Public Utilities Reports

PUR Guide 2012 Fully Updated Version

Available NOW!
PUR Guide

This comprehensive self-study certification course is designed to teach the novice or pro everything they need to understand and succeed in every phase of the public utilities business.

Order Now

IT Security: Who's Investing In What?

Regulatory and market forces put the pressure on information technology to perform.
Fortnightly Magazine - January 1 2003

pain in complying with a security plan. Indeed, he says, "The FERC is what I see as the number one driver for security in the industry for many years to come."

Rachelle McLure, national director of solutions at RCG Information Technology, a Houston-based consulting firm, says that the lack of adequate security stems in part from an industry mindset that doesn't always worry about cyber access once a person gets in the door of a facility. She says that companies need to ask themselves what someone has access to once she is in the operations room or the control room. "Do you have some of your operations personnel still able to go check their e-mail from the same machine they're using to control the SCADA systems?" she asks. "I've talked to some folks about that, and their eyes just pop open a little bit, like, 'Oh, we haven't thought about that yet.'"

That reaction has, in fact, been distressingly common, as far as McLure is concerned. "I'm not sure why. I was hoping that was something we would have taken care of a while back. . . . [Y]our operations systems are just that-your operations systems, and then your user systems are separate. Not on the same network. You really need to keep those separated," she stresses.

McLure estimates that roughly 25 percent of the industry has combined, or simultaneous access, to operations and enterprise systems.

Having such large percentages of the industry struggling to catch up to security standards wouldn't be the best of news even in prosperous times. Given today's dire economic climate, how is the electricity industry going to cope? "It's a tough question, and clearly with the industry in difficult financial straits right now, it's going to be a conflict between the business decisions and the risk management decision," Halley says.

"When you add something like the FERC standards, which are going to require an officer to sign off to indicate compliance with those standards, that's a pretty strong business driver to help allocate funds and resources to security that might otherwise be allocated to a top-line or bottom-line value-add to the business," he argues.

Todd Klein, a managing director at Kinetic Ventures, a venture capital firm in Chevy Chase, Md., observes, "Budgets are cut, and utility CIOs [chief information officers] are being told to do more with less. There's no dispute about that. I have a hard time seeing them put off critical IT decisions on things like security, because for immediate needs like that, they will find the dollars to make that investment."

But complying with the FERC SMD security standards will not be easy. It's not a straightforward project, according to Halley, because it takes a long time to achieve a mature security system. "It can't really be done [quickly], even if you throw unlimited resources and people at the problem. … You go through the process of creating a governance program, policies, and standards, but it's really the people throughout a company that have to be knowledgeable about those, and two, take them seriously,