http://www.eweek.com/article2/0,3959,525968,00.asp September 10, 2002 By Evan Koblentz In the wake of the Sept. 11 attacks last year, the IT security needs of the Tennessee Valley Authority - which already were massive - became even more important, said Anthony Smith, the authority's IT security senior manager. Generating enough revenue to run itself without federal assistance, the TVA - the nation's largest public power producer - generates up to 30,000 megawatts of power each year, from 11 coal plants, 29 hydroelectric plants, three nuclear plants, one pump storage plant and backup combustion turbines. TVA serves seven states, 8.3 millions people, and 150 local, municipal and cooperative energy sellers. "What we found is the largest element in IT security is training and education," said Smith, in Knoxville. The authority's 700 IT employees have been schooled, through classroom instruction, campaigns and even contests, in how to recognize "social engineering" security tactics, such as crackers who try to obtain physical access to passwords. "[Another] thing that we've begun to do is partner with other federal agencies, to see what they've done" in areas like anti-virus software, intrusion detection and vulnerability testing, Smith said. He wouldn't provide details of TVA's actual IT infrastructure, but said it's tested regularly. "We have labs, where we simulate 'these are the types of attacks you'd see,' and how to mitigate those threats. That's an ongoing process," he said. In addition, "we're having to work hand-in-hand with the physical security people." To accomplish that, TVA is using both off-the-shelf and customized IT tools, and has classified plans for the military bases it serves. Overall, since Sept. 11, "we have definitely stepped up our posture," Smith said. In particular, the authority is working to keep in compliance with the Government Information Security Reform Act, he said. Advice and criticism of power plant security and technology's role comes from varied sources. At the Union of Concerned Scientists, a non-profit, politically neutral technology safety advocate, nuclear safety engineer David Lochbaum has a laundry list of suggestions for improving plant safety, many of which incorporate the use of IT resources. Lochbaum knows the issues first-hand, having spent 17 years in the industry. "Prior to 9/11, the background checks were pretty much done with your social security number, to see if you've had any trouble in the U.S.," he said. However, today's networks make those checks worldwide and much more quickly, said Lochbaum, in Washington. For example, fingerprint storing and checking is now done over a network instead of with ordinary mail, he said. In some cases, it helps to not use technology, Lochbaum said. The government's Nuclear Regulatory Council has removed much technical information from its Web site, "just to make sure we're not aiding our enemies too much," he said. In another example, today's power plants use modern networks for day-to-day business needs, but their complex control systems tend to be "a lot of 1960s technology. A lot of the safety systems are … not digital," he said. Criminals can't break into what's not a digital connection. Help also comes from private companies, like Rainbow Mykotronx, owned by Rainbox Technologies Inc., in Irvine, Calif. About 75 percent of Mykrotronx's $75 million in annual revenue comes from the National Security Agency, but the division has been expanding into the commercial sector, including public utilities, said John Droge, vice president of business development and an 11-year NSA veteran. Droge disagrees with the obscurity-as-security notion. At a bank, "they don't take the money and put it in desk drawers and hide it, they lock it," he said. Similarly, criminals may not know a telecommunications network's passwords, but with "a coat hanger and a couple of parts from Radio Shack, you can start talking to a satellite," he said. That concept is real. Satellites have control links that are separate from their data links to deal with things like rocket angle, solar panels and battery power. Private satellite owners have only recently began adopting the government's 20-year-old policy of encrypting those control links. Otherwise, "if you could shut the gas off going into downtown Chicago in January, you could do some damage. You might have some people die," said Droge, in Torrance, Calif. "Bad things have definitely happened, there are a number of different smoking guns," he said. "A former employee for a water utility was upset that he was let go and he actually dumped raw sewage into clean systems from his computer. He's in jail now," Droge said. "Eighty to 90 percent of the industry doesn't have the security mechanisms that are needed in today's world." - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Sep 12 2002 - 01:34:47 PDT