Reliable, secure energy is essential to the smooth functioning of modern society. However, the complexity and age of modern power systems leaves much to be desired. In 2015, the Ukraine power grid was attacked. That incident knocked more than 30 substations offline and put more than 230,000 users in the dark. Later analysis found that the attack was not bad luck:
According to new details from an extensive investigation into the hack, they were skilled and stealthy strategists who carefully planned their assault over many months, first doing reconnaissance to study the networks and siphon operator credentials, then launching a synchronized assault in a well-choreographed dance. (Source: Wired Magazine)
This incident could happen at any energy or utility firm. Use these steps to identify the weak links in your security processes.
1. Is Your Workforce Equipped for Today’s Security Challenges?
New threats and challenges are constantly evolving in the security world. Given that reality, it is critical to recognize that your staff may need support to address new threats. Fortunately, professional organizations like ISACA make this process easier. In addition to providing exams and information security publications, ISACA also provides continuing education. To avoid “too busy for training” excuses, consider giving staff one day per quarter (or more) of paid time to attend training courses.
Management Check: Ask your security staff what professional development activities they have completed in the past six months.
2. Have You Reviewed Your Organization’s “Shadow IT”?
The rise of cloud computing services and mobile devices has made it easy for individual employees to purchase IT services. If these decisions are made without IT involvement, you are likely to encounter problems. For example, non-technical staff may not know how to evaluate security risks. Further, they may not have the capacity to implement identity management to new systems. As an IT manager, it is up to you to detect shadow IT systems and applications, and apply governance to them.
Management Check: At your next IT staff meeting, discuss shadow IT at your organization and what processes you have to detect and govern these systems.
3. Review Industry Security and Control Requirements
A variety of organizations regulate the energy and utility sectors. In addition to audits carried out by internal and external auditors, you have additional obligations to meet. For instance, the United States Nuclear Regulatory Commission publishes security inspection reports on its website. Studying these documents will help you avoid critical failures. As you review your security processes and systems, it is important to take the time to understand the expectations and requirements of regulators.
Management Check: Request a briefing from your company’s regulatory compliance organization on an annual basis. If your organization does not provide such a service, consider hiring an outside consultant to provide advice to you.
4. Identify High-Risk Manual Security Processes
Effectively running an energy firm poses many challenges. An operational failure puts lives at risk and may disrupt economic activity. Power interruptions for U.S. customers may generate costs over $22 billion, according to a 2006 government estimate. Given the need for high reliability in the energy field, managers cannot afford to waste time on ineffective manual processes. When it comes to security, consider using a solution like Avatier’s identity management framework to automate the security process.
Management Check: What security activities and processes do managers and employees have to address each month and each year? If a process is complex and carried out infrequently, you can expect mistakes to occur.
5. Recognize Security Is Never Complete
Energy and utility organizations are attractive targets for terrorists, criminals, and other bad actors. That is the reality of the world we live in. As a result, managers need to realize that their security processes, technologies, and training will never be complete. Adopt a humble mindset when it comes to your security. You may have successfully passed a penetration test last year, but that success does not guarantee immunity from future attacks.
Management Check: Look for ways to keep security training dynamic and engaging for your employees. Explore how you can use gamification to further engage your employees during training.
Further Reading to Improve Your Security
In a complex energy company, it is easy to get lost in your organization’s concerns. While that focus is admirable, it becomes a liability in cybersecurity. Explore these resources to stay informed about new threats and issues.
Andrew Froehlich, Shadow IT: 8 Ways To Cope, Information Week, March 18, 2015
Ernest Orlando Lawrence Berkeley National Laboratory, Cost of Power Interruptions to Electricity Consumers in the United States, February 2006
European Commission, Cyber Security in the Energy Sector Report, February 2017
Kim Zetter, Inside The Cunning, Unprecedent Hack of Ukraine’s Power Grid, Wired Magazine, March 3, 2016