In the rough-and-tumble energy biz, IT departments are paddling hard to stay afloat.
The storm that Enron ignited last fall shows little sign of abating....
IT Security: Who's Investing In What?
so much the issue-except that they're so easy to carry around in your pocket-as it is the availability of the wireless connection." McClure says. Once you have access to a wireless connection from any of these devices, McLure observes, it's a question of how secure the systems behind the firewall are.
Halley agrees. "Wireless has, depending on how it's being used, a tremendous amount of risk associated with it," he says. "Right now, there are not appropriate security controls built into wireless that are widely used and accepted, to make wireless an acceptable transmission medium for critical business data and applications."
Part of the problem is that the energy industry for the most part does not use particularly robust authentication tools. McLure says, "I think we're still looking at usernames, and passwords that are changed every 60 days. We haven't stepped up the stronger authentication as much as we need to yet."
The use of hard or soft tokens is one such authentication tool. A hard token is typically a physical device-like a dongle plugged into the USB port of a computer. McLure explains that when using a hard token, every time a user logs into the system or an application, she pushes a button on the token and it gives a one-time use password. Soft tokens, in contrast, are triggered upon logging into a network with a user ID. McClure says that login notifies the system to send a one-time use password to a cell phone or a PDA. The one-time use password is then entered into the system, and the user can complete the login sequence.
Token systems do not cost much more than single-factor identification kind of tools-user ID and passwords-because of reduction of administrative costs, according to McClure. She says companies see ROI on those kinds of authentication technologies in about 12 months.
Even without such authentication, Halley says critical business data is still being transmitted over wireless devices. "We find rogue wireless access points at almost every client we look at."
But those rogue points do not necessarily mean the end of cybersecurity. Halley points out that the best theory for security is a layered approach. "We might find a wireless access point on a corporate network. However, if you have implemented a second layer that's protecting your energy control systems, you've mitigated that risk. While of course we don't want corporate data to be compromised, you've at least adequately protected your energy delivery systems."
Companies need to take a hard look at who can access what data where, McLure argues. Despite all the attention paid to terrorists and other malicious hackers, the greatest threat to any organization remains one launched from the inside.
McLure says that operations systems need to be separated from personal use systems, like e-mail, and that organizations need to ensure that people only have access to the things they need to have access to, from the places they need to have access to it. "I think in general, you may want your CEO to have access to every system and every piece