Utilities Wrestle With IT Security Standards - InformationWeek


Two years after the blackout, electric companies are still developing security plans

As a brutal heat wave moved across the nation last week, sending temperatures in Denver to 105 degrees and causing Con Edison in New York to hit a peak usage record of more than 13,000 megawatts, electric utility executives met in San Francisco to put the finishing touches on standards to protect the U.S. power grid from physical and cyberattacks.

Originally slated to go into effect a year ago, the new deadline for complying with IT and physical security standards is expected to be August 2006, around three years after a power failure blacked out much of the northeastern United States and parts of Canada and raised questions about the security of the nation's power systems. The process of developing industrywide standards took longer than expected, utility executives say, because so many parties made proposals that needed to be reviewed and revised. Industry execs say they'll have no problem meeting the deadline for protecting IT and other automated control systems, but meeting the standards for physical security will be more difficult.

The IT-system security regulations under development by the North American Electric Reliability Council, an industry group, target processes such as test procedures; account and password management; security patch management; identification of vulnerabilities and responses; retention of operator, application, and intrusion-detection logs; change control and configuration management; disabling unused network services, ports, and dial-up modems; operating status monitoring tools; and backup and recovery. The industry is operating under a set of temporary security standards.

"This [new] standard will go much deeper than originally planned, including control systems, generation, and transmission," says Lou Leffler, manager of critical infrastructure protection at the council. "We're including thousands of facilities now and detailing the how, in addition to what."

Utilities face hundreds of attacks a day as hackers try to penetrate their systems. Executives won't discuss details of the attacks or the systems they have in place to repel them, but say they're well on their way to meeting the new cybersecurity standards since they've been beefing up IT security during the past two years.

"It's not so significant to secure cyberaccess," says Ed Lim, a systems administrator in the system power control center at PacifiCorp, a northwestern utility that serves seven states. "The biggest thing that helps us reach compliance is our work around Sarbanes-Oxley. Some of that work is immediately transferable."

Electric utilities support the creation of an industrywide IT security standard, but several say it won't result in major changes in the way they operate. "We follow standard security practices," says Julia Segars, CIO at Alabama Power, a member utility of Southern Company Services Inc. "I don't think it would've taken a regulation for us to implement these processes because it's a measure of good business practices."

Mike Carlson, VP of business transformation and customer value at Xcel Energy Inc., applauds the move to an industrywide standard. "The biggest value is the industry collectively pulling together around a single set of objectives and standards," he says. Xcel is taking advantage of its other IT systems to improve the security and management of utility-control systems. Over the long run, "we want to leverage the network infrastructure by putting [utility] control systems on the IP network," Carlson says.

Utility executives note that so far they haven't suffered a major cyberattack. They're more worried about Mother Nature and whether they can generate enough power to keep Americans cool during the hot summer months.
