By Gary Sevounts, Symantec Corp.
Utilities have made significant progress in guarding themselves against external IT security risks such as viruses, worms, Trojans and spyware. However, they must put an equal focus on internal security risk. Information assets held within power and energy industries remain vulnerable to internal security threats ranging from routine error to unauthorized system modifications and employee misconduct. Virtually every utility in the industry today maintains some type of database containing highly critical business information–from customer contact or account data, tracking information and human resource records to critical operational data and functions that keep plants and grids running.
In an instant, an employee with access to these databases could knowingly or unknowingly wreak havoc on the entire system, jeopardizing customer and employee information and safety. Moreover, by compromising database security and obtaining customers’ personal data, stealing money or blackmailing the targeted company, both internal and external attackers can damage the reputation, financial standing and customer trust of a business.
Continued reports of database breaches are raising concern about information protection in the power and energy industry. In addition to safeguarding databases, utilities must demonstrate compliance with industry and government regulations to ensure the security of their sensitive internal and customer information. As a result, protecting their infrastructure from insider threats has become a serious concern for utilities. But traditional infrastructure-based defenses alone not only cannot protect against internal threats, they also cannot meet the audit requirements of information-focused regulations and standards. Today’s strict mandates call for security tools that safeguard critical data and mitigate both internal and external threats while helping ensure compliance with stringent government and industry directives.
Protecting Against Extrusion
Power and energy companies are making progress toward addressing difficult cybersecurity issues and challenges. In many organizations, perimeter defenses are being put in place at multiple layers of the information infrastructure to help prevent malicious code, hackers, cybercriminals and the like from gaining access to critical information and systems. At the same time, however, these organizations are struggling to implement a more comprehensive security strategy that guards against unauthorized system modifications or the loss or disclosure of information from internal sources.
Indeed, data breaches are no longer simply the handiwork of remote hackers, thieves and spies who break through or evade perimeter defenses to get at sensitive information. Data breaches also can result from the unintentional exposure of information by authorized individuals as well as the intentional exposure of information by dishonest insiders who abuse employee privileges.
Instances of intentional unauthorized access abound, according to nonprofit consumer information and advocacy organization Privacy Rights (www.privacyrights.org). In March of this year, a former contract worker of a Japanese commercial printing company stole nearly 9 million pieces of private data on customers from 43 clients, among them a number of companies with a large presence in the U.S. The stolen data included confidential information such as names, addresses and credit card numbers.
Similarly, in December 2006, a former contractor for one of the nation’s top financial services institutions intentionally gained unauthorized access to the personal information of an undisclosed number of customers for the purpose of committing fraud.
Months earlier, in May 2006, a former employee of a mortgage company was arrested for extortion. He attempted to blackmail his former employer for nearly $7 million by threatening to expose company files containing sensitive customer information, including customer names, addresses, Social Security numbers, loan numbers and loan types, if he was not paid. Apparently, the employee stole the files over the 16 months he worked at the mortgage company.
In an age in which information is considered virtual currency, unauthorized data extrusion has become an increasingly troubling problem for many organizations, regardless of company size, geographic location or industry. Addressing this challenge requires a new approach to security that complements perimeter protection as well as database access control mechanisms. Furthermore, organizations require a way to meet core regulatory requirements without compromising the availability or performance of critical databases and without costly and impractical upgrades to networks and database infrastructure.
Augmenting Traditional Defenses
The power and energy industry continues to work to adopt best practices for securing control networks and systems. By securing interconnections with control networks, utilities are taking a significant step toward ensuring the security and availability of their critical infrastructure.
With data breaches becoming more prevalent and pressure to meet regulatory requirements more demanding, power and energy organizations are turning to new ways of protecting information that do not rely on indirect methods using perimeter, network or database-resident defenses. A growing number of organizations are implementing tools and processes for protecting databases against both internal and external threats. This new information-centric approach to security incorporates data loss prevention, database security and auditing capabilities to strengthen the organization’s security posture and reduce risk.
With this new approach, all access to protected data is logged, whether from authorized or unauthorized individuals, and complete access records are kept of who accessed what information from which IP address and when they accessed it. As a result, an audit trail is maintained for all activity that takes place on the database server to enable organizations to more efficiently and cost-effectively demonstrate compliance with information protection policies and regulations.
To provide more comprehensive defense for sensitive data, database requests are analyzed in real time to spot anomalous behavior by authorized users. Profiling is often used to establish a baseline of what is considered “normal” interaction with the database, so that any activity that falls outside that baseline generates an alert. In addition, to guard against sensitive information leakage, all information that leaves the database is monitored in real time. Exceptions to policies and anomalies are flagged, including injection attempts, database responses that contain sensitive information formats and suspicious log-on or administrative activity such as permission changes.
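The monitoring model described in the two preceding paragraphs (an audit trail of who accessed what from which IP, a learned per-user baseline, and policy checks for injection patterns, sensitive formats in responses and permission changes) can be illustrated with a small detector. This is an added example written for this article, not Symantec product logic; the audit records, the three-record baseline window and the regular expressions are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed audit records (user, source IP, statement, response); not real data.
AUDIT = [
    ("billing_app", "10.0.5.20", "SELECT balance FROM accounts WHERE id=101", "balance=42.10"),
    ("billing_app", "10.0.5.20", "SELECT balance FROM accounts WHERE id=102", "balance=7.00"),
    ("billing_app", "10.0.5.20", "SELECT balance FROM accounts WHERE id=103", "balance=19.95"),
    ("billing_app", "10.0.5.20", "SELECT name, ssn FROM customers", "name=A Smith,ssn=123-45-6789"),
    ("billing_app", "203.0.113.9", "SELECT balance FROM accounts WHERE id=104", "balance=1.00"),
    ("dba", "10.0.5.2", "GRANT ALL ON customers TO billing_app", "OK"),
    ("web", "10.0.5.30", "SELECT id FROM users WHERE name='x' OR '1'='1'", "id=1,id=2"),
]

# Assumed policy patterns: SSN / 16-digit card formats, privilege changes, tautology injection.
SENSITIVE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b(?:\d{4}[ -]?){3}\d{4}\b")
ADMIN = re.compile(r"^\s*(GRANT|REVOKE|ALTER\s+USER|CREATE\s+USER)\b", re.I)
TAUTOLOGY = re.compile(r"\bor\b\s*(['\"]?)(\w+)\1\s*=\s*\1\2\1", re.I)  # e.g. OR '1'='1'
TABLE = re.compile(r"\b(?:FROM|INTO|UPDATE|ON)\s+(\w+)", re.I)

def monitor(records, baseline_n=3):
    """Return (record index, user, reason) for every flagged record.
    The first baseline_n records of each user train that user's profile of
    normal tables and source IPs; later deviations from it are reported."""
    profile = defaultdict(lambda: {"n": 0, "tables": set(), "ips": set()})
    alerts = []
    for i, (user, ip, stmt, resp) in enumerate(records):
        tables = set(TABLE.findall(stmt))
        # Policy rules apply to every record, including those in the learning phase.
        if TAUTOLOGY.search(stmt):
            alerts.append((i, user, "injection pattern"))
        if ADMIN.match(stmt):
            alerts.append((i, user, "permission change"))
        if SENSITIVE.search(resp):
            alerts.append((i, user, "sensitive format in response"))
        p = profile[user]
        if p["n"] < baseline_n:          # still learning this user's normal behaviour
            p["n"] += 1
            p["tables"] |= tables
            p["ips"].add(ip)
            continue
        if ip not in p["ips"]:
            alerts.append((i, user, f"new source ip {ip}"))
        if tables - p["tables"]:
            alerts.append((i, user, f"new table {sorted(tables - p['tables'])}"))
    return alerts

if __name__ == "__main__":
    for alert in monitor(AUDIT):
        print(alert)
```

A production system would key the profile on more than tables and IPs (time of day, result-set size, statement shape), but the structure is the same: static policy checks on every statement and response, plus alerts for departures from the learned baseline.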
This data-centric approach to security provides power and energy utilities with direct protection and comprehensive coverage. Its alerts and reports help meet audit requirements, protect against fraud and identify data leakage regardless of its source. By making no distinction between insider and outsider behaviors, this information-based security approach protects against hacker attacks as well as improper activity by authorized insiders and even abuse of administrative privileges.
By detecting and alerting organizations to fraudulent activity on the database, offering real-time detection of sensitive information leakage and maintaining a compliance audit trail, this new data-centric approach to protection enables power and energy utilities to take significant strides toward building a robust cybersecurity posture in an increasingly challenging digital environment.
As senior director of industry solutions for Symantec Corp., Gary Sevounts is responsible for the definition and introduction of enterprise security solutions in the electric power and oil and gas industries. With more than 13 years of experience in information technology, including five years in information security, Sevounts brings a wealth of knowledge and expertise to Symantec. Before joining Symantec, Sevounts worked for Hewlett-Packard’s Internet Security Solutions Division as director of marketing.