By Corey McMahon, Burns & McDonnell
We have all seen it. “Tonight, on news at 6 — a big retailer has lost millions of credit card numbers.” As consumers and individuals, the idea of exposure to a computer virus seems less sensational every day. This year alone, many have received multiple identity theft protection services free due to a corporate or government breach. However, securing the data required for operation of the nationwide power grid is orders of magnitude more important for the security of our nation than that of personal data.
Data security for the power industry is regulated by the Federal Energy Regulatory Commission (FERC). However, let’s take a step back from these complicated regulations and talk about holistic cybersecurity concepts.
Cybersecurity is seen by many as a sunk cost. In the business world and in the Federal government, compliance frameworks are constantly imposed, but they typically miss the mark because of how they are implemented and enforced. These regulations are often filled with “one size fits all” paper drills and annual assessments that carry extreme penalties for failure. These “flexible” frameworks all too often become a “check-the-box” system in which resources are spent on meeting the minimum compliance standard and not an inch further.
One word describes why utilities should care about cybersecurity: risk. On a personal level, the integrity of a family’s memories is what matters most. To ensure this data is always available, parents regularly back up photos and videos locally on an external hard drive as well as to a cloud storage provider. This provides local redundancy as well as remote redundancy — the likelihood of all three copies being destroyed is very low. The likelihood of a computer hard drive and a local external hard drive failing or being destroyed simultaneously is small, but since a single natural disaster could easily take out both of them, keeping backups off-site reduces the risk to a tolerable level. This same concept is vital to power producers, and the same principles should be applied to any data of tangible or intangible value.
The real goal is risk tolerance. To achieve this goal, you must establish a thorough understanding of your facility’s cybersecurity risk. When trying to evaluate a utility’s cybersecurity program, start with a basic question — what is the critical data?
What part of your Information Technology (IT) or Operational Technology (OT) infrastructure is the most important to you and your business interests? For a utility, the most vital business process is probably the ability to monitor and respond to the ebb and flow of grid demand. It may be the stored customer financial information, it might be the prioritization of power service restoration, or it could be another critical business process; many times, it is a blend of all three.
Once the critical data sets and priorities are identified, figure out which property of the data matters most. Is it keeping the data confidential? Is it ensuring the integrity of the data? Perhaps the most important priority is availability: building a resilient system in which non-critical portions of the network are allowed to fail while others must stay online. Again, you need a blend of the three components, but it is important to understand where your priorities lie in order to give your cybersecurity team clear direction.
This strategic focus builds a foundation for assessing the extremely complex and multidimensional cybersecurity risk facing power providers. It provides a starting point from which the understanding of the risk to the data can mature. At this point, executives need to establish a relationship with a set of trusted advisors who can provide an honest look from the outside in. This should go above and beyond a typical audit — starting at a strategic level and systematically working through maturity layers to ensure a holistic approach has been taken while identifying any gaps.
Continual maturation is paramount for utilities – most cybersecurity programs can be drastically improved through strategic, incremental improvements. Assessing risk, prioritizing efforts, implementing solutions, and re-assessing are key to ensuring that a cybersecurity program is moving in the right direction while verifying results along the way. Through this method, leadership gains a clear understanding of the business’ cybersecurity risk and can invest in the cybersecurity solutions that provide the highest return on investment to the business.
The reason to care about cybersecurity is to enable risk management and tolerance.