Public Utilities Reports

PUR Guide 2012 Fully Updated Version

Available NOW!
PUR Guide

This comprehensive self-study certification course is designed to teach the novice or pro everything they need to understand and succeed in every phase of the public utilities business.

Order Now

IT Security: Who's Investing In What?

Regulatory and market forces put the pressure on information technology to perform.
Fortnightly Magazine - January 1 2003

kingdom to vendors, McLure adds. "But they provide that added protection, and they provide that third party look. The thing is, when you're working on a network, and this is your network, it's your baby, and you know what's going on, you may be less likely to see the holes in it. Whereas someone from the outside is going to have a different perspective on it, and potentially be able to find holes that you didn't even consider."

It's not a matter of technical capabilities that utilities may or may not have, says Halley. Companies clearly have the technical capabilities to do it, he says. The question of outsourcing instead hinges on things like recruiting and turnover for a function that usually needs 24x7 monitoring. "[N]ow you're talking about having people monitor your security during night shifts and on weekends, and some clients aren't interested in getting into that business," he notes. "Those points make it a very compelling argument to outsource, assuming you have a trusted third party." According to Halley, the return on investment (ROI) and the cost analysis his firm has done shows that managed security services can cost many times less than keeping those cyber security functions in house.

Another benefit to outsourcing is the global perspective that a managed service provider has, Halley says. Larger managed service providers like Symantec have clients all over the world. "So when you have incidents that are happening in Germany that are going to hit the United States in five or six hours, you have that lead time," he points out. Global cyber security services provide intelligence that a single organization might not have access to, Halley says.

McLure argues that third parties particularly benefit large organizations that have many systems running. "With the complexity of what they're doing, their network points of access are tremendous."

The Perils-and Promise-of Wireless

Those points of access are growing, mainly due to the proliferation of wireless devices. Both phones and personal digital assistants (PDAs) with Internet access are a boon to productivity in many energy companies, and what meeting would be complete without a PowerPoint presentation from a laptop? Yet, as McLure points out, PDAs aren't inherently secure. While laptops are often issued by the company and equipped with appropriate security and authentication controls, that isn't necessarily the case with PDAs and mobile phones. What often happens, McLure says, is that employees want to use such devices, and the company permits it. But employee-owned PDAs often are synched into corporate networks, and Internet-enabled phones tap into corporate e-mail systems, without any consideration given to their security.

As McLure puts it, "in both small and large organizations, you've got issues with wireless. ... If you don't have them locked down properly or secured properly for authentication and access controls, there may be holes in your organization that you don't know about." Someone could hack into a network via a PDA, because of the availability of the wireless access.

"Whether it's a cell phone or PDA that has the wireless connectivity, the tool itself is not