Infrastructure security powers up

He may not have known it at the time, but Lonnie Charles Denison helped prove the need for tighter security at many infrastructure businesses when he launched a multifaceted attack against California Independent System Operator, a quasi-governmental agency responsible for management of the state's power grid.

Close to midnight on April 12, Denison -- who had been working for a contractor hired by Cal ISO -- allegedly used his employee credentials to gain access to a datacenter at the Folsom, Calif.-based organization. Once inside, the 32-year-old reportedly used a hammer to break into an emergency cut-off switch and kill power to the agency's computers, specifically machines used to trade energy with other utilities in real time.

As the company scrambled to respond to the shutdown on Monday, April 13, Denison, who is currently in a California prison facing charges of felony destruction of an energy facility, e-mailed a bomb threat to Cal ISO officials, forcing employees to evacuate the premises where he had carried out his sabotage.

While Cal ISO survived the incident admirably, reporting no interruption in services and getting its energy trading systems back up and running quickly, the attack is considered by some industry experts to represent the worst kind of infrastructure threat scenario possible: a combined affront on physical and IT security systems.

Since the Sept. 11 attacks, utilities, telecommunications companies, and other businesses controlling sensitive infrastructure operations have moved to bolster both their physical and IT defenses. However, most experts concede that much work remains to be done in improving security across vertical industries, which haven't always viewed IT and operational attacks in the same context.

Over the last decade, many companies have also moved to marry newer IP-based systems with older legacy technologies to improve productivity across their operations. And while those efforts have created new opportunities for businesses to monitor their workers and facilities, the applications have also introduced a wide range of additional security concerns around IT attacks.

"The awareness over the last six or seven years has really changed. We were always aware of physical security concerns, but we weren't worried about cybersecurity as much because the electronics we were using on location were so unique," said Greg Britton, telecommunications superintendent at the Tri-State Generation and Transmission Association.

The Westminster, Colo.-based company is a wholesale electric power supplier whose operations cover a 250,000-square-mile territory across Colorado, Nebraska, New Mexico, and Wyoming.

"As we've modernized, we've brought more IP-based systems into the operational side, and we've taken on the challenge of making things as accessible as possible for people who need to get in while also trying to do a better job of defending our networks," Britton said. "Like everything else in business or IT, it's a cost and balancing act, but one where the stakes are very, very high."

In addition to dealing with the same types of external and internal IT security concerns that face many other types of businesses, power companies like Tri-State are also facing a rash of break-ins at remote substation facilities; as prices for copper metal have soared, so have the number of criminals attempting to make off with the valuable copper wire.