Digital Terrorism: Holes in the Firewall?
available to those who need it, and not at all to those who don't." Yet it is difficult to draw those lines, and the criteria being used to make those decisions is still evolving.
Leffler says, "[w]e're still learning that. But, for example, does the public need to learn the output of a generating station? Does the public need to know the transmission flows on key critical transmission lines? I don't think so." Both operators and markets also needs access to data so that they can make good decisions, he says, and such information is made available to them. But Leffler balks at items like industry maps detailing transmission lines, generating stations, and other key critical facilities locations being made available to the public. In addition, he says that items like future plans, bottlenecks or congestion areas in the transmission grid should not be available. "We don't want to highlight frailties, for the obvious reasons. We live in a different world now, and we've got to guard our information appropriately. "
FERC is indeed trying to help set such policy, but it's no easy task to balance the need to protect the critical infrastructure yet maintain the hallmark of an open society, easy access to a wide variety of information. So far, according to a senior FERC official, the agency has not restricted access to pending plans filed at the agency. One of the main points of contention about restricting such information comes down to environmentalists' and citizens' concerns about future plants and transmission line placement, along with concerns about the environmental impact of existing plants. Generating plants are essentially large chemistry sets, with supplies of chemicals that in the wrong hands could be misused. Easily available lists of specific types and quantities of chemicals could prove a tempting target to would-be terrorists. Yet at the same time, those who live near such plants want to know what could be affecting their environment. As Ellen Vancko, spokeswoman for NERC says, "The question is the degree of specificity. We're not saying that the public doesn't have a right to know what's going on in their community."
A Business Decision
As Rush says, "I think one of the things that really, really needs to be understood is that security is a business decision just like any other." What that means, he says, is that utilities need to make truly informed security decisions. In order to do that, you need quantified risk assessments. Figure 2 provides an overview of an information security program model that can be used to guide the risk management process.
Vancko agrees. "You have to look at cyber security as every business does, when it has a vested interest in protecting its assets, its shareholders, property, whether intellectual or physical, from disruption." The industry is going to do that, she predicts. The industry proved they will take the necessary measures to protect infrastructure during Y2K, she says. "I think there will be peer pressure at minimum, and if the government determines that there's weaknesses, then they may decide they need to