On Aug. 14, 2003, the lights went out across a large swath of North America. A power company in Ohio was slack in tree trimming (or "vegetation management," in the words of the official report on the incident), and a local transmission line problem cascaded into a 61,800-megawatt blackout, leaving 50 million people in the dark in eight states and parts of Canada. In some areas, it took four days to restore power, which, according to some estimates, cost the American economy between $4 billion and $10 billion.
The blackout highlighted the vulnerability of the electric grid to massive failures and to potential attacks by terrorists, giving new impetus to calls for more regulatory standards and enforcement in the utilities industry. On Aug. 8, President George W. Bush signed the Energy Policy Act of 2005, which helped change the way the utility industry is regulated. "This bill," said President Bush, "will strengthen our economy, and it will improve our environment, and it's going to make this country more secure."
Focus On: Utilities
Top Business Challenge: Modernizing the electric grid while complying with new federal regulations for data and plant security.
Solution: Technical and physical security measures.
How IT Can Help: Through firewalls, intrusion detection, advanced metering infrastructure, high-temperature superconductors, flexible alternating current technologies and advanced energy storage.
The new law also means more headaches for utility CIOs, who occupy an industry burdened with heavy debt, the fallout of the Enron bankruptcy and fierce pressure to cut costs. "It's a tough time, and CIOs have to do a juggling act," says Andrew Bartels, who covers the sector for Cambridge, Mass.-based Forrester Research Inc. "Some are in a hunkered-down mode, not being very aggressive. Others feel that they're doing everything they can and it's not enough, that the expectations are unrealistic. They're working their tails off, and they have business partners who aren't satisfied."
The North American electrical grid is a $1-trillion network that knits together nearly 3,500 utilities, most of which are publicly owned or cooperative organizations. The 200,000 miles of transmission lines bring power to 283 million people.
Forrester estimates that utility IT spending shrank last year to $10 billion, or 1.8% of revenue, from a peak of $15 billion, or 2.9% of revenue, in 2002 -- a reflection of contracting market capitalization and heavy debt loads. Although share prices have turned around, bottom-line pressure remains strong, and new technology initiatives have largely been limited to supporting business cost cutting, security and regulatory compliance.
"The utilities are being squeezed by raw-material prices, and their prices are often regulated so they can't charge too much more," Bartels says. And in some areas, "they have no choice on what they spend, such as with compliance."
Beyond Voluntary Compliance
The Energy Policy Act changes the regulatory landscape. Previously, most utility companies cooperated voluntarily under the auspices of the North American Electric Reliability Council (NERC), a nongovernmental entity based in Princeton, N.J., that sets standards for managing the grid but that has no enforcement power. NERC was created in 1968 in the wake of the 1965 New York blackout.
"For years, peer pressure was tremendously effective," says NERC CIO Lynn Costantini. "But with deregulation in the 1990s, new competitive pressures developed. Peer pressure just isn't the mechanism that will guarantee compliance anymore."
Even before 9/11, the industry was concerned with security. NERC has been involved in several long-standing initiatives designed to protect the grid and recover functionality in the event of a national emergency. The Critical Infrastructure Protection Committee brings together industry experts in cyber-, physical and operational security to develop best practices. The Electricity Sector Information Sharing and Analysis Center coordinates policies and disseminates threat assessments and data between utilities and public agencies. And the Spare Equipment Database is designed to speed disaster recovery.
"Utilities share information with each other and with the government, too," notes David E. Mannering, CIO at Lincoln Electric System, a $168-million-a-year utility in Lincoln, Neb. "It could be two or three full-time jobs just to keep track of what's going on."
Now NERC is revising policies for both reliability and security; these new standards will be mandatory, not voluntary. The working drafts have already generated 3,800 pages of comments from CIOs who will have to comply with the standards when the law takes effect in 2006.
"Current cyberstandards are a very low bar that we've set, but at least it gives us some confidence that we're all on the same playing field," Costantini says. "Now we're raising the bar. This will involve some IT spending, but we're giving utilities several years. We have to be respectful of budget cycles; it is not security at any cost. Some CIOs might freak out for a while, but I don't think it will bankrupt anyone."
Although CIOs say they don't yet know how the new rules will affect IT spending, they insist they're on top of the problem.
"For some utilities, it will require a lot of time and resources," says Lincoln Electric's Mannering. "We've already begun putting together our teams. We probably have eight people working on it part time. It will branch out into more work and take significant resources."
Mannering says he expects that the new requirements will involve everything from new hardware and software purchases to drawing up new policies and improving plant security with more rigorous background checks on employees and card-reading devices.
One critical issue is the security of Supervisory Control and Data Acquisition (SCADA) systems, which are used to monitor and maintain far-flung power networks.
"The threats are certainly there," says Costantini. "In our industry, we have a lot of legacy SCADA systems that don't lend themselves to attack because they're not connected to the Internet. The newer systems are at risk. Everyone was looking at the business advantages of networking without a lot of thought to security aspects."
"The main thing everyone needs to keep an eye on is connections to outside entities," adds Mannering. Utility CIOs also face other hurdles, such as executives' lingering perception that IT is not a strategic business advantage. Still, Forrester's Bartels notes that there are several steps that CIOs can take to align business and IT.
"First," he says, "they have to establish basic credibility in core IT -- keeping costs down, process management so that projects are on time and on schedule. The second is to understand the business need that IT is meeting and communicating that to the rest of the company."
Jim Jones, CIO at Great River Energy, a $540-million-a-year rural cooperative in Elk River, Minn., understands those pressures. "You really have to stay on top of everything," says Jones. "You just can't keep throwing people at problems; you have to improve what you're doing and how. We're not treating compliance as a project but as a program. Disaster recovery, business continuity, security never get done. You just get better."
Mannering agrees that the industry's quest for reliability and security is a ceaseless task.
"You have to always review your policies and update them to make sure you're in compliance, but it will be a never-ending task," says Mannering. "Our mission is to keep the lights on."