IT Security: Who's Investing In What?

Published on Fortnightly (http://www.fortnightly.com)

Regulatory and market forces put the pressure on information technology to perform.

Technology isn't in the driver's seat at some energy companies, but it's not as if those companies have reverted to using typewriters, carbons and rotary dial phones. In fact, it's beyond dispute that information technology (IT), in particular, can improve business performance - and nothing is more important to energy companies right now. But with slashed budgets and collapsing credit ratings, how should energy companies spend their precious IT dollars?

Right now, cybersecurity is the hands-down winner for IT spending priorities. The need is pressing, due both to the post-Sept. 11 world we live in and to the imminent rule-making on standard market design (SMD), which has a substantial set of security requirements.

But don't count out other areas of IT. Wireless technologies that transfer data in real time to those who need it can substantially improve operational and customer service efficiency, and operations software that can assess the grid in real time is also much sought after.

At the End of the Double Barrel

The electricity industry is staring down the double-barreled shotgun of world events and regulatory pressure from the Federal Energy Regulatory Commission (FERC) to secure the grid from cyber threats. Efforts were made to improve computer security within the industry before Sept. 11 - the electricity industry was already designated as a critical infrastructure sector by the government - but terrorist threats cranked up the urgency. And last July, when FERC issued its proposed SMD, it made it clear that cybersecurity was not optional for energy marketers, power generators or owners of transmission assets - pretty much the bulk of the industry.

What does this pressure translate into, spending-wise? Ken Halley, managing director at PricewaterhouseCoopers, says that increased public scrutiny of industry preparedness against cyber attack is prompting more vulnerability and risk assessments of computer networks, along with penetration testing. Companies are attempting to be proactive and plug any security holes and gaps they find, Halley says. "One of the main priorities we see as a result of those vulnerability tests is a specific focus on energy control systems and SCADA systems," he says.

Appendix G in the SMD covers nine areas of security: governance, security scope, asset classification and control, personnel, access control, systems management, planning, incident response and business continuity.

Halley points out that if the standards in Appendix G were to be approved today - they could still change - virtually every company would need to have a good, well thought-out, and well-executed security plan. "That's really going to drive the investment in security for the next couple years. It takes a lot of time to go from no program to a robust program that is well thought-out enough, that is consistent across all those areas," he says. Companies with a more mature program right now, Halley says, are not going to feel as much pain to meet new FERC requirements. But he notes that companies who have pushed security off and focused on other business initiatives may need to allocate unbudgeted resources for cybersecurity.

Halley estimates 50 percent of the industry will feel some pain in complying with a security plan. Indeed, he says, "The FERC is what I see as the number one driver for security in the industry for many years to come."

Rachelle McLure, national director of solutions at RCG Information Technology, a Houston-based consulting firm, says that the lack of adequate security stems in part from an industry mindset that doesn't always worry about cyber access once a person gets in the door of a facility. She says that companies need to ask themselves what someone has access to once she is in the operations room or the control room. "Do you have some of your operations personnel still able to go check their e-mail from the same machine they're using to control the SCADA systems?" she asks. "I've talked to some folks about that, and their eyes just pop open a little bit, like, 'Oh, we haven't thought about that yet.'"

That reaction has, in fact, been distressingly common, as far as McLure is concerned. "I'm not sure why. I was hoping that was something we would have taken care of a while back. . . . [Y]our operations systems are just that - your operations systems, and then your user systems are separate. Not on the same network. You really need to keep those separated," she stresses.

McLure estimates that roughly 25 percent of the industry has combined, or simultaneous, access to operations and enterprise systems.

Having such large percentages of the industry struggling to catch up to security standards wouldn't be the best of news even in prosperous times. Given today's dire economic climate, how is the electricity industry going to cope? "It's a tough question, and clearly with the industry in difficult financial straits right now, it's going to be a conflict between the business decisions and the risk management decision," Halley says.

"When you add something like the FERC standards, which are going to require an officer to sign off to indicate compliance with those standards, that's a pretty strong business driver to help allocate funds and resources to security that might otherwise be allocated to a top-line or bottom-line value-add to the business," he argues.

Todd Klein, a managing director at Kinetic Ventures, a venture capital firm in Chevy Chase, Md., observes, "Budgets are cut, and utility CIOs [chief information officers] are being told to do more with less. There's no dispute about that. I have a hard time seeing them put off critical IT decisions on things like security, because for immediate needs like that, they will find the dollars to make that investment."

But complying with the FERC SMD security standards will not be easy. It's not a straightforward project, according to Halley, because it takes a long time to achieve a mature security system. "It can't really be done [quickly], even if you throw unlimited resources and people at the problem. … You go through the process of creating a governance program, policies, and standards, but it's really the people throughout a company that have to be knowledgeable about those, and two, take them seriously, and three, implement them. So there's a huge awareness piece that has to go along with this."

Halley says achieving the FERC standards within a year is a definite possibility because companies can implement at least some piece of each of the FERC requirements. But getting it to the point of proper functionality, where security systems are working and mature, and where there is employee awareness and acceptance, requires a cultural sea change. "That's always going to take a longer period of time," Halley says. "[E]ven though they [FERC] are going to require certification by January 2004, actually achieving the intent of what they're trying to do is going to take more than 12 to 18 months."

Companies in the coming year are likely to be spending their cybersecurity dollars on authentication and access control tools, according to McLure. Those tools can include physical tools, software tools, surveillance systems for physical security, card access/biometric types of technology, the actual network authentication and access control tools, or combinations of those items, McLure says. She also says she's been seeing a lot of security policy development. "[Y]ou just can't have [security] as shelfware. It is something that has to be a living policy, it is something that has to be reviewed and audited on a regular basis, so I think we're seeing more money invested there."

Looking Outside the Box

With a looming FERC deadline and many companies getting a flat-footed start, the pressure is on. Utilities are legendary for wanting to develop and control their systems from inside, but the time pressure is making many companies take another look at outsourcing some cybersecurity functions. "Whereas in another part of the business utilities may be less likely to go to an outsource vendor, in this area we've seen more attraction, more rapidly, than in other areas," Klein says.

If the SMD happens, Halley says, outsourcing of intrusion detection and firewall management is probably the most likely option. Managed security services make sense "particularly for small to midsize utilities that may not have the expertise to implement some of the technologies that are going to be needed," he says.

Halley says he's not entirely sure why one company would keep security in house while others outsource. One large factor, though, is a company's risk tolerance, according to Halley. "There are some companies that know their limitations and capabilities, and they're fine with allowing security to be an outsourced function. There are other utilities that see security as extremely mission-critical, and do not feel a third party should have anything to do with securing their assets, and they'll keep it in house," he says.

Beyond the need for speed, McLure says there are other advantages to outsourcing cybersecurity. "It's always a good idea to not have the fox minding the hen house. So, having a third party that does periodic assessments that gives you that extra layer of intrusion detection, that managed security service, I think is a good thing." Hiring a managed security service does not mean that companies turn over the keys to their kingdom to vendors, McLure adds. "But they provide that added protection, and they provide that third party look. The thing is, when you're working on a network, and this is your network, it's your baby, and you know what's going on, you may be less likely to see the holes in it. Whereas someone from the outside is going to have a different perspective on it, and potentially be able to find holes that you didn't even consider."

It's not a matter of technical capabilities that utilities may or may not have, says Halley. Companies clearly have the technical capabilities to do it, he says. The question of outsourcing instead hinges on things like recruiting and turnover for a function that usually needs 24x7 monitoring. "[N]ow you're talking about having people monitor your security during night shifts and on weekends, and some clients aren't interested in getting into that business," he notes. "Those points make it a very compelling argument to outsource, assuming you have a trusted third party." According to Halley, the return on investment (ROI) and the cost analysis his firm has done shows that managed security services can cost many times less than keeping those cybersecurity functions in house.

Another benefit to outsourcing is the global perspective that a managed service provider has, Halley says. Larger managed service providers like Symantec have clients all over the world. "So when you have incidents that are happening in Germany that are going to hit the United States in five or six hours, you have that lead time," he points out. Global cybersecurity services provide intelligence that a single organization might not have access to, Halley says.

McLure argues that third parties particularly benefit large organizations that have many systems running. "With the complexity of what they're doing, their network points of access are tremendous."

The Perils - and Promise - of Wireless

Those points of access are growing, mainly due to the proliferation of wireless devices. Both phones and personal digital assistants (PDAs) with Internet access are a boon to productivity in many energy companies, and what meeting would be complete without a PowerPoint presentation from a laptop? Yet, as McLure points out, PDAs aren't inherently secure. While laptops are often issued by the company and equipped with appropriate security and authentication controls, that isn't necessarily the case with PDAs and mobile phones. What often happens, McLure says, is that employees want to use such devices, and the company permits it. But employee-owned PDAs often are synched into corporate networks, and Internet-enabled phones tap into corporate e-mail systems, without any consideration given to their security.

As McLure puts it, "in both small and large organizations, you've got issues with wireless. ... If you don't have them locked down properly or secured properly for authentication and access controls, there may be holes in your organization that you don't know about." Someone could hack into a network via a PDA, because of the availability of the wireless access.

"Whether it's a cell phone or PDA that has the wireless connectivity, the tool itself is not so much the issue - except that they're so easy to carry around in your pocket - as it is the availability of the wireless connection," McLure says. Once you have access to a wireless connection from any of these devices, McLure observes, it's a question of how secure the systems behind the firewall are.

Halley agrees. "Wireless has, depending on how it's being used, a tremendous amount of risk associated with it," he says. "Right now, there are not appropriate security controls built into wireless that are widely used and accepted, to make wireless an acceptable transmission medium for critical business data and applications."

Part of the problem is that the energy industry for the most part does not use particularly robust authentication tools. McLure says, "I think we're still looking at usernames, and passwords that are changed every 60 days. We haven't stepped up the stronger authentication as much as we need to yet."

The use of hard or soft tokens is one such authentication tool. A hard token is typically a physical device - like a dongle plugged into the USB port of a computer. McLure explains that when using a hard token, every time a user logs into the system or an application, she pushes a button on the token and it gives a one-time use password. Soft tokens, in contrast, are triggered upon logging into a network with a user ID. McLure says that login notifies the system to send a one-time use password to a cell phone or a PDA. The one-time use password is then entered into the system, and the user can complete the login sequence.

Token systems do not cost much more than single-factor tools - user ID and passwords - because of the reduction in administrative costs, according to McLure. She says companies see ROI on those kinds of authentication technologies in about 12 months.
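The two token flows McLure describes, as an added Python illustration that is not code from the article or from any vendor it names. The hard token is modelled as an event-based one-time password of the HOTP kind (RFC 4226): each button press advances a counter, and the server accepts a code only once and only within a small look-ahead window, so a user who pressed the button a few times without logging in stays in sync without a help-desk call. The soft token is modelled as a random, short-lived code the server issues after the user ID login and would deliver to a phone or PDA. The article names no specific algorithm, so HOTP, the 6-digit length, the 5-press window, the 120-second lifetime and the sample secret are all assumptions made here.

```python
"""Added illustration of hard (event-based) and soft (server-issued) one-time
passwords.  Not code from the article or from any vendor it mentions.
Assumptions: HMAC-SHA1 and 6-digit codes (RFC 4226 defaults), a 5-press
look-ahead window for hard tokens, a 120-second lifetime for soft codes.
All secrets below are constructed sample values."""
import hashlib
import hmac
import secrets
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    msg = counter.to_bytes(8, "big")
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HardToken:
    """The device in the user's pocket: a shared secret plus a press counter."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self.counter = 0

    def press(self) -> str:
        """One button press: derive the code for the current counter, advance."""
        code = hotp(self._secret, self.counter)
        self.counter += 1
        return code


class HardTokenVerifier:
    """Server side for one user's hard token.  Remembers the next unspent
    counter so a captured code can never be replayed, and tolerates a few
    presses that never reached the server (the look-ahead window)."""

    def __init__(self, secret: bytes, window: int = 5):
        self._secret = secret
        self._window = window
        self._next_counter = 0

    def verify(self, code: str) -> bool:
        for c in range(self._next_counter, self._next_counter + self._window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._next_counter = c + 1  # every counter up to c is now spent
                return True
        return False


class SoftTokenIssuer:
    """Server-generated code sent out of band after the user ID login.
    Each code is random, expires after `ttl` seconds and is removed on the
    first verification attempt, so a wrong guess forces a fresh issue rather
    than letting an attacker keep guessing against the same code."""

    def __init__(self, ttl: float = 120.0, digits: int = 6, clock=time.time):
        self._ttl = ttl
        self._digits = digits
        self._clock = clock  # injectable for testing
        self._pending = {}   # user -> (code, expiry timestamp)

    def issue(self, user: str) -> str:
        code = str(secrets.randbelow(10 ** self._digits)).zfill(self._digits)
        self._pending[user] = (code, self._clock() + self._ttl)
        return code  # in practice this goes to the phone or PDA, not to the browser

    def verify(self, user: str, code: str) -> bool:
        entry = self._pending.pop(user, None)  # single use, whatever the outcome
        if entry is None:
            return False
        expected, expiry = entry
        if self._clock() > expiry:
            return False
        return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 sample secret, constructed input
    token, server = HardToken(secret), HardTokenVerifier(secret)
    code = token.press()
    print("hard token first login:", server.verify(code))   # True
    print("same code replayed:   ", server.verify(code))    # False
    soft = SoftTokenIssuer()
    sms = soft.issue("alice")
    print("soft token login:     ", soft.verify("alice", sms))  # True
```

With the RFC 4226 sample secret the first three presses yield 755224, 287082 and 359152, the published test vectors, which is a quick way to check an implementation before trusting it. The verifier never re-accepts a counter it has already passed, which is what makes the password genuinely one-time; the window only bounds how far ahead the device may drift before an administrator has to resynchronise it.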

Even without such authentication, Halley says critical business data is still being transmitted over wireless devices. "We find rogue wireless access points at almost every client we look at."

But those rogue points do not necessarily mean the end of cybersecurity. Halley points out that the best theory for security is a layered approach. "We might find a wireless access point on a corporate network. However, if you have implemented a second layer that's protecting your energy control systems, you've mitigated that risk. While of course we don't want corporate data to be compromised, you've at least adequately protected your energy delivery systems."

Companies need to take a hard look at who can access what data where, McLure argues. Despite all the attention paid to terrorists and other malicious hackers, the greatest threat to any organization remains one launched from the inside.

McLure says that operations systems need to be separated from personal use systems, like e-mail, and that organizations need to ensure that people only have access to the things they need to have access to, from the places they need to have access to it. "I think in general, you may want your CEO to have access to every system and every piece of data in every system, when he's sitting at his desk in his office," she says. "But if he's at an Internet kiosk in an airport, maybe he doesn't need to have access to everything."

Real-Time Improvement

Yet despite the cybersecurity headaches they create, wireless devices are here to stay. As venture capitalist Klein points out, "[I]rrespective of anything that happens to Enron or Dynegy or anybody else, our economy is converting to a real-time economy, a digitized economy. In order for utility customers - businesses - to operate and function, they need a level of power quality substantially higher than anything that has been provided in the past. So that means information to manage that distributed network will have to be invested in, irrespective of the pace at which deregulation occurs."

Klein thinks that anything that helps utilities manage their networks better and more quickly to serve customer needs - real-time pricing technologies and network management technologies, for example - is somewhat impervious to deregulation trends.

Nancy Floyd, a managing director at Nth Power, a Palo Alto, Calif.-based venture capital firm, agrees. The wireless communications area for electricity companies is interesting, Floyd says, in part due to the industry moving to communications-neutral listening devices that will talk through public networks. More significantly, she says, the change is not just about getting the data, it's what you do with the data. "There's been a lot of work done on the software side that routes data to the people who need it so they can have it immediately," Floyd points out.

Floyd thinks that the business case for wireless is there, and that some new technologies offer a very compelling ROI for utilities. "I think it probably will be deployed more at the commercial and industrial level, and it will enable utilities to do … real-time pricing, things that have been talked about for years, where you really can see the business case now," she argues. "Smart metering systems are more than just capturing data; it's making sure that the data gets to the hands of the people who need it, in real-time." If there's an outage, for instance, data goes not only to the customer account manager at the utility, but also to the facility manager who works for that customer.

The shift to metering with software and the communications-neutral network means that software will track different kinds of events that happen on the system. The beauty, according to Floyd, is that the information routing "is done in real time, distributed to the people who need that information, so they can act on it as quickly as possible."

While smart metering is often hailed for its ability to send price signals to customers in real time, the appeal for Floyd also lies in the difference smart metering can make to reliability. The use of wireless and smart metering is driven, Floyd says, by the need to balance the system. "As a business issue, it's very, very compelling, and it's also a reliability issue - reliability to immediately sense that an event has taken place, down to the customer level, and to be able to get that information into the hands of people who need to do something about it."

Floyd does not see the demand for real-time information diminishing. "The good and the bad of energy industry restructuring is that customers have become more aware that energy is a solvable problem," she says.

Klein also perceives deregulation as a catalyst of change in the industry's attitude about technology, whether it be software or wireless. "[P]eople often talk about whether deregulation is the driving force behind many of these changes. Whether or not you believe deregulation is the driving force, there is sort of a Big Bang effect of deregulation that does capture people's attention," he posits.

Klein acknowledges the notion that real-time pricing for real-time pricing's sake has not taken hold. But, he says, "when there's a business opportunity associated with it, such as in this case where a utility can re-sell the information itself, we have seen it adopted. That's the distinction. Figuring out what the right business model is to capture that information and then resell it, that's been the challenge."

There isn't much dispute that modernizing your information technology will improve your business, Klein adds. "The fact is, despite all the bad news that has occurred in the utility industry, Wall Street has not given utilities an earning holiday," he says. Utilities are going to have to improve operations, he says. "There's simply no other way to maintain their status as good corporations in our economy. There's just no way to avoid that."



Outsourcing Comeback?

The outsourcing debate rages in the customer care arena.

In the late 1990s and into 2000, outsourcing of IT functions was hot. Experts predicted that one day soon, companies wouldn't buy software packages. Instead, they would simply sign up for a yearly service contract with some flavor of application service provider (ASP) for all kinds of computing needs. But with the dot-bombout, outsourcing, too, fell out of favor in some quarters.

Yet, there are those who believe that outsourcing's value proposition is fundamentally sound. So we asked two vendors of customer information systems and customer relations management software to weigh in on whether outsourcing is on the verge of making a comeback in the utility sector.

Steve Kim, chief technology officer at Orcom, a Philadelphia-based outsourcing company, thinks that in the next few years, more and more customer information systems (CIS) projects will be forced to happen. That's largely due to the age of many utilities' legacy systems, which makes them difficult and expensive to maintain, according to Kim. "I think you'll see CIS replacement projects becoming more and more prevalent. From that, because of the economic climate, I think you'll see outsourcing catch on more and more as well."

Kim argues that outsourcing, rather than small implementations, gives companies more bang for the buck. "It takes the burden of implementing their systems away from them, which I think is very important with the IT budgets the way they are."

Jennifer Schenberg, Orcom's vice president of marketing and corporate communications, says that almost one out of four implementations fail, regardless of scale of project, so it reduces risk to outsource.

But can't companies choose to just hang on another year, and hope that the economic climate improves?

Kim says that some will be able to, but "some of the systems are so old - there's just not a lot of COBOL programmers anymore. Unless they want to freeze any kind of capabilities that they've got, they've got to do some maintenance on these systems." Even from a maintenance standpoint, he says, maintenance costs, along with some customization or enhancing costs - necessary if companies want to tackle even small projects - all get expensive. "Sometimes you have to spend a little money in order to save money down the road, and I think that's what their challenge is," Kim says.

David Decker, vice president, sales and marketing at Colchester, Vt.-based Systems & Software, a provider of software systems, isn't so sure outsourcing makes sense. He says outsourcing is a model that everyone thought was a great model, but that has been "an enormous failure."

Why?

Decker says that in the case of those who outsourced customer functions, "most utilities realized that only they can care for their customers the way they need to be cared for - you can't give that to somebody else and have it done better." Cost also was a factor, he says. The cost of somebody else managing data centers, some of the services provided by customer service departments, and all of the infrastructure, turns out to be more expensive for companies than doing it themselves, according to Decker.

But with tight budgets, would it make more sense for companies to go to an outsourcing model if they have an old legacy system and they need some new functionality, without much cash?

Decker doesn't buy that argument. "My feeling is if you outsource it, you're going to spend more money doing it. . . . [Something] we hear every single time we do an implementation is people saying, 'We're very willing to change the way we do business, and conform to a packaged solution.'" That lasts about two or three months into the implementation, he says, and then he hears, "You know, we can't change the way we're doing this, that, and the other thing." Yet, companies offering an ASP solution have to keep their package the way it was originally proposed, because an ASP company cannot run 20 different versions of their software for 20 different customers, according to Decker. "So there's a real sacrifice that takes place there from the utility side, or complexity that certainly gets added to the ASP side, which usually gets passed back to the utility as an increased cost." - J.A.



Source URL: http://www.fortnightly.com/fortnightly/2003/01/it-security-whos-investing-what