Information networks have controlled electric power company core operations since before industry deregulation. These networks allow companies to maintain centralized monitoring of their energy management systems (EMS) and “move” power from generation to the end user. As shown in Figure 1 below, EMS systems encompass large numbers of transmission and distribution substations, which are often spread out over large distances and require centralized management. In order to provide a centralized management and monitoring capability, power companies deploy supervisory control and data acquisition (SCADA) systems, which allow a control center to collect electric system data from nodes placed throughout the power system. Using this data, SCADA systems can initiate alarms to operations personnel and relay control commands to the field.
FIGURE 1—Traditional Electric Power
Company Communications and Control Layout
Source: “Electric Power Information Assurance Risk Assessment Report.” NSTAC Information Assurance Task Force (March 1997)
Due to the enormous size of power station, the use of SCADA systems is widespread in the electric power industry and is considered an absolute necessity for effective energy management.
Most of the approximately 3,200 electric power utilities serving North America depend on SCADA systems to manage power generation, transmission, and distribution. With 30,000 to50,000 data collection points in an average SCADA system, centralized management of network data has become crucial to ensure power system reliability and maximize staff efficiency.
Recognizing the importance of their EMS and SCADA systems, most power companies constructed these networks separately from other corporate systems. Early SCADA systems were effectively “walled off” through the use of unique power supplies, special disaster recovery plans, and separate system development protocols. Over time, however, the convergence of power company networks and the demand for remote access to these systems has rendered many SCADA systems accessible through non-SCADA networks
.
Over the past ten years, the increased use of Internet technologies has transformed the way business is conducted in almost every major industry in world, and the electric power industry is no exception. IT strategies are enabling power companies to operate cost effectively, communicate more efficiently, and create innovative business practices. Meanwhile, the advantages of an effective e-business strategy are becoming increasingly important, as power companies are forced to compete in a deregulated environment. The table below highlights a few of the key business areas that utilities have improved through the use of e-business and Internet strategies.
Transformation of Existing Business Process
Customer Customer Information Systems(CIS) Many utilities are replacing outdated CIS with new
systems that focus outwardly on customers and are more accessible. Over half of present utility CIS systems are older than 10 years
.
Supplier E-procurement systems Utility companies are joining together to take advantage of the efficiencies of online procurement of utility supplies. Pantellos, now an independent company and leader in utility procurement, was formed through the cooperation of 21 large companies.
Operations Work and outage management systems (WMS/OMS)
With growing competition forcing more attention on customer service plus the threat of "performance-based rates" on the horizon, utilities across North America are scrambling to install WMS/OMS. Tightly integrating WMS/ OMSs improves response time, reduces manpower, and enhances productivity
.
Source: “Replacing A Customer Information System,” Public Power, October 1999
In order to compete successfully in a deregulated market, many electric power companies are seeking new sources of revenue growth through investment in opportunities that involve “nonelectric” functions, which formerly resided outside of their core business. These ventures are rapidly evolving from small start-ups into medium-sized and large stand-alone corporations. The most highlights of these ventures – power marketing– is heavily reliant on information systems. For instance, one major power market transaction platform, launched in 1999, conducted more than 130,000 transactions during its first 26 weeks, with a daily transaction value of up to $1.5 billion per day. Over half of these transactions are performed online. Figure 2 illustrates the growth of power marketing over the past 3 years.
FIGURE 2—GROWTH OF POWER MARKETING (1996-1998)
(In Billion)
MWH
1996 1997 1998
Source: Edison Electric Institute, January 2000
Network security vulnerabilities of Electric Power Industry.
