Public Utilities Reports

PUR Guide 2012 Fully Updated Version

Available NOW!
PUR Guide

This comprehensive self-study certification course is designed to teach the novice or pro everything they need to understand and succeed in every phase of the public utilities business.

Order Now

Cyber Security: A "Virtual" Reality

Two years after 9/11, the industry remains vulnerable.
Fortnightly Magazine - September 15 2003

of inflicting that harm is largely a mystery.

Jim Francis, vice president of the security services group at Kroll Inc., says he has seen improvements in physical security-more observation, camera monitoring, improvements in fencing, and greater training and definition of roles of those involved in security.

Security personnel trained in counter-terrorism become better reporters and observers of what is going on in and around facilities, Francis says. Since we now know from al-Qaida training manuals that its agents canvass their targets, Francis says that properly trained security guards know what indicators to look for. He's also seeing better crisis response times.

But Francis concedes that these improvements are bright spots in a picture that isn't uniformly sunny. For the industry at large, he says, it's more likely than not that the training of security officers is still a problem.

"Lots of utilities have in fact removed drawings, plant layouts, etc. from Web sites to prevent somebody from being able to find that Achilles' heel," notes Francis.

Yet those efforts appear to have had little effect on hiding information on the electricity and gas critical infrastructure from terrorists and others.

In July, The Washington Post reported that a local graduate student at George Mason University had mapped every business and industrial sector in the American economy, layering on top the fiber-optic network that connects them-including the connections used by power companies. The student, Sean Gorman, started the project as his dissertation. He compiled his map from materials found on the Internet, none of which were classified.

In early June, Bill Rush, assistant institute physicist at the Gas Technology Institute (GTI), asked a second-year engineering student, his summer intern, to try to map out an attack protocol on the gas distribution system. The instructions: Use only information found on Web sites. The intern had no expertise on the gas system when he started the project. Rush says that he and some others at GTI helped the intern with some questions. "But we didn't really know where to go either," Rush points out.

Before two months were out, the intern could map the pipelines, compressor stations-indeed, the entire system-of any gas utility company within eight hours.

But didn't most companies remove anything that looked like a facility map or location from their Web sites? And didn't the Federal Energy Regulatory Commission (FERC) and the Department of Transportation remove large swathes of similar information from their Web sites? Yes and yes.

So How Did the GTI Intern Do It?

Rush told the intern to look for the street addresses of key components and facillities in a gas utility system, particularly those related to SCADA system operation. Rush notes that information seemingly unrelated to operating a SCADA system can be pieced together from disparate sources to derive equipment location. Even free online mapping services can be a source of information about such facilities.

Once the list of likely addresses is developed, a reverse lookup directory-there are dozens, if not hundreds of these on the Web-can yield any phone numbers connected to that address. After that, it's a