nCircle Guest Blog: January 2012 Archives

Municipalities (also known as Community Owned Utilities or COUs) face a unique set of security challenges. They are typically smaller organizations, rarely reaching "enterprise" size. COUs face a unique set of challenges that affect the security of our critical infrastructure.

COUs are owned by ratepayers. This means that they have deep public scrutiny of everything they do. Spending on security can be difficult if they are unable to sufficiently justify the expense to the ratepayer. Further, since many have elected officials at the helm, politics is a major factor in everything they do. There are cases where politicians may be unwilling to spend money on equipment and staff unless those initiatives are directly tied to getting/maintaining future votes.

Industrial control systems at many utilities including COUs are generally legacy systems that were never designed to include to security. They are not easy to upgrade and many staff at COUs are forced to operate with aging infrastructure that has been extended far beyond its normal lifespan.

As bad as infrastructure funding is, insufficient staffing is far worse because it's far easier to get money for capital expenses than for operations or headcount.

One of the biggest concerns with COUs is that they underestimate cyber security threats and their relative vulnerability. They think "we're too small for anyone to attack" or "we're too small to be a target" or "we don't really have anything of value to a hacker, terrorist or organized crime ring."

These assumptions are wrong in many ways. Beyond the many issues connected with managing infrastructure critical to local population centers, most COUs are connected to larger utility networks and any breach that affects them has the potential to impact the surrounding energy grid.

It might be surprising, but the staff at municipal utilities are actually remarkably dedicated and resourceful people. They have to be, given the circumstances they face everyday.