Digital data downpour
SRP employs strict cyber precautions
Published In: Intelligent Utility Magazine March/April 2011
IT'S RAINING ONES AND ZEROS, AND UTILITIES ARE DUCKING for protection just like every other business, institution and government in the world. Data that used to have protective shelter under lock and key with limited employee access is now whizzing about in an ever-increasing mix of wire, fiber and wireless transmissions and storage technologies.
Information is constantly being aggregated and distributed in new and different forms. And, as soon as people get a handle on what's happening, newer technologies quickly emerge to further complicate the challenges. More portals for such data over power lines, smart meters, smart phones and tablet computers used by utility field personnel, cloud computing and point-to-point microwave transmissions further widen exposure and open risks.
There are few certainties in this new storm. One is: if there is valuable data being transmitted or stored, then someone will inevitably attempt to disrupt or steal it.
Bold steps to defend infrastructure
Bold steps are being taken across the industry by IT professionals to defend vital generation, transmission and distribution infrastructure. IT departments are constantly fighting hacker onslaughts and internal breaches by controlling access, building stronger firewalls and implementing encryption.
The Salt River Project (SRP) provides electricity to more than 940,000 retail customers in the Phoenix, Arizona, area and has already deployed more than 600,000 smart meters. Mike Lowe, SRP's manager of customer services, explained precautions his utility is taking. "We've got the traditional firewalls around the various networks and continually monitor them for penetrations. We do background checks on all hires and restrict employee access to systems on a need-to-know basis.
"We tightly control access to buildings as employees are reassigned or leave. Employee access is periodically reviewed and modified or revoked as appropriate."
$100 drive can lead to million-dollar leak
Often the enemy resides within.
As the U.S. State Department learned from the WikiLeaks scandal, an employee with a low-level security clearance and a USB flash drive caused worldwide chaos by releasing sensitive documents. In December, the episode led the U.S. Department of Defense to block computers holding classified files from writing to external drives and USB media.
A greedy or disgruntled employee should never have an opportunity to download proprietary data to external storage. In the wrong hands, a tiny, 32-gigabyte flash drive could cause embarrassment or millions of dollars in damage.
"At SRP a review on the use of USB flash drives is coming very quickly. We expect to have it implemented in the next 12 months," said Lowe. "There is going to be encryption available for those that need to use USB ports and, depending on the operational area in the company, ports may be shut down."
"I always tell utilities that as much effort as they spend on mitigating external threats, they need to spend twice as much effort on internal risks because that's the greater risk," advised Roy E. Hadley, Jr., a partner in the Atlanta law office of Barnes & Thornburg, and co-leader of the firm's cloud computing and cyber security practice team.
"Customer information held by a utility is considered a trade secret. A customer list is one of the most valuable trade secrets a company has, not only personal customer information, but usage patterns as well as personnel data. It's a valuable intellectual property, the basis of a business, the source of profit," Hadley said.
Mike Lowe commented on SRP's customer protections: "In our customer system we've gone through the National Security Administration Information Security Assessment Methodology and classified the data for the levels of confidentiality, availability and accuracy. Some things you have to hold sacrosanct like customer social security numbers and we lock down those types of things very tightly and control access.
"We also log access to every screen in the customer system so we know who looked at a screen and when. And we are currently investigating the encryption of key variables in our customer database. We have a desire to maintain control over our data and networks and have limited interest in cloud computing for that reason. We maintain all our own servers, which are locked down," Lowe said.
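The two controls Lowe describes, field-level classification with the most sensitive fields locked down, and a log of who looked at which screen and when, can be combined in a small access layer. The following is an added example, not SRP's code; the roles, screen names, field list and the sample record are hypothetical stand-ins for a customer system.

```python
"""Field-level classification plus per-screen access logging.

Added example; not SRP's code. The roles, screen names, field list and
the sample record are hypothetical stand-ins for a customer system.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Which roles may see each field in the clear. A field absent from this
# map is treated as restricted for everyone (deny by default).
FIELD_ACCESS: Dict[str, set] = {
    "name":      {"csr", "billing", "fraud"},
    "address":   {"csr", "billing", "fraud"},
    "usage_kwh": {"billing", "fraud"},
    "ssn":       {"fraud"},   # held sacrosanct: only the fraud team sees it
}

# A screen is a fixed bundle of fields; callers open screens, not fields,
# so the need-to-know decision is made once, in the screen definition.
SCREENS: Dict[str, List[str]] = {
    "billing_summary": ["name", "address", "usage_kwh"],
    "identity_verify": ["name", "ssn"],
}


def mask(field_name: str, value: str) -> str:
    """Redact a value the caller may not see; keep the last 4 of an SSN."""
    if field_name == "ssn":
        return "***-**-" + value[-4:]
    return "[restricted]"


@dataclass
class AuditEntry:
    when: str            # UTC timestamp of the view
    user: str
    role: str
    screen: str
    account_id: str
    fields_in_clear: List[str]
    denied: bool


class CustomerSystem:
    def __init__(self, records: Dict[str, Dict[str, str]]):
        self._records = records
        self.audit_log: List[AuditEntry] = []

    def _log(self, user, role, screen, account_id, shown, denied):
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user=user, role=role, screen=screen, account_id=account_id,
            fields_in_clear=list(shown), denied=denied))

    def view_screen(self, user: str, role: str, screen: str, account_id: str):
        """Return the screen's fields, redacted per role; log every attempt."""
        fields = SCREENS[screen]          # unknown screen fails loudly
        allowed = [f for f in fields if role in FIELD_ACCESS.get(f, set())]
        if not allowed:
            # Even a refused open is recorded: who tried, what, and when.
            self._log(user, role, screen, account_id, [], denied=True)
            raise PermissionError(f"role {role!r} may not open {screen!r}")
        record = self._records[account_id]
        view = {f: (record[f] if f in allowed else mask(f, record[f]))
                for f in fields}
        self._log(user, role, screen, account_id, allowed, denied=False)
        return view


# Constructed, fictitious record used only for the demonstration.
SAMPLE_RECORDS = {
    "A-1001": {"name": "Pat Example", "address": "1 Example Way, Tempe AZ",
               "usage_kwh": "1432", "ssn": "123-45-6789"},
}


def demo():
    system = CustomerSystem(SAMPLE_RECORDS)
    csr_view = system.view_screen("jdoe", "csr", "identity_verify", "A-1001")
    fraud_view = system.view_screen("asmith", "fraud", "identity_verify", "A-1001")
    try:
        system.view_screen("vendor7", "contractor", "billing_summary", "A-1001")
    except PermissionError:
        pass                              # the denial is still in the audit log
    return system, csr_view, fraud_view


if __name__ == "__main__":
    system, csr_view, fraud_view = demo()
    print(csr_view)                       # SSN masked for the CSR
    print(fraud_view)                     # clear for the fraud role
    for entry in system.audit_log:
        print(entry)
```

The point of routing every read through `view_screen` is that redaction and logging cannot be skipped by a caller: a CSR opening the identity screen gets the name and a masked SSN, the fraud role gets the clear value, and a role with no business on a screen is refused, with all three attempts landing in the audit log.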
Liability issues explored
Who is liable if customer information is compromised?
The utility is the victim in the sense that the information was stolen from the utility, but under most state data protection and privacy laws the customer is considered the victim. Under most state laws, the utility is required to notify a customer that his or her confidential information has been breached.
As of November 2008, all utilities were required to implement the Red Flag rules by the Federal Trade Commission to protect their customers from identity theft. Under the rules, utilities were mandated to develop a formal program to detect warning signs that fraud may be occurring such as unusual account activity. Red Flag programs must also describe appropriate responses to prevent and mitigate crimes. If a utility is negligent, fines of up to $2,500 per customer may apply. "We are fully Red Flag compliant," Lowe said.
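A Red Flag program's detection side amounts to a set of rules run over account events, each paired with the response the program prescribes. The following is an added example, not SRP's code and not the FTC's own list: the three rules are hypothetical illustrations of the kind of warning sign such a program detects, and a real program derives its flags from the utility's own risk assessment. The event names, thresholds and sample events are all constructed.

```python
"""Rule-based Red Flag detection over customer account events.

Added example; not SRP's code and not the FTC's list. The three rules
are hypothetical illustrations of the "warning signs" a Red Flags
program must detect. Event names, thresholds and sample events are
constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

ADDRESS_CHANGE_WINDOW = timedelta(days=30)   # assumed tuning value
RETURNED_MAIL_THRESHOLD = 2                   # assumed tuning value

# Each flag carries the response the program prescribes for it.
RESPONSES = {
    "shared_identifier":
        "Verify identity on all affected accounts before any further change.",
    "address_change_then_account_change":
        "Hold the change; confirm with the customer at the previous address or phone.",
    "returned_mail_active_account":
        "Suspend mailed statements; contact the customer by another channel.",
}


@dataclass
class Finding:
    account: str
    flag: str
    detail: str

    @property
    def response(self) -> str:
        return RESPONSES[self.flag]


def _day(ts: str) -> date:
    return date.fromisoformat(ts)


def shared_identifier(events) -> List[Finding]:
    """Same identifier (an SSN here) used to open more than one account."""
    accounts_by_id: Dict[str, set] = defaultdict(set)
    for e in events:
        if e["type"] == "account_opened":
            accounts_by_id[e["ssn"]].add(e["account"])
    findings = []
    for accounts in accounts_by_id.values():
        if len(accounts) > 1:
            for acct in sorted(accounts):
                others = ", ".join(sorted(accounts - {acct}))
                # The SSN itself is never copied into the finding.
                findings.append(Finding(acct, "shared_identifier",
                                        f"identifier also used on {others}"))
    return findings


def address_change_then_account_change(events) -> List[Finding]:
    """Address change followed, within the window, by a change of who may act on the account."""
    last_change: Dict[str, date] = {}
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "address_change":
            last_change[e["account"]] = _day(e["ts"])
        elif e["type"] in ("authorized_user_added", "new_service_requested"):
            changed = last_change.get(e["account"])
            if changed is not None and _day(e["ts"]) - changed <= ADDRESS_CHANGE_WINDOW:
                gap = (_day(e["ts"]) - changed).days
                findings.append(Finding(e["account"], "address_change_then_account_change",
                                        f"{e['type']} {gap} days after address change"))
    return findings


def returned_mail_active_account(events) -> List[Finding]:
    """Mail keeps coming back undeliverable while the account stays active."""
    returned: Dict[str, int] = defaultdict(int)
    active = set()
    for e in events:
        if e["type"] == "mail_returned":
            returned[e["account"]] += 1
        elif e["type"] in ("usage_reported", "payment_received"):
            active.add(e["account"])
    return [Finding(acct, "returned_mail_active_account",
                    f"{n} returned mailings on an account with continuing activity")
            for acct, n in sorted(returned.items())
            if n >= RETURNED_MAIL_THRESHOLD and acct in active]


RULES = (shared_identifier, address_change_then_account_change, returned_mail_active_account)


def run_red_flags(events) -> List[Finding]:
    findings: List[Finding] = []
    for rule in RULES:
        findings.extend(rule(events))
    return findings


# Constructed sample events (fictitious accounts and identifiers).
SAMPLE_EVENTS = [
    {"ts": "2011-03-01", "type": "account_opened", "account": "A-1001", "ssn": "123-45-6789"},
    {"ts": "2011-03-02", "type": "account_opened", "account": "A-1002", "ssn": "123-45-6789"},
    {"ts": "2011-03-05", "type": "address_change", "account": "A-2001"},
    {"ts": "2011-03-08", "type": "authorized_user_added", "account": "A-2001"},
    {"ts": "2011-03-10", "type": "mail_returned", "account": "A-3001"},
    {"ts": "2011-03-12", "type": "mail_returned", "account": "A-3001"},
    {"ts": "2011-03-13", "type": "usage_reported", "account": "A-3001"},
    {"ts": "2011-03-20", "type": "address_change", "account": "A-4001"},
    {"ts": "2011-06-01", "type": "authorized_user_added", "account": "A-4001"},  # outside window
]

if __name__ == "__main__":
    for f in run_red_flags(SAMPLE_EVENTS):
        print(f"{f.account}: {f.flag} ({f.detail}) -> {f.response}")
```

Run over the sample events, the rules flag the two accounts opened on one identifier, the account whose authorized users changed three days after an address change, and the account still reporting usage while its mail bounces; the account whose change came 73 days after the move is deliberately left alone. Findings carry account references rather than the identifier itself, so the fraud queue does not become a second copy of the sensitive data.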
Now a new world of exposure emerges as millions of smart meters are installed and utilities cope with meter data management (MDM).
"As utilities have access to more information through smart meters and smart grid technologies, there are certain types of information that utilities never had to deal with before," warned Hadley. "You have not seen many cases on it yet, but arguably some types of information could become private information that would then become subject to privacy and data protection laws."
Here's how SRP protects its smart meters: "We have internal security over the head-end systems so we restrict who has access," Lowe said. "Our system has a high level of encryption, communication through frequency-hopping spread spectrum and only certain meters can talk to certain other meters so you cannot break in just anywhere and have access to the network. There are also tamper flags. If there is a physical violation of a meter we know about it."
Protection is more than an IT function
How can utilities best protect themselves?
"Where most companies fall down is they think that this type of risk management, protecting the information, falls squarely in the IT function, but it's typically more than an IT function," said Hadley.
He recommends the formation of a multi-dimensional information security committee to regularly address the issues and establish a set of policies and procedures to protect the company.
Members should include, but not be limited to, governance, IT, compliance, operations, finance and human resources.
"You really have to have a multidimensional approach because everyone has to fully understand where the data is, how it's stored, used and transmitted. New technologies will come on board and are often implemented very quickly," Hadley said. "Utilities must be adept and agile to take advantage of those technologies, but also understand the risks and put in place mechanisms to mitigate those risks."
The Salt River Project appears to be ahead of the curve on Hadley's advice. SRP has an executive security leadership committee chaired by the executives responsible for physical security and information security, with key operating managers from across the enterprise as members.
DATA SECURITY TIPS
It starts with a cultural security ethic and it has to be enterprisewide.
You have to take security very, very seriously.
Recognize that there are risks.
Plug all the risks you can.
You may decide that some risks are not that great and accept some, but keep a careful eye on them.
Work with your vendors to increase security in the systems you buy.
It takes constant vigilance.
Source: Mike Lowe, SRP