Condition yellow, which is preceded by green and followed by amber and red, signifies a major event that raises the likelihood of an attack against Exelon's facilities, says David Albrecht, IT operations manager for Exelon's mid-Atlantic region, covering Pennsylvania, New Jersey, and Maryland. Albrecht's region includes energy delivery companies such as Peco Energy and a number of Exelon facilities, including Limerick Nuclear Generating Station, Peach Bottom Atomic Power Station, Three-Mile Island, and Oyster Bay. In his five years with the company, Albrecht says this is the first condition yellow he's seen.
Each level of Exelon's alert condition hierarchy beefs up auditing of Internet gateways, Web servers, firewall logs, and intrusion-detection systems. "In the past, we were primarily focused on viruses. There's no end to the way hackers exploit the vulnerabilities of IT systems," Albrecht says. Since moving Exelon's alert status to condition yellow, Albrecht and his team have analyzed the security settings on all of the IT department's servers and installed a number of patches for Microsoft NT.
Albrecht looks at the extra diligence as a small price to pay. "As an American, to see that kind of terrorist activity, or that threat of war, really hits home," he says. "Sept. 11 was a wake-up call, especially in how we view security."
"There's no question that Mr. Ashcroft's comments were heard," says Thom Tillis, a partner with PricewaterhouseCoopers' energy & utilities practice. Tillis says that energy and utility companies are used to coping with emergencies such as blizzards, tornadoes, or hurricanes. Adequate protection of IT assets in most cases means extending "an established playbook" for security and contingency planning, he says.
Ashcroft's warning also brings into focus new threats to IT. Prior to the attacks, Exelon defined IT security primarily as protection against malicious viruses such as code Red or Nimda. Now Albrecht says he's on guard against hackers using Exelon's IT systems to launch a cyber attack on others.
"I don't think this heightened awareness will end, and I don't think it should end," Albrecht says. Albrecht suggests that companies should have a chief security officer on staff, in addition to a CIO. "I think security deserves that level of attention," he says. "Our facilities rely on these systems, and if they're compromised, it will impact their ability to do business."