|
For decades, the
world's business community has requested, nay demanded, "open"
systems and protocols from its information technology systems
and communications equipment suppliers. Now that open systems
are available in this "mix and match" and "plug and play" age,
companies are no longer bound to a single supplier for
information systems and application solutions.
Unfortunately,
large, multi location enterprises gain more than flexibility
and multi-vendor options with open systems. Along with the
openness comes an increase in risk of unauthorized access to
these systems. Unauthorized access can take the form of
tampering, reading private corporate files, hacking and other
forms of information terrorism.
Because security
breaches have been limited to date, it is difficult to
envision unauthorized access to a supposedly secure
mission-critical energy management system or supervisory
control and data acquisition systems. With the dawn of serious
competition upon us, the concurrent demand to open
communication links with multiple external organizations and
the emergence of potentially harmful information terrorism, we
must be mindful of our responsibility to the public we serve
and to the utility organizations that employ us.
Electric utilities
must stop relying on blind luck in their data network security
planning. This applies to both the business information system
area and, more important, to the technical information systems
area, including energy management and supervisory control
installations.
Call it a contrary
view forged in large part on real-life experiences with
communications security in another arena where true mission
critical decisions were on the line, but as we broaden and
extend our communications linkages and broaden the links
within our own operations, we may be opening Pandora's box as
far as network intrusions and unauthorized access are
concerned.
Utilities
Don't Take Security Seriously Recent Newton-Evans surveys on network
security found the following:
- More than
70% of utilities plan to move at least some
applications to open systems by the turn of the
century. About the same percentage plan to incorporate
remotely reconfigurable relays in the field.
- Only two of
100 utilities surveyed mentioned improved security as
a benefit of upgrading its protection and control
systems.
- Protection
coordination analysis studies - at least among
mid-size utilities - are typically run less than once
per year.
- More than
half of all computer applications will reside on open
client-server systems by the turn of the century.
- Seventy
percent of information services managers at the large
utilities surveyed indicated that they would be
implementing open protocols by the turn of the
century.
- In the
United States, about 10% of transmission class
substations and 40% of distribution substations are
not equipped with remote terminal units or
programmable logical controllers for remote data
acquisition, according to a recent survey. The
percentages are the same or worse in most other
countries. Even in those substations with basic remote
data acquisition, only a minority are configured to
provide alerts and alarms for events such as unlocked
gates, smoke detection and unauthorized access to the
facility.
|
Limiting access to
its business records and files is important for any company.
Limiting access to real-time, mission-critical computer and
communications activities is paramount to the continued safe
and secure operation of the world's electricity grids.
I encourage each of
you, as systems operations managers, system planners, network
designers and protection and control personnel, to act on
issues of critical importance.
- Review security
procedures for data network accessibility and authorization.
- Review security
and integrity aspects of protection and control systems.
- Actively manage
access authorization to real-time mission critical
operations.
- Consider limiting
access to mission critical data files, preferably limiting
access through down-line loaded historical data via data
warehouses. Personnel outside of the control center rarely
need direct access to real-time operational data.
- Request IT
security experts to conduct a formal security audit.
Open systems,
wireless media, Internet links and remote accessibility
provide advantages to utility operations, but if we ignore
security issues, we will pay dearly. In the future, utilities
will be asked to open their systems to more external
organizations. So do yourself a favor and conduct a top-down
security review of system/file access authorization and access
controls to sensitive utility operated facilities and
equipment before it's too late.
|
