In-Depth

New Data Security Standards Set for Utilities

New regulations mandate increased security for utilities' supervisory control and data acquisition systems

• By Mathew Schwartz
• 09/13/2005

Thanks to new, impending regulations, electric companies are set to get mandatory information security standards.

Such regulations were often discussed following 9/11, given the perceived insecurity of information security systems at many utilities and so-called infrastructure organizations. Indeed, attackers could compromise producers or distributors of natural gas, electricity, chemical, and petroleum, and alter or shut down the supervisory control and data acquisition (SCADA) systems which run critical processes. Thus a successful attack might shut down power, vent harmful chemicals into the environment, or even cause an explosion.

Many executives at utilities see this as more than a potential threat. According to a July survey of 50 IT executives at medium and large-size utilities commissioned by TNT and conducted by Applied Research - West Inc., one-third think their SCADA systems or energy distribution systems will be attacked in the next two years. Twenty percent report their SCADA systems have already come under attack.

Beyond Voluntary Efforts

Over the past four years, some utilities have responded to these threats by creating industry baselines of information security practices, and encouraging others in their industry to use them. Voluntary standards from the North American Energy Reliability Council (NERC), called the NERC 1300 standards (though now technically known as CIP-002-009), also encourage organizations to improve their information security practices. The guidelines were drawn up in the wake of the blackout which affected parts of the Northeast and Midwest in 2003. In fact, the power outage was reportedly linked to—or at least not helped by—one utility’s PCs becoming infected with the Blaster worm.

The keyword there, of course, is voluntary. That will soon change, thanks to a recent report from the U.S. General Accounting Office (GAO), which raised new questions about the information security preparedness of infrastructure organizations and utilities. That, in turn, helped spur a new mandate for an “electric reliability organization” to set standards for the North American energy grid. This mandate is part of the Energy Policy Act of 2005, which President Bush signed into law last month. NERC will help craft the law.

This is good news, Robert Ciampa, the vice president of marketing and business strategy at Trusted Network Technologies Inc., a developer of identity audit and control software. “A uniform set of security standards combined with continued IT education regarding network access control will play a critical role in ensuring a reliable utilities security posture.”

Utilities are likely not overjoyed by the new regulations. According to the TNT survey, two-thirds of IT executives note that efforts to document controls are intensely manual, and 43 percent say implementing NERC guidelines or Sarbanes-Oxley regulations interferes with critical IT efforts.

The regulations are not optional. “You’re in such a heavily regulated environment, you just grow up in a mindset in a utility that you can’t be out of compliance with anything,” notes Jim Turner, the compliance director for Alabama Power Company.

Hence, spending will increase. Utilities expect to spend a third more on Sarbanes-Oxley projects next year, and 52 percent more on the NERC 1300 guidelines, which not coincidentally will probably strongly resemble the new energy regulations Congress is now crafting.

Of course, the new regulations, provided they’re enforced, should overall also improve electric companies’ information security practices. For example, Turner reports that, spurred by Sarbanes-Oxley requirements, the utility improved its “IT, network controls, application controls, and security controls.” So while the project “was a substantial amount of work,” he says it nevertheless “got some needed attention and a lot of money appropriated to make those controls more robust and adequate.”

Related Articles:

Case Study: Energy Company Monitors IM
http://www.esj.com/Security/article.aspx?EditorialsID=1409

Q&A: How to Secure a Critical Infrastructure
http://www.esj.com/Security/article.aspx?EditorialsID=1356