Dana Bacciocco, Associate Editor
Nobody wants to talk about insurance, but they want to minimize risk. Paying for information security, like buying insurance, is not feeding a cash cow. But returns come in the form of cost avoidance, sound strategy, and heightened awareness.
“Justifying and balancing the costs of an information security system is tougher than seeing potential returns with IT expenditures for trading, for example, and all the associated Internet support,” said Paul Hurley, vice president, security professional services at Riptech.
In light of the all-powerful bottom line, it’s difficult to visualize information security having a strong contributing role. But look at it as a platform for revenue-generating systems. “If they (companies) have an increasing budget for their network and infrastructure support, they should also be seeing an increased budget for the security support; with one comes the other, because, if not, it’s more expensive later on, when the bad thing happens,” said Hurley.
The value of risk management as information security is emerging for utilities as they realize vulnerabilities. “If the threat is there, and if the vulnerability is there, they can combine to create risk. In the power and energy industry, you have both on the increase,” said Hurley.
“e-Security breaches cause close to $15 billion worth of financial loss each year,” said Christopher Roach, partner in KPMG LLP’s Risk and Advisory Services Practice. “Obviously the recent terrorist attacks make people think we ought to do something with security. The government’s focused on the critical infrastructure, and utilities are a big part of that.”
Growing up vertical
At first glance, energy companies are not unique. Like other companies, they need a personnel security program and a physical security program, for example, and should not divert resources from the basics that are in place.
While utilities are not on the vanguard of information security, they are gaining ground. “You can almost plot a course of sophistication in the security program by the kinds of requests you get for services. But it’s still not across the board,” said Hurley. Larger companies tend to have programs approaching the second generation.
In many cases, companies have purchased, installed, and subsequently ignored new information security systems for lack of expertise running them. Utilities are taking the first step toward greater sophistication by seeking and hiring the expertise required to use their new technology.
“Energy companies are having difficulty really getting a strong ROI on those devices by trying to do it internally,” said Joe Pendry, director of power and energy practice at Riptech. In the past six months, energy companies have shown interest in having outside parties manage their investment.
Roach cited a recent KPMG global study (see sidebar) that revealed a significant amount of hiring of skilled professionals within organizations to develop security plans, a good sign.
According to Hurley, energy companies are really still locking down internal programs, and gaining sophistication and knowledge from consultants and vendors.
Where the threats are
Pendry said that he has noticed increased interest in information security in response to September 11. The event demonstrated to power and energy companies, among others, that, although the attack was physical, attackers are willing to take a long-term, planned, coordinated approach. Furthermore, utilities are uniquely ripe to include as part of a coordinated electronic and physical attack.
Utilities face hackers and cybertheft as they engage in online transactions, just as any e-business would, and with high stakes. “Utilities face a combined community of threats: the same threat that any e-commerce company faces, along with a very similar threat to what the government in general faces: well-organized, well-funded foreign national support in the form of cyberterrorism,” said Hurley.
On the flip side, Roach warns against a narrow focus on external forces, given that close to 80 percent of intrusions are typically made by insiders. Employees may be a part of the problem, but they also participate in the solution. It’s a matter of education and participation. “Our survey also indicated that although high-level executives seem to have a fairly good understanding of what the security risks are for an organization, below the manager level, there was less knowledge of the security position of an organization,” said Roach.
Network of risk
One thing that most organizations have in common is that modern networks are almost completely different from what they were even two years ago, with significant reliance on the Internet as a transaction medium. And deregulation has contributed to decentralization and the emergence of pockets of technology that are distributed, yet connected to a central “command post,” according to Roach.
Riptech’s Security Operations Center. Photo by Riptech Inc.
“You’ve got a spectrum of risk,” said Hurley. “At one end is no risk and no communications; at the other end is very high risk with open communications; and somewhere in the middle of that is where it’s appropriate for every company to be.”
“We’ve seen, in recent years, a better design of their network architecture and gateways,” said Hurley. “But there’s still the danger that you’re not just risking the Web server anymore, you’re now risking the internal corporate infrastructure.”
According to KPMG’s survey, only 35 percent of energy industry execs believe their company is susceptible to a serious breach in information security. Some CIOs may not be fully aware of how many connections and administrators on the corporate network link back to SCADA systems and energy management systems, for instance. Companies should consider the quantity and depth of network linkages. “The real risk in the energy companies is the ability to tie multiple smaller vulnerabilities together,” said Hurley.
Looking for the silver bullet
Another preparedness gap, according to the KPMG results, is that the energy industry is struggling in adopting best practices. In terms of what will keep the industry from implementing a comprehensive program, 50 percent expressed a lack of understanding about best practices (see sidebar). Waiting for best practices to be packaged for sale is a mistake. Information security is more than a software problem.
According to Roach, a major hurdle exists in understanding the issue. For example, the KPMG survey found that 59 percent of the respondents view information security as a technology problem that can be handled by a technology solution. Only 39 percent view information security as a strategic business issue that requires an integrated organizational solution.
Best practices are relative to an organization, just like the tactics organizations use to differentiate themselves as players. However, common threads do exist among industry communities, like power and energy. For example, Riptech has joined the American Gas Association and the Edison Electric Institute and is working with member CIOs to develop a holistic approach to information security.