Peter M. Curtis - Maintaining Mission Critical Systems in a 24/7 Environment

11 The fundamental issue, namely, is that the electric utility is both the supplier of last resort and is responsible for the quality of power (such as it is today) delivered to every metered customer. This means that utilities will endeavor to live up to these responsibilities and design a system robust enough to minimize liabilities due to poor power quality. Therefore, the technical requirements placed upon distributed generation designs will be very stringent in an effort to make such generation units “utility‐grade” in quality.

These above factors tend to both drive and discourage renewable energy and distributed generation economies at the same time. A rational plan that fosters a diverse energy supply advances easy‐to‐permit distributed resources for a redundant supply and cultivates distributed generation into a dependable source of capacity. This is presently being driven by policy, without much technical consideration of the potential widespread impacts.

Given the technical and institutional realities, there is still much room within which any critical facility owner can design a power supply system that includes at least these three key components: reasonably reliable utility electric service, a reliable and well maintained back‐up power generation system, and distributed energy resource(s) that use high efficiency or renewable energy sources to drive down energy costs while reducing air pollution and greenhouse gas emissions. In certain installations, the distributed energy resource can be engineered to work in concert with the back‐up generation system.

Fuel cell technology has seen uses in mission critical environments since its inclusion in NASA’s Gemini space missions in the mid‐1960s using hydrogen and oxygen to produce power. Modern fuel cells, which convert natural gas to electricity without combustion, are deployed as a combined heat and power (CHP) system provide reliable, high‐quality power and recoverable waste heat, while reducing the “carbon footprint” of your facility. To make the best use of a fuel cell installation, it should be sized at or below the base load of the data center or other critical facility that it will serve. In areas with reliable grid service, the financial viability of fuel cells is dependent on low natural gas prices, but fuel cells may also be deployed as the primary power source in areas with poor grid reliability due to a lack of utility investment or extreme weather conditions.

There are also many examples of data centers incorporating photovoltaic technology into their power systems. Due to federal and state subsidies and incentives, PV technology is often a cost‐effective way to “go green,” and lower costs with a return on investment as low as a few years.

One proposed larger‐scale solution is the use of “virtual power plants,” whereby multiple distributed generation resources are linked together via the Internet so they can be managed as a single entity. This model allows for a mix of resources to work together to negate some of the disadvantages and power quality issues traditionally associated with small energy sources.

In recent years, there have been critical infrastructure drawings found on unsecured laptop computers, in garbage pails, and blowing around the streets of major cities. These security leaks provide an opportunity for cyber threats to occur and make our national infrastructure vulnerable to people who want to disrupt the electrical grid, or specific critical buildings vital to our national and economic security. Examples of these security leaks include a major banking and finance company’s laptop computer that was found in India with critical infrastructure drawings on it, transportation drawings found in a trash can outside a major transportation hub, and most recently, the New York City Freedom Tower drawings found in the trash. The occurrence of these situations can compromise corporate and national safety and security if these documents fall into the wrong hands. Business officials traveling abroad are also a major target for information theft. Spyware installed on electronic devices and laptops can open communications with outside networks, exposing information stored on them. In the environment we live in today, we need a steadfast plan to secure invaluable information such as critical drawings, procedures, and business processes. The following items should be considered when you are evaluating your internal security:

Security Questions:

1 Have you addressed physical security concerns?

2 Have all infrastructures been evaluated for the type of security protection needed (e.g., card control, camera recording, key control)?

3 If remote dial‐in or Internet access is provided to any infrastructure system, have you safeguarded against hacking, or do you permit read‐only functionality?

4 How frequently do you review and update access permission authorization lists?

5 Are critical locations included in security inspection rounds?

Network and Access:

1 Do you have a secure network between your facility’s IT installations?

2 Do you have an individual on your IT staff responsible for managing the security infrastructure of your data?

3 Do you have an online file repository? If so, how is the use of the repository monitored, logged, and audited?

4 How is data retrieved from the repository and then kept secure once it leaves the repository?

5 Is your file repository available through the public Internet?

Techniques for addressing information security:

1 Enforce strong password management for properly identifying and authenticating users.

2 Authorize user access to only permit access needed to perform job functions.

3 Encrypt sensitive data.

4 Effectively monitor changes on mainframe computers.

5 Physically identify and protect computer resources.

Enhancements that can improve security and reliability:

Periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems.

Policies and procedures that:Are based on risk assessments.Cost‐effectively reduce risks.Ensure that information security is addressed throughout the life cycle of each system.Ensure compliance with applicable requirements.

Plans for providing adequate information security for networks, facilities, and systems.

Security awareness training to inform personnel of information security risks and of their responsibilities in complying with agency policies, procedures, and practices, performed.

A process for planning, implementing, evaluating, and documenting remedial action to address deficiencies in information security policies, procedures, or practices.

Plans and procedures to ensure continuity of operations for information systems.

Recommendations for executive action:

Update policies and procedures for configuring mainframe operations to ensure that they provide the necessary detail for controlling and documenting changes.

Identify individuals with significant security responsibilities and ensure they receive specialized training.

Expand scope for testing and evaluating controls to ensure more comprehensive testing.

Enhance contractor oversight to better ensure that contractors’ noncompliance with information security policies is detected.

Update remedial action plans to ensure that they include what, if any, resources are required to implement corrective actions.

Identify and prioritize critical business processes as part of contingency planning.