One would be hard-pressed to find someone within the electric utility industry who doesn’t know the risks of cyber-attack. A discussion of actual and possible events is in the news almost daily. In fact, there are real-world incursions into industrial control systems and even electric utility operations by bad actors using cyber-attack methods and tools. How can we protect ourselves from attack, and as an executive, what should you emphasize in a program? There are many ways that Information Technology, Operational Technology, and cybersecurity programs within the electric sector are put together. There are, however, some key considerations that ought to transcend differences in approach.
Dedicate a Person as the Cyber Director
Cybersecurity is a specialized area, and if you’re serious about addressing risks, you want one person who has the responsibility to oversee that function and is accountable to the board for that role. One encounters, across media platforms, discussions and debate about what background and skills a cyber-security director should have. It’s worth keeping in mind that a cybersecurity director in any business has a role that can only be described as one with inherent dichotomies. She is responsible for detecting and reporting attacks and breaches, and responsible for preventing them too. A program that can't detect cyber incursions might look good at preventing them. Likewise, good detection and reporting of incursions might look like poor prevention. Further, a cyber-security director must be able to communicate effectively at all levels, from the board room to the substation and the wiring closet. They must simultaneously extol the positive aspects of a cyber-security program through positive assertions and candidly report back to the board and executives on the gaps and weaknesses without appearing obtuse. Most importantly, that person must have a solid understanding of the business and what matters to it. Regardless of what else you see as a requirement for the role, that person must be able to handle these situations.
"Cybersecurity directors must simultaneously extol the positive aspects of a cyber-security program through positive assertions and candidly report back to the board and executives on the gaps and weaknesses without appearing obtuse"
It’s Not about Compliance
Every electric utility that is part of the bulk electric system is familiar with the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards and the compliance regime associated with them. It’s a set of standards overseen by NERC and audited by regional entities across the NERC membership. NERC CIP provides a solid baseline of mandatory cybersecurity requirements. Non-compliance may result in fines. A culture of compliance is good, and nobody should suggest risking non-compliance and facing fines (up to $1,000,000 a day). However, don’t emphasize compliance as the end, or even as a program in and of itself. Compliance for compliance’s sake can cause significant gaps in a cybersecurity program. As a C-suite executive, you may not, and probably shouldn't, have in-depth knowledge of cybersecurity controls and weaknesses at the component level. You do, however, influence the culture. Emphasize that reducing risk, not compliance alone, is the goal. Encourage a program that implements risk-based cybersecurity tied to the impacts of an attack, treating compliance as a natural but not final step. Hold your cybersecurity director accountable to that, and ask for a regular cadence of cyber-attack risk reporting.
Keep Your Operations, Operations
If possible, you don’t want cybersecurity systems (application firewalls, intrusion detection systems, etc.) operated by cybersecurity personnel. Why? Generally, people focus on the mission of their group. Operations keeps the systems working to achieve the mission. Yes, they care about security, and your cyber team should be backing them up and ensuring they do. But security isn’t in place for its own sake. It serves the needs of the mission and the enterprise. Outages or disruptions created by implementing security can cause the exact kinds of disruptions that we, who place reliability at the top of our priority list, put cybersecurity in place to prevent.
Bring in a Red-Team and Adjust
A “red-team” is an individual or group that is truly independent and can therefore see things objectively. Often in cybersecurity, this function is combined with penetration testing. True red teams act as the “bad guys” and attempt to breach systems with no warning or knowledge given to anyone but an executive or two. Red teams in cyber should also include a programmatic review. Encourage your red team to tie weaknesses in the program to the technical vulnerabilities they find (they will find some; we all have them). Doing that is difficult, but it can be truly useful in helping motivate staff.
Train Your Staff
Budgets are always tight, but cybersecurity skills are perishable and cybersecurity staff are hard to come by. Keep your team trained up and tell the board it’s essential. Show the return on investment through reporting. Make sure that your employees have a disciplined goal for their training that aligns with your program as it supports the strategy of your business.
Brief the Executives and Tailor Metrics
Successful managers generally were individual contributors who didn’t wait for their boss to tell them how they were doing, but took responsibility, asking with regularity, “This is how I feel I’m doing; what do you see?” This is the same idea. Brief the executive team, or the CEO, on a regular cadence. Tell them where the risks are and what must happen. Make sure they are comfortable with the risk. In this ongoing conversation, develop metrics that interest your executives and tailor them to what your organization does and what works for you.
There are nearly as many different implementations of Information Technology, Operational Technology, and cybersecurity programs as there are electric utilities. However, some key principles can help as architectural guidelines for your program. Although these aren’t the only things one should consider for a program, they ought to be applicable to any organization.