When PricewaterhouseCoopers and CIO Magazine conducted their most recent annual Global State of Information Security® study in the spring of 2008 (2008 GSIS), the result for the utility industry was the classic good news/bad news story. While utilities have made significant strides in improving the state of information security throughout their operations, a significant gap remains between the confidence utility executives have in the effectiveness of their systems and the actual audit or measurement of security policies. And while utilities surpassed the cross-industry average in the 2008 GSIS survey for having cellular and wireless security standards in place, the total still showed that fewer than half of all utilities had implemented these key standards.
For example, in October of 2007, SecureWorks, one of the industry’s leading managed security services providers with, at the time, more than 1,800 clients and 100 utilities, reported a 90 percent increase in the number of hackers attempting to attack its utility clients in just one year. In January 2008, a CIA senior analyst reported at a national trade event that hackers had successfully attacked a foreign utility, causing power outages that impacted multiple cities, all involving intrusions through the Internet. And closer to home, a Government Accountability Office (GAO) report concluded in May of 2008 that the Tennessee Valley Authority (TVA) was vulnerable to cyber attacks that could have disrupted its power production and transmission system. Incidentally, in its responses to the GAO recommendations (Appendix II of the report), TVA demonstrated through specific actions and processes its “commitment to assuring the security of its critical infrastructures and related information and control systems.”