the utility industry requirements." A good example, he says, is the healthcare industry. Until the Healthcare Information Privacy Protection Act, the health care industry was aware of the need for information security, but implementation across the industry was inconsistent and in some cases non-existent, Sample says. The same was true for the financial industry. "Until the Federal government develops requirements and standards, such as they did with the healthcare and financial