Utilities Wrestle With IT Security Standards - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Utilities Wrestle With IT Security Standards

Two years after the blackout, electric companies are still developing security plans

As a brutal heat wave moved across the nation last week, sending temperatures in Denver to 105 degrees and causing Con Edison in New York to hit a peak usage record of more than 13,000 megawatts, electric utility executives met in San Francisco to put the finishing touches on standards to protect the U.S. power grid from physical and cyberattacks.

Originally slated to go into effect a year ago, the new deadline for complying with IT and physical security standards is expected to be August 2006, around three years after a power failure blacked out much of the northeastern United States and parts of Canada and raised questions about the security of the nation's power systems. The process of developing industrywide standards took longer than expected, utility executives say, because so many parties made proposals that needed to be reviewed and revised. Industry execs say they'll have no problem meeting the deadline for protecting IT and other automated control systems, but meeting the standards for physical security will be more difficult.

The IT-system security regulations under development by the North American Electric Reliability Council, an industry group, target processes such as test procedures; account and password management; security patch management; identification of vulnerabilities and responses; retention of operator, application, and intrusion-detection logs; change control and configuration management; disabling unused network services, ports, and dial-up modems; operating status monitoring tools; and backup and recovery. The industry is operating under a set of temporary security standards.

"This [new] standard will go much deeper than originally planned, including control systems, generation, and transmission," says Lou Leffler, manager of critical infrastructure protection at the council. "We're including thousands of facilities now and detailing the how, in addition to what."

Utilities face hundreds of attacks a day as hackers try to penetrate their systems. Executives won't discuss details of the attacks or the systems they have in place to repel them, but say they're well on their way to meeting the new cybersecurity standards since they've been beefing up IT security during the past two years.

"It's not so significant to secure cyberaccess," says Ed Lim, a systems administrator in the system power control center at PacifiCorp, a northwestern utility that serves seven states. "The biggest thing that helps us reach compliance is our work around Sarbanes-Oxley. Some of that work is immediately transferable."

Electric utilities support the creation of an industrywide IT security standard, but several say it won't result in major changes in the way they operate. "We follow standard security practices," says Julia Segars, CIO at Alabama Power, a member utility of Southern Company Services Inc. "I don't think it would've taken a regulation for us to implement these processes because it's a measure of good business practices."

Mike Carlson, VP of business transformation and customer value at Xcel Energy Inc., applauds the move to an industrywide standard. "The biggest value is the industry collectively pulling together around a single set of objectives and standards," he says. Xcel is taking advantage of its other IT systems to improve the security and management of utility-control systems. Over the long run, "we want to leverage the network infrastructure by putting [utility] control systems on the IP network," Carlson says.

Utility executives note that so far they haven't suffered a major cyberattack. They're more worried about Mother Nature and whether they can generate enough power to keep Americans cool during the hot summer months.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
2020 State of DevOps Report
2020 State of DevOps Report
Download this report today to learn more about the key tools and technologies being utilized, and how organizations deal with the cultural and process changes that DevOps brings. The report also examines the barriers organizations face, as well as the rewards from DevOps including faster application delivery, higher quality products, and quicker recovery from errors in production.
How to Create a Successful AI Program
Jessica Davis, Senior Editor, Enterprise Apps,  10/14/2020
Think Like a Chief Innovation Officer and Get Work Done
Joao-Pierre S. Ruth, Senior Writer,  10/13/2020
10 Trends Accelerating Edge Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/8/2020
Register for InformationWeek Newsletters
Current Issue
[Special Report] Edge Computing: An IT Platform for the New Enterprise
Edge computing is poised to make a major splash within the next generation of corporate IT architectures. Here's what you need to know!
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll