Ken Silverstein EnergyBiz Insider Editor-in-Chief

Utilities are vulnerable on a lot of fronts. An increasing number of customers, for instance, are paying their bills online. As a result, power companies now possess vital information, such as bank account data and in some cases, credit card numbers. Some businesses use outdated software that can be breached by those with ill-will. And, utilities often have enemies, such as angry former employees, customers or landowners as well as anti-utility organizations. At the same time, hackers may steal the information and sell it over the Internet.

Tracking down hackers is not easy. But, it is possible. Virginia-based Intellitactics is the software firm focused on security issues that assisted the utility in need of help -- a company that Intellitactics can't name. The security team within the utility had been getting a number of defense alerts. Some turned out to be valid and others did not. But the shear volume of them meant that the power company had to come up with a more cost-effective solution to monitor its information technology systems.

"Let's face it, utility companies can be targets," an executive at the utility says. "We rely on our networked infrastructure to bring power to millions of subscribers. We can't control storms, fires and temperature extremes, all of which can jeopardize our service. But we can control attacks on the enterprise and protect the information we need to power this section of the country. We are serious about security."

Utilities also have to comply with regulations mandated by the U.S. Department of Energy and the Federal Energy Regulatory Commission. The Energy Department, for example, requires all actual and attempted cyber attacks to be reported to it within one hour after they occur. Randy Davis, Intellitactics CEO, says that information technology managers and company executives must develop metrics - measurable performance standards -- to understand the progress they are making to prevent corporate espionage.

"Every executive I've spoken with is interested in having the metrics that describe security effectiveness," says Davis. "Every security manager is grappling with how to generate and deliver them."

Greater Risks

The risks are greater now than ever before. The total interconnectivity of networks through the Internet has given hackers new ways to get vital information. That's why the North American Electric Reliability Council has developed standards for utilities when it comes to protection of their information systems. Indeed, power grids are susceptible to not just worms and viruses that can disrupt business but also to large-scale onslaughts intent on shutting down systems completely.

The problem is global in scope. In Queensland, Australia, on April 23, 2000, for instance, police stopped a car and found a stolen computer and radio transmitter inside. With commercially available technology, Vitek Boden -- a disgruntled former employee -- was able to crack Maroochy Shire's computer system that controls operations at the wastewater facility.

Using his car as his "place of business," he was able to configure the system to release thousands of gallons of untreated sewage water into the environment for two full months. After his arrest, Janelle Bryant of the Australian Environmental Protection Agency had said that "marine life died, the creek water turned black and the stench was unbearable for residents." Until Boden's arrest, officials didn't know why this was happening.

Terrorism is a top-of-mind issue for government officials. A well-heeled group "could conduct a structured attack on the electric power grid electronically, with a high degree of anonymity, and without having to set foot in the target nation," the Government Accountability Office wrote.

Beyond cyber threats, companies must implement employee agreements that prohibit anyone from using company "trade secrets" -- anything that a company knows that is unknown in the marketplace and that gives it a competitive advantage. The U.S. Department of Justice advises companies to notify their employees of existing trade secrets and limit access to that information on a strict need-to-know basis. It also suggests confidentiality agreements.

If secrets are unlawfully revealed, businesses can request criminal investigations that are guaranteed under the right circumstances by the Economic Espionage Act of 1996. That law doesn't just protect classified information. It also protects corporate information. Each year in the United States, $24 billion is lost because of corporate spying, the FBI's National Counter Intelligence Agency estimates. It also says that 34 cases have been prosecuted under the law since its inception.

Espionage can occur at all levels of American enterprise. Natural gas traders, for example, make trades and hold positions that are proprietary in nature. If such information were to be leaked by traders or back office personnel, it could not only erode the already thin margins their companies earn but it could also violate federal insider trading laws that assure the veracity of markets.

"Lots of money is at stake and people are always in search of ways to get ahead," says John DiFrances, managing partner at DiFrances & Associates in Wales, Wisconsin, which advises businesses on strategic and safety issues. "Corporate espionage hurts everyone and advantages only a few. That's why companies need to safeguard against these acts and if they occur, let violators know there will be consequences."

No company is safe. And that includes those in the utility sector. Cyber threats are real and can range from terrorist activity to the stealing of trade secrets to illegally obtaining customer information. The insidious nature of the crimes keeps escalating as hackers find more creative ways to achieve their means. The good news is that companies understand the threats and a lot of tools exist to address security concerns.

For far more extensive news on the energy/power visit:  http://www.energycentral.com .

Copyright © 1996-2005 by CyberTech, Inc. All rights reserved.