E-commerce: Security Matters – A trusted source

As e-business becomes more prevalent, companies within the power industry are increasingly looking at how they can improve their existing business models and reap the benefits of conducting business electronically. For almost any company, there are clear potential benefits of exploiting the internet, including faster time-to-market, lower distribution costs and access to a much wider customer base.

KEP Energy, an internet venture owned by UK-based power company Powergen, is one of many companies that in the 1990s recognised the opportunities presented by the internet. It quickly identified a market opportunity in the development and distribution of business-critical web-based applications.

KEP Energy was formed in the 1990s by a consortium made up of KEMA, the Dutch testing and research organization, EPRI, the largest independent research organization in the USA, and Powergen – hence the initials KEP. The group was formed with the aim of researching and implementing methods of using the internet commercially for the power industry. Subsequently Powergen bought out the other venture partners.

Figure 1. BT TrustWise adds security to applications on line
Click here to enlarge image

KEP Energy operates within the retail division of Powergen, based in Coventry, UK. and supplies business-critical applications and solutions on-line to the power industry and other sectors world-wide.

Business applications and solutions are provided by KEP using the internet as a virtual ‘private’ network (VPN). Security systems are used to provide an additional level of confidence and security. Supplying applications through the Application Service Provider (ASP) model enables customers to avoid the substantial initial costs of purchasing software outright, and lifts the burden of ongoing maintenance and upgrades.

In addition, ASP customers benefit from support services and access to a much wider range of applications than they might have otherwise. However, without watertight internet security, internet applications and the ASP model cannot work. Customers must be completely confident that their ASP is keeping their data as safe as they would themselves, if not safer.

Clear benefits

In 1996, KEP Energy started looking for ways to exploit the advent of the internet for the benefit of the power industry. The team first explored the idea of launching a portal that would allow like-minded companies access to information and applications to help them manage their businesses. However, KEP Energy felt that this idea had drawbacks, as it would need to be funded by advertising, lowering the quality of the information available on the site and diminishing its appeal to potential users in the power community.

Instead, the KEP team concentrated on developing business solutions whereby the power community could securely access and run applications that would deliver a clear business benefit. The internet was clearly an ideally suited distribution network and opened the door to a greater variety of pricing models such as ‘pay as you go’ (PAYG), where customers pay for the applications as they use them.

KEP Energy has developed a portfolio of solutions available through the ASP model, including two key applications that enable businesses in the power industry to operate more efficiently.

One of these applications is a secure, remote-access diagnostic tool for power plants. The application allows firms to log on to the power plant’s control system from anywhere in the world via a web browser. The turbines, generators, pumps and all other systems within the working plant can be monitored individually and in near-real time. For example, an engineer in London can analyse and diagnose a problem and instruct an engineering team in India on how to fix it. The system costs little to set up since it taps into the existing digital control system of the plant, loads the information into a database and then accesses it via a web browser.

The other key productivity application provided by KEP Energy is Forum, an online project management service. This enables teams to access information about projects, upload and download files and communicate with each other, all through a secure, intuitive, online interface. Forum is ideal for widely distributed teams with members from different companies, as it is all accessed via a standard web browser and doesn’t depend on platform compatibility between companies. Such a tool clearly requires a high level of security in order that companies can place mission-critical information on the site for teams to share, without fear that it could be accessed by competitors, or worse, by saboteurs.

These, and all of the other applications provided by KEP Energy, rely heavily on top level, unbeatable security. The confidence of users in the integrity of the systems is of paramount importance.

Digital certificates

In the early 1990s, Powergen used Kerberos to secure its internet transactions. Kerberos was the original weapons-grade encryption technology developed by the Massachusetts Institute of Technology (MIT). As internet use grew, however, a common set of standards was needed and security solutions, such as BT TrustWise – a portfolio of security solutions developed in association with VeriSign – were developed to work on widely used web browsers. It made sense for KEP Energy to run their business applications and the security to support them using de facto standard components.

KEP Energy now uses BT TrustWise security solutions from BT Ignite Application Services to ensure that access to applications is granted only to authorized users, and that each user only has access to the information to which they are qualified and permitted.

“BT TrustWise digital certificates allow us to do three vital things,” says Jeff Cole, technical manager at KEP Energy. “With the certificates we can authenticate, encrypt and ensure the message integrity of all the packets of information that travel to and from our servers. Through authentication we can validate the identity of the parties involved in transactions; with encryption we ensure the information being exchanged is only readable by the intended recipient; and message integrity guards the confidentiality of the transaction, ensuring that it won’t be intercepted during transmission.”

A digital certificate is the electronic equivalent of a digital signature. It is issued by a trusted third party, called a Certification Authority (CA). BT Ignite Application Services, through BT TrustWise, acts as a CA, and can also enable its clients to become a CA and issue their own certificates to customers.

Before a certificate is issued, the CA reviews the applicant’s credentials through third party databases, and takes several other steps to ensure that the organization is what it claims to be and is not claiming a false, or ‘spoof’ identity. The CA then issues the organization or individual with a digital certificate which will be able to prove the holder’s identity and verify its right to access information in electronic transactions.

In physical transactions, the challenges of identification, authentication and privacy are solved with physical marks, such as seals or signatures. In electronic transactions, the equivalent of a seal must be coded into the information itself. By checking that the electronic ‘seal’ is present and has not been broken, the recipient can confirm the identity of the message sender and ensure that the message content was not altered in transit. By using a BT TrustWise digital certificate, this ‘seal’ is automatically encoded into the information, guaranteeing that the information is authentic and has not been tampered with.

KEP Energy acts as its own certification authority, which means that it can issue digital certificates to the users nominated by its clients. This means that although applications run on KEP Energy’s servers, KEP Energy does not necessarily have access to its clients data, as the client can choose to permit access only to the holders of certain certificates – which can exclude KEP Energy.

KEP Energy has found BT TrustWise security solutions easy to implement and manage, outsourcing much of the legwork to BT Ignite Application Services. According to Cole: “BT TrustWise enables us to run our certification authority seamlessly for our customers. The customers only see their interactions with us, though the certification is outsourced to BT Ignite Application Services. This allows us to focus on customer service and application development.”

TCPA: an alliance for security
In a world increasingly influenced by the internet, data security and information protection have never been so important; e-business can really only flourish within a secure, trusted environment. With this in mind, and with a predicted surge in internet-based B2B trade in the years ahead, IT industry giants Hewlett-Packard, IBM, Intel and Microsoft decided it was time to collaborate.

The result was the Trusted Computing Platform Alliance (TCPA). TCPA was formed in 1999 and now has over 145 members consisting of both software and hardware companies working together to build confidence and security in computing platforms and e-business transactions.

TCPA’s mission is the development of a new hardware and software specifications that will enable technology companies to offer a more trusted and secure computing platform based on common standards.

In January 2001, TCPA announced TCPA Version 1.0, a platform designed to add significant trust capability and security building blocks to existing platforms. It defines a subsystem which contains an isolated computing engine that cannot be altered. Platforms also include an embedded chip that can reliably report and measure information. This ‘integrity check’ feature of the subsystem enhances software-only security services.

The embedded chip is a cryptographic microprocessor that supports functions such as key encryption for privacy and digital signatures for authentication or user identification. It is included on the motherboard to protect electronic communications by protecting a user’s private key information. The chip provides the most secure endpoint for Public Key Infrastructure, more so than software-based security. It is also designed to work with other security options, including firewalls and antivirus software.

TCPA aims to encourage wide industry support and adoption of the specifications so that low-cost, standardized levels of security can become ubiquitous allowing e-commerce to flourish in a safe, trusted environment.

No posts to display