Hackers. Viruses. Worms. These phenomena, the curse words of the computerized business community, have provided the impetus behind a new gas utility trend — creation of a cybersecurity position. "Right now, network security is the hottest area in information technology. There's going to be more growth in that IT area than any other," says Brunson White, vice president and chief information officer at Energen Corp.
Under the old model, the person in charge of computer network security worked in the IT department and reported to the department director. The new model calls for that person to work independently of the IT group and report directly to the CIO or another member of senior management.
"Network security has to be identified as its own responsibility within a company, whether the function is in IT or elsewhere," says Lisa Metcalfe, vice president and CIO at Washington Gas. "You don't want to spread that responsibility across the organization or dilute it across an IT structure. You want security to report high enough in the management chain that it gets the appropriate focus and resources."
"During the Y2K weekend, anyone who watched people probe their firewall just to see if it was there understands the need for an independent security officer who focuses full time on protecting the network," says White. "Earlier this year, we reorganized IT and created an enterprise security position that reports to top management rather than to the person in charge of day-to-day IT operations." John Masopust, the person filling that enterprise security manager's position at Energen, explains: "You need the authority behind you so that when you speak everyone knows it comes from the top."
Moreover, says Michael Daumer, manager of information protection at NiSource Inc., independence from other IT activities "means security personnel won't be biased in implementing security policy and practices or influenced by other initiatives or pressures within the company."
Besides having someone in-house who focuses solely on network security issues, several IT experts from natural gas utilities view the following as other vital steps to maintaining a secure network:
Write a Security Policy
Everyone in the company needs to be on the same page when it comes to cybersecurity, but that could prove impossible if there aren't any pages. The utility security experts stress the importance of having a written security policy that covers everything from what employees can and cannot do on their computers to rules on acceptable use of internal information resources.
For instance, Energen's policies make it clear that employees are not permitted to install their own software on office computers or visit certain places on the Web. "We don't allow people to keep executable files on their systems other than those required for the company's base system," says Masopust. "During Y2K, we cleaned up every office computer so that all of them now look alike. We use software to scan the computers to make sure no one has added anything that they shouldn't have, such as a game."
Build Employee Awareness
Because the biggest security risk comes from inside the company, employee awareness tops many a CIO's list of security measures. "Education is key," says Daniel Crespo-Dubie, IT general manager at KeySpan Energy. "Employees must understand their critical role in ensuring a secure environment."
NiSource, for example, distributes printed materials on cybersecurity and augments that with training sessions for new employees and interns, plus training on the use of e-mail and the Internet. "There's always more that can be done, but there's often a resource constraint," says Daumer.
"You need to continually look for ways to convey security messages to employees. Use all the communication channels available within the company, such as the corporate intranet, e-mail, newsletters, training sessions and the IT help desk," advises Washington Gas' Metcalfe. "You can never check this activity off your list of things to do."
Telecommuting and laptops pose their own brand of security risks. "When an employee is working outside the internal environment, you don't know who is sitting at the keyboard and whether the computer is being used for personal e-mail, which makes the network more susceptible to viruses," says Daumer. He recommends using encryption software on traveling laptops even though employees find it inconvenient. "Unfortunately, companies are sometimes reluctant to accept the inconvenience because they've never experienced a loss," he says. The experts also say laptop hard drives should be wiped clean before the computer is loaned to another employee.
The bottom line is that if employees fully understand the importance of a secure network, they may not grumble so much about such security necessities as new passwords, which are changed as often as every 30 days in some utilities, or the need to use encryption.
"Keeping up to date is one of the biggest challenges because the knowledge base changes daily, if not more frequently," says Don Field, executive vice president at Peoples Energy Corp. His company, like many others, uses consultants specializing in cybersecurity to augment the work of the in-house staff. "It would be impossible for us to maintain their level of skill internally," he says.
Beyond installing the latest anti-virus software and other security-related programs on the network, the natural gas utility security experts recommend making full use of Web sites that post warnings about viruses, worms, hoaxes and the other nastiness lurking in cyberspace. Some of their favorite sites are:
http://www.cert.org  (Carnegie Mellon University's CERT Coordination Center)
(Critical Infrastructure Assurance Clearinghouse)
(Department of Energy's Computer Incident Advisory Capability)
(FBI's National Infrastructure Protection Center)
http://www.sans.org  (System Administration, Networking and Security Institute)
http://www.sans.org/giac.htm  (Global Incident Analysis Center)
http://www.securityfocus.com , click on Bugtraq
Additional resources, however, may be necessary during a crisis, such as a virus attack. The Web sites that provide inoculations against viruses are so busy when a new virus is discovered that getting into the site can prove impossible. "You need to have your own private network, whether it's via the Internet or via telephone, so you can get information immediately," Field says. "Good preparedness means you know how to get around the bottlenecks."
Prompt implementation of patches and upgrades, which often can be found on the Web, is another important way to reduce system vulnerabilities, according to NiSource's Daumer. "In addition, when building new servers, remove all unnecessary services, scripts and default user IDs and passwords that could leave your system open to compromise."
Plan Break-in Attempts
To make sure they are well-protected, many companies hire security consultants to attempt to breach their networks. Some utilities use firms familiar with their systems; others prefer to hire someone who knows nothing about their network in order to simulate the typical hacker attack. This second testing technique is generally more expensive and takes longer than the first one. Regardless of which technique is used, experts say companies should have third-party security audits performed regularly.
From Daumer's point of view, the disadvantage of repeatedly using the same security firm to test a company's system is the fact that it becomes too familiar with the system. On the other hand, he says, this could be an advantage because it may give the security firm "a leg up in understanding how to penetrate the system and pinpoint weaknesses."
KeySpan, like many other utilities, uses both security-testing techniques. "It's important to find a balance between which types of tests you run and how often you do these tests in order to find the right balance between a reasonable level of expense and your risk of being vulnerable to attack," says Crespo-Dubie.
In the end, as Don Field so succinctly puts it: "You have to think about security all the time."
Karen Ryan provides freelance editorial services and is a contributing editor for American Gas. She may be reached at email@example.com .
Return to American Gas Magazine
Subcribe to American Gas