IT Security: Who's Investing In What?
Regulatory and market forces put the pressure on information technology to perform.
Technology isn't in the driver's seat at some energy companies, but it's not as if those companies have reverted to using typewriters, carbons and rotary dial phones. In fact, it's beyond dispute that information technology (IT), in particular, can improve business performance, and nothing is more important to energy companies right now. But with slashed budgets and collapsing credit ratings, how should energy companies spend their precious IT dollars?
Right now, cybersecurity is the hands-down winner for IT spending priorities. The need is pressing, due both to the post-Sept. 11 world we live in and to the imminent rule-making on standard market design (SMD), which has a substantial set of security requirements.
But don't count out other areas of IT. Wireless technologies that transfer data in real time to those who need it can substantially improve operational and customer service efficiency, and operations software that can assess the grid in real time is also much sought after.
At the End of the Double Barrel
The electricity industry is staring down the double-barreled shotgun of world events and regulatory pressure from the Federal Energy Regulatory Commission (FERC) to secure the grid from cyber threats. Efforts were made to improve computer security within the industry before Sept. 11 (the electricity industry was already designated as a critical infrastructure sector by the government), but terrorist threats cranked up the urgency. And last July, when FERC issued its proposed SMD, it made it clear that cybersecurity was not optional for energy marketers, power generators or owners of transmission assets, which is pretty much the bulk of the industry.
What does this pressure translate into, spending-wise? Ken Halley, managing director at PricewaterhouseCoopers, says that increased public scrutiny of industry preparedness against cyber attack is prompting more vulnerability and risk assessments of computer networks, along with penetration testing. Companies are attempting to be proactive and plug any security holes and gaps they find, Halley says. "One of the main priorities we see as a result of those vulnerability tests is a specific focus on energy control systems and SCADA systems," he says.
Appendix G in the SMD covers nine areas of security: governance, security scope, asset classification and control, personnel, access control, systems management, planning, incident response and business continuity.
Halley points out that if the standards in Appendix G were to be approved today (they could still change), virtually every company would need to have a good, well thought-out, and well-executed security plan. "That's really going to drive the investment in security for the next couple years. It takes a lot of time to go from no program to a robust program that is well thought-out enough, that is consistent across all those areas," he says. Companies with a more mature program right now, Halley says, are not going to feel as much pain to meet new FERC requirements. But he notes that companies that have pushed security off and focused on other business initiatives may need to allocate unbudgeted resources for cybersecurity.
Halley estimates 50 percent of the industry will feel some