By Dominique Levin
EVP Marketing and Strategy
In recent studies, the energy sector was deemed the most vulnerable of our nation's critical infrastructure. A world without functioning energy and utilities companies means businesses shut down, traffic lights go dark and groceries begin to rot. When it comes to energy, security is of utmost importance. The CIA has revealed that "cyberattacks have been used to disrupt power equipment in several regions inside the United States."
Yet the Obama administration is pushing smart grid initiatives that could further undermine the security of our most critical infrastructure. As demonstrated at Black Hat last week, the so-called 'smart meters' are not very smart when it comes to security, and a worm could easily propagate throughout the grid and black out major cities, states, or whole regions.
To get to the heart of this issue, we at LogLogic surveyed our own energy customers to find out how they approach IT security and whether the North American Electric Reliability Corporation's (NERC) compliance standards in fact do help build a secure critical infrastructure.
Over half of the utility companies interviewed for this survey, both large and small, reported that they currently experience more than 150 attacks per week.
We also found unanimous concern that compliance with NERC standards alone is NOT sufficient when it comes to protecting the nation’s critical infrastructure.
One respondent even commented at length that NERC causes him to lower his security benchmarks to the lowest common denominator in order to be in full NERC compliance. The interpretation of NERC in that particular organization dictated that no special 'extra' security could be put in place for one system without bringing all systems up to that same standard (which was cost-prohibitive). Let's hope that this interpretation is the exception, not the rule.
From our interviews it is clear that security professionals are trying their utmost to protect our nation. However, it is also clear that the 'stick of compliance' is required to force management to 'do the right thing'. Many smart meter budgets did not include a line item for security, though that is changing fast now that the issue is receiving some national press attention (thank god).
NERC and SOX compliance are consistently cited as helpful, even necessary, to justify security spending with executive management. NERC is supposed to come out with an updated standard in 2010, and security practitioners are hoping for clearer guidance, as well as a higher bar for security in the new standard.
Also, organizations in violation of NERC can be fined up to US$1 million per day per violation, with audits starting from July 1, 2009. We know from other industries, such as the healthcare and payment card industries, that many organizations wait to make security investments until fines are actually handed out. For NERC, that's still a 'wait and see'.
You can check out the full report here after registering to download. Please let us know what you think: is NERC enough to secure your business or organization? Can you be 'secure' without being compliant, or compliant without being 'secure'? How much security is enough?
Posted August 05, 2009