In the wake of the Sept. 11 attacks last year, the IT security needs of the Tennessee Valley Authority—which already were massive—became even more important, said Anthony Smith, the authoritys IT security senior manager.
Generating enough revenue to run itself without federal assistance, the TVA—the nations largest public power producer—generates up to 30,000 megawatts of power each year, from 11 coal plants, 29 hydroelectric plants, three nuclear plants, one pump storage plant and backup combustion turbines. TVA serves seven states, 8.3 millions people, and 150 local, municipal and cooperative energy sellers.
“What we found is the largest element in IT security is training and education,” said Smith, in Knoxville.
The authoritys 700 IT employees have been schooled, through classroom instruction, campaigns and even contests, in how to recognize “social engineering” security tactics, such as crackers who try to obtain physical access to passwords.
“[Another] thing that weve begun to do is partner with other federal agencies, to see what theyve done” in areas like anti-virus software, intrusion detection and vulnerability testing, Smith said.
He wouldnt provide details of TVAs actual IT infrastructure, but said its tested regularly.
“We have labs, where we simulate these are the types of attacks youd see, and how to mitigate those threats. Thats an ongoing process,” he said. In addition, “were having to work hand-in-hand with the physical security people.”
To accomplish that, TVA is using both off-the-shelf and customized IT tools, and has classified plans for the military bases it serves.
Overall, since Sept. 11, “we have definitely stepped up our posture,” Smith said. In particular, the authority is working to keep in compliance with the Government Information Security Reform Act, he said.
Advice and criticism of power plant security and technologys role comes from varied sources. At the Union of Concerned Scientists, a non-profit, politically neutral technology safety advocate, nuclear safety engineer David Lochbaum has a laundry list of suggestions for improving plant safety, many of which incorporate the use of IT resources. Lochbaum knows the issues first-hand, having spent 17 years in the industry.
: Energy Utilities Ramp Up Security”>
“Prior to 9/11, the background checks were pretty much done with your social security number, to see if youve had any trouble in the U.S.,” he said. However, todays networks make those checks worldwide and much more quickly, said Lochbaum, in Washington. For example, fingerprint storing and checking is now done over a network instead of with ordinary mail, he said.
In some cases, it helps to not use technology, Lochbaum said. The governments Nuclear Regulatory Council has removed much technical information from its Web site, “just to make sure were not aiding our enemies too much,” he said.
In another example, todays power plants use modern networks for day-to-day business needs, but their complex control systems tend to be “a lot of 1960s technology. A lot of the safety systems are … not digital,” he said.
Criminals cant break into whats not a digital connection.
Help also comes from private companies, like Rainbow Mykotronx, owned by Rainbox Technologies Inc., in Irvine, Calif. About 75 percent of Mykrotronxs $75 million in annual revenue comes from the National Security Agency, but the division has been expanding into the commercial sector, including public utilities, said John Droge, vice president of business development and an 11-year NSA veteran.
Droge disagrees with the obscurity-as-security notion. At a bank, “they dont take the money and put it in desk drawers and hide it, they lock it,” he said. Similarly, criminals may not know a telecommunications networks passwords, but with “a coat hanger and a couple of parts from Radio Shack, you can start talking to a satellite,” he said.
That concept is real. Satellites have control links that are separate from their data links to deal with things like rocket angle, solar panels and battery power. Private satellite owners have only recently began adopting the governments 20-year-old policy of encrypting those control links. Otherwise, “if you could shut the gas off going into downtown Chicago in January, you could do some damage. You might have some people die,” said Droge, in Torrance, Calif.
“Bad things have definitely happened, there are a number of different smoking guns,” he said. “A former employee for a water utility was upset that he was let go and he actually dumped raw sewage into clean systems from his computer. Hes in jail now,” Droge said. “Eighty to 90 percent of the industry doesnt have the security mechanisms that are needed in todays world.”