Winning at IT security for the energy industry is critical. With poor security in energy, the safety and health of people across the nation will be at risk. Hospitals will go dark. Traffic lights will malfunction. The economy will suffer, and people may lose jobs. All of this can be prevented by implementing better IT security for the energy industry. We’ll show how to get started and cut through the chaos of cybersecurity.
The Path To IT Security Clarity: Design Your IT Security Requirements First
To develop a successful IT security program, you need to start by setting goals. You might be tempted to set a goal like “we will have no IT security failures.” Unfortunately, that goal may not be achievable. Instead, we recommend pursuing different objectives such as enforcing a robust IT security program throughout the organization. You may also add in access management KPIs to demonstrate your controls. To ensure your IT security program is comprehensive, you first need to gather your requirements.
Energy Industry IT Security Requirements
Consult the following resources to gather energy industry-specific security requirements.
- Power Grid Security. US Federal Energy Regulatory Commission’s Order No. 706. This 2008 order puts Critical Infrastructure Protection (CIP) cybersecurity reliability standards into action for the power grid. Areas covered in this order include security management controls, incident reporting, physical security, recovery plans for critical cyber assets and training.
- Oil Industry Security. According to EY’s report 20th Global Information Security Survey, “60% have had a recent significant cybersecurity incident.” The report also found that the majority of oil and gas industry respondents did not use cybersecurity best practices, such as tabletop exercises.
- Nuclear Energy Security. Several organizations, including The International Atomic Energy Agency, are sounding the alarm on nuclear cybersecurity. Use the agency’s Conducting Computer Security Assessments at Nuclear Facilities resource to start assessing your cybersecurity risks.
These resources illustrate some of the specific energy industry IT security requirements and standards you must follow. If your energy facility is regulated by a specific agency, make sure you contact that organization to confirm their needs. Confirming your alignment with these best practices is an excellent first step. It shows that you are keeping up with your peers. This is only the beginning of the journey, however.
IT Security Best Practices: Look Beyond Your Industry’s Security Ideas
Modeling what happens within the energy industry will help you develop your minimum requirements. However, success in IT security ultimately requires that you take a proactive philosophy. Ask yourself: what are the best practices from other industries that we can model? To jump start your thinking, consider these questions.
- Emphasize IT Security Convenience. If IT security is inconvenient, your employees will look for ways to avoid these requirements. That’s the harsh reality you need to recognize and address. You address this reality by using IT security tools like Apollo that make security easy for employees.
- Empower IT Audit. Perfection is difficult to accomplish, especially in IT security, but you can pursue continuous improvement. Your most important ally in improvement: IT audit. These professionals are focused on detecting gaps and oversight in your IT security practices. If you lack this capability internally, look at hiring audit professionals on a contract basis to provide assistance.
- Leverage IT Security Consultants. When you build an IT security program, it is natural to become proud of what you have created. This sense of professional pride makes it tough to find security weaknesses. The solution is simple. Engage an outside IT security consultant to conduct an independent evaluation of IT security. Specific services commonly used include penetration testing and red teaming (i.e. a full IT security attack simulation designed to find vulnerabilities and problems).
Identify The Gap In IT Security Practices
Now that you have clarified your IT security requirements, you need to compare that vision to your current situation. By conducting this analysis, you will find out where to focus your efforts. Focus is crucial because the IT security department — even in a nuclear power plant — still has to operate with limited resources.
To start your self-assessment, examine the following areas.
- IT Security Awareness and Training. What programs do you have to create awareness and IT security skills throughout the organization? Relying solely on the IT security department is a recipe for failure.
- IT Security Controls. Organizations rely on controls to protect the quality of their financial statements and processes. Likewise, use controls to detect and prevent IT security problems. For example, apply a control to reduce inactive user account risk.
- Independent Assurance and Testing. Measure how often you use external assistance to detect problems and your diligence in implementing recommendations.
- Monitoring. Review your monitoring and IT security alert tools. Alert tools often require calibration so that you are not buried in irrelevant messages.
- IT Security Tools and Software. Implementing IT security automation tools is one of the best ways to increase the productivity of the IT security team. In the energy industry, sometimes people have to work around the clock in remote locations to maintain energy facilities. To make sure they have uninterrupted access to their accounts, use an IT security chatbot like Apollo.
If you have followed the process to this stage, you have achieved two important milestones. First, you have clarified your IT security requirements. Second, you have critically examined your organization for gaps and problems. Assessing your organization to find problems is rarely fun; however, it is far better to detect problems on your own than have others expose them.
Your Next Step To Better Energy Industry IT Security
Discovering gaps in your IT security is crucial. However, that awareness alone will not generate improved security. Your next step is to choose one priority area, like password management, and assign a project manager to lead the implementation. As that area is fully developed, you can then move your project emphasis to the next most significant gap in IT security.
