IT Compliance and Controls

Converging Business, Information, and Controls

IT Compliance and Controls header image 2

CIA: Energy Infrastructure Attacked

January 24th, 2008 · No Comments

In my book, IT Compliance and Controls, I highlight the importance of the energy infrastructure, and the risks that these systems face given their newly interconnectedness. To highlight the relevant points from the book – the energy infrastructures of the world support the medical, HVAC, security, and financial systems of our economies. The loss of a single gear in any of these systems introduces a crises into the system. Consider the financial markets for a moment, and the hysteria that ensues when traders are caught in an illiquid market or are locked out of a market due to outside forces. The traders that are locked out could lose billions in hours due to these interruptions.

While these loses are massive, they still “only” represent money. The energy infrastructure of today has allowed people to populate regions of the world that would not be possible without HVAC. Even in seemingly moderate climate zones (Paris, France) the loss of power in 2003 resulted in over 35,000 loses of life during the last power outage that occurred during a great heat wave.

The energy infrastructure is owed great respect and deserves careful application of technology controls. These controls have been promoted by NERC within the U.S. and the recent acceptance by FERC of these standards further enforces their importance. The recent attack on several city power systems was released by the CIA, and has been covered by several thoughtful articles. Please see their reportings on the findings of this event.

This event raises to me several key points that hopefully will be released (or released to the power generation industry at least):

  • What resiliency existed in the systems to minimize the impact to delivery of the energy (I.e. How long till power was restored?)
  • How were the monitoring controls deployed and what improvements could be found on the intervals and scope of the reports?
  • What incident response capabilities were utilized and what could be done better?
  • I can think of dozen more questions, but we shall have to see what is released and what is learned.

So lets focus on the risks to the energy infrastructure both physical and digital,

James DeLuccia

Tags: Access and Authorization · Application Controls · Incident Response Capability · Logical Access · Monitoring and Performance Reviews · Physical Access · Sustain Operations · Technology Intelligence · Trusted Computing Platform Systems

0 responses so far ↓

  • There are no comments yet...Kick things off by filling out the form below.

Leave a Comment