Robert Booker, Syntegra
Utility CIOs understand the urgency behind protecting their organization’s information technology (IT) assets, but data security still hasn’t received the funding it deserves from the executive team. According to AMR Research, security claimed only 6 percent of energy companies’ 2002 IT budgets, and only 24 percent of utilities find security to be among their top three IT spending priorities. This is the result of the utility industry’s focus on cost containment, intense competition during an economic downturn and a misplaced assumption that legacy systems are unattractive, impenetrable targets. Yet legacy systems and control networks, which often lack security capabilities, are increasingly being integrated with Web-enabled applications and data networks to meet demand for online data access in today’s deregulated utility market.
To improve data security, utilities must first overcome the perception that security initiatives are costly luxuries. Security is not just a technology issue; it’s a strategic business objective. Progressive utilities understand the right security strategies can improve security and operational efficiency, which provides both an attractive ROI for the executive team and improved security of assets. By implementing five key security measures, smart utilities can create a unified security framework that cost-effectively achieves both goals.
Risk assessment and information assurance
A unified security framework starts with a thorough risk assessment. Utilities must identify both their information and physical assets, the risks to those assets and then analyze the impact to their business based on potential risks. For example, the physical risk to power stations and generation facilities from vandalism or malicious attack is well understood. However, an identification of risks to information assets such as control networks and customer management systems is more elusive. While risks may be tangible or less tangible, all risk creates the potential of an adverse business impact in the form of legal exposure, financial costs, increased regulation, and harm to the utility’s reputation and goodwill.
Once risks are identified, utilities should then analyze the likeliness of each risk and determine appropriate counter measures to assure information security. It is critical for utilities to conduct risk analysis using an efficient and repeatable method that results in a roadmap that provides for practical response based upon the risks and the potential business impact. In some cases, a risk may be so unlikely that utilities simply decide to accept it. In other cases, the cost to mitigate the risk may overshadow the business impact of the risk. The critical outcome of a risk analysis is a list of risks that will be addressed, counter measures to address those risks and a list of risks that will be accepted by the business. The executive management and the board of directors must both be aware of the utility’s risk management plan.
Once a risk analysis and management plan is created, employees of the utility must understand their role in supporting both operational and information security. Many of the security exposures that occur in an organization result from employee inattention and lack of care. Each member of the organization is responsible for the security of the enterprise.
Access management enables utilities to make it easier for on-site and remote employees to access the systems they need while reducing the cost of managing system access. In addition to single sign-on and strong authentication strategies, such as public key infrastructures and biometrics, the best access management systems sort employees into company-defined “organizations.” This role-based methodology enables utilities to more accurately match employees with security clearances appropriate for their position.
Engineering employees, for example, need access to control and distribution systems while operational services employees need access to the CRM system. By assigning each employee to an organization based on their identity, business role and affiliations, IT staff can automate the process of providing system access to thousands of users based on their designated organization.
This measure combines access management with provisioning to track employees’ identity and access to utility physical locations, networks and data systems throughout their career. Because disgruntled employees are one of the most common security threats, identity management systems enable the immediate removal of access rights for departing employees. It also prevents employees from accessing systems they no longer need as they change positions within the utility. By creating an electronic profile of employees’ physical and electronic access information, identity management automates the process of initiating and ending access and also provides for reporting of access privileges in support of audit and monitoring activities. The ability to efficiently support departments with high-turnover operations, such as energy company call centers, is a benefit of the identity management system.
Properly implemented, identity management systems also can reduce the cost of managing employee identities up to 60 percent by increasing IT staff efficiency and supporting user self-service. For one U.S. utility with 5,000 employees, identity management provided over $1 million in annual savings. Larger organizations should expect a 25 percent to 30 percent reduction in IT administration costs.
As energy companies begin viewing consumers as customers instead of ratepayers, electronic mail is an increasingly important communications tool. The most progressive utilities are exploring how e-mail can help them build better relationships with their customers though electronic bill presentment and customer care. The use of e-mail for these services requires a higher level of security for e-mail and also requires that the e-mail infrastructure be protected from exposures such spam and viruses. The e-mail capability of the organization also is critical to supporting communications during incidents that result in an impact to service. The e-mail system must therefore have the reliability and scalability required to deal with high-traffic situations.
Vulnerability and exposure management
Energy companies often implement intrusion detection systems as a quick-fix for information security challenges. Unfortunately, these traditional “alarm” systems are only as strong as the people responding to them. For example, if the intrusion detection system reports a significant amount of possible attacks, the organization will begin to discount the alarms as “background noise,” which eliminates the benefit of the system. Utilities should consider the real risks to information assets as unmanaged systems and should therefore consider vulnerability and exposure management capabilities rather than intrusion detection capabilities. Vulnerability and exposure management services first identify an organization’s weaknesses and then notify IT staff of systems that require management to mitigate any possible exposures. Network monitoring systems similar to intrusion detection may then be used to monitor only systems and networks that are potentially at risk from attacks. This dramatically reduces false alarms and improves utilities’ ability to respond to real threats.
Quantifying the value of security investments is difficult based on security improvements alone. But, utilities must make data security a priority to compete in today’s deregulated market and meet growing regulatory pressures. Collectively, these five measures will enable utilities to increase security and operational efficiency. The result: a unified security framework that provides the protection utility CIOs seek and the measurable ROI executives demand.
Booker, vice president, manages business development and Syntegra’s security and network consulting initiatives. He has more than 20 years experience in the information security industry. Contact him at firstname.lastname@example.org.