A computer hacker thought he was being discrete when
he tapped into the system of a major utility that serves
120 million customers and 280,000 businesses -- the
largest provider of energy in California. But little did
the hacker know his exploits were being monitored by the
utility and the firm that analyzes all relevant data in
its firewalls and application logs.
|
Ken Silverstein
EnergyBiz Insider
Editor-in-Chief |
Utilities are vulnerable on a lot of fronts. An
increasing number of customers, for instance, are paying
their bills online. As a result, power companies now
possess vital information, such as bank account data and
in some cases, credit card numbers. Some businesses use
outdated software that can be breached by those with
ill-will. And, utilities often have enemies, such as angry
former employees, customers or landowners as well as
anti-utility organizations. At the same time, hackers may
steal the information and sell it over the Internet.
Tracking down hackers is not easy. But, it is possible.
Virginia-based Intellitactics is the software firm focused
on security issues that assisted the utility in need of
help -- a company that Intellitactics can't name. The
security team within the utility had been getting a number
of defense alerts. Some turned out to be valid and others
did not. But the shear volume of them meant that the power
company had to come up with a more cost-effective solution
to monitor its information technology systems.
"Let's face it, utility companies can be targets," an
executive at the utility says. "We rely on our networked
infrastructure to bring power to millions of subscribers.
We can't control storms, fires and temperature extremes,
all of which can jeopardize our service. But we can
control attacks on the enterprise and protect the
information we need to power this section of the country.
We are serious about security."
Utilities also have to comply with regulations mandated
by the U.S. Department of Energy and the Federal Energy
Regulatory Commission. The Energy Department, for example,
requires all actual and attempted cyber attacks to be
reported to it within one hour after they occur. Randy
Davis, Intellitactics CEO, says that information
technology managers and company executives must develop
metrics - measurable performance standards -- to
understand the progress they are making to prevent
corporate espionage.
"Every executive I've spoken with is interested in
having the metrics that describe security effectiveness,"
says Davis. "Every security manager is grappling with how
to generate and deliver them."
Greater Risks
The risks are greater now than ever before. The total
interconnectivity of networks through the Internet has
given hackers new ways to get vital information. That's
why the North American Electric Reliability Council has
developed standards for utilities when it comes to
protection of their information systems. Indeed, power
grids are susceptible to not just worms and viruses that
can disrupt business but also to large-scale onslaughts
intent on shutting down systems completely.
The problem is global in scope. In Queensland,
Australia, on April 23, 2000, for instance, police stopped
a car and found a stolen computer and radio transmitter
inside. With commercially available technology, Vitek
Boden -- a disgruntled former employee -- was able to
crack Maroochy Shire's computer system that controls
operations at the wastewater facility.
Using his car as his "place of business," he was able
to configure the system to release thousands of gallons of
untreated sewage water into the environment for two full
months. After his arrest, Janelle Bryant of the Australian
Environmental Protection Agency had said that "marine life
died, the creek water turned black and the stench was
unbearable for residents." Until Boden's arrest, officials
didn't know why this was happening.
Terrorism is a top-of-mind issue for government
officials. A well-heeled group "could conduct a structured
attack on the electric power grid electronically, with a
high degree of anonymity, and without having to set foot
in the target nation," the Government Accountability
Office wrote.
Beyond cyber threats, companies must implement employee
agreements that prohibit anyone from using company "trade
secrets" -- anything that a company knows that is unknown
in the marketplace and that gives it a competitive
advantage. The U.S. Department of Justice advises
companies to notify their employees of existing trade
secrets and limit access to that information on a strict
need-to-know basis. It also suggests confidentiality
agreements.
If secrets are unlawfully revealed, businesses can
request criminal investigations that are guaranteed under
the right circumstances by the Economic Espionage Act of
1996. That law doesn't just protect classified
information. It also protects corporate information. Each
year in the United States, $24 billion is lost because of
corporate spying, the FBI's National Counter Intelligence
Agency estimates. It also says that 34 cases have been
prosecuted under the law since its inception.
Espionage can occur at all levels of American
enterprise. Natural gas traders, for example, make trades
and hold positions that are proprietary in nature. If such
information were to be leaked by traders or back office
personnel, it could not only erode the already thin
margins their companies earn but it could also violate
federal insider trading laws that assure the veracity of
markets.
"Lots of money is at stake and people are always in
search of ways to get ahead," says John DiFrances,
managing partner at DiFrances & Associates in Wales,
Wisconsin, which advises businesses on strategic and
safety issues. "Corporate espionage hurts everyone and
advantages only a few. That's why companies need to
safeguard against these acts and if they occur, let
violators know there will be consequences."
No company is safe. And that includes those in the
utility sector. Cyber threats are real and can range from
terrorist activity to the stealing of trade secrets to
illegally obtaining customer information. The insidious
nature of the crimes keeps escalating as hackers find more
creative ways to achieve their means. The good news is
that companies understand the threats and a lot of tools
exist to address security concerns.
For far more extensive news on the energy/power
visit: http://www.energycentral.com
.
Copyright © 1996-2005 by CyberTech,
Inc. All rights reserved.
|