You may ask, why the special emphasis now? Well, until recently and with no offense intended, utilities were an Internet backwater. They were (happily for them) way down on attackers' list of targets, partly because of their reputation as technology laggards, and partly because many of their systems were standalone, or nearly so. Folks we've met who've worked in utilities for decades, as well as those who've helped take care of their technology needs, attest that they've worked un-harassed in relative obscurity, until recently that is.
Emerging Center of the Universe
Now all eyes are on these guys: the press and analysts, Congress, the Department of Homeland Security (DHS), regulators NERC and FERC .... And two groups who more than any other are putting pressure on the utilities to perform, security-wise:
- The aforementioned attackers, who now like what they see a lot more as utilities bring new web apps on-line, begin to aggressively interconnect their systems, and enable two-way communications to/from some of their most important systems, like the head-ends that aggregate much of the incoming traffic from customer systems
- And of course, customers. Long dormant with only the absolute minimum interaction with their electricity providers, thanks largely to the press, customers are waking up and beginning to raise their voices demanding better service and control over fees
In addition to what you can see in the Forrester slide, both the old and the new, there are numerous other types of systems, not the least of which (in importance) are "outage management systems". From our survey of utilities' IT managers and their service providers, we can place all into one of several categories:
- Classic Cobol/Mainframe - As everyone knows, mainframe apps have been around forever and are always just a year or two away from replacement. This will (almost) never change. Many, if not most were developed initially deployed pre-Internet era and therefore security was neither designed in nor bolted on. Formerly protected primarily by their isolation, these old workhorses are becoming increasingly connected as their data (e.g., customer, financial, accounting, etc.) become increasingly important to other systems in a Smart Grid world. What's our advice for securing these systems ... stay tuned
- Client/Server - Most often found in the form of packaged or "commercial off the shelf" (COTS) applications, these include a server component including logic and a database, and client-side software that sits on PCs. Typically manufactured by large, well known software vendors, these systems are most secure when configured properly, patched quickly, and kept up to date on the most current release. Note: these systems are as secure as their vendors have chosen to make them
- Web Apps - Here we find some of the utilities' efforts to establish better rapport with business and residential customers. Some are purely informational, but others use access controls to enable account management, bill payment and other self-help features. These are typically developed using a mix of COTS packages, custom code and free and open source software (FOSS), and security vulnerabilities can lurk in any of those three pieces, as well as from improper configuration. Note: these are as secure as the requirements stipulated they must be. If there were few/no requirements for security in the design docs, barring a major overhaul at some point, that's how much security you can expect to find in them.
- Web Services and Cloud - Code words connoting using remotely hosted application logic and data storage. We all use them today, and utilities, while sometimes slower to adopt new tech than others, are no exception. Examples include Geographic Information Systems (GIS), email, productivity apps, etc. These too, are as secure as their designers have chosen to make them, and in particular, users need to ask about how their data is protected, in transit and at rest
In some ways, securing IT systems is the same job for utilities as it is for other sectors. It's been done before and is clearly not rocket science; yet doing it very well over time is a major undertaking for an organization, and requires solid commitment from the highest levels in an organization.as well as steady and adequate funding. It's not clear that as presently staffed and budget, most utilities can fully meet this challenge.
In other ways, of course, the ramifications of significant breaches are on quite a different plane altogether. As some of these systems will connect directly or indirectly to control systems that monitor and sometimes drive important physical power infrastructure, we should treat securing utility IT systems levels of gravity and rigor similar to FAA control tower applications or DOD command and control systems. The costs of failure in the energy sector are indeed often life threatening, not to mention economically and socially hazardous, and merit the community's absolute best efforts.
Chart courtesy of Forrester Research, 2009