Energy Utilities Ramp Up Security

[InfoSec News <isn () c4i org>]

http://www.eweek.com/article2/0,3959,525968,00.asp

September 10, 2002
By Evan Koblentz 

In the wake of the Sept. 11 attacks last year, the IT security needs
of the Tennessee Valley Authority - which already were massive -
became even more important, said Anthony Smith, the authority's IT
security senior manager.

Generating enough revenue to run itself without federal assistance,
the TVA - the nation's largest public power producer - generates up to
30,000 megawatts of power each year, from 11 coal plants, 29
hydroelectric plants, three nuclear plants, one pump storage plant and
backup combustion turbines. TVA serves seven states, 8.3 millions
people, and 150 local, municipal and cooperative energy sellers.

"What we found is the largest element in IT security is training and
education," said Smith, in Knoxville.

The authority's 700 IT employees have been schooled, through classroom
instruction, campaigns and even contests, in how to recognize "social
engineering" security tactics, such as crackers who try to obtain
physical access to passwords.

"[Another] thing that we've begun to do is partner with other federal
agencies, to see what they've done" in areas like anti-virus software,
intrusion detection and vulnerability testing, Smith said.

He wouldn't provide details of TVA's actual IT infrastructure, but
said it's tested regularly.

"We have labs, where we simulate 'these are the types of attacks you'd
see,' and how to mitigate those threats. That's an ongoing process,"  
he said. In addition, "we're having to work hand-in-hand with the
physical security people."

To accomplish that, TVA is using both off-the-shelf and customized IT
tools, and has classified plans for the military bases it serves.

Overall, since Sept. 11, "we have definitely stepped up our posture,"  
Smith said. In particular, the authority is working to keep in
compliance with the Government Information Security Reform Act, he
said.

Advice and criticism of power plant security and technology's role
comes from varied sources. At the Union of Concerned Scientists, a
non-profit, politically neutral technology safety advocate, nuclear
safety engineer David Lochbaum has a laundry list of suggestions for
improving plant safety, many of which incorporate the use of IT
resources. Lochbaum knows the issues first-hand, having spent 17 years
in the industry.

"Prior to 9/11, the background checks were pretty much done with your
social security number, to see if you've had any trouble in the U.S.,"  
he said. However, today's networks make those checks worldwide and
much more quickly, said Lochbaum, in Washington. For example,
fingerprint storing and checking is now done over a network instead of
with ordinary mail, he said.

In some cases, it helps to not use technology, Lochbaum said. The
government's Nuclear Regulatory Council has removed much technical
information from its Web site, "just to make sure we're not aiding our
enemies too much," he said.

In another example, today's power plants use modern networks for
day-to-day business needs, but their complex control systems tend to
be "a lot of 1960s technology. A lot of the safety systems are … not
digital," he said.

Criminals can't break into what's not a digital connection.

Help also comes from private companies, like Rainbow Mykotronx, owned
by Rainbox Technologies Inc., in Irvine, Calif. About 75 percent of
Mykrotronx's $75 million in annual revenue comes from the National
Security Agency, but the division has been expanding into the
commercial sector, including public utilities, said John Droge, vice
president of business development and an 11-year NSA veteran.

Droge disagrees with the obscurity-as-security notion. At a bank,
"they don't take the money and put it in desk drawers and hide it,
they lock it," he said. Similarly, criminals may not know a
telecommunications network's passwords, but with "a coat hanger and a
couple of parts from Radio Shack, you can start talking to a
satellite," he said.

That concept is real. Satellites have control links that are separate
from their data links to deal with things like rocket angle, solar
panels and battery power. Private satellite owners have only recently
began adopting the government's 20-year-old policy of encrypting those
control links. Otherwise, "if you could shut the gas off going into
downtown Chicago in January, you could do some damage. You might have
some people die," said Droge, in Torrance, Calif.

"Bad things have definitely happened, there are a number of different
smoking guns," he said. "A former employee for a water utility was
upset that he was let go and he actually dumped raw sewage into clean
systems from his computer. He's in jail now," Droge said. "Eighty to
90 percent of the industry doesn't have the security mechanisms that
are needed in today's world."




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.