While the benefits of IT are obvious, many utilities are only beginning to acknowledge the dangers that inevitably result when networks become more accessible to a wider range and number of users. Linking corporate systems together to provide access to customers, suppliers, and other third parties will significantly increase the vulnerability of sensitive and proprietary information contained in these systems. As a result, their widespread use of SCADA systems for network management, power companies are currently vulnerable to internal and external network attacks. Because corporate networks and SCADA systems are linked at most utilities, the security of the SCADA system is often only as strong as the security of the corporate network. With pressure from deregulation forcing the rapid adoption of open access capabilities, vulnerabilities in these systems are increasing rapidly. There is evidence from National Security Telecommunications Advisory Committee (NSTAC) SCADA systems at risk, “A knowledgeable intruder, aided by publicly available ‘hacker’ tools, could issue false commands to a utilities energy management system (EMS), opening and closing relays, shutting down lines, and causing voltage oscillations and, potentially, cascading outages.” “Electric Power Information Assurance Risk Assessment Report.” NSTAC Information Assurance Task Force (March1997)
As Information Technology gain the power, power companies often up-date, billing and accounting information systems with other corporate information systems. In addition, consolidation through mergers and the integration of new lines of business are forcing power companies to connect diverse legacy systems without considering security risks. All of these factors are increasing the number and severity of security vulnerabilities. As figure 3 demonstrates, the information security concerns in the industry are evolving from operational issues to e-business and Internet concerns in the present and future.
FIGURE 4—Evolution of Network Vulnerabilities at Power Companies
Source: “Electric Power Information Assurance Risk Assessment Report.” NSTAC Information Assurance Task Force (March1997)
Electric power companies, which are already concerned with security vulnerabilities affecting their ability to protect transmission and delivery systems, are beginning to realize additional potential vulnerabilities. For example, the development of advanced customer information systems (CIS) and e-procurement methods are prime examples of emerging concerns. In addition, expansion into new lines of business that require the integration of legacy systems will introduce completely new information security challenges.
. An example of the cost of retaining public confidence in the wake of a security breach is illustrated by the recent security breach at the British utility Powergen. Earlier this year, Powergen admitted to a serious leak in network security that inadvertently exposed account information for over 7,000 users. The company
issued advisories to all 7,000 users and also offered £50 compensation to each. (The News-Times, July 2000. “Powergen suffers serious security slip-up” Internet.Works)
Impact of security breaches
The disruption of core business operations is the dominant security fear for electric power companies. Government and consumer pressure to keep electric systems operational have forced the industry to invest in methods to maximize the reliability and availability of power. While network security issues have always been a threat to electric power system reliability, the expansion of remote access SCADA systems, and the rise of E-business have significantly increased the number of potential system exploits. At the same time, the potential cost of a security breach has shown a corresponding increase. Some of the ways in which a security breach might negatively impact a power company are showed in the following table.
IMPACT OF INFORMATION SECURITY BREACHES
Operational Disruptions At the core of the electric power industry is the need for reliability and availability of electricity throughout the power grid. Utilities must remain vigilant about the protection of their electricity management and SCADA
systems to ensure that unauthorized access to these systems does not disrupt service.
Although these systems have largely remained isolated from public network access in the past, the use of remote access to manage SCADA makes these systems increasingly more vulnerable to external attacks. Illustrating the monetary cost of service disruptions, a recent 8-hour power outage in Delaware, Maryland, and Virginia cost regional businesses $30.8 million in lost revenue.
Public Confidence Competition has brought about an increased focus on customer service; thus, data about customer usage habits, payment, and demographics are crucial to utilities’ CIS strategies. Disruptions of customer service functions could rupture carefully nurtured customer relationships and have damaging long lasting effects on customer confidence. As such, utilities must ensure that customer information is secured properly and that customer interfaces, such as call centers and web sites, are adequately guarded from denial of service attacks and “cyber-vandalism.”
Corporate Reputation Perhaps the most important implication of network security attacks on utility information systems is their impact to the reputation of the company. Just one security breach can have a devastating, irrevocable impact on the reputation and financial health of an organization, especially with increased competition in a
deregulated environment. Because many investors are unsure as to which companies will compete successfully in the newly deregulated power market, increased business risks and greater stock price volatility will likely abound. Valuations will not only depend on share price and bond ratings, but will also reflect investor perceptions regarding how well an electric power company is managed, including the company's ability to respond to competitive pressures and other market challenges.
