Utility sets IT department on path to self-destruction

Northeast Utilities tells IT employees it may shift work to overseas firm, but hasn't set deal or severance plan if it comes to it

Page 3 of 3

One issue that has yet to arise is whether outsourcing the utility's IT services would create long-term security risks, particularly if the work is moved offshore.

The mere fact that a utility company might be outsourcing IT functions to India, China or other offshore locales should not raise security red flags, said Joseph Weiss, managing partner at Applied Control Systems and author of the book Protecting Industrial Control Systems from Electronic Threats.

Many of the largest providers of critical industrial control systems used by U.S. utility companies are either based overseas or have major software development centers in foreign countries, Weiss said. As an example, he pointed to General Electric, which has its biggest software development center in China.

"I'm not really sure if the security risk would be any different [with offshoring business applications]," Weiss noted.

What ultimately is important are the governance and oversight processes in place to mitigate security risks, he said. Any company that finds itself needing to implement tougher governance processes simply as a result of outsourcing should not be doing it in the first place, Weiss said.

"If you think you need to have more oversight if you are going to India, then why are you doing this?" he asked. "If you are saying the 'trust is less', then don't do it."

Dale Peterson, CEO of Digital Bond, a consulting firm specializing in control system security, said the real risk arises only if control room operations are being outsourced to an offshore destination.

"[That] is a whole other matter," Peterson said. A few utilities have begun talking about control systems being managed through virtual plants based somewhere else, he said. "But that would be very bleeding-edge stuff," and most likely not what's going on here, Peterson said.

Typically, business application outsourcing should introduce little new risk for a utility, he said. "Essentially the [industrial control systems], [supervisory control and data acquisition systems], [distributed control systems] network considers the corporate or business network untrusted," he said. "No access is allowed into the [industrial control systems] zone except under emergency conditions."

Corporate networks sometimes have links to plant systems to gather performance metrics and other data, he said. But the data needed by the corporate network is typically pushed out to the industrial control system perimeter in a secure fashion, he added, so any offshore vendor with access to the corporate network is unlikely to be able to touch plant systems.

"If an owner or operator has a good [industrial control systems] security perimeter, it doesn't matter if the corporate or business network is outsourced," said Peterson.

Patrick Thibodeau covers cloud computing and enterprise applications, outsourcing, government IT policies, data centers and IT workforce issues for Computerworld. Follow Patrick on Twitter at @DCgov, or subscribe to Patrick's RSS feed. His email address is pthibodeau@computerworld.com.


Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is jvijayan@computerworld.com.


Copyright © 2013 IDG Communications, Inc.
