David Donelan, EMC Corp.
As the security of our nation and its information continues to be threatened, many energy-based companies are beginning to explore additional measures to protect their valuable data. These companies are uncovering weaknesses in the technology that operates numerous power plants and across the country. They have revealed the probability that just a single failure in one part of a wholesale electric generation, transmission, or grid management system can compromise the operation of an entire region.
Many energy companies are already looking for new ways to reduce cost, gain greater visibility into business processes, and make valuable information available 24×7. They want a solution that will tightly integrate all of their tremendously disparate IT systems while providing increased protection to the information shared between all participants of the energy supply chain. By implementing an automated networked storage solution, companies can increase the utilization and availability of information, as it is needed to perform business operations such as: content management, supply chain management (including procurement and inventory management), asset management, and online configuration of complex products and services. Automated networked storage solutions are designed to provide survivability and resilience—ensuring the future recovery of information from a possible catastrophe.
Energy companies have reinforced physical security and now monitor personnel entrances more closely than ever before. But little attention has been paid to the security of information—the lifeblood of any organization. Inadequacies, such as the limited communication between Independent System Operators (ISOs), have just begun to surface as more energy companies begin to share their information. This becomes an increasingly large problem when weather patterns become so severe that certain geographies need more energy from additional grids. Many of these transactions are intercepted and result in brownouts.
Even more threatening is the energy industry’s tight connection with the government and the regulations that require all “pipeline” schematics and power plant locations be available to the public.
Additionally, the North American energy market is evolving from a regulated market to a free market—at different speeds by state and province. As a result, the market participants have disparate business processes and IT systems. Their underlying information is in multiple formats, and it will take a more systematic and unified approach to information security to reduce today’s vulnerability.
To accelerate focus on information security, the Federal Energy Regulatory Commission (FERC) has stepped in. The FERC has laid out a roadmap for improving information security across all energy companies and market participants that will go into effect on January 1, 2004. According to the FERC, senior management must pay greater attention to information security. It also recommended improving security education and awareness, upgrading the ability to detect and share information on vulnerabilities, and ensuring that security criteria are integrated into all investment decisions.
Standards ensure that the nation’s electric grid and market are protected from the impacts of planned and unplanned outages. The security standards primarily focus on electronic systems including: hardware, software, data, related communications networks, control systems as they impact the grid or market and personnel. In addition, the proposed FERC guidelines address physical security—to the extent that it is necessary to assure protection of these “cyber” resources.
The intent of security standards is to ensure that the appropriate mitigating plans and actions are in place in the event of an attack. (See pyramid graphic.)
Once the FERC standard goes into effect in 2004, every energy market participant will be required to certify compliance on an annual basis. As a result, the leading market participants need to leverage an automated networked storage solution to help comply with these FERC regulations, and many energy leaders are already implementing enterprise-wide information storage networks protected by state-of-the-art intelligent software to automate information protection, sharing, and management.
Building a solution
The proposed system management regulation requires that energy companies develop a security perimeter around all cyber assets, and, at a minimum, institute: procedures for passwords; authorization and re-validation of computer accounts; disabling of unauthorized or unused computer accounts as well as unused network services and ports; and secure dial-up modem connections including firewall software, intrusion detection systems, host-based intrusion or system failure for critical systems, patch management, and the installation of anti-virus checkers. Energy companies are deploying security software from vendors like CA, BMC, McAfee, IBM, and others to aid in intrusion detection, access control, virus detection and firewalls. They are also using information replication software and I/O path access control software from storage vendors to further ensure protection and compliance. EMC, for example, offers a “phone-home” feature designed to signal support personnel when information storage assets are not performing at optimal levels, thereby allowing the storage vendor to ameliorate a problem even before the energy company knows about it.
An advanced automated networked storage solution (as illustrated by the graphic) combines common direct and network attached techniques (direct attached storage [DAS], storage area networks [SAN], and network attached storage [NAS]) into a common architecture to reap the benefits of each connection method. For example, several North American ISOs store summary information about electricity demand on a NAS system. They make the information available (through a firewall) to their participating generation companies (GENCOs) over the Internet. Simultaneously, the ISOs consolidate large volumes of real-time transmission statistics from the grid through the larger information sharing network channels of the SAN. This is one example of how energy market participants are leveraging and optimizing the functionality of advanced automated networked storage.
Automated networked storage helps all energy market participants, including ISOs, shareholder-owned utilities, GENCOs, transmission companies, and even industrial customers, to drive standardization while reducing cost, complexity, and redundancy without sacrificing the flexibility to support changing business cycles. And through a flexible architecture, IT can change, evolve, and eliminate the costly replication of data, equipment, and training.
Although the ISO never buys or sells electricity itself, the ISO acts as an electronic auction house. It coordinates thousands of arrangements for electricity every hour between buyers and sellers, while tracking prices and running sophisticated settlement systems. The ISO depends on secure and valid information to properly manage this delicate balance. A standardized approach to ensuring information security will help the ISO to do its job—with fewer errors, less cost, and less risk.
As the demand for power climbs, utility companies strive to generate power to meet the demand and generate more revenue. The more secure the information that drives demand forecasting, the more accurately they can manage their generation operations. This ultimately reduces a utility company’s cost of generation, increases their profit, and improves accountability to shareholders.
The real proof that information security should be standardized will be seen in the energy customer base. Industrial companies and retail consumers alike will continue to see consistent energy supply, despite increasing threats of the new century, because energy market participants (shepherded by FERC) will ensure more rigid security methods. And, they will comply through the combined use of security software and an automated networked storage infrastructure.
Many agree that today’s energy market stakeholders will benefit from security standardization. As the generation companies need to present supply information in the same way so that it will be protected from tampering, the ISOs will be able to assess market conditions, load, and demand in a more consistent way. Energy retailers and distributors will be more assured of consistent supply and end-users will be assured of a more reliable energy source.
Donelan is responsible for EMC’s industry and enterprise business applications initiatives worldwide. Since joining EMC Corp. in 1997 as marketing manager for software programs, he has held a number of management positions.