Sources: “Power Outage Darkens Delmarva Peninsula,” The News-Times, May 1996;
Recommendation strategies.
With network security vulnerabilities rising rapidly, and the cost of security breaches becoming more obvious, power companies need to develop top-notch information security practices. An effective approach to network security begins with a careful evaluation of network security architectures, and more importantly, electric power company managers must recognize the gaps in their internal capabilities and consult with firms that offer network security expertise when necessary. The following steps is the recommendation for network security products and services in the power industry.
Step one: Regular Vulnerability Assessments
Power companies must conduct regular vulnerability assessments of information systems and networks that support critical business processes. An effective assessment of information system and network can reveal unintended gaps
in security, unknown linkages between public and private networks, and firewall configuration problems.
Step two: Expert Information Security Architecture Design
There are number of technologies which available for power companies, such as firewalls, Intrusion Detection Systems (IDS), and Virtual Private Networks (VPN) can all help protect networks and data from malicious attacks. Actually, companies should work with information security professionals in order to minimize risks associated with poor network architecture.
Step three: Managed Security
As power companies add network security technologies to ensure their security position, the need of properly manage and monitor these devices is becoming increasingly complex. Many Organizations Struggling to Manage Security Devices, according to Richard Power, (Editorial Director, Computer Security Institute) that “You’d be surprised at how many blue chip companies and dot-com sensations do not have someone in their organization who is competent to answer even simple questions.”
Managed security offerings ensure that all security devices are configured properly and fully patched, while monitoring the actual activity on each device using intelligent software solutions and security analyst expertise. This will enable corporation to maintain a real-time security monitoring and a relatively low cost.
Summary and conclusion:
Computers and MIS are one of the important organisational resources for the firms of Electric Power industry. The power companies should spend a huge amount of money for buying, development and enhance of such systems. A great number of enterprises could not operate properly and successfully without the implementation of MIS in the new changing environment. The modern IT will become the main force determining the pattern of the 21st century and giving great opportunities in all aspects of our life.
MIS have great contribution to increased competitiveness and effectiveness of managers in decision-making process and solving of different problems which appeared in managing an organisation. However, theory and research has demonstrated that the technology per se is not a determinant of organizational outcomes, but an enabler, with its effects dependent upon how the technology is used (Attewell and Rule, 1984; Markus and Robey, 1988; Orlikowski and Robey, 1991; Robey and Sahay, 1996).
Reference list:
Attewell, P., and J. Rule, “Computing and Organizations: What We Know and What We Don't Know,” Communications of the ACM, 27, 12 (1984), 1184-1192.
Bee, R., Bee, F.,1999. Managing Information and Statistic. Trowbridge: Cromwell Press.
Markus, M. L., and D. Robey “Information Technology and Organizational Change: Causal tructure in Theory and Research,” Management Science, 34, 5 (1988), 583-598.
Orlikowski, W.J., and D. Robey, “Information Technology and the Structuring of Organizations,” Information Systems Research, 2, 2 (1991), 143-169.
Papows, J., 1998. Enterprise.com: Market Leadership in Information Age. London: Nicholas Brealey Publishing.
Robey, D., and S. Sahay, “Transforming Work Through Information Technology: A Comparative Case Study of Geographic Information Systems in County Government,” Information Systems Research, 7 ,1 (1996), 93-110.
Richard Power, Editorial Director, Computer Security Institute. “Hack Attacks Drive Outsourced Security.” PC Week. (August 1999); “Expert Alarmed by Lack of Cybercrime Defenses.” The Indianapolis Star. (May 2000).
Electric Power Information Assurance Risk Assessment Report.” NSTAC Information Assurance Task Force (March 1997)
“Replacing A Customer Information System,” Public Power, October 1999
Edison Electric Institute, January 2000
“Electric Power Information Assurance Risk Assessment Report.” NSTAC Information Assurance Task Force (March1997)
The News-Times, July 2000. “Powergen suffers serious security slip-up” Internet.Works
“Power Outage Darkens Delmarva Peninsula,” The News-Times, May 1996;
.