[ISN] Energy Utilities Ramp Up Security

From: InfoSec News (isnat_private)
Date: Wed Sep 11 2002 - 23:13:40 PDT

  • Next message: InfoSec News: "[ISN] Final Speakers Announced for HiverCon 2002"

    September 10, 2002
    By Evan Koblentz 
    In the wake of the Sept. 11 attacks last year, the IT security needs
    of the Tennessee Valley Authority - which already were massive -
    became even more important, said Anthony Smith, the authority's IT
    security senior manager.
    Generating enough revenue to run itself without federal assistance,
    the TVA - the nation's largest public power producer - generates up to
    30,000 megawatts of power each year, from 11 coal plants, 29
    hydroelectric plants, three nuclear plants, one pump storage plant and
    backup combustion turbines. TVA serves seven states, 8.3 millions
    people, and 150 local, municipal and cooperative energy sellers.
    "What we found is the largest element in IT security is training and
    education," said Smith, in Knoxville.
    The authority's 700 IT employees have been schooled, through classroom
    instruction, campaigns and even contests, in how to recognize "social
    engineering" security tactics, such as crackers who try to obtain
    physical access to passwords.
    "[Another] thing that we've begun to do is partner with other federal
    agencies, to see what they've done" in areas like anti-virus software,
    intrusion detection and vulnerability testing, Smith said.
    He wouldn't provide details of TVA's actual IT infrastructure, but
    said it's tested regularly.
    "We have labs, where we simulate 'these are the types of attacks you'd
    see,' and how to mitigate those threats. That's an ongoing process,"  
    he said. In addition, "we're having to work hand-in-hand with the
    physical security people."
    To accomplish that, TVA is using both off-the-shelf and customized IT
    tools, and has classified plans for the military bases it serves.
    Overall, since Sept. 11, "we have definitely stepped up our posture,"  
    Smith said. In particular, the authority is working to keep in
    compliance with the Government Information Security Reform Act, he
    Advice and criticism of power plant security and technology's role
    comes from varied sources. At the Union of Concerned Scientists, a
    non-profit, politically neutral technology safety advocate, nuclear
    safety engineer David Lochbaum has a laundry list of suggestions for
    improving plant safety, many of which incorporate the use of IT
    resources. Lochbaum knows the issues first-hand, having spent 17 years
    in the industry.
    "Prior to 9/11, the background checks were pretty much done with your
    social security number, to see if you've had any trouble in the U.S.,"  
    he said. However, today's networks make those checks worldwide and
    much more quickly, said Lochbaum, in Washington. For example,
    fingerprint storing and checking is now done over a network instead of
    with ordinary mail, he said.
    In some cases, it helps to not use technology, Lochbaum said. The
    government's Nuclear Regulatory Council has removed much technical
    information from its Web site, "just to make sure we're not aiding our
    enemies too much," he said.
    In another example, today's power plants use modern networks for
    day-to-day business needs, but their complex control systems tend to
    be "a lot of 1960s technology. A lot of the safety systems are  not
    digital," he said.
    Criminals can't break into what's not a digital connection.
    Help also comes from private companies, like Rainbow Mykotronx, owned
    by Rainbox Technologies Inc., in Irvine, Calif. About 75 percent of
    Mykrotronx's $75 million in annual revenue comes from the National
    Security Agency, but the division has been expanding into the
    commercial sector, including public utilities, said John Droge, vice
    president of business development and an 11-year NSA veteran.
    Droge disagrees with the obscurity-as-security notion. At a bank,
    "they don't take the money and put it in desk drawers and hide it,
    they lock it," he said. Similarly, criminals may not know a
    telecommunications network's passwords, but with "a coat hanger and a
    couple of parts from Radio Shack, you can start talking to a
    satellite," he said.
    That concept is real. Satellites have control links that are separate
    from their data links to deal with things like rocket angle, solar
    panels and battery power. Private satellite owners have only recently
    began adopting the government's 20-year-old policy of encrypting those
    control links. Otherwise, "if you could shut the gas off going into
    downtown Chicago in January, you could do some damage. You might have
    some people die," said Droge, in Torrance, Calif.
    "Bad things have definitely happened, there are a number of different
    smoking guns," he said. "A former employee for a water utility was
    upset that he was let go and he actually dumped raw sewage into clean
    systems from his computer. He's in jail now," Droge said. "Eighty to
    90 percent of the industry doesn't have the security mechanisms that
    are needed in today's world."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Sep 12 2002 - 01:34:47 PDT