Data Protection: EnergySec's plan for critical infrastructure
Energy companies rely on IT infrastructure more than ever. Would-be cyber terrorists know it. A group called EnergySec hopes to be ready for what may come.
By Bill Brenner , Senior Editor
June 16, 2010 — CSO —
Our recent article on MidAmerican Energy Company's push for better code security brought home the dangers energy companies face in the digital age. Another recent article on the damage bad guys can do with embedded systems illustrated the same dangers on a broader scale.
A wiki called SecurityFAIL.com was recently set up to fight the problem. There is also an organization called EnergySec that hopes to build a rock-solid defense against whatever may come.
In the following Q&A, EnergySec directors Seth Bromberger and Steven Parker describe how the organization formed, who is part of it and what kinds of best practices they've developed to keep our power flowing.
Describe the origins of the organization, the number of members, what kinds of activities involvement encompasses, and so on.
Bromberger: EnergySec evolved as a not-for-profit corporation in small steps and through grassroots efforts. Its predecessor organization, E-SEC NW, was an informal group of security professionals who worked for electric utilities in the Pacific Northwest. This group met occasionally for lunch to discuss security issues relevant to their work. Over time, word spread and membership increased to the point where it was no longer a regional organization. When the group received the SANS National Cyber Security Leadership award in 2007, it was clear that our industry craved a national group to exchange security information.
Today, EnergySec has over 300 members representing almost 100 energy companies, government agencies, academic institutions, and national laboratories. The membership represents over 46 percent of the electric generation capacity in the US, and just under 60 percent of the electric distribution.
EnergySec's primary goal is to provide its members with access to timely, actionable information in an open, trusting forum. All our members are fully vetted and we have strict membership criteria. On a daily basis, the members discuss all aspects of security in the electric and energy sectors - from best practices, to real-time situational awareness, to pending legislation. For the past five years, we have held an annual conference where we can all meet face-to-face to discuss specific topics in more detail.
Is the highest priority physical threats to energy infrastructure or is your mission specifically based on the cyber danger?
Bromberger: Our members come primarily from the cyber security and risk areas within their organizations, but we do discuss physical threats, especially in the context of blended cyber/kinetic attacks.