IT Management - Baseline
Powering Up



By Nick Wreden

  Table of Contents:
  1. Powering Up
  2. Prioritizing Security Threats
  3. Connecting the Dots

Energy and utility companies rely heavily on technology solutions to meet complex customer, operational and service demands.


Powering Up - Prioritizing Security Threats


( Page 2 of 3 )

While Allegheny Energy was concerned about maintaining a relationship, another leading utility was focused on maintaining security. PG&E has a metrics-based IT security program that allows the San Francisco-based firm to quantify potential systemic threats and actual vulnerabilities. This enables PG&E to prioritize resources, gain management support, and meet industry and other certification standards.

When Seth Bromberger, manager of information security, joined PG&E in 2005, his first priority was to develop, standardize and quantify security practices across the company, which is one of the largest combination natural gas and electric utilities in the United States. Using a military-based security model that consisted of identifying assets, threats and vulnerabilities, as well as calculating risk and asset protection, Bromberger and his team spent six months developing a methodology for real-time quantitative threat analysis and vulnerability management.

“Everyone assesses threats and vulnerabilities differently,” he says. “But I didn’t want to give management reports based on opinions or gut-feel. Instead, I wanted a repeatable, consistent and understandable methodology that would limit subjectivity and provide quantitative output that could be objectively evaluated and compared.”

Another reason: Anything that can be quantified can be more easily automated.

The heart of the methodology is a dynamic matrix that lists threats (grouped into broad categories such as terrorism, insider activities and acts of nature) down one side and the capabilities of those threats across the top. Threat data comes from law enforcement personnel, vendors, corporate operations and other sources. Each threat is rated on a scale of 0 to 5 (with 5 representing the highest level of capability) according to its funding level, size and access to facilities.

Next, system, software and other vulnerabilities are ranked and evaluated against the threat data to determine which threats are most likely to be able to exploit each vulnerability. Threats are reanalyzed systematically twice a year and whenever circumstances require it; vulnerability assessments run 200 to 600 times a week.

“The result is a mathematical way to rate threats and vulnerabilities,” Bromberger explains. “So we can easily see where specific threats are more likely to be able to leverage known vulnerabilities.”

One tool PG&E uses for vulnerability assessment is nCircle's IP360, which scans hosts across the enterprise and reports both systemic and individual vulnerabilities, along with remediation recommendations such as applying a patch or closing a port. Where no fix is available, the PG&E information security group applies compensating controls, such as raising barriers to unauthorized access.

The threat and vulnerability assessment system has paid off for PG&E in several ways. Bromberger and his team calculated that the enterprise network security risk was reduced by more than 76 percent in the first year of implementation.

The system makes it easy to spot the leading threats to enterprise security, setting the stage for obtaining annual budgets to meet those threats. PG&E was awarded the second-highest rating ever given under the National Security Agency's INFOSEC Assessment Capability Maturity Model (IA-CMM). Finally, the system gave PG&E a head start on meeting the North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) standards, now mandatory for utilities. In addition, Bromberger is working to expand the threat and vulnerability assessment program from IT systems to control systems.
