With operational technology (OT) now core to distribution networks and extreme weather threatening operations, transmission and distribution utilities should think far more broadly about security. How? Below are my thoughts.
As the headlines show with painful clarity, cyberattacks are on the rise. Thankfully, leadership has been investing accordingly, with more than 90 percent of utilities spending more than 20 percent of cybersecurity budgets on advanced technologies. But more is needed.
For today’s transmission and distribution (T&D) utilities, greater connectedness brings greater risk of attacks by malicious (and sometimes state) actors. This is compounded by a significant increase in the type and volume of users, which expands the potential for a serious breach that can affect customers and the public.
The ominous lessons of the FireEye and SolarWinds attacks
The layers and implications of these hacks, discovered in December after months of burrowing into the networks of companies and government agencies, are still being peeled away. But it’s clear that they are serious – so egregious that they prompted the chief executive officers of the largest American utility companies to hold an urgent, all-hands call to discuss possible threats to the power grid.
Dragos, a threat intelligence firm, urged utilities to assess the exposure in their operational technology (OT) environments because “supply chain compromises, like SolarWinds, provide illicit and malicious access to OT environments, facilitating possible disruption,” said Sergio Caltagirone, the firm’s vice president of threat intelligence for industrial cybersecurity.
This is why security is a challenge for the business at large
If we layer on extreme weather and other natural disasters, utilities are in emergency response mode more often, for longer and in more complex ways. This means their security strategies and approaches must be tested and watertight. They need to be increasingly agile and able to adapt to non-traditional operating models such as remote workers. All of these steps can help them reduce risk and accelerate analysis and remediation of attacks like FireEye and SolarWinds.
Put governance at the top of the security “to-do” list
How to handle security on an end-to-end basis? First, think about moving it out of IT. Some utilities are creating a chief security officer (CSO) role to bring IT, OT, supply chain and insider security concerns under one roof. In some cases, physical security is also part of the CSO’s purview. This approach to centralizing security can be an effective way forward. But to really drive a security culture, establish shared accountability with the business: T&D leadership should explicitly share responsibility for security and for any breaches, with that behavior driven by shared incentives and objectives.
Think of cybersecurity differently
Move from a compliance mindset to a capability approach: “How do I build an effective end-to-end capability that can evolve along with – or even ahead of – security demands?” This also aligns with the direction many regulators are taking. The end game is increased security resilience, with utilities taking ownership for building security into the design of their infrastructure and systems. It’s a step change, a step toward a more forward-looking and proactive approach that is increasingly essential as the scale and nature of threats continue to ramp up.
Design-in protection, with emergency response in scope
To be effective at security, from the control center to the grid edge, explicitly design it in, starting during planning. Too often, security is a bolt-on budgeted after everything else, so funding is often nominal. Make it a priority by budgeting it as a line item upfront. Then keep it at the top of the list.
Make security part of the emergency response cadence
When you go into emergency mode, do not allow security to fall away. Infuse it into every process and system, including communications with field crews. For example, during regular and emergency operations, control center personnel communicate with field crews through a variety of paths typically secured (if they are secured at all) via endpoint encryption. Whether communications use cellular or mesh networks, VoIP, satellite, traditional telephony or a hybrid, establish secure backup communication paths. This reduces the risk of surveillance and/or data theft.
Our research shows only a quarter of utilities executives we surveyed feel very well prepared to deal with extreme weather events. Given that emergency response is an orchestrated, pre-planned process—one you will enact repeatedly—security considerations need to be one of the highest priorities in crisis management in the T&D business.
Get the right people in the room
How to design in security? Gather all “security” stakeholders – this should include T&D operations, telecommunications, and IT and OT leadership, along with the people from security and compliance – to help budget for security concerns during design, not after the fact.
Plus, make security a business-wide remit by encouraging all stakeholders to establish strong relationships and to share accountability. When the storm hits, relationships count. If there’s one thing we can guarantee, the storm—or hurricane, or cyclone or wildfire or cyberattack—will hit again.
The lesson of FireEye, SolarWinds and other attacks is that utilities, like all other organizations, should aim for proactive, end-to-end security resilience. Please contact me to find out more.