Computer hackers pose a significant threat to our information systems. Hackers spend considerable time and capital mapping the technology infrastructures of major corporations. Information security experts believe that the network exploitation used to map these infrastructures can also be used to disrupt our electric grid. Hackers have gained access to electric power plants and possibly triggered major power interruptions in the United States as well as all over the world. These events reveal the vulnerability and fragility of our critical infrastructure. To address this weakness, corporations must upgrade their policies and improve information security.
Corporations can begin by implementing strategic plans to secure invaluable information such as drawings, procedures, and business processes, especially for power plants, dams, and other critical infrastructures. They can also integrate a lessons learned discussion internally when an event does occur that help avoid similar situations in the future.
Hackers also target government and military computer systems. From 2005 to 2007 the Homeland Security Department, responsible for protecting civilian computer systems, suffered 850 computer-related attacks. These situations are now becoming more frequent, targeted, and sophisticated as hackers search for ways to disrupt operations.
In addition to protecting against these attacks, managers of critical infrastructure should attempt to minimize information leaks within their own company. In recent years, critical infrastructure drawings have been found on unsecured laptop computers, in public trash receptacles, and in the streets of major cities. These security leaks enable cyber threats to occur and make our national infrastructure vulnerable to people who want to intentionally disrupt the electrical grid, or specific critical buildings vital to our national and economic security. Examples of these security leaks include a major banking and finance company’s laptop computer that was found in India with critical infrastructure drawings on it, transportation drawings found in a trash can outside a major transportation hub, and most recently, the Freedom Tower drawings found by a pedestrian searching through trash containers in New York City. Events like these can compromise corporate and national safety and security when documents fall into the wrong hands. Business officials traveling abroad are prime targets for information thieves. Spyware installed on electronic devices and laptops can open communication links with outside networks, leaving the information on them vulnerable to hackers.
Organizations should ask the following questions and follow these recommendations when evaluating energy and information.
Since we are all in the mission critical industry, I would suggest we all do our part to improve the security of our documentation so that we can protect our critical infrastructure and safeguard our national and global security.
This column is a summary of a chapter on energy security that the author contributed to a book entitled Handbook of Information Security and Privacy which is due to be published by Artech House in the fourth quarter of 2008. The author has recently written a book titled Maintaining Mission Critical Systems in a 24/7 Environment now widely available and through the Power Management Concepts website: www.powermanage.com
Sidebar: Questions for Review / ConsiderationSecurity Questions
Have you addressed physical security concerns?
Are critical locations included in regularly scheduled security inspections?
If Internet access is provided to any infrastructure system, have you safeguarded against hacking or do you permit read-only functionality?
How frequently do you review and update access permission authorization lists?
Network and Access
Do you have a network between your facility’s IT installations that is secured and operational?
Do you have an individual on your IT staff responsible for managing security of your data?
Do you have an online file repository? If so, how is use of the repository monitored and audited?
Is your file repository accessible through the public internet?