TAMPA, FLORIDA (10/16/2003) - More than 40 CIOs (chief information officers) from the energy industry this week agreed that cyber and terrorist threats to their infrastructures are on the rise. But like executives in other sectors of the economy, they said their industry is being pressed to protect all things all the time -- with little or no assistance from the government.
"The problem is that there is no acceptance of how to prioritize vulnerabilities and threats," said one CIO, who spoke on condition of anonymity. "Cybersecurity is everything, everywhere, all the time."
Senior security officers from the banking industry, who met last week in New York, echoed those concerns, with one official saying that despite funding challenges for security, he spent much of his time trying to get the board of directors at his company to "calm down."
Gary Gardner, CIO of the American Gas Association in Washington, D.C., which sponsored this year's 51st Annual Energy Information Technology Conference in Tampa, Florida, along with the Edison Electric Institute (EEI), acknowledged that if the energy infrastructure is going to be treated as a critical national-security asset, then the role of government in funding and regulation must be clarified.
"How do you identify the gap between what individual companies can afford to do from a security perspective and what they should be asked to do and what the government should do or support with funding?" asked Gardner, raising one of the key questions debated by the CIOs at the conference's opening session of the Technology Advisory Council (TAC).
Gardner suggested that if the federal government identifies additional security requirements for the industry, then it should provide the funding needed to make those investments.
Less than half of the 44 gas and electric company CIOs polled during the meeting said their companies belong to an information sharing and analysis center to share security information with the government. The same number of CIOs said their companies don't conduct detailed background investigations on employees with access to sensitive internal computer systems.
Denny Brown, CIO at Pinnacle West Capital Corp., a Phoenix-based owner of several Arizona utility companies, agreed with Gardner and other CIOs present that the TAC should consider forming a cybersecurity committee. The only security committee currently in existence at the senior executive level deals strictly with physical security, said Brown, who is also the TAC council chair representing the Washington, D.C.-based EEI.
In addition, the CIO-staffed TAC doesn't have direct access to the chief executive officers of their respective companies, according to another CIO who spoke to Computerworld on the condition that his name not be used. That CIO suggested working with the U.S. Federal Energy Regulatory Commission on a cybersecurity technology advisory committee.
Gardner also said that the American Gas Association has been working with other energy industry experts on specific recommendations for securing Supervisory Control and Data Acquisition (SCADA) systems, which are the commercial computers used to manage large-scale industrial operations such as the natural gas and electric grids.
According to Gardner, a final report on new encryption standards and methods for SCADA systems is scheduled to be released by the end of the year. The Gas Technology Institute in Des Plaines, Illinois, is working on ways to upgrade and retrofit existing parts of the energy infrastructure to accommodate the new encryption standards, he said.