Many of the largest providers of critical Industrial Control Systems used by U.S. utility companies are either based overseas or have major software development centers in foreign countries, Weiss said. As an example, he pointed to General Electric, which has its biggest software development center in China.
"I'm not really sure if the security risk would be any different [with offshoring business applications]," Weiss noted.
What ultimately is important are the governance and oversight processes in place to mitigate security risks, he said. Any company that finds itself needing to implement tougher governance processes simply as a result of outsourcing should not be doing it in the first place, Weiss said.
"If you think you need to have more oversight if you are going to India, then why are you doing this? If you are saying the 'trust is less', then don't do it."
Dale Peterson, CEO of consulting firm Digital Bond, a company specializing in control system security, said the real risk arises only if control room operations are being outsourced to an offshore destination.
"[That] is a whole other matter," Peterson said. A few utilities have begun talking about control systems being managed through virtual plants based somewhere else, he said. "But that would be very bleeding edge stuff," and most likely not what's going on here, Peterson said.
Typically business application outsourcing should introduce little new risk for a utility, he said. "Essentially the [Industrial Control Systems, Supervisory Control and Data Acquisition Systems, Distributed Control Systems] network considers the corporate or business network untrusted," he said. "No access is allowed into the [Industrial Control Systems] zone except under emergency conditions."
Corporate networks sometimes have links to plant systems to gather performance metrics and other data, he said. But the data needed by the corporate network is typically pushed out to the Industrial Control System perimeter in a secure fashion, he said. So any offshore vendor with access to the corporate network is unlikely to be able to touch plant systems, he said.
"If an owner or operator has a good [Industrial Control Systems] security perimeter, it doesn't matter if the corporate or business network is outsourced," said Peterson.
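The zone model Peterson describes (ICS pushes telemetry out to a perimeter host, the corporate side reads from that perimeter, and nothing initiates into the ICS zone outside an emergency exception) can be expressed as a rule audit. The code below is an added example, not from the article or from Digital Bond; the zone names, rule format and sample rules are constructed.

```python
"""Audit a candidate firewall rule list against the ICS perimeter model
described in the article.  Zone names, the Rule shape and SAMPLE_RULES
are constructed for illustration."""
from dataclasses import dataclass

ZONES = {"corporate", "dmz", "ics"}
# Directions that may be initiated: ICS pushes to the perimeter (dmz),
# the business side reads from the perimeter.  Nothing initiates into ics.
ALLOWED_FLOWS = {("ics", "dmz"), ("corporate", "dmz")}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str            # "allow" or "deny"
    emergency: bool = False  # documented emergency-access exception


def audit(rules):
    """Return (rule_index, severity, message) findings; [] means conformant."""
    findings = []
    for i, r in enumerate(rules):
        if r.src not in ZONES or r.dst not in ZONES:
            findings.append((i, "error", f"unknown zone in {r.src}->{r.dst}"))
            continue
        if r.action != "allow" or r.src == r.dst:
            continue  # deny rules and intra-zone rules do not widen the perimeter
        if r.dst == "ics":
            if r.emergency:
                findings.append((i, "review", f"emergency path {r.src}->ics needs approval and time limit"))
            else:
                findings.append((i, "high", f"inbound {r.src}->ics violates perimeter policy"))
        elif (r.src, r.dst) not in ALLOWED_FLOWS:
            findings.append((i, "medium", f"flow {r.src}->{r.dst} bypasses the perimeter push path"))
    return findings


# Constructed sample: a rule set an outsourced corporate-network team might propose.
SAMPLE_RULES = [
    Rule("ics", "dmz", "allow"),                   # historian push outward: fine
    Rule("corporate", "dmz", "allow"),             # business reads perimeter data: fine
    Rule("corporate", "ics", "deny"),              # explicit deny: fine
    Rule("corporate", "ics", "allow"),             # vendor reaching plant systems: high
    Rule("ics", "corporate", "allow"),             # direct link skipping the perimeter: medium
    Rule("dmz", "ics", "allow", emergency=True),   # emergency exception: flagged for review
]

if __name__ == "__main__":
    for idx, sev, msg in audit(SAMPLE_RULES):
        print(f"rule {idx} [{sev}]: {msg}")
```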