Is Something Missing in Utility Security?
Posted on November 15, 2002
Because of heightened security requirements within the United States and the volatility of the business environment, Utilities are seeing the need to move quickly to ensure their service industry is secure and to advise their clients/customers that they can depend on their utility.
According to a number of Government Agencies and National Security Experts, the Utility/Energy industry is vulnerable and ranks high on the list of potential targets for terrorists. All this having been said, Utility Executives struggle with improving the security of their forty- to fifty-year-old infrastructures, which were not built with security in mind, and they also have to deal with deregulation, additional state and federal regulations, and of course the big question: how to pay for it all with the economy slipping?
Utilities are constantly reminded of how easy it is to access their facilities and control systems. In addition, we have all heard that it is impossible to protect a Utility because of remote facilities and infrastructure. We have also heard that an attack on the Utility industry, or the use of Utilities to terrorize, could have devastating effects on our nation, our citizens, and the economy. There is also the view that it is impossible to protect a Utility 100% from an attack, be it a cyber attack or an attack on a Utility facility or infrastructure. You cannot totally secure a Utility, and we all know that; however, making it tough to penetrate is possible.
A number of state regulators are looking at, and some are requiring, security assessments at Utility facilities. This must be done before a Utility can request a rate adjustment to pay for security. Many Utilities are having security assessments done as a regular course of business and putting recommended security improvements in place. The majority of Utilities are struggling with revenue commitments to pay for improvements and enhancements without compromising their productivity and day-to-day operations.
Many utilities look at physical and cyber security and settle on improving those areas. A professional security assessment will address physical and cyber security, SCADA and DCS systems, communications security, grid security, distribution security, generation security, and biological/chemical issues, including an anthrax assessment. The security assessment team (usually consultants) needs to have recognized experts in security as well as technical experts who have worked in the Utility industry. Conducting an assessment is one thing; however, coming up with sound solutions and meaningful results is paramount. A professional Security Assessment team should be knowledgeable about current technologies and be able to recommend financially viable options for implementing solutions.
A developing trend is to put in place a “security collaborative” where several Utilities share in the cost of an assessment and have a Security Assessment conducted on a number of facilities at the same time.
The Utility Industry has always been very community oriented, and prides itself on employing only the best. It is not uncommon for a Utility employee to have fifteen to twenty years of service. When Utilities are confronted with the concept of pre-employment screening or security checks on vendors, there is frequently push back: “we have known these folks for years”. With pockets or cells of terrorists living in the United States, once unthinkable but now a probability, not to mention the everyday criminal, it becomes critical to screen every new employee and vendor to ensure they are who they say they are.
As Utilities move into this new era of security, the adoption of sound Security Policies, Procedures, and Guidelines is of the utmost importance, along with developing an updated “Crisis Management Plan” to address the new scenarios that could possibly occur at a Utility. Development of the Crisis Management Plan needs to include Federal, State, and Local Law Enforcement and emergency services personnel to ensure all bases are covered before, during and after an incident.
As recent news stories confirm, in order for a security plan to be as successful as possible, it is critical to “Create a Security Culture” at all levels of a utility from the CEO on down. This can be accomplished through on-the-job training seminars put on by a security professional in conjunction with law enforcement. The more eyes and ears the Utility has, coupled with having folks trained on what to look for, the greater the chances of having a successful security program.
When oil dips to $17.00 per barrel, oil executives begin to panic over the loss of revenues. When the price at the pump climbs to $2.00 per gallon, the consumer starts to think about rebellion. The simple truth is the Utility/Energy sector operates like a Swiss watch. Damage one small component and the watch ceases to function. Destroy a major refinery, severely damage the natural gas delivery system, sink the tankers, successfully conduct a cyber attack on telecommunications and electricity delivery grids, sicken the people who keep the system functioning and then, attack. Those are the scenarios that can cause the finely tuned system to cascade into catastrophic collapse.
Understanding the threat and knowing your vulnerabilities are only part of the answer to these troubling questions. Knowing how to plan for the worst-case scenario and building that plan takes time and skill. The skill exists, but do we have the time?
Larry E. Ness is President/Owner of Ness Group International based in Dallas, Texas. Ness Group International is a Security Consulting/Investigative agency that specializes in the Utility/Energy Industry and is licensed through the Texas Commission on Private Security. Ness has extensive Executive level experience in the Utility Industry and is a former member of the United States Secret Service. Ness graduated from the U.S. Secret Service Academy, and was a former
November, 20 2002
George Fyffe says
Larry, congratulations on a very interesting article. We should be sending out the "plan for security" message as much as possible. Too many organisations see Security as an overhead and rely on the "it won't happen to us" mentality. We, at Micronage, are particularly concerned with Computer Security (i.e. the data held on computers or in databases falling into the wrong hands and being manipulated for illegal purposes). To this extent purely criminal intentions come to the fore. Imagine the mayhem there will be when some unscrupulous person hacks into a Utility database and releases all the Customer Credit information. There will be lawyers everywhere... and that's got to be as bad as terrorists!!
November, 24 2002
Joel Gordes says
Larry, this was an excellent assessment of the state of the utility industry but, as Richard Clarke, Cyberadvisor to Clinton and now Bush, said a few years ago to some executives, "you are still in a state of denial." This became glaringly true to me a few weeks ago. I was discussing with a Fortune 500 utility CEO the potential for a cyberattack on the utility grid either through hacking/intrusion and/or use of flux compression generators against ISO facilities and he barked back that "that can't happen." I think we need to mount a massive educational effort to better inform such top "leaders" that it can happen and that they need to become proactive in designing systems to prevent what could be massive damage.
November, 25 2002
TERRY MEYER says
Utilities are in denial and won't get real security until they are dragged into it kicking and screaming. And why should they? Where's the incentive? For now they can all point to each other and say they're at the industry standard, just like American Airlines did before 9/11/01. And, just like the airlines, when it comes time to get security, they'll be just as happy as the airlines to settle for the APPEARANCE of security at taxpayer expense.
Nothing will be done about true security until there is true financial liability on the scale of the terrorism: If the survivors of the victims of the lapse in airline security were to be awarded HUGE settlements (commensurate with loss of life) from the airlines, it would send a message to all industries that security (or lawsuits from lack of security) is part of the cost of doing business and Big Business would have to wake up and smell the coffee instead of sitting back on corporate welfare, subsidized profits and socialized security. Make losers of all lawsuits pay all the expenses, legal fees, and court costs of the winner.
If Big Business decides to quantify this cost of doing business through insurance, there is a whole industry waiting to do business with them.
December, 03 2002
**** **** says
I found the article by Mr. Ness very interesting and thought provoking. I have only been involved with Utility Security for a relatively short period in comparison to my 25 plus years in the industry. What we are facing today, in my opinion, is not unique. In actuality it is a knee-jerk reaction to a terrible event, which the majority felt could not happen here. The reality is that improved security (which still needs to be defined) is not going to happen overnight. It will be a gradual process that will utilize risk management tools and not the more common risk avoidance methods. Security practitioners will be more successful if they take the time to listen and understand the business. We need to work the problem, seek to achieve meaningful/practical results, and be consistent (as best we can) in our applications. Yes, there need to be standards, but they should be workable and fundamental in nature. Above all they should be developed by those who have experience in the business. Larry, a good article that should be read by more.
December, 12 2002
Alan Love says
Larry's paper is very timely. I used to work in a power utility for a while and now I have been working in the purely internet information security area. In my point of view, hackers (with currently normal hacking knowledge) can access the control information without too much difficulty. This information can be sniffed, tampered with and sent anywhere they want. This indicates that the utility communication needs to be hardened and secured in no time. However, as I talked to the leaders and experts in utilities, they would like to neglect the cyber threats compared to physical attack threats (e.g., bombings of dams, substations, etc.), which shows information security knowledge is lagging among them. If Larry can demonstrate some real cases of utilities under hacking, that will impress more people in utilities.