Regulatory and market forces put the pressure on information technology to perform.
Technology isn't in the driver's seat at some energy companies, but it...
IT Security: Who's Investing In What?
and three, implement them. So there's a huge awareness piece that has to go along with this."
Halley says achieving the FERC standards within a year is a definite possibility because companies can implement at least some piece of each of the FERC requirements. But getting it to the point of properly functionality, where security systems are working and mature, and where there is employee awareness and acceptance, requires a cultural sea change. "That's always going to take a longer period of time," Halley says. "[E]ven though they [FERC] are going to require certification by January 2004, actually achieving the intent of what they're trying to do is going to take more than 12 to 18 months."
Companies in the coming year are likely to be spending their cybersecurity dollars on authentication and access control tools, according to McLure. Those tools can include physical tools, software tools, surveillance systems for physical security, card access/biometric types of technology, the actual network authentication and access control tools, or combinations of those items, McLure says. She also says she's been seeing a lot of security policy development. "[Y]ou just can't have [security] as shelfware. It is something that has to be a living policy, it is something that has to be reviewed and audited on a regular basis, so I think we're seeing more money invested there."
Looking Outside the Box
With a looming FERC deadline and many companies getting a flat-footed start, the pressure is on. Utilities are legendary for wanting to develop and control their systems from inside, but the time pressure is making many companies take another look at outsourcing some cybersecurity functions. "Whereas in another part of the business utilities may be less likely to go to an outsource vendor, in this area we've seen more attraction, more rapidly, than in other areas," Klein says.
If the SMD happens, Halley says, outsourcing of intrusion detection and firewall management is probably the most likely option. Managed security services make sense "particularly for small to midsize utilities that may not have the expertise to implement some of the technologies that are going to be needed," he says.
Halley says he's not entirely sure why one company would keep security in house while others outsource. One large factor, though, is a company's risk tolerance, according to Halley. "There are some companies that know their limitations and capabilities, and they're fine with allowing security to be an outsourced function. There are other utilities that see security as extremely mission-critical, and do not feel a third party should have anything to do with securing their assets, and they'll keep it in house," he says.
Beyond the need for speed, McLure says there are other advantages to outsourcing cybersecurity. "It's always a good idea to not have the fox minding the hen house. So, having a third party that does periodic assessments that gives you that extra layer of intrusion detection, that managed security service, I think is a good thing." Hiring a managed security service does not mean that companies turn over the keys to their