Utilities Wrestle With IT Security Standards

As a brutal heat wave moved across the nation last week, sending temperatures in Denver to 105 degrees and causing Con Edison in New York to hit a peak usage record of more than 13,000 megawatts, electric utility executives met in San Francisco to put the finishing touches on standards to protect the U.S. power grid from physical and cyberattacks.

Originally slated to go into effect a year ago, the new deadline for complying with IT and physical security standards is expected to be August 2006, around three years after a power failure blacked out much of the northeastern United States and parts of Canada and raised questions about the security of the nation's power systems. The process of developing industrywide standards took longer than expected, utility executives say, because so many parties made proposals that needed to be reviewed and revised. Industry execs say they'll have no problem meeting the deadline for protecting IT and other automated control systems, but meeting the standards for physical security will be more difficult.

The IT-system security regulations under development by the North American Electric Reliability Council, an industry group, target processes such as test procedures; account and password management; security patch management; identification of vulnerabilities and responses; retention of operator, application, and intrusion-detection logs; change control and configuration management; disabling unused network services, ports, and dial-up modems; operating status monitoring tools; and backup and recovery. The industry is operating under a set of temporary security standards.

"This [new] standard will go much deeper than originally planned, including control systems, generation, and transmission," says Lou Leffler, manager of critical infrastructure protection at the council. "We're including thousands of facilities now and detailing the how, in addition to what."

Utilities face hundreds of attacks a day as hackers try to penetrate their systems. Executives won't discuss details of the attacks or the systems they have in place to repel them, but say they're well on their way to meeting the new cybersecurity standards since they've been beefing up IT security during the past two years.

"It's not so significant to secure cyberaccess," says Ed Lim, a systems administrator in the system power control center at PacifiCorp, a northwestern utility that serves seven states. "The biggest thing that helps us reach compliance is our work around Sarbanes-Oxley. Some of that work is immediately transferable."

Electric utilities support the creation of an industrywide IT security standard, but several say it won't result in major changes in the way they operate. "We follow standard security practices," says Julia Segars, CIO at Alabama Power, a member utility of Southern Company Services Inc. "I don't think it would've taken a regulation for us to implement these processes because it's a measure of good business practices."

Mike Carlson, VP of business transformation and customer value at Xcel Energy Inc., applauds the move to an industrywide standard. "The biggest value is the industry collectively pulling together around a single set of objectives and standards," he says. Xcel is taking advantage of its other IT systems to improve the security and management of utility-control systems. Over the long run, "we want to leverage the network infrastructure by putting [utility] control systems on the IP network," Carlson says.

Utility executives note that so far they haven't suffered a major cyberattack. They're more worried about Mother Nature and whether they can generate enough power to keep Americans cool during the hot summer months.