Michael T. Burr
As the 20th century draws to a close, some utilities are beginning to feel like Shakespeare`s Hamlet-beset by the slings and arrows of outrageous fortune.
“Attacks by international terrorists on all types of infrastructure systems are occurring on a very frequent basis,” said Donnie Young, supervisory special agent with the FBI`s National Infrastructure Protection Center (NIPC), speaking at the EEI/AGA Information Technology (IT) Conference in mid-September.
The Y2K bug is accompanied by an even more menacing pest: computer hackers bent on causing mayhem (See “Millennium monsters: Hacker threats intensify as Y2K nears,” page 1). If an army of pasty-faced miscreants wielding 56k modems isn`t unsettling enough, consider the following excerpt from the October 6 testimony of Michael A. Vatis, NIPC director, addressing the U.S. Senate Judiciary Committee`s Subcommittee on Technology & Terrorism:
There is one potential problem associated with Y2K that causes us special concern-the possibility that malicious actors, foreign or domestic, could use the Y2K remediation process to install malicious code in the `remediated` software.
Utilities are beginning to second-guess Y2K remediation work that has already been completed. The very people entrusted with eradicating the Y2K bug present a security risk. Their insider status affords opportunities to install trap doors or obtain access privileges, providing access to sensitive systems; to implant so-called “logic bombs”-time-delayed viruses that disrupt systems at a later date; or to steal information for sale to competitors or foreign agents.
It might sound like something out of a Tom Clancy novel, but IT security threats are very real. “The more you learn about this stuff, the less you sleep at night,” said Lawrence Dolci, director of environmental services and senior attorney with Kansas City Power & Light Co. (KCPL). Speaking at the EEI/AGA IT Conference, Dolci explained that the utility monitors virtually continuous network activity that could represent attempts to break into its systems.
“We`d better do something, because the Federal government is going to require us to act if we do not. We are critical to the national security,” Dolci said.
The phrase, “critical to the national security,” strikes fear in the hearts of utility officials-and it should. KCPL and most other utilities are working closely with the FBI-mostly to combat terrorism, but also to stave off onerous federal oversight. Nice ideas like competition, customer loyalty and value-added services will go right out the window if they stand in the way of protecting national security interests.
Obvious measures like erecting strong firewalls and monitoring network activity won`t be enough to protect utilities from either hackers or National Security Agency operatives. Ensuring the fortitude of critical systems requires utilities to develop a security-driven culture. This is a tougher mandate than they have faced in the past, and it might conflict with the customer service cultures utilities are struggling to develop.
“Good `cyber security` practices must address personnel security and `social engineering` in addition to instituting electronic security measures,” NIPC Director Vatis said. This includes training all personnel in policies and procedures, and indoctrinating them in a philosophy of extreme caution. The need to prevent sensitive information from falling into the wrong hands might foster a bunker mentality and a climate of paranoia.
Suffering slings and arrows is not an acceptable response to the very real threats posed by cyber-terrorists and tricksters. Taking up arms won`t end the sea of troubles either, but it can repel the invaders enough to keep the lights burning. The real challenge will be in developing a security culture that doesn`t choke off the customer orientation and competitive spirit required for survival in the 21st century.