
Commentary: Button up network security

Breaches such as the one that recently hit the California Independent System Operator are common and often result from a lack of security awareness from IT staff.

    By Richard Hunter and William Malik, Gartner Analysts

    Breaches such as the one that recently hit the California Independent System Operator are common and often result from a lack of security awareness on the part of a well-intentioned IT security staff.

    See news story: Hack raises fears of unsafe energy networks

    Human error is at the root of most unauthorized access incidents, and the complexity of computer systems makes it more likely that human errors will continue to occur. Once they happen, it's likely that a hacker will sooner or later--probably sooner--discover and exploit an error if it persists.

    Fortunately, in the case of the attack on the power center, the depth of the breach was probably limited by the hacker's lack of experience.

    Very few business functions remain in our society that aren't controlled or assisted by a computer. Any computer that isn't secured on a network could be breached--and any unauthorized intruder might be dangerous. If the computer manages sensitive information critical to people's lives or business, then the intrusion threatens them as well.

    Businesses responsible for services that are sensitive, or could cause widespread harm if the information is misused, unavailable or distorted, must take extraordinary measures to ensure that those services are not visible on the Internet. All systems should be put behind a secure firewall. A number of tools are available to ensure that breaches don't occur on a regular basis.

    Companies must scan for intrusions and malicious code on a regular basis and have a policy that requires the status of their systems be verified regularly as well. This is especially true when it comes to something as important as a power grid or other critical systems. At this point in the evolution of IT security practices, allowing such important systems to remain wide-open verges on irresponsibility.

    Companies that do not have a security policy should develop one. Those that do have a policy should verify that employees understand and comply with it.

    Security should not be an afterthought. It must be part of the training and procedures implemented with any system from day one. Gartner expects negligence suits and regulatory penalties aimed at sloppy security administrators and their companies to be adopted in the United States as early as 2003.

    (For related commentary on how to secure networks from hackers, see TechRepublic.com--free registration required